Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
3 + 5 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
     

Re: Xoops doesn't like ZoneAlarm Pro
by Dave_L on 2004/3/14 20:43:14

Quote:
When you click a Web page, your browser notes the current page that you are on and sends that information to the server before accessing a new page. This way, the server knows the last Web page that you viewed.


I would change that to:

Quote:
When you click a link or button on a web page, your browser notes the current page that you are on and sends that information to the server before accessing a new page. This way, the server knows the last web page that you viewed.


I would also mention the actual header tag HTTP_REFERER somewhere, for the benefit of people who understand that.

I think the expanded message is a good idea, as long as it's easy to customize. On sites that tend to be targeted by abusers, detailed information could be of value to the abuser, and a terse, less informative message may be preferred.
Re: Xoops doesn't like ZoneAlarm Pro
by m0nty on 2004/3/14 20:31:53

Quote:
spiff wrote:

That's why, in my opinion, the current error message isn't satisfying; it needs to point out that the problem has to do with referrers not being accessible, which in most cases is due to a firewall being configured too rigidly.

Does it also appear to you that rewriting the message is the right way to go? From your experience, does the above draft address all the issues, or would you improve it?



yes, i think it would be a good idea to have some default text giving an explanation of reasons that could affect login and registration.. your text seems fine to me and i wouldn't change much other than adding the links to the most common firewalls to the end of the message so that users can go directly to the info page that will tell them how to configure their firewalls properly. altho this may not always be the case.. it might be better if u could write some kind of error trap into it which could detect whether the person has http refer blocked or whether the cookies are being blocked and then display the relevant message. maybe it might just be down to their internet explorer privacy settings being set too high and might not be a firewall issue.. i don't know exactly how easy it would be to write such a code to detect that.. but it would be more informative to the user..

what i wouldn't want the XOOPS team to do is compromise security to an extent as to please everybody..
Re: Xoops doesn't like ZoneAlarm Pro
by spiff on 2004/3/14 18:20:02

Quote:

m0nty wrote:

where do you draw the line between compromising security and users that don't read instructions on how to use the software they have installed correctly?

everyone who has posted this thread raises some important issues, but to me the http referrer issue is entirely down to the users and not xoops..



Yep, it would be tragic to do without the security just because some users haven't learned how to use their tools.

On the other hand, it's important to stay polite with users. A fair proportion of those who purchase a firewall product do so after having been infected by a virus, or are concerned by spam issues; they don't necessarily have the time, or the skills, to look into configuring it properly. They need to be encouraged to do so.

That's why, in my opinion, the current error message isn't satisfying; it needs to point out that the problem has to do with referrers not being accessible, which in most cases is due to a firewall being configured too rigidly.

Does it also appear to you that rewriting the message is the right way to go? From your experience, does the above draft address all the issues, or would you improve it?

Eric
Re: Xoops doesn't like ZoneAlarm Pro
by m0nty on 2004/3/14 10:53:07

i've followed this thread and it does raise some interesting points.

i think the XOOPS team for 1 should be applauded for their concerns with security.

someone mentioned about phpnuke not having these issues!! but when you count the number of phpnuke sites that have been hacked and compare them to the amount of XOOPS sites that get hacked, then you tell me which is more secure?

ok the methods used to hack sites are wide and varied but security should be taken seriously in all cases.

when u install a firewall the instructions come with it, and zonealarm for 1 and norton do say on the config screens that blocking http referer and 3rd party cookies may stop you accessing certain sites and tells you to use these settings with caution!! Certain microsoft sites and msn sites will not let u login if u have these settings blocked so should these sites lower their security just to satisfy the users that don't read instructions or bump their firewalls up too high because they are worried about being hacked?? I think not..

having a firewall does not stop you getting hacked, all it does it makes it harder for you to be hacked and why really would a normal user want to block http referring?

a high percentage of users and sites that get hacked are not down to the software or whether the user has a firewall or not, it's down to the ignorance and in experience of the user, ie clicking on unknown links that take u to a site which then steals cookies or other info, or they open an email which contains a trojan, or there maybe unclosed java scripts etc from badly designed modules..

where do you draw the line between compromising security and users that don't read instructions on how to use the software they have installed correctly?

everyone who has posted this thread raises some important issues, but to me the http referrer issue is entirely down to the users and not xoops..

Re: Xoops and Firewalls
by spiff on 2004/3/12 11:40:47

Quote:
I like this idea...but is there an easy way to hack XOOPS to make such a message display ?


I thought the easiest way to do it would be to replace the error message's variable with a complete message similar to the one I've posted.

_US_REGISTERNG variable is defined around line 37 in /language/english/user.php:

le="color: #000000"><?php define('_US_REGISTERNG','Your last request failed because it seems your computer is set up behind a firewall, which blocks sending information to {SITE_NAME}.<br /><br />Our site uses Referrer-checking to secure contents being posted; this method prevents improperly identifiable users from placing undue content on the site.<br /><br />When you click a Web page, your browser notes the current page that you are on and sends that information to the server before accessing a new page. This way, the server knows the address of the last Web page you viewed.<br /><br />Some firewalls block this information by default. It appears this is the case for your connection, which means we were unable to ascertain that the data you submitted before accessing this page was typed on a page belonging to this website. That's a security issue for us.<br /><br />If you are using a firewall such as Norton Internet Security (NIS), ZoneAlarm Pro, etc., please modify your settings accordingly. (For an example of firewall setup, see https://xoops.org/modules/xoopsfaq/index.php?cat_id=13#25).<br /><br />Additionally, your browser must be set up to accept cookies from {SITE_NAME}.<br /><br />These simple steps are necessary for us to keep this site secure; it prevents untrustworthy users from accessing it. Please check your firewall and cookie settings, then try again.');


I'm not sure whether the SITE_NAME variable requires the brackets to be rendered, or whether it needs to be specified as "$SITE_NAME". From the looks, register.php doesn't do any templating on the variable, so SITE_NAME and the http link may need to handled differently.

Some other variables may need to be modified as well (upon failed login, failed post, etc.)

Another possibility is to leave the message alone, and modify register.php (login.php, post.php?) to redirect to another page, like so:

le="color: #000000"><?php Lines 206 & 212: CHANGE: echo _US_REGISTERNG; TO: redirect_header('firewall.php', 4, _US_REGISTERNG);


I'll try setting myself behind a firewall to test this if I have the time.

Eric

Who's Online

590 user(s) are online (505 user(s) are browsing Support Forums)


Members: 0


Guests: 590


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits