31
spiff
Re: Xoops doesn't like ZoneAlarm Pro
  • 2004/3/11 16:29

  • spiff

  • Just popping in

  • Posts: 47

  • Since: 2003/4/16


Hello everyone,

We just ran into this problem this week, although it's likely a number of users simply didn't bother to contact us about a failed registration earlier on, and gave up.

It's nice to know that XOOPS is secure, and that the problem comes from improperly set up firewalls. However, as previously mentioned, not all users have the patience to set up a rule in their firewalls, or even know how to enable cookies for a specific site.

For the sake of security and user-friendliness, I think it would be nice if the error message that comes up after a failed registration actually explained what the problem is, in replacement for the blunt "Cannot register new user."

This could take the form of a special XOOPS page that could be linked to whenever a failed referrer-checking occurs, which would encourage the user to tackle his/her firewall installation.

Quote:

Your last request failed because it seems your computer is set up behind a firewall, which blocks sending information to {SITE_NAME}.

Our site uses Referrer-checking to secure contents being posted; this method prevents improperly identifiable users from placing undue content on the site.

When you click a Web page, your browser notes the current page that you are on and sends that information to the server before accessing a new page. This way, the server knows the last Web page that you viewed.

Some firewalls block this information by default. It appears this is the case for your connection, which means we were unable to ascertain that the data you submitted before accessing this page was typed on a page belonging to this website. That's a security issue for us.

If you are using a firewall such as Norton Internet Security (NIS), ZoneAlarm Pro, etc., please modify your settings accordingly. (For an example of firewall setup, see https://xoops.org/modules/xoopsfaq/index.php?cat_id=13#25)

Additionally, your browser must be set up to accept cookies from {SITE_NAME}.

These simple steps are necessary for us to keep this site secure; it prevents untrustworthy users from accessing it. Please check your firewall and cookie settings, then try again.


Is this complete enough? Anything missing? Let's try and work on a page that would address all the basic issues, until the Core team fixes the problem in a more elegant way.

A comprehensive response would address XOOPS users' questions and not deter them (and webmasters) from using the XOOPS CMS.

Eric

32
MadFish
Re: Xoops doesn't like ZoneAlarm Pro
  • 2004/3/12 3:54

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


I like this idea...but is there an easy way to hack XOOPS to make such a message display?

33
Anonymous
Re: Xoops doesn't like ZoneAlarm Pro
  • 2004/3/12 6:21

  • Anonymous

  • Posts: 0

  • Since:


I can't believe this is happening to me. I'm launching a student portal for UC Berkeley on April 1. I have spent $4000 already building modules.

Because of the section 508 compliance problem, CSS validation issues, and the XOOPS template/theme system my supervisors suggested we dump XOOPS and use Plone to deploy our site. I have thought about giving up on XOOPS many times, but I think this comes really close to it.

I can't believe some of the developers' responses. This is a big issue. We have 28,000 students, 100,000 faculty and administrators and have teamed up with our alumni association, which has more than 40,000 active alumni contributing to our campus. Our roadmap involves making XOOPS section 508 compliant, do CSS validation and make it WAI-AAA compliant. AS A UNIVERSITY, WE ARE BOUND BY LAW TO DO THIS!

I am supposed to meet with our Chancellor next week regarding our budget for next year. HOW THE HELL AM I SUPPOSED TO TELL HIM THAT THERE ARE EVEN MORE PROBLEMS THE SECTION 508 COMPLIANCE AND PROBLEMS WITH DISABLED STUDENTS ACCESSING XOOPS?!

34
MadFish
Re: Xoops doesn't like ZoneAlarm Pro
  • 2004/3/12 8:55

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


This seems a little off topic, however, I think there is some useful advice on addressing the Section 508 issue in this thread, which suggests that it is really a template compliance issue (so hopefully shouldn't be too hard to sort out? Probably a lot easier than moving to a different system).

While I am all in favour of anything that will increase the accessibility of XOOPS sites, I would point out that XOOPS has a very distributed/international user base, so I don't know that it should be expected to comply with the domestic regulations of any particular country.

35
spiff
Re: Xoops and Firewalls
  • 2004/3/12 11:40

  • spiff

  • Just popping in

  • Posts: 47

  • Since: 2003/4/16


Quote:
I like this idea...but is there an easy way to hack XOOPS to make such a message display?


I thought the easiest way to do it would be to replace the error message's variable with a complete message similar to the one I've posted.

The _US_REGISTERNG variable is defined around line 37 in /language/english/user.php:

define('_US_REGISTERNG', 'Your last request failed because it seems your computer is set up behind a firewall, which blocks sending information to {SITE_NAME}. Our site uses Referrer-checking to secure contents being posted; this method prevents improperly identifiable users from placing undue content on the site. When you click a Web page, your browser notes the current page that you are on and sends that information to the server before accessing a new page. This way, the server knows the address of the last Web page you viewed. Some firewalls block this information by default. It appears this is the case for your connection, which means we were unable to ascertain that the data you submitted before accessing this page was typed on a page belonging to this website. That\'s a security issue for us.<br /><br />If you are using a firewall such as Norton Internet Security (NIS), ZoneAlarm Pro, etc., please modify your settings accordingly. (For an example of firewall setup, see https://xoops.org/modules/xoopsfaq/index.php?cat_id=13#25). Additionally, your browser must be set up to accept cookies from {SITE_NAME}. These simple steps are necessary for us to keep this site secure; it prevents untrustworthy users from accessing it. Please check your firewall and cookie settings, then try again.');


I'm not sure whether the SITE_NAME variable requires the brackets to be rendered, or whether it needs to be specified as "$SITE_NAME". From the looks, register.php doesn't do any templating on the variable, so SITE_NAME and the http link may need to be handled differently.

Some other variables may need to be modified as well (upon failed login, failed post, etc.)

Another possibility is to leave the message alone, and modify register.php (login.php, post.php?) to redirect to another page, like so:

Lines 206-212:
CHANGE: echo _US_REGISTERNG;
TO: redirect_header('firewall.php', 4, _US_REGISTERNG);


I'll try setting myself behind a firewall to test this if I have the time.

Eric

36
m0nty
Re: Xoops doesn't like ZoneAlarm Pro
  • 2004/3/14 10:53

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


i've followed this thread and it does raise some interesting points.

i think the XOOPS team for 1 should be applauded for their concerns with security.

someone mentioned about phpnuke not having these issues!! but when you count the number of phpnuke sites that have been hacked and compare them to the amount of XOOPS sites that get hacked, then you tell me which is more secure?

ok the methods used to hack sites are wide and varied but security should be taken seriously in all cases.

when u install a firewall the instructions come with it, and zonealarm for 1 and norton do say on the config screens that blocking http referer and 3rd party cookies may stop you accessing certain sites and tell you to use these settings with caution!! Certain microsoft sites and msn sites will not let u login if u have these settings blocked so should these sites lower their security just to satisfy the users that don't read instructions or bump their firewalls up too high because they are worried about being hacked?? I think not..

having a firewall does not stop you getting hacked, all it does is make it harder for you to be hacked and why really would a normal user want to block http referring?

a high percentage of users and sites that get hacked are not down to the software or whether the user has a firewall or not, it's down to the ignorance and inexperience of the user, ie clicking on unknown links that take u to a site which then steals cookies or other info, or they open an email which contains a trojan, or there may be unclosed java scripts etc from badly designed modules..

where do you draw the line between compromising security and users that don't read instructions on how to use the software they have installed correctly?

everyone who has posted in this thread raises some important issues, but to me the http referrer issue is entirely down to the users and not xoops..


37
spiff
Re: Xoops doesn't like ZoneAlarm Pro
  • 2004/3/14 18:20

  • spiff

  • Just popping in

  • Posts: 47

  • Since: 2003/4/16


Quote:

m0nty wrote:

where do you draw the line between compromising security and users that don't read instructions on how to use the software they have installed correctly?

everyone who has posted this thread raises some important issues, but to me the http referrer issue is entirely down to the users and not xoops..



Yep, it would be tragic to do without the security just because some users haven't learned how to use their tools.

On the other hand, it's important to stay polite with users. A fair proportion of those who purchase a firewall product do so after having been infected by a virus, or are concerned by spam issues; they don't necessarily have the time, or the skills, to look into configuring it properly. They need to be encouraged to do so.

That's why, in my opinion, the current error message isn't satisfying; it needs to point out that the problem has to do with referrers not being accessible, which in most cases is due to a firewall being configured too rigidly.

Does it also appear to you that rewriting the message is the right way to go? From your experience, does the above draft address all the issues, or would you improve it?

Eric

38
m0nty
Re: Xoops doesn't like ZoneAlarm Pro
  • 2004/3/14 20:31

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


Quote:
spiff wrote:

That's why, in my opinion, the current error message isn't satisfying; it needs to point out that the problem has to do with referrers not being accessible, which in most cases is due to a firewall being configured too rigidly.

Does it also appear to you that rewriting the message is the right way to go? From your experience, does the above draft address all the issues, or would you improve it?



yes, i think it would be a good idea to have some default text giving an explanation of reasons that could affect login and registration.. your text seems fine to me and i wouldn't change much other than adding the links to the most common firewalls to the end of the message so that users can go directly to the info page that will tell them how to configure their firewalls properly. altho this may not always be the case.. it might be better if u could write some kind of error trap into it which could detect whether the person has http refer blocked or whether the cookies are being blocked and then display the relevant message. maybe it might just be down to their internet explorer privacy settings being set too high and might not be a firewall issue.. i don't know exactly how easy it would be to write such code to detect that.. but it would be more informative to the user..

what i wouldn't want the XOOPS team to do is compromise security to an extent as to please everybody..

39
Dave_L
Re: Xoops doesn't like ZoneAlarm Pro
  • 2004/3/14 20:43

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:
When you click a Web page, your browser notes the current page that you are on and sends that information to the server before accessing a new page. This way, the server knows the last Web page that you viewed.


I would change that to:

Quote:
When you click a link or button on a web page, your browser notes the current page that you are on and sends that information to the server before accessing a new page. This way, the server knows the last web page that you viewed.


I would also mention the actual header tag HTTP_REFERER somewhere, for the benefit of people who understand that.

I think the expanded message is a good idea, as long as it's easy to customize. On sites that tend to be targeted by abusers, detailed information could be of value to the abuser, and a terse, less informative message may be preferred.
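An added example, not XOOPS code and not part of anyone's post above: a PHP sketch of the "error trap" m0nty describes, telling a stripped Referer apart from a Referer naming another host and from blocked cookies, with the terse/verbose switch Dave_L asks for on sites that attract abusers. The function and constant names, and the commented wiring to redirect_header(), $xoopsConfig['sitename'] and XOOPS_URL, are assumptions for illustration.

```php
<?php
// Added example, not XOOPS code: classify why a referrer-checked submission failed
// (Referer stripped, Referer from another host, or cookies blocked) and pick the
// message for it. Function and constant names are assumptions for illustration.
const FW_OK              = 'ok';
const FW_REFERER_MISSING = 'referer_missing'; // firewall or privacy tool stripped Referer
const FW_REFERER_FOREIGN = 'referer_foreign'; // Referer present but names another host
const FW_COOKIES_BLOCKED = 'cookies_blocked'; // cookie set with the form never came back

// $referer: raw HTTP Referer header, or null when the browser sent none.
// $siteHost: this site's host, e.g. parse_url(XOOPS_URL, PHP_URL_HOST).
// $hasCookie: whether the cookie issued with the form came back.
function diagnoseSubmission(?string $referer, string $siteHost, bool $hasCookie): string
{
    if ($referer === null || $referer === '') {
        return FW_REFERER_MISSING;
    }
    // A Referer naming another site fails the check just like a missing one.
    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost) || strcasecmp($refHost, $siteHost) !== 0) {
        return FW_REFERER_FOREIGN;
    }
    return $hasCookie ? FW_OK : FW_COOKIES_BLOCKED;
}

// With $verbose = false the site keeps the terse wording, for forums that
// would rather not explain their checks to abusers.
function failureMessage(string $code, string $siteName, bool $verbose): string
{
    if ($code === FW_OK) {
        return '';
    }
    if (!$verbose) {
        return 'Cannot register new user.';
    }
    switch ($code) {
        case FW_COOKIES_BLOCKED:
            return "Your browser must be set up to accept cookies from {$siteName}.";
        case FW_REFERER_MISSING:
            return "A firewall or privacy setting seems to stop your browser sending the "
                 . "HTTP Referer header to {$siteName}; please allow it for this site.";
        default:
            return "Your request did not come from a page on {$siteName}; please start there.";
    }
}

// Wiring in a XOOPS script (assumed): redirect to the help page with the diagnosis.
// $code = diagnoseSubmission($_SERVER['HTTP_REFERER'] ?? null, parse_url(XOOPS_URL, PHP_URL_HOST), isset($_COOKIE[session_name()]));
// if ($code !== FW_OK) redirect_header('firewall.php', 4, failureMessage($code, $xoopsConfig['sitename'], true));
```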
