HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 20 July 2008 : 15:18:37
Due to a rare sequence of events it may be possible for a spammer to post messages to the forum without being authorised.
This can happen if your forum loses its application variable collection (this manifests itself as looking like the forum has lost all its formatting).
The situation is caused by a problem on both your webserver and database simultaneously, but can allow someone to post without authentication.
To prevent these unauthorised posts, add the following lines to the end of config.asp (before the closing %> line):

    ' Abort the request if the Application collection has been lost
    if Application(strCookieURL & "STRVERSION") = "" Or IsNull(Application(strCookieURL & "STRVERSION")) then
        Response.Write("Server Error, The Application variables are not loaded. Please try again later.")
        Response.End
    end if

Additional note: You also need to make the changes described by ruirib in this reply http://forum.snitz.com/forum/topic.asp?whichpage=2&TOPIC_ID=67497#383151
It should then autoreload the app variables correctly when it is able to, so hopefully the request.end will only happen on very very rare occasions.
Edited by - AnonJr on 17 March 2009 18:50:35
richfed
Average Member
United States
999 Posts
Posted - 20 July 2008 : 18:13:25

Thanks for this, Huw ... I experienced this issue a couple of months back.
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 21 July 2008 : 15:32:51

Yes, that would also happen; the fix will also prevent that, as it basically kills the request if the application variables are not valid.
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 22 July 2008 : 08:23:56

quote: Originally posted by Podge
    Forgive my ignorance but why don't you redirect to setup.asp or just load the application variables instead of killing the request?

1) It is not generally recommended that setup.asp remain accessible to normal users, for security reasons.
2) Reloading the app variables will only work if the situation that caused the problem has been rectified; if it hasn't, it will put your browser into a continual redirect loop.
So, this is the best way to deal with the situation and prevent unwanted/unexpected problems.
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 22 July 2008 : 11:16:04

If you want to come up with a more elegant solution then feel free, this is after all a community project; however, this is the quickest and simplest solution to prevent issues that relate to unloading of application variables.
I would not recommend redirecting normal web requests through your setup.asp script, just load it up and you will see why.
Don't forget, the test I have done is pretty much telling you that your db connection ain't working; if it was, then the app variables would have loaded and you would not get trapped by the response.end.
Podge
Support Moderator
Ireland
3775 Posts
Posted - 22 July 2008 : 12:20:44

Huwr, I'm not trying to be awkward, it's just that using the solution above, every user will receive the error "Server Error, The Application variables are not loaded" until the admin goes to setup.asp to reload the variables.
It would be more convenient if the application variables were attempted to be loaded when the error is detected, so that every subsequent request from visitors for the forum would attempt to reload the application variables until the problem was resolved.
Personally I don't see a problem redirecting to setup.asp, but alternatively you could just include code similar to what is already in config.asp, i.e. this code
In any event it will only ever affect a very small number of people. Do you have steps that can successfully recreate the problem?
Podge.
The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)
My Mods: CAPTCHA Mod | GateKeeper Mod Tutorial: Enable subscriptions on your board
Warning: The post above or below may contain nuts.
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 22 July 2008 : 12:44:42

Podge,
config.asp already does that check, but can still arrive at the end of the file with empty app variables, hence the need to abort the request, or potentially put you into an endless loop trying to reload them.
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 22 July 2008 : 13:59:36

quote: Originally posted by HuwR
    Podge,
    config.asp already does that check, but can still arrive at the end of the file with empty app variables, hence the need to abort the request, or potentially put you into an endless loop trying to reload them.

I concur with Huw, here. As long as the Db is not available, every try to load app variables will fail and it's hard to avoid an endless loop.
The exact code you posted, Podge, will be executed every single time a user tries to access the forum.
Snitz 3.4 Readme | Like the support? Support Snitz too
Etymon
Advanced Member
United States
2385 Posts
Posted - 22 July 2008 : 14:41:54

I'm going to work with writing and reading the loops to a text file on the server instead of to the database using the FSO. When the text file has been written and updated to a maximum specified number of times, then the user will be redirected to a custom error found in config.asp (where the "Server Error, The Application variables are not loaded" note is for this fix) ... as a note, config.asp is also used in setup.asp, so I am making a duplicate config.asp (with a different file name) and including that into setup.asp.
I am with Podge as far as trying to reload the variables, if at all possible, on a user by user basis instead of waiting on the administrator to login and run setup.asp. Also, as long as it is secure, it seems that a remote db, like an access db, on another server can serve as a data storage container to count the number of loops each user is encountering on the main site through the normal config.asp.
I am speculating on a lot of this since I have not written the code nor tested these things. Can you guys give me some pros and cons from your experience on this?
Edited by - Etymon on 22 July 2008 15:17:31
phy1729
Average Member
USA
589 Posts
Posted - 22 July 2008 : 15:21:52

I suggest you also look at the last modified time on the file to put a reasonable amount of time between tries.
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 22 July 2008 : 15:31:58

There are hosts who don't allow FSO on their servers (we have an alternate mod setup for a reason). How would you handle it in that case? Everyone is free to find an alternate solution. We need a solution that will work in the most general scenario.
Snitz 3.4 Readme | Like the support? Support Snitz too
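Pulling together Huw's guard from the first post, Podge's wish that visitors' own requests retry the reload, phy1729's point about spacing the tries, and ruirib's point that FSO is not available on every host, here is an added example (not Snitz code and not posted by anyone in this thread) of what the end of config.asp could look like. It assumes strCookieURL is defined earlier in config.asp as in the original fix, keeps the retry timestamp in the Application collection instead of a file, and calls a hypothetical LoadApplicationVariables() defined elsewhere that refills the collection from the database and returns True only on success.

```vbscript
' Added example, not Snitz code. Goes at the end of config.asp, before the
' closing %>. Assumes strCookieURL is defined above (as in the original fix)
' and that LoadApplicationVariables() is a hypothetical function, defined
' elsewhere, that refills the Application collection and returns True on success.
Const RETRY_SECONDS = 60        ' assumed gap between reload attempts

Function AppVarsLoaded()
    ' Same test as Huw's fix, written so a Null value cannot leak into the If.
    Dim v
    v = Application(strCookieURL & "STRVERSION")
    If IsEmpty(v) Or IsNull(v) Then
        AppVarsLoaded = False
    ElseIf CStr(v) = "" Then
        AppVarsLoaded = False
    Else
        AppVarsLoaded = True
    End If
End Function

Function TryReloadAppVars()
    ' Lets one request per RETRY_SECONDS hit the database; all others fail
    ' fast. The timestamp lives in the Application collection (no FSO needed).
    ' If the collection was just emptied the stamp is gone too, so the first
    ' visitor after the loss always gets one attempt.
    Dim lastTry, shouldTry
    TryReloadAppVars = False
    Application.Lock
    lastTry = Application(strCookieURL & "APPVARS_LASTTRY")   ' assumed key
    If IsEmpty(lastTry) Or IsNull(lastTry) Then
        shouldTry = True
    ElseIf DateDiff("s", lastTry, Now()) >= RETRY_SECONDS Then
        shouldTry = True
    Else
        shouldTry = False
    End If
    If shouldTry Then Application(strCookieURL & "APPVARS_LASTTRY") = Now()
    Application.Unlock                ' never hold the lock across the DB call
    If shouldTry Then TryReloadAppVars = LoadApplicationVariables()
End Function

' Abort the request (never redirect to setup.asp) when the variables are
' still missing: serving the page would let a post through unauthenticated.
If Not AppVarsLoaded() Then
    If Not TryReloadAppVars() Then
        Response.Status = "503 Service Unavailable"
        Response.Write("Server Error, The Application variables are not loaded. Please try again later.")
        Response.End
    End If
End If
```

Because the reload runs outside the lock and only once per window, a database that stays down produces one failed query per minute rather than one per request, and every request still ends with Response.End until the variables are back.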