IP Geo Block plugin support forum: Exceptions for ‘Admin ajax/post’

  • Resolved abooster

    (@abooster)


    The description there is a bit unclear.
    So, my question is:
    When I add exceptions there, will those things also be skipped for “Block by country”?
    Or are the exceptions only meant to be for “Prevent Zero-day Exploit”?

    If I understand correctly, the exceptions are meant to be for both but I’m not 100% sure.
    Please clarify.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi @abooster,

It’s also a bit difficult for me to make a good I/F (interface) that makes this functionality easy to understand 🙂

When you check an action that has only the locked icon, “Prevent Zero-day Exploit” will be bypassed while “Block by country” will still be in effect. And in case you check an action that has the unlocked icon, “Block by country” will be bypassed.

The typical use case is: You want to “Block by country” and “Prevent Zero-day Exploit” for the back-end. But on the front facing pages, the ajax function via /wp-admin/admin-ajax.php is also used by unprivileged users. In this case, the target action may have both a locked icon and an unlocked icon. Then you need to check that action.

I hope this can help you to understand. Please also refer to the “3.0.2 Release Note”.

Thanks for asking!

    Thread Starter abooster

    (@abooster)

You haven’t answered my question (but I realize it was a bit unclear).
    Anyway, my question wasn’t about ticking the check boxes.
    My question was about manually entering exceptions.
    So, what happens for those comma separated things that I enter manually?
    As you know, there aren’t any lock symbols for them.

When/where will those manual exceptions be applied? This is very unclear.

    For example, plugin A is getting blocked on the front end.
    If I manually enter all strings (shown in the logs) into the exceptions box, will it unblock everything for normal front end users? Or will it only unblock for logged in users?

    Another related question:
    Does “privileged user” mean any logged in user?
    Or does it mean only users with admin privileges?
    Or does it mean something entirely different??

    Thread Starter abooster

    (@abooster)

    Yet another question:
    I explained above that I was trying to enter exceptions manually into the box
    but I didn’t say where I took those things from that I was entering there.
    Well, I took them from the logs of your plugin.
    To be exact, in the “logs” tab I see entries under the “Admin area”.
    They usually look like this:

    wp-zep POST[443]:/wp-admin/admin-ajax.php

    So, I click on that to expand and then I see something like this:

    User agent:
    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36
    HTTP headers:
    HTTP_ORIGIN=https://mydomain.com,HTTP_X_REQUESTED_WITH=XMLHttpRequest,HTTP_REFERER=https://mydomain.com/wp-admin/options-general.php?page=ip-geo-block&tab=4&ip-geo-block-auth-nonce=2bbd765435,HTTP_X_HTTPS=1
    $_POST data:
    data,interval,_nonce,action,screen_id,has_focus,ip-geo-block-auth-nonce

    So, I copy the parts that I see under “$_POST data” (data,interval,_nonce,action,screen_id,has_focus,ip-geo-block-auth-nonce) and paste them into the exceptions box in settings.

    Is that wrong?

    Here’s a bunch of other things that I saw in the logs under “$_POST data” when a particular plugin was getting blocked:

    tqb-variation-page_id,tqb-variation-variation_id,tqb-variation-user_unique,name,email,_form_type,__tcb_lg_fc,__tcb_lg_msg,_asset_group,_asset_option,_create_account,_error_message_option,_back_url,_submit_option,_use_captcha,_captcha_theme,_captcha_type

    So, I entered them into the exceptions box.
    Was that correct or not?

    Thread Starter abooster

    (@abooster)

    P.S.
    On this page here: http://www.ipgeoblock.com/changelog/release-3.0.2.html
    you are explaining in the screenshot that a URL part under “Request” needs to be entered into the exceptions box.
    The problem is:
    I don’t see any request part in my cases!
    Here’s an example of what I see in the logs when one of the important plugins is getting blocked:

    2017-04-28 12:01:39 *IP_ADDRESS* CA blocked POST[443]:/wp-admin/admin-ajax.php
    User agent:
    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 OPR/44.0.2510.1218
    HTTP headers:
    HTTP_ORIGIN=https://mydomain.com,HTTP_X_REQUESTED_WITH=XMLHttpRequest,HTTP_REFERER=https://mydomain.com/quiz/,HTTP_X_HTTPS=1
    $_POST data:
    tqb-variation-page_id,tqb-variation-variation_id,tqb-variation-user_unique,name,email,_form_type,__tcb_lg_fc,__tcb_lg_msg,_asset_group,_asset_option,_create_account,_error_message_option,_back_url,_submit_option,_use_captcha,_captcha_theme,_captcha_type,_…

    As you can see, there is NO “request” area as shown in this screenshot:
    http://www.ipgeoblock.com/img/2017-03/BlockedRequestLogs.png

Here’s a screenshot I just made (linked on imgur.com).


    How can I prevent the plugin from getting blocked?

    Plugin Author tokkonopapa

    (@tokkonopapa)

Sorry, I missed your point. And I know I should improve a bunch of things about the UI, help text, documentation and also the logic of this plugin. I am working on it step by step in the limited time I have each day 🙂

    My question was about manually entering exceptions.
    So, what happens for those comma separated things that I enter manually?

Well, in the exceptions text box at “Admin ajax/post”, you can manually enter a page name or an action name to specify the request that might be blocked. For example, you can add “ip-geo-block” and “do-this-job” / “do-that-job” to specify the following requests.

    • /wp-admin/options-general.php?page=ip-geo-block&...
    • /wp-admin/admin-ajax.php?action=do-this-job&...
    • /wp-admin/admin-post.php?action=do-that-job&...

The “page=…” or “action=…” is a kind of WordPress standard way to specify the request for “Admin ajax/post”.

    For example, plugin A is getting blocked on the front end.
    If I manually enter all strings (shown in the logs) into the exceptions box, will it unblock everything for normal front end users? Or will it only unblock for logged in users?

    It depends on how plugin A requests to the back-end from the front-end.

    Does “privileged user” mean any logged in user?

Yes, “privileged user” = “logged-in user” and “non-privileged user” = “not-logged-in user”. I use the terms “privileged” / “non-privileged” because of the name of the action hook for ajax: wp_ajax_nopriv_(action). But I was wrong. I should change them to “logged-in user” and “non-logged-in user”.

Related to “Yet another question:”, the following is wrong.

    So, I copy the parts that I see under “$_POST data” (data,interval,_nonce,action,screen_id,has_focus,ip-geo-block-auth-nonce) and paste them into the exceptions box in settings.

    In that case, please add a word “action” into “$_POST keys to be recorded with their values in logs” at “Record settings” in order to find the value of “action” in the logs. Then you will be able to find it in the “Candidate actions” under “Exceptions“.

    Here’s a bunch of other things that I saw in the logs under “$_POST data” when a particular plugin was getting blocked:

I think that plugin uses a non-standard (non-WordPress) way. In such a case, you need to add some code snippet into your functions.php or “drop-in.php” in the ip-geo-api folder to specify the request. Please let me know the name of that plugin.

And the strangest thing for me is:

    I don’t see any request part in my cases!

So my question is: Is this the case only for that particular plugin’s requests? Or can’t you find “Request” anywhere in your logs (Comment post, XML-RPC, Login form…)?

    Anyway, I need to investigate more concretely. So I’d appreciate if you send me what “Installation information” at “Plugin settings” reports. You can find my email address at https://github.com/tokkonopapa .

Thanks a lot for taking the time to report this topic and for your cooperation in improving this plugin.
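The reply above makes two points that are easy to mix up when reading the logs: a request is identified by the value of its page= or action= parameter, not by the list of POST keys the log shows, and an exception only decides whether the country check lets the request through, while WordPress itself decides whether a not-logged-in visitor's request reaches the plugin (wp_ajax_{action} versus wp_ajax_nopriv_{action}). The following Python model, added here as an illustration and not the IP Geo Block plugin's code, walks through both with sample requests constructed from the log entries quoted in this thread. The matching rule is an assumption taken from the author's description (admin-ajax.php and admin-post.php identified by action=, other wp-admin pages by page=); the POST values are made up, since the logs record only the keys; the wp_ajax_/wp_ajax_nopriv_ dispatch is standard WordPress behaviour.

```python
"""Model (added illustration, not the IP Geo Block plugin's code) of how an
'Admin ajax/post' exception identifies a back-end request, and of why a
front-end visitor's request may still fail after it is excepted.

Assumptions, taken from the plugin author's description and not verified
against the plugin source: admin-ajax.php / admin-post.php requests are
identified by the value of `action`, other wp-admin pages by `page=`.
The wp_ajax_{action} / wp_ajax_nopriv_{action} split is standard WordPress.
"""
from urllib.parse import parse_qs

# Constructed sample requests modelled on the log entries quoted in this
# thread. The logs show only the POST keys; the values here are made up.
HEARTBEAT = {
    "path": "/wp-admin/admin-ajax.php",
    "query": "",
    "post": "data=x&interval=60&_nonce=deadbeef&action=heartbeat"
            "&screen_id=settings_page_ip-geo-block&has_focus=true",
}
QUIZ_SUBMIT = {  # the quiz plugin's front-end form; action found via DevTools
    "path": "/wp-admin/admin-ajax.php",
    "query": "",
    "post": "action=tve_api_form_submit&name=Alice&email=alice%40example.com"
            "&_form_type=quiz&tqb-variation-page_id=12",
}
SETTINGS_PAGE = {
    "path": "/wp-admin/options-general.php",
    "query": "page=ip-geo-block&tab=4",
    "post": "",
}


def post_keys(req):
    """The parameter names the logs list under '$_POST data'."""
    return list(parse_qs(req["post"], keep_blank_values=True).keys())


def request_identity(req):
    """Identify the request the WordPress-standard way.

    Returns ('action', name) for admin-ajax.php / admin-post.php (the action
    may travel in the query string or the POST body), ('page', name) for any
    other wp-admin page, or None when neither page= nor action= is present,
    i.e. a plugin using a non-standard way that an exception entry cannot name.
    """
    params = dict(parse_qs(req["query"]))
    params.update(parse_qs(req["post"]))
    script = req["path"].rsplit("/", 1)[-1]
    key = "action" if script in ("admin-ajax.php", "admin-post.php") else "page"
    value = params.get(key, [None])[0]
    return (key, value) if value else None


def is_excepted(req, exceptions):
    """True if the request's page/action *value* is in the exception list.
    The POST key names (data, interval, name, email, ...) never take part."""
    ident = request_identity(req)
    return ident is not None and ident[1] in exceptions


def admin_ajax_dispatch(req, logged_in, registered_hooks):
    """Mimic wp-admin/admin-ajax.php: a logged-in user fires wp_ajax_{action},
    a visitor fires wp_ajax_nopriv_{action}. Returns the hook that would run,
    or None if the plugin never registered one for that kind of user."""
    ident = request_identity(req)
    if ident is None or ident[0] != "action":
        return None
    hook = ("wp_ajax_" if logged_in else "wp_ajax_nopriv_") + ident[1]
    return hook if hook in registered_hooks else None


def outcome(req, country, whitelist, logged_in, exceptions, registered_hooks):
    """Country check first (a whitelisted country or a matching exception lets
    the request through), then the WordPress dispatch decides if anything runs."""
    if country not in whitelist and not is_excepted(req, exceptions):
        return "blocked by country"
    hook = admin_ajax_dispatch(req, logged_in, registered_hooks)
    if hook is None:
        return "passed the block, but no handler is registered for this user kind"
    return f"handled by {hook}"


if __name__ == "__main__":
    pasted_keys = set(post_keys(QUIZ_SUBMIT))        # what was pasted into the box
    print(request_identity(QUIZ_SUBMIT))             # ('action', 'tve_api_form_submit')
    print(is_excepted(QUIZ_SUBMIT, pasted_keys))     # False: keys are not the action
    print(is_excepted(QUIZ_SUBMIT, {"tve_api_form_submit"}))  # True
    hooks = {"wp_ajax_tve_api_form_submit", "wp_ajax_nopriv_tve_api_form_submit"}
    print(outcome(QUIZ_SUBMIT, "CA", {"JP"}, False, {"tve_api_form_submit"}, hooks))
```

The last call is the situation from the thread: a visitor from a non-whitelisted country submitting the quiz form. With the action name in the exception list and the plugin registering a nopriv hook, the request is handled; drop the exception and it is blocked by country; keep the exception but register only wp_ajax_tve_api_form_submit and the visitor's request passes the block yet reaches no handler, which is what "it depends on how plugin A requests the back-end from the front-end" comes down to.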

    Thread Starter abooster

    (@abooster)

    I just sent you an email with login details to a test installation
    and detailed information regarding the issue and how to replicate it.
    To replicate the issue you need to try from a **non-whitelisted** country (I had whitelisted Japan so you can login).

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi @abooster,

    The quiz plugin has a lot of queries so the text in the logs was shortened with “…” like this:

    $_POST data:
    tqb-variation-page_id,tqb-variation-variation_id,tqb-variation-user_unique,name,email,_form_type,__tcb_lg_fc,__tcb_lg_msg,_asset_group,_asset_option,_create_account,_error_message_option,_back_url,_submit_option,_use_captcha,_captcha_theme,_captcha_type,_…

So I used the Developer Tools in Chrome and I found the “action” named “tve_api_form_submit”.

    Please add “tve_api_form_submit” into “Exceptions” text box at “Admin ajax/post”. As this action would be registered only on the quiz page, it doesn’t appear at “Candidate actions” on admin dashboard.

    Thanks.

    Thread Starter abooster

    (@abooster)

    Thanks a lot!
    I also replied to your email with some ideas on how you could potentially create a premium version of your plugin.

  • The topic ‘Exceptions for ‘Admin ajax/post’’ is closed to new replies.