Support » Plugin: IP Geo Block » IP Geo Block blocks site editing under certain conditions

  • Resolved alpengreis

    (@alpengreis)


    Hello again!

    I often take the following steps to edit (different) sites in WordPress:

    1) I open my Firefox (x64) browser under Win 10 1607

    2) I log in fresh to WordPress.

    3) I navigate to the site screen …
    ip-geo-block-1

    4) I choose a site to edit in a new browser tab (middle mouse click).

    5) Then IP Geo Block blocks me with the message “forbidden”, and I can see a log entry like the following …
    ip-geo-block-2

    Now an important point: if I take a (long) break from work (I even put the computer on standby) and try again later (maybe 2 hours later or so), I no longer have this problem, which means: no problem opening additional new tabs to edit sites then!

    I can reproduce this scenario.

    I have the following relevant IP Geo Block settings:

    Response code = 403
    Validation target settings = all activated, incl. ZEP

    Why does this happen? Could it be that active connections (after a fresh login to WP) are the reason, or cache things, or …?

    Thank you in advance!

    Best regards.
    Alpengreis

    PS: I use the current release of IP Geo Block

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi alpengreis,

    Thank you for reporting this issue. Unfortunately, I can’t reproduce it.

    In the 2nd image, the request looks like this: GET[443]:/wp-admin/post.php?post=2460&action=edit and there’s no &ip-geo-block-auth-nonce=xxxxxxxxxx, which is the nonce for ZEP. That’s why you got forbidden.

    … and try later (maybe 2 hours later or so), I do no more have this problem,…

    This time, I guess you could find the &ip-geo-block-auth-nonce=xxxxxxxxxx at the end of the URL you requested. I’m not sure why the behaviors for the 1st time and the 2nd time were different. But with my Firefox (48.0.2 on OS X 10.9.5), there’s a case where no nonce is attached when I click a link with the right side of the mouse (middle mouse click on Win) to open it in a new tab.

    A nonce for ZEP is attached at the end of the link whenever JavaScript catches a click event. And I guess there may be some reason this mechanism would not work. I should identify whether this issue depends on the browser or the platform (Win or Mac).

    So I would appreciate it if you could try another browser like Chrome or IE.

    Thanks.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    PS: In general, a nonce is a secret string that is valid only once for a person who views a certain page. WP-ZEP uses a WordPress nonce, which is almost the same but has a limited lifetime (24 hours by default).


    Hello tokkonopapa

    First, thank you VERY much for your detailed answer!

    By the way: I found out that I can’t ALWAYS reproduce this. Maybe it has to do (also) with browser add-ons like uMatrix or uBlock Origin, which I use.

    However: I now understand the technical background, and so it’s no longer a big thing for me.

    I can’t easily switch to another browser at this moment, but I would say it’s not necessary anyway, since I know a workaround for this behaviour. So if I open another site overview, I can use the edit page function from there without a new tab and have no problems.

    If you can find out more or can even change something in the mechanism, it would be good of course; if not, I see this behaviour as “by design” (after your explanation I would say it’s even much more a (WP) nonce thing than a thing with your plugin).

    Summary: no showstopper to using your great plugin, and I close the thread here now (I hope this is okay for you too).

    Have a good time!
    Alpengreis

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi alpengreis,

    Thank you for your kind words and for closing this thread. I’ll keep the issue in mind so as to solve it in the future.

    Here, I’d like to let you know my design concept for WP-ZEP. If you’re interested in the question “Why should an admin be blocked?”, please read the following.

    Let’s assume that an attacker made a malicious page that has a link to attack a vulnerable plugin or theme on your site.

    +-- A malicious page --+
    |                      |
    |[click me]            |
    |                      |
    +----------------------+

    And unfortunately, when you click the link (led there by email or something) and jump to your site, you would have a serious situation (e.g. your username and password are stolen, or a new user would be created for the attacker) even when you’re logged in as an admin (and rather for this reason).

    +-- Your admin page ---+
    |                      |
    |OMG! Got hacked!!     |
    |                      |
    +----------------------+

    This type of attack is called “Cross-Site Request Forgery” and is combined with other types of attack. In this case, admin authentication can’t help prevent it because you’re logged in as an admin! And this could also happen when a malicious link is placed in the comment field of your site and is covered by some shortlink service.

    So a nonce is applied in order to prevent CSRF. It can verify whether or not you’re viewing the certain page when you click the link.

    Thus, adding a nonce and the Referrer Suppressor (which can suppress an accidental leak of any nonce from the admin page) are the basic and important mechanisms for WP-ZEP to protect against not only CSRF but also other types of attack.

    I hope this helps your understanding.

    Thank you for reading this to the end!

    Hi tokkonopapa

    I always appreciate more info.

    Very interesting, and indeed I now understand better what goes on behind the scenes.

    So, thank you very much!

  • The topic ‘IP Geo Block blocks site editing under certain conditions’ is closed to new replies.