By socrates.awmn on
SOS I need your help!
I have a similar problem to the one described at http://drupal.org/node/201513.
Every time I try to change user permissions by clicking the "Save permissions" button, my browser redirects me to the disney website.
What can I do to get rid of it and be sure that my site is safe?
current drupal version: 6.4
Comments
Wrong Title!
Sorry!
Clicking "Save blocks" button on "User Permissions" page takes me to disney website, has a hacker attacked my site?
must be replaced by...
Clicking "Save permissions" button on "User Permissions" page takes me to disney website, has a hacker attacked my site?
Presumably you have checked out the suggestions in the topic you posted http://drupal.org/node/201513?
Also check the page source on the permissions page for "disney". And you could check the reports at admin/logs/hits (if statistics.module is enabled and configured) and the web server access log to see if the form submission is reaching your site/server (in which case the redirect could be happening during processing of the form submission), or going straight to disney.
Do other parts of the site seem to work OK?
gpk
----
www.alexoria.co.uk
so far I have tried...
- Accessing my site by using different browsers
- Accessing my site from a 'clean' computer and a different internet connection/dns
- Replacing the index.php file with a fresh download of index.php
- Checking the source code of Submit form buttons
- Thorough grep for any suspicious word in the files of the site
- Thorough check of logs in /admin/reports/hits
- I have also installed firebug to ff but I cannot find a way to use it effectively
Every other part of the site seems to be working OK
Any other ideas?
>Checking the source code of Submit form buttons
You need to check the whole page source... e.g. it could be the defined form "action" that is modified ... though your grepping (grep -r ??) of the Drupal source might have picked this up...
Check your Apache access log ... you should be able to see the form POST, something like
... POST /admin/user/permissions HTTP/1.1" 302 - "http://example.com/admin/user/permissions"
immediately followed (perhaps a second later) by a GET of the same URL
GET /admin/user/permissions HTTP/1.1" 200 42276 "http://example.com/admin/user/permissions"
Both of these should also feature in the access log. If not then that might point to where the problem is ...
I'm not sure either how to use Firebug to check for handlers added to the submit button. However you can use it to check for added JS files (use the Script tab) and also you can check the page source for added JS.
gpk
----
www.alexoria.co.uk
No result
First of all thank you for your replies!
Apache logs are OK and I have both POST and GET entries.
The grep command was (grep -ir "disney" .) and it was executed on the website root directory with no results.
Maybe it is something that has to do with the database of the site (mysql). If I find something I'll let you know!
Thanks again!
>The grep command
Well I suppose it's fairly easy to construct disney from dis and ney...
>Maybe it is something that has to do with the database of the site (mysql)
It could perhaps be PHP code in a block or ?? possibly a node. Do you have PHP module enabled?
Also you could try disabling all modules except the core required ones.
And you could try a fresh (multisite) install using the same codebase to see whether it exhibits the same behaviour.
All very odd. Do the permissions actually get updated before you are redirected?
gpk
----
www.alexoria.co.uk
Finally solved!
I wasn't able to figure out what the problem was until this morning.
I decided to reinstall everything from scratch and I noticed that I could reproduce the problem even with a fresh damn clean installation (Drupal 6.5) and a new database. Surprisingly, the reason behind the “Disney” redirection wasn't a malicious attack on the server but the default action of Suhosin, a PHP5 module which works as a filter for blacklisted functions or illegal arguments.
Changing some parameters solved the problem!
Thanks for the help!
Glad you got to the bottom of it :)
Why on earth does it redirect you to Disney though? Sounds pretty daft!
I imagine it was the suhosin.post.max_vars that got you. Out of interest, what was the default value?
gpk
----
www.alexoria.co.uk
default values
I have replaced 100 with 500 in both cases, and no more "Disney" on my screen :)
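An added example, not part of the original thread: a Python script that counts how many fields a saved page's forms would POST, to compare against the limit gpk names (suhosin.post.max_vars) and the 100 and 500 values mentioned above. The sample page and its field names are constructed, and treating each submitted field as one counted variable is an assumption.

```python
from html.parser import HTMLParser

class FormVarCounter(HTMLParser):
    """Counts the fields a browser would POST for the forms in a page."""
    def __init__(self):
        super().__init__()
        self.current = 0  # fields sent with the boxes ticked as they are now
        self.worst = 0    # fields sent if every checkbox were ticked

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        if "name" not in a or "disabled" in a:
            return  # unnamed or disabled controls are never submitted
        kind = (a.get("type") or "text").lower() if tag == "input" else tag
        if kind in ("button", "reset"):
            return
        ticked = "checked" in a
        if kind == "radio" and not ticked:
            return  # a radio group sends only its ticked member
        self.worst += 1
        if kind == "checkbox" and not ticked:
            return  # unticked checkboxes are left out of the request
        self.current += 1

def count_post_vars(html):  # returns (current, worst_case)
    parser = FormVarCounter()
    parser.feed(html)
    parser.close()
    return parser.current, parser.worst

def exceeds(html, max_vars):
    """True if a fully ticked form would send more than max_vars fields."""
    return count_post_vars(html)[1] > max_vars

def sample_permissions_page(roles=3, perms=40, ticked_roles=1):
    """Constructed sample: one checkbox per role/permission pair."""
    boxes = "".join(
        '<input type="checkbox" name="%d[perm %d]" value="1"%s />'
        % (r, p, ' checked="checked"' if r <= ticked_roles else "")
        for r in range(1, roles + 1) for p in range(perms))
    extra = ('<input type="hidden" name="form_id" value="x" />'
             '<input type="hidden" name="form_token" value="x" />'
             '<input type="submit" name="op" value="Save permissions" />')
    return '<form method="post" action="/admin/user/permissions">%s%s</form>' % (boxes, extra)

if __name__ == "__main__":
    page = sample_permissions_page()
    for limit in (100, 500):  # the two values mentioned in the thread
        print(limit, count_post_vars(page), "over limit:", exceeds(page, limit))
```

Because unticked checkboxes are not submitted, the same form can pass or fail the limit depending on how many boxes are ticked, so the worst-case count is the one to compare.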
Looks like the redirect to disney is a specific example suhosin gives of how to configure the action to take when the max_vars limit is exceeded. I guess they didn't actually intend anyone to implement that specific rule!
gpk
----
www.alexoria.co.uk