WebsiteBaker Community Forum
WebsiteBaker Support (2.13.x) => Modules => Topic started by: RonR on February 24, 2025, 05:06:53 PM
-
Just upgraded WB from 2.13.5 r220 to 2.13.6 r237. Working on PHP 8.1.
Have a problem with the guestbook version 2.10.4.
I thought I tested it well, but it seems it is only working with me being logged in as an admin.
When not logged in (just like my guests), I get the sign-guestbook page (guestbook/gstbk_add.php), but when I hit the add button it redirects me directly to mysite/pages/, which is a forbidden page (403), without entering anything in the guestbook.
As logged-in user I can add to the guestbook and return to the guestbook page, all goes well.
Also the delete-entries-button in the admin does not seem to work.
Any idea what could go wrong?
Greetz, Ron
-
Hi, I cannot confirm this. It works as expected, even as a visitor who is not logged in.
But the captcha does not work for me, it is always wrong.
And it is not possible to delete an entry (jquery.insert is not a function).
-
Any idea what could go wrong?
The redirect to the start page or homepage in the frontend(!) comes if the section ID or page ID is not part of the add link, see example
..... /modules/guestbook/gstbk_add.php?sid=20&pid=18&add=37
There is no switch that checks the login status.
In the first step, it checks the section ID and page ID (marked green and blue in my example link).
In the second, it looks at your ASP settings (see AdminTools -> Captcha-Settings) and checks the add-ID (marked red). If ASP is enabled, it checks this add-ID against a session variable added by the view.php of the guestbook module. That also means: this link can only work on a page with the guestbook view.php.
If the session variable is missing or the submitted ID is wrong, it sets a redirect to the start page.
In the last step, it reads the data for this page ID and this section ID.
If there is no result, it redirects to the start page.
but the captcha does not work for me, it is always wrong.
fixed in v2.10.5 in attachment
-
Ok, I managed to establish that it is not connected to being logged on or not.
I am seeing: gstbk_add.php?sid=22&pid=22&add=13
so all the parts are there.
Admin Tools ASP enabled, but module settings verification disabled, because there is a built-in honeypot (nixhier) (besides; the captcha is always wrong.)
It just sometimes fails randomly, a second or third try will work, but that is not an ideal situation.
Do not know what could be wrong.
Any idea when 2.10.5 will be released?
-
Did I forget to attach the zip? Sorry!! See attachment - now :roll: :roll: :roll:
AdminComment: remove the attached ZIP, see newer version
-
Captcha is working (Y)
You could change the exit in gstbk_save.php (and other) from
// jump back to guestbook
exit(header("Location: $link"));
to
// jump back to guestbook
header("Location: $link");
exit();
to avoid deprecated message in errorlog
-
Thanks!!
changes in v2.10.6
- remove included own jquery from backend.js, produce issues in conflict with jquery from WB
+ change all header:location-calls to a newer method (prepared for PHP 8.4)
-
Thank you for the new version!
I installed it, but took out the smileys and the homepage, which I do not use.
Also I made pagination for the backend entries, because over 2000 entries took too long to load the backend page.
Still had the 403 to /pages/ sometimes, but I noticed this happened only on Chrome and Firefox browser. Edge and Duckduckgo were fine, as far as I tested.
I then enabled Captcha, which seems to end the problem.
Thanks DBS and Sternchen8875!
-
Thanks for the feedback,
a pagination for the backend is certainly a good idea. Maybe you could provide us with the files, that would save some time
Still had the 403 to /pages/ sometimes
pls give more details
you have it only, when you add a new entry or also in more actions?
-
Happy to share, i just copied the code from the frontend to backend.
The 403 to /pages/ happens on the frontend, after filling in the form to add an entry, when you hit the submit button. It then takes you to a 403 to /pages/ and does not register the entry.
The bug is not gone completely and it happens very randomly.
-
Thanks (Y) (Y)
-
We are currently testing on 5-6 domains simultaneously, but cannot reproduce anywhere what happens with this 403. The 403 appears in three possible cases
#1 - if section ID or page ID were not transferred
#2 - if ASP is activated and the add value was not transferred and this value does not match the value transferred in the session
#3 - if the data for the page with the guestbook was not found in the DB
My favourite would be #2, because the rest would be verifiable by us and is also visible. Incidentally, the links set in the pages directory have always been incorrect. It may be, that it was possible in earlier WB versions, but at least since WB 2.10 this is no longer possible. If you feel like testing, you could set different headers (location) for each of these three variants, which then also have a reachable target. This can also be a hidden page or three different target pages
However, to prevent the 403, these three targets should be changed in the file gstbk_add.php
original in v2.10.6
header('Location: '.WB_URL.PAGES_DIRECTORY); exit();
change to
header('Location: '.WB_URL.'/index.php'); exit();
-
Thanks for your help.
What would be the recommended setting for Store $_SERVER-Array: in the settings section of the module?
I changed all 3 header locations, as suggested, but I still get a 403 now and then.
I think it must be something outside the module then? WebsiteBaker itself?
My website is up and running since 2010, and updated now and then for new versions, could there be a setting i forgot to add when updating?
Greetz, Ron
-
Sometimes I get 403 forbidden from my server (mode_security). In this case I have to add the number of this process to the whitelist.
But this will not be the reason in your case, I think.
Can you check the permissions of your files and folders?
I attach the file (for the root directory)
-
permissions fixed, but problem still exists.. :cry:
-
What would be the recommended setting for Store $_SERVER-Array: in the settings section of the module?
If this option is activated, the guestbook saves the complete $_SERVER array, a lot of data. Here is a list of all indices -> https://www.php.net/manual/en/reserved.variables.server.php
Maybe some of these indices are good to know, like REMOTE_ADDR (the visitor's IP), but on the other hand you get a lot of trouble with GDPR if you store this data for a longer time.
Recommendation (from my view): don't use it.
-
Thanks, I will leave it off then,
Will continue to look for a fix for this 403.
Chrome, developer mode: Console:
Uncaught ReferenceError: WB_REL is not defined at at gstbk_add.php?sid=22&pid=22&add=42:158:17
Url says: guestbook/gstbk_add.php?sid=22&pid=22&add=42
.
Could that be a cause, and how to fix?
-
2 things here:
1. the WB_rel not defined.
2. url different than what devconsole says gstbk_add.php?sid=23&pid=23&add=64:158:17
-
to #1
comes from the file captcha.php. The job is: load fontawesome.css. We've to fix it there, has nothing to do with the guestbook module
to #2
these are line and char-number
to the problem: i think, it needs the three different target-pages like my description, so that you know, what case is it. i get this 403 only, if i click a link in my browser history, but there, i know, i have no add-ID submitted
I've never seen this error, when i click on the link "Add a new entry to the guestbook"
Build three (hidden) pages, type = wysiwyg, call them number 1, number 2, number 3, add this filename in the wysiwyg content, view these pages in the frontend, copy the link and add it as the header(Location) target in gstbk_add.php
Then try it again and you will see where you are with the error.
-
Ok, we forget the WB-REL for now.
I already changed the 3 destinations to header('Location: '.WB_URL.'/index.php'); exit();
so I should not get a 403 to /pages/ anymore.
But I still get 403's , I managed to reproduce the 403 error also on jacobi22 guestbook
Firefox devconsole: SyntaxError: Element.querySelectorAll: '*,:x' is not a valid selector
I am starting to think this is a jquery script error which stops even before a destination is handled.
Element.querySelectorAll is also one line below the WB_REL in the script.
-
But I still get 403's , I managed to reproduce the 403 error also on jacobi22 guestbook
Firefox devconsole: SyntaxError: Element.querySelectorAll: '*,:x' is not a valid selector
I am starting to think this is a jquery script error which stops even before a destination is handled.
Element.querySelectorAll is also one line below the WB_REL in the script.
sorry, but i cannot confirm this.... :|
the only way, to get the 403 is a click on a link on the browser history after i send the form to the guestbook
the problem for the missing WB_REL (and maybe some more issues in JS) is the missing definition of some variables for Javascript like this
<script>
/* inserted by register_frontend_modfile 2.13.6.237 */
var WB_URL = 'https://www.xxxxxxx.com';
var WB_REL = '';
var THEME_URL = 'https://www.xxxxxxx.com/templates/DefaultTheme';
var TEMPLATE_DIR = 'https://www.xxxxxxx.com/templates/DefaultTemplate';
var TEMPLATE = 'DefaultTemplate';
var EDITOR = 'ckeditor';
var LANGUAGE = 'DE';
</script>
You don't need register_frontend_modfiles('js'); in your frontend template, but if you need one of the JS variables defined here, you have to define it somewhere before you use it.
On my test page, I use the original DefaultTemplate; WB_URL is defined there.
-
I just deleted the WB_REL from the captcha script, the website is on the root anyway. Registered_frontend_modfiles enabled. No more errors on devconsole.
I now still have 403's to /pages/, when hitting the submit button, but they have become fewer in number now:
it used to be 1 on +/- 8 entries
now 1 on +/- 20 entries.
Not fixed but better.
-
So, the 403 error comes from the file gstbk_save.php line 90 or line 152
respectively this code
header('Location: '.WB_URL.PAGES_DIRECTORY);
replace with
header('Location: '.WB_URL.'/index.php');
In the area around line 90 in gstbk_save, the content sent by the form is checked for the basic values, i.e. section ID, page ID, the "name" field and the text field for content, as well as a honeypot field to see whether it has been sent. If there are problems here, it cancels and redirects to the start page.
In the area around line 150, the fields sent by POST and the session data are checked, including a time check.
If the time between opening the form and submitting it is less than 10 seconds, the script suspects a bot and redirects to the start page (or in the old script still to the pages directory, which then generates the 403).
Now I can imagine that it could be sent faster than 10 seconds, especially in testing, but only you can know that.
3 values are set in the mod_captcha database table, but these cannot be changed in the WB admin area using the form (AdminTools -> CaptchaControl).
'asp_session_min_age'=>'20', // use in News-module for comments
'asp_view_min_age'=>'10', // use in guestbook, gstbk_save.php
'asp_input_min_age'=>'5', // use in News in News-module for comments
You could try to set a different, shorter value in the database, e.g. 5 or in the file gstbk_save.php in line 142 this line here
(!isset($_SESSION['comes_from_view_gb_time']) OR $_SESSION['comes_from_view_gb_time'] > $t-ASP_VIEW_MIN_AGE) OR // user is too fast (10sec)
replace with
(!isset($_SESSION['comes_from_view_gb_time']) OR $_SESSION['comes_from_view_gb_time'] > $t-ASP_INPUT_MIN_AGE) OR // user is too fast (5 Sec)
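
The checks discussed in this thread (section/page ID, add-ID against the session, minimum time between viewing and submitting), sketched as an added example that is not the guestbook module's code and not part of the original post. The function name, the `gb_add_id` session key and the reason codes are assumptions; each rejection returns a distinct reason, so a too-fast submit (for example browser autofill) can be told apart from a missing ID in the error log instead of every case ending in the same redirect.

```php
<?php
// Added example, not the module's code. gb_check_submission(), the 'gb_add_id'
// session key and the reason codes are assumptions made for illustration.
const MIN_AGE_SECONDS = 10; // same value as asp_view_min_age quoted above

// Returns null if the submission passes, otherwise a reason code to log.
// $session stands in for $_SESSION, $query for $_GET.
function gb_check_submission(array $session, array $query, int $now,
                             int $minAge = MIN_AGE_SECONDS): ?string
{
    // Section ID and page ID must both be present and positive integers.
    foreach (['sid', 'pid'] as $key) {
        $value = (string)($query[$key] ?? '');
        if (!ctype_digit($value) || (int)$value < 1) {
            return "bad_$key";
        }
    }
    // The add-ID must match the value stored when the guestbook was viewed.
    $expected = (string)($session['gb_add_id'] ?? '');
    $given    = (string)($query['add'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'add_id_mismatch';
    }
    // Time trap: reject if the form was opened less than $minAge seconds ago.
    if (!isset($session['comes_from_view_gb_time'])) {
        return 'no_view_timestamp';
    }
    $age = $now - (int)$session['comes_from_view_gb_time'];
    if ($age < $minAge) {
        return "too_fast_{$age}s";
    }
    return null;
}

// Constructed sample data: the guestbook page was viewed at t=1000.
$session = ['gb_add_id' => '42', 'comes_from_view_gb_time' => 1000];
$cases = [
    'autofill, submit after 4s' => [['sid' => '22', 'pid' => '22', 'add' => '42'], 1004],
    'typed, submit after 35s'   => [['sid' => '22', 'pid' => '22', 'add' => '42'], 1035],
    'history link, stale add'   => [['sid' => '22', 'pid' => '22', 'add' => '13'], 1035],
    'page ID missing'           => [['sid' => '22', 'add' => '42'], 1035],
];
foreach ($cases as $label => [$query, $now]) {
    $reason = gb_check_submission($session, $query, $now);
    // In a real handler, error_log() the reason before sending the redirect.
    echo str_pad($label, 28), $reason ?? 'accepted', PHP_EOL;
}
```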
-
Solved! I am happy! Thanks for your help!
I was not aware there was a timer active for the ASP, that explains when testing I get 403's, because quickly using autofill.
You are a hero! Keep up the good work!
Greetz, Ron.
-
Honestly now or are you just fed up ;-)
Tell me, which timer setting did you use? I'll incorporate that into a new version
-
I changed the code to use the 5 seconds of $t-ASP_INPUT_MIN_AGE, like the line above you wrote.
Changing the database setting was a bit too difficult in phpmyadmin ( did not see a modify button), so changing the line of code was the easy fix for me.
Never thought there was a timer active, so indeed I feel a bit silly. Never mind, I will grow over it.
And I learned the hard way, but learned nevertheless. :-D
Thanks for your patience. (Y)
Greetz, Ron.
-
Thanks for your patience. (Y)
Same for you!
I'll incorporate it into a new version
-
a repaired version v2.10.7 is now online -> https://addon.WebsiteBaker.org/en/browse-add-ons/?id=0601F521
Thank you for your patience during testing (Y)