Breach Notice: Resolving Violations of the Identifying Users Policy

by foc_in_gaura, Last updated on 4 years ago in Security Issues & Announcements - 8
As the title says, Google warned me that my site is vulnerable.

Look at this page to see what it is about. https://support.google.com/adsense/an...3366?hl=en

In the email they sent me, they say that the files:
login.php
lostpassword.php
register.php
are the problem.

I removed the ads from those pages. I disabled email confirmation (so it won't appear in the activation link).

They recommend using a slug for every email address.

Please, it's urgent, I have a deadline until 13.06.2015.

Thanks!
I'm pretty sure those web pages aren't violating user policies.

I cannot offer a solution as there doesn't seem to be a problem with those pages.

An example of a breach:

thewebsite.com/contact.php?email=true&from=example@example.com

PHP-Fusion uses POST on those pages and no private information is being passed via GET.

Quote from Google:
I believe I was contacted in error. Please re-review my account.
If you believe that you were contacted in error, please select this status. In this case, the policy team will conduct a re-review of your account and send you a follow-up message. Learn more about false positives.
Need help? Having trouble?
» View our Documentation for guides, functions and more - including the Getting Started section!
» Attach Log Files and Screenshots when reporting issues
» My support days are usually Mon-Thurs. Send me a PM if urgent.
In those pages, the GET method was used. I replaced every word GET with POST in those files, and it seems to work OK, but I'm afraid that my account will be suspended. IDK if that is a solution, but now I'm hanging on every method.

Another problem is that even though I restricted Google ads on those pages (register, login and lostpassword), on links like this (test), the ads are still shown.

Why?
The claim that your site would be vulnerable through these files should be just plain wrong;
we would be swimming in hack reports by now if there were any truth to it.
Follow NetriX's tip to request a re-evaluation from someone that has a better understanding and just don't go by POST / GET variables.

If you exclude correctly, the panel should be excluded; always exclude with a leading slash, like
/lostpassword.php
/login.php
etc.
Need help?, Having trouble?
• View our Documentation for Guides, Standards and Functions
• Name and Organize your content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Please read and comply with the Code of Conduct

(¯`·._.·(¯`°·._.·°º*[ Project Manager ]*º°·._.·°´¯)·._.·´¯)
It's not totally wrong from them.

I attached a printscreen with the type of link that is generated for recovering a password. The problem is the email in that link, which Google thinks is not OK for privacy. It's against their rules.

gpszone.ro/infusions/image_hosting/thumbs/4d2cc2e52c4814e9a370d19f388c57c8.jpg

It wouldn't be a big problem, but the restriction for /lostpassword.php is not working when it is followed by the rest of the link (as in the printscreen).

The solution for my problem would be to alter the lostpassword link using .htaccess, replacing the email address with a slug.
A second solution would be to be able to restrict the ad panels on all password recovery pages.

Please help, it's urgent!
Just restrict the content in the panel then..

if (!preg_match('/lostpassword\.php/i', $_SERVER['PHP_SELF'])) {
    // Panel content: rendered only when the current script is not lostpassword.php
}
That worked. Thanks.

If Google still sees that my website has issues, will there be a solution to remove/replace the email in that type of link?
If no ads are being served on restricted pages, I see no cause for concern.

There is always an option to remove, although manual programming is required.
OK, I hope that Google will let me do my work :).
Sorry for the double post, but I have another request.

How can I make this code work on pages with an account activation link?

if (!preg_match('/lostpassword\.php/i', $_SERVER['PHP_SELF'])) {
    // Panel content
}

You just select which file to exclude by its filename; it should not make any difference whether it is an activation link or not.
Yes, but I want to use both lostpassword.php and register.php. Thanks!
Something like

if (!preg_match('/lostpassword\.php/i', $_SERVER['PHP_SELF']) && !preg_match('/register\.php/i', $_SERVER['PHP_SELF'])) {
    // Content: shown only when the current script is neither lostpassword.php nor register.php.
    // The two checks must be joined with && (with || the condition is always true and the panel is never hidden).
}
Thanks! Great support!
Not happy to announce it, but I still have the problem (idk why).

Look at this sample file with the information which they say is not OK.

Please help me do something to prevent my Google AdSense account from being closed.

Number of domains: 1

Domain: gpszone.ro has 3 unique url(s).

Url group: gpszone.ro/login.php
Found 880 time(s) or 0.26027802 of the total records
Url sample: http://gpszone.ro/login.php?error=1
Record sample: GET /pagead/ads?client=ca-pub-425659606811xxxx&format=897x90&output=html&h=90&slotname=8083039864&adk=3833793710&w=897&lmt=1432450367&flash=14.0.0&url=http%3A%2F%2Fgpszone.ro%2Flogin.php%3Ferror%3D1%26redirect%3D%252Flostpassword.php%253Fuser_email%253Dredacted@example.com%2526account%253D2d3b566c3c6b376d1cd05c6112edcda95e17435360cfb2fde2e52d84b2d0c1c8&resp_fmts=3&dt=1432461164558&bpp=78&bdt=2075&shv=r20150519&cbv=r20150521&saldr=aa&prev_fmts=300x600&correlator=2838445221889&frm=20&ga_vid=*&ga_sid=*&ga_hid=*&ga_fc=1&u_tz=180&u_his=2&u_java=1&u_h=800&u_w=1280&u_ah=760&u_aw=1280&u_cd=24&u_nplug=15&u_nmime=127&dff=gotham&dfs=15&adx=38&ady=185&biw=1263&bih=699&eid=575144603%2C317150304&oid=3&rx=0&eae=0&fc=24&brdim=0%2C0%2C0%2C0%2C1280%2C0%2C1280%2C760%2C1280%2C699&vis=1&rsz=%7C%7C%7C&abl=CS&ppjl=f&fu=128&bc=1&ifi=2&xpc=yzNczbA286&p=http%3A//gpszone.ro&dtd=3152 HTTP/1.1
Most recent time: 2015-05-31 06:51:40 UTC

Url group: gpszone.ro/lostpassword.php
Found 1710 time(s) or 0.50576752 of the total records
Url sample: http://gpszone.ro/lostpassword.php?user_email=redacted@example.com
Record sample: GET /pagead/ads?client=ca-pub-425659606811xxxx&format=1200x90_as&output=html&h=90&slotname=8083039864&adk=1326996234&w=1200&lmt=1432463347&flash=17.0.0&url=http%3A%2F%2Fgpszone.ro%2Flostpassword.php%3Fuser_email%3Dredacted@example.com%26account%3D4343c88f6e45283cbf2e286f30acd462&resp_fmts=3&dt=1432463346956&bpp=787&bdt=74&shv=r20150519&cbv=r20150521&saldr=aa&prev_fmts=300x600_as&correlator=3497196607489&frm=20&ga_vid=*&ga_sid=*&ga_hid=*&ga_fc=1&u_tz=120&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1200&u_aw=1920&u_cd=24&u_nplug=6&u_nmime=8&dff=gotham&dfs=15&adx=201&ady=185&biw=1891&bih=1094&eid=575144603%2C317150304&oid=3&rx=0&eae=0&fc=24&brdim=3%2C0%2C3%2C0%2C1920%2C0%2C1918%2C1200%2C1908%2C1094&vis=1&rsz=%7C%7C%7C&abl=CS&ppjl=f&fu=128&bc=1&ifi=2&xpc=TZoYdriEWQ&p=http%3A//gpszone.ro&dtd=830 HTTP/1.1
Most recent time: 2015-05-31 06:04:50 UTC

Url group: gpszone.ro/register.php
Found 791 time(s) or 0.23395444 of the total records
Url sample: http://gpszone.ro/register.php?email=redacted@example.com
Record sample: GET /pagead/ads?client=ca-pub-425659606811xxxx&format=300x600&output=html&h=600&slotname=6376261868&adk=1846109464&w=300&lmt=1432638103&flash=0&url=http%3A%2F%2Fgpszone.ro%2Fregister.php%3Femail%3Dredacted@example.com%26code%3Def1a91c794a464475cec40f13c74c6a83f3aff77&dt=1432648902087&bpp=49&shv=r20150519&cbv=r20150521&saldr=aa&correlator=8339459715073&frm=20&ga_vid=*&ga_sid=*&ga_hid=*&ga_fc=1&u_tz=180&u_his=1&u_java=0&u_h=1024&u_w=768&u_ah=748&u_aw=1024&u_cd=32&u_nplug=0&u_nmime=0&dff=gotham&dfs=15&adx=713&ady=191&biw=1024&bih=672&eid=575144604%2C317150304%2C828064100&oid=3&rx=0&eae=0&fc=24&brdim=0%2C0%2C0%2C0%2C1024%2C0%2C0%2C0%2C1024%2C672&vis=1&rsz=%7C%7C%7C&abl=CS&ppjl=u&srr=1&fu=16&bc=1&ifi=1&xpc=UvuD6cRqYi&p=http%3A//gpszone.ro&dtd=1127 HTTP/1.1
Most recent time: 2015-05-31 06:59:27 UTC
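The report above shows the page URL, e-mail address included, travelling to the ad server inside the url= parameter of every ad request. As an added, stand-alone audit script (not part of PHP-Fusion or of this thread), the following Python decodes record lines of that shape, including the double-encoded redirect= parameter seen in the login.php sample, and reports which scripts leak an e-mail address; the record lines and addresses are constructed samples modelled on the report.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample records shaped like the "Record sample" lines in the AdSense
# report: the ad request's url= parameter carries the page URL the ad was shown on.
# The addresses are placeholders, not real users.
RECORDS = [
    "GET /pagead/ads?client=ca-pub-xxxx&url=http%3A%2F%2Fgpszone.ro%2Flostpassword.php"
    "%3Fuser_email%3Dredacted@example.com%26account%3D4343c88f&dt=1 HTTP/1.1",
    "GET /pagead/ads?client=ca-pub-xxxx&url=http%3A%2F%2Fgpszone.ro%2Flogin.php%3Ferror%3D1"
    "%26redirect%3D%252Flostpassword.php%253Fuser_email%253Dredacted@example.com&dt=2 HTTP/1.1",
    "GET /pagead/ads?client=ca-pub-xxxx&url=http%3A%2F%2Fgpszone.ro%2Fnews.php%3Freadmore%3D12&dt=3 HTTP/1.1",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def page_url_from_record(record):
    """Return the (once-decoded) url= parameter of an ad request line, or None."""
    request_target = record.split(" ")[1]  # "/pagead/ads?client=...&url=...&dt=..."
    params = parse_qs(urlsplit(request_target).query)
    return params.get("url", [None])[0]

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding (a redirect= inside the page URL is encoded twice)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_leaked_emails(record):
    """Return (script_name, [emails]) if the page URL carries an e-mail, else None."""
    url = page_url_from_record(record)
    if url is None:
        return None
    decoded = fully_decode(url)
    emails = sorted(set(EMAIL_RE.findall(decoded)))
    if not emails:
        return None
    script_name = urlsplit(decoded).path.rsplit("/", 1)[-1]
    return script_name, emails

def audit(records):
    """Collect every record whose page URL leaks an e-mail address to the ad server."""
    return [hit for hit in map(find_leaked_emails, records) if hit]
```

Running audit(RECORDS) flags lostpassword.php and login.php (the latter only because the redirect= value is decoded a second time), while the news.php record is clean.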

You can always just turn both sides off for these areas in Settings > Main settings

Exclude Left Panels
/login.php
/register.php
/lostpassword.php

Exclude Right Panels
/login.php
/register.php
/lostpassword.php

Also, if login was included in the report, the match exclude section did not include it (it is included in the code below).

if (!preg_match('/(lostpassword|register|login)\.php/i', $_SERVER['PHP_SELF'])) {
    // Content: hidden on lostpassword.php, register.php and login.php.
    // The three filenames are combined in one alternation; joining separate negated checks with || would always be true.
}
Users who participated in discussion: Falk, NetriX, foc_in_gaura