#34844 fbclid triggers Direct File Inclusion shield (DFIShield)

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Wednesday, 21 April 2021 20:17 CDT

gregkeys

Facebook is adding ?fbclid= to the URL, which seems to trigger the Admin Tools Direct File Inclusion shield (DFIShield). This happens when sharing links from our site to Facebook and users click those links on Facebook to visit our site.

https://fbclid.com

Is there a way to leave DFIShield enabled but tell it that fbclid is allowed?

nicholas
Akeeba Staff
Manager

fbclid is a tracker parameter added there by Facebook. It does not have the form of a path and does not correspond to any file on your site so it can't trigger DFIShield (Direct File Inclusion prevention).

If you get an fbclid parameter on your site that corresponds to an existing file on your site or has the form of a path it is not legitimate (it does not come from Facebook). Someone is abusing it to attack your site and Admin Tools blocks them, as it should.

While you can circumvent this protection, it would defeat the purpose of having Admin Tools. One of the many ways Admin Tools protects you is by preventing the abuse of well-known URL parameters such as the marketing / tracking identifiers added by ad networks and social media. In other words, attackers trying to fly under the radar might use one of these well-known URL parameters with malicious content (URLs to malware or spam, files on your server, SQL injection, ...). To further muddy the waters they'd use the same User Agent as the legitimate site but with an IP address which does NOT belong to the legitimate site.

Also remember that one of the typical ways malicious actors would harvest potential target URLs is, of course, by what is being shared on social media. That's their second most used source. The first most frequently used source is web search results.

So, how sure are you that the fbclid that is getting blocked is legitimately coming from Facebook and not, in fact, an actual attack on your site?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

gregkeys

Well, this happened when I was testing sharing links on Facebook. It blocked me, so I'm pretty sure it's not a hacker. Turning off DFIShield seemed to fix the issue. I'm not sure if that is what really fixed it, but Admin Tools no longer blocks me when clicking links from Facebook back to our site.

nicholas
Akeeba Staff
Manager

Tell me what exactly the Target URL you see is. Last I checked, fbclid was an alphanumeric identifier and social sharing worked on all my sites. I am wondering if there was something else in the same URL which was being blocked, which means that fbclid is just a red herring.

Nicholas K. Dionysopoulos


gregkeys

https://anara.farm/community/957-hisgraceacres?fbclid=IwAR0UUe8ayilqGnIR_bEZTjCX2ZmP13F8WC0nGCtT3UPkdOFg_sVCpGA0K0Q
I think you might be right, it might be a red herring. I haven't been able to replicate it since the first time it occurred. I'll report back if it does happen again.

nicholas
Akeeba Staff
Manager

The format of the fbclid is indeed what I read in Facebook's documentation and doesn't trigger the DFIShield. I think the URL you were trying with Facebook may have contained a parameter like something=/ which would trigger DFIShield (a single forward slash is the root of the server's disk).

If it happens again please tell me what the Target URL is so we can help you further.

Nicholas K. Dionysopoulos

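The two criteria Nicholas describes in this thread (a value that "has the form of a path", such as the bare `/` in `something=/`, or one that "corresponds to an existing file on your site") can be illustrated with a small query-string inspector. The code below is an added example written for this page; it is not Admin Tools' own DFIShield implementation, whose exact rules are not published here. The list of site files, the example URLs other than the one posted in the ticket, and the `[A-Za-z0-9_-]{20,}` shape assumed for a Facebook click identifier are all constructed assumptions. It also shows the "red herring" case from the later posts: a URL carrying a legitimate fbclid alongside a second parameter whose value is `/` is flagged because of the second parameter, not the fbclid.

```python
import os
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-in for the site's document root listing. In a real check
# you would replace default_exists() with os.path.isfile() against the web root.
SAMPLE_SITE_FILES = {
    "index.php",
    "configuration.php",
    "administrator/index.php",
    "images/logo.png",
}

# Assumed shape of a Facebook click identifier: a long URL-safe token such as
# the one in the ticket (IwAR0UUe8...). This pattern is an assumption for the
# example, not Facebook's published specification.
FBCLID_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")

# ".." as a whole path component, at the start, in the middle or at the end.
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def default_exists(relative_path: str) -> bool:
    """Does relative_path name a file under the (constructed) web root?"""
    return relative_path in SAMPLE_SITE_FILES


def path_like_reason(value: str) -> Optional[str]:
    """Return why a query value has the form of a filesystem path, or None."""
    if value == "/":
        return "bare forward slash (server root)"
    if value.startswith(("/", "\\")):
        return "absolute path"
    if TRAVERSAL_RE.search(value):
        return "directory traversal"
    if "/" in value or "\\" in value:
        return "relative path"
    return None


def inspect_query(
    url: str, exists: Callable[[str], bool] = default_exists
) -> List[Tuple[str, str]]:
    """Inspect every query parameter of url.

    Returns (parameter name, reason) pairs for values that either look like a
    path or name an existing file under the web root; an empty list means
    nothing in the query string resembles a file inclusion attempt.
    parse_qsl percent-decodes values, so ?x=%2F is inspected as "/".
    """
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        reason = path_like_reason(value)
        if reason is None and value:
            # Separator-free values can still name a file in the web root,
            # e.g. ?fbclid=configuration.php; normalise "./x" to "x" first.
            candidate = os.path.normpath(value)
            if exists(candidate):
                reason = f"names existing file {candidate}"
        if reason is not None:
            findings.append((name, reason))
    return findings


def is_legitimate_fbclid(value: str) -> bool:
    """True when value matches the assumed shape of a Facebook click id."""
    return FBCLID_RE.fullmatch(value) is not None


if __name__ == "__main__":
    samples = [  # constructed URLs; the first is the one posted in the ticket
        "https://anara.farm/community/957-hisgraceacres?fbclid=IwAR0UUe8ayilqGnIR_bEZTjCX2ZmP13F8WC0nGCtT3UPkdOFg_sVCpGA0K0Q",
        "https://example.invalid/?something=/",
        "https://example.invalid/?fbclid=IwAR0UUe8ayilqGnIR_bEZTjCX2ZmP13F8WC0nGCtT3UPkdOFg_sVCpGA0K0Q&next=/",
        "https://example.invalid/?fbclid=../../configuration.php",
        "https://example.invalid/?fbclid=configuration.php",
    ]
    for sample in samples:
        verdict = inspect_query(sample) or "allowed"
        print(f"{sample}\n  -> {verdict}")
```

Run stand-alone, the script prints "allowed" for the ticket's own URL and lists the offending parameter for the others. When a block fires on a shared link, the parameter named in the finding is what to look at; a genuine fbclid has no path separators and matches no file on disk, so it never appears there.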

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
