XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. XOOPS general usage questions 
  4.  / Firewall problems and XOOPS_DB_CHKREF
Register
1
petzan
Firewall problems and XOOPS_DB_CHKREF

  • 2003/12/4 17:01

  • petzan

  • Just popping in

  • Posts: 11

  • Since: 2003/11/19


Hi!
I think it is a bit anoying that I have to inform my visitors how to setup their firewall. So I found this change in a post.
But my qestion is, what harm could be done to my site if I make the change?


in include/common.php
change

if (!defined('XOOPS_XMLRPC')) { define('XOOPS_DB_CHKREF', 1);} else { define('XOOPS_DB_CHKREF', 0);}

to


define('XOOPS_DB_CHKREF', 0);

As sugested in
https://xoops.org/modules/newbb/viewtopic.php?topic_id=6594&forum=20
2
CBlue
Re: Firewall problems and XOOPS_DB_CHKREF

The webmaster of this site posted the solution in that post you added. So I would think that it would be safe as long as you trust your visitors as he said.
3
petzan
Re: Firewall problems and XOOPS_DB_CHKREF

  • 2003/12/4 17:19

  • petzan

  • Just popping in

  • Posts: 11

  • Since: 2003/11/19


But, if my site is on internet I can not trust all visitors. So could this change make it possible for anonymous (not logged in) users to harm my site?
4
CBlue
Re: Firewall problems and XOOPS_DB_CHKREF

You will have to ask the webmaster who posted that fix. Personally, I see no problem with users configuring their firewalls to work right with my site. I've had no users complain about it and I use a firewall myself.
5
Mithrandir
Re: Firewall problems and XOOPS_DB_CHKREF

Quote:

petzan wrote:
But, if my site is on internet I can not trust all visitors. So could this change make it possible for anonymous (not logged in) users to harm my site?

anonymous or logged in - they both have to live under the same rules regarding the database.

The Referrer-check checks if form requests came from the webserver. If you disable the check, you cannot be certain that visitors aren't making their own versions of forms and send them via the POST method. This could leave your site open for e.g. SQL injection from custom made forms.

I use a custom form for accessing an email account - which makes life easier for me, but it might be possible to exploit that (I just don't)
6
petzan
Re: Firewall problems and XOOPS_DB_CHKREF

  • 2003/12/4 19:08

  • petzan

  • Just popping in

  • Posts: 11

  • Since: 2003/11/19


Thanx for your reply, so it could be a bit dangerous to make the change. I will try to convince my users to disable their firewalls.

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

309 user(s) are online (189 user(s) are browsing Support Forums)

Members: 0

Guests: 309

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits