XOOPS 
Faq
HOW TO USE A XOOPS WEBSITE ALL ABOUT XOOPS ADMINISTRATING AND BUILDING A XOOPS WEBSITE DEVELOPMENT AND CUSTOMISATION
SmartFAQ is developed by The SmartFactory (https://www.smartfactory.ca), a division of InBox Solutions (https://www.inboxsolutions.net)

How do you disable the check for referrer information?
If you have users on your own site who cannot post in forums or add other information to the site due to their firewall or some other software that is blocking the referrer information, then you may want to turn off the referrer check in the XOOPS code.

For more info about the referrer information problem, check out this question:

https://xoops.org/modules/smartfaq/faq.php?faqid=9

[There is a comment with detailed instructions for fixing the problem from the firewall end, but that requires all your users with the problem to successfully follow those steps, which chances are they will not all do, hence the need to be able to turn off the check in your XOOPS site.]

To turn off the referrer check, add a line to the function xoops_refcheck() in include/functions.php file, around line 137:

function xoops_refcheck($docheck=1)
{
   [color=ff0000]return true;#*#DISABLE_REFERER_CHECK#[/color]
   $ref xoops_getenv('HTTP_REFERER');
   if ($docheck == 0) {
      return true;
   }
   if ($ref == '') {
      return false;
   }
   if (strpos($refXOOPS_URL) !== ) {
      return false;
   }
   return true;
}


This information applies to XOOPS 2.0.7, and possibly earlier and later versions too. (Hopefully a system configuration option will be added in the future to turn this off without a hack).

Thanks to Mithrandir for this information, found in his post in the following thread:

https://xoops.org/modules/newbb/viewtopic.php?topic_id=25989

15 Comment(s) Print Q&A Send Q&A

The comments are owned by the author. We aren't responsible for their content.
user

 this FAQ is too dangerous, isn't this?

 Olorin   Published 12/23/2004 13:29   Updated 03/15/2005 16:20   Just popping in   Joined 07/05/2003   Comments 50    

Well, I'm not a professional. But, as far as I know, it is very risky to disable "referrer-check" because turning off the check makes the web sites more vulnerable to CSRF attacks.

function xoops_refcheck($docheck=1)
{
$ref xoops_getenv('HTTP_REFERER');
if ($docheck == 0) {
return true;
}
if ($ref == '') {
[d]return false;[/d]//the very original
[b][color=ff0000]return [u]true[/u];[/color][/b]//hacked code
}
if (strpos($refXOOPS_URL) !== ) {
return false;
}
return true;
}


Instead, the code above is rather safer than the one on FAQ. Bear in mind, ALL the webmaster MUST turn on "referrer" so as to protect your site.

Last but not least, all the thanks goes to GIJOE since this hack is originally introduced by him.

EDITED:
Well...the original code returns "FALSE" when referrer information is empty. On the other hand, the hacked code returns "TRUE". As a result, it disables referrer-check for those who doesn't send referrer.

So this hack in introduced for the convenience of USERS who don't know what referrer is and what their firewall does.

 
user

 Re: this FAQ is too dangerous, isn't this?

 Mithrandir   Published 12/23/2004 15:20   XOOPS is my life!   Joined 06/21/2003   Comments 6320    

Thanks, updated

 
user

 Re: this FAQ is too dangerous, isn't this?

 jegelstaff   Published 01/04/2005 19:30   Updated 01/04/2005 19:36   Module Developer   Joined 07/02/2004   Comments 518    

With the code changed, the text doesn't make complete sense, since you don't just add return true; at the same point. Could a mod change the text to match the new code?

A good link explaining more about Cross Site Request Forgery attacks (CSRF):

http://shiflett.org/articles/foiling-cross-site-attacks

Thanks,

--Julian

 
user

 Re: this FAQ is too dangerous, isn't this?

 Dave_L   Published 01/05/2005 0:12   Updated 01/05/2005 0:33   XOOPS is my life!   Joined 11/07/2003   Comments 2277    

I've edited this FAQ to clarify the code change.

I don't understand Olorin's post. The code he posted looks the same as the original (unhacked) code.

Keep in mind that the HTTP_REFERER check isn't bulletproof anyway, since it's not difficult to spoof it. It's just an extra layer of security.

 
user

 Re: this FAQ is too dangerous, isn't this?

 Olorin   Published 01/15/2005 7:36   Updated 01/15/2005 7:38   Just popping in   Joined 07/05/2003   Comments 50    

Alright. Let me clarify what I wanted to say.
First, my code may protect the webmasters enabling "referrer" from CSRF at very least.
Second, but it won't the users disabling "referrrer" since the check is always bypassed.

Now let's check what my code does. The "first-if" returns true whenerver the check itself is disabled. The "second-if" returns true when "referrer" isn't sent. The "third-if" returns false when an invalid (possibly malicious) "referrer" is detected.

This results in disabling the check for those who don't send referrer, which means every novice user doesn't need to worry about his/her firewall.At the same time, fair game for CSRF, the webmaster will be protected as long as he sends "referrer" with javascript turned off.

Quote:


Keep in mind that the HTTP_REFERER check isn't bulletproof anyway, since it's not difficult to spoof it. It's just an extra layer of security.
Agree. The layer of referrer protection is thin like epidermis, but it surely works to some extent.

So if you are a webmaster, turn on your referrer, disable javascript (since it spoils many protections), and install Protector (not for CSRF but for the total security).

And don't click a strange link.

All being said, my code could provide a little more thick layer of security than just returning true by 0.1 nanometers...

 
user

 Re: this FAQ is too dangerous, isn't this?

 bumbum   Published 02/12/2005 15:14   Just popping in   Joined 10/18/2004   Comments 99    

I'm having the same issue with new users registering and being a total novice I've been researching the problem on various forums. I think for those other novices watching these threads it's important to understand what CSRF means. I found this article to be most useful http://shiflett.org/articles/foiling-cross-site-attacks
Basically, it seems to me that this whole issue is down to a decision the administrator has to make:
Do I want to make my web site totally accessible to everyone at the risk of comprimising site security?
OR
Do I want to ask visitors to alter settings on their PC in order to use my site and protect the security of my site?
The problem here is convenience for the user and the issue of trust - do you really want to post security warnings on the registration page of your site that might scare potential members away?

suggestion for possible solution?

Is it possible to have downloadable patches on the registration page that users can download and install on their machines that are specific to their OS and firewall software?
This would seem like an idea solution for ease of use for members and maintaning optimal security on the web site.

 
user

 Re: this FAQ is too dangerous, isn't this?

 toddherrold   Published 05/16/2005 3:01   Quite a regular   Joined 06/13/2004   Comments 274    

I'm trying to follow the hack here, as I am having the same problem with a few of my users, but my original code in 2.0.10 is quite different:

Quote:

function xoops_refcheck($docheck=1)
{
return $GLOBALS['xoopsSecurity']->checkReferer($docheck);
}


What does the hack look like in this context?

 
user

 Re: this FAQ is too dangerous, isn't this?

 brash   Published 05/16/2005 3:21   Friend of XOOPS   Joined 04/10/2003   Comments 2206    

Xoops 2.0.10 uses the ticket system for user identification, so I'm not sure if this FAQ is relevant . Mith might need to confirm this though.

 
user

 Re: this FAQ is too dangerous, isn't this?

 Mithrandir   Published 05/16/2005 7:34   XOOPS is my life!   Joined 06/21/2003   Comments 6320    

The ticket system is not yet implemented in most modules, so the HTTP REFERER check is still very much in use.

In 2.0.10, the referer check is moved to /class/xoopssecurity.php in the checkReferer() method. The code is the same as in the function in the previous versions.

 
user

 Re: this FAQ is too dangerous, isn't this?

 mpowell   Published 11/09/2005 18:38   Friend of XOOPS   Joined 02/10/2004   Comments 119    

How is this implemented in 2.2.3? Is the hack still valid? Thanks.

 
user

 Re: this FAQ is too dangerous, isn't this?

 St_Anubis   Published 01/06/2006 1:50   Just popping in   Joined 01/06/2006   Comments 1    

Hi,

I have the same problens with HTTP_REFERER, posted here. I tryed everything that was posted.

The problem was partial resolved. I can login at first time without the HTTP_REFERER error, but when I click on any link my user was logout and I need to login again to continue, as the same way when I receive the HTTP_REFERER error.

Just the messenge are gone, the efects still there.

Anyone can help me?

Thank you

 
user

 Re: this FAQ is too dangerous, isn't this?

 geist3   Published 04/24/2006 13:02   Just popping in   Joined 02/01/2005   Comments 4    

===How is this implemented in 2.2.3? Is the hack still valid? Thanks.=====

I think you change
function checkReferer($docheck=1)
{
$ref = xoops_getenv('HTTP_REFERER');
if ($docheck == 0) {
return true;
}
if ($ref == '') {
return false;
}
if (strpos($ref, XOOPS_URL) !== 0 ) {
return false;
}
return true;
}

to

function checkReferer($docheck=1)
{
return true;
$ref = xoops_getenv('HTTP_REFERER');
if ($docheck == 0) {
return true;
}
if ($ref == '') {
return false;
}
if (strpos($ref, XOOPS_URL) !== 0 ) {
return false;
}
return true;
}

on line 164 of class/xoopssecurity.php

 
user

 Cannot Login

 macsite2006   Published 09/29/2006 19:47   Just popping in   Joined 04/04/2006   Comments 15    

If I am not wrong I checked every possible related issue to solve my problem but when I try none of them will work. Here what happen to my site

I cannot login (admin) and none (user) can login. After I login it says :

"Thank you for login in Macsite"

But it will go back to the same page without login to my website.

Can anyone tell me which file or what code need to be modify. Thank you.

 
user

 Re: Cannot Login

 masterdwarf   Published 10/09/2006 22:50   Just popping in   Joined 01/25/2006   Comments 4    

bump

 
user

 Solution - check .htacess

 nmbsailorgal   Published 01/25/2009 0:46   Just popping in   Joined 01/17/2005   Comments 6    

I was having a similar problem and had the .htacess file set to change mysite.com to http://www.mysite.com. This was preventing me from getting to the admin area on a brand new installation.

 

Login

Register now!  |  Lost Password?

Search

Advanced Search

Who's Online

213 user(s) are online (6 user(s) are browsing XOOPS FAQ)

Members: 0

Guests: 213

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Did you know ?

Some modules don't work properly, if run on a PHP5 platform with the register_long_arrays directive turned off

Random question

Can I use Fantastico's script to upgrade to the latest XOOPS version?

Recent Q&A List