SmartFAQ is developed by The SmartFactory (http://www.smartfactory.ca), a division of InBox Solutions (http://www.inboxsolutions.net)

How do you disable the check for referrer information?
Requested and Answered by Jegelstaff on 2004/12/15 15:45:00 (25073 reads)
If you have users on your own site who cannot post in forums or add other information to the site due to their firewall or some other software that is blocking the referrer information, then you may want to turn off the referrer check in the XOOPS code.

For more info about the referrer information problem, check out this question:

https://xoops.org/modules/smartfaq/faq.php?faqid=9

[There is a comment with detailed instructions for fixing the problem from the firewall end, but that requires all your users with the problem to successfully follow those steps, which chances are they will not all do, hence the need to be able to turn off the check in your XOOPS site.]

To turn off the referrer check, add a line to the function xoops_refcheck() in the include/functions.php file, around line 137 (the added line is the first one in the function body, marked with the DISABLE_REFERER_CHECK comment):

function xoops_refcheck($docheck=1)
{
   return true; #*#DISABLE_REFERER_CHECK#   // added line: every request now passes the check
   $ref = xoops_getenv('HTTP_REFERER');
   if ($docheck == 0) {
      return true;
   }
   if ($ref == '') {
      return false;
   }
   if (strpos($ref, XOOPS_URL) !== 0) {
      return false;
   }
   return true;
}


This information applies to XOOPS 2.0.7, and possibly earlier and later versions too. (Hopefully a system configuration option will be added in the future to turn this off without a hack).

Thanks to Mithrandir for this information, found in his post in the following thread:

https://xoops.org/modules/newbb/viewtopic.php?topic_id=25989


  • Just popping in

 this FAQ is too dangerous, isn't this?

Well, I'm not a professional. But, as far as I know, it is very risky to disable "referrer-check" because turning off the check makes the web sites more vulnerable to CSRF attacks.

function xoops_refcheck($docheck=1)
{
   $ref = xoops_getenv('HTTP_REFERER');
   if ($docheck == 0) {
      return true;
   }
   if ($ref == '') {
      // return false;   // the very original
      return true;       // hacked code
   }
   if (strpos($ref, XOOPS_URL) !== 0) {
      return false;
   }
   return true;
}


Instead, the code above is rather safer than the one in the FAQ. Bear in mind, ALL webmasters MUST turn on "referrer" so as to protect your site.

Last but not least, all the thanks goes to GIJOE since this hack is originally introduced by him.

EDITED:
Well... the original code returns "FALSE" when referrer information is empty. On the other hand, the hacked code returns "TRUE". As a result, it disables the referrer check for those who don't send a referrer.

So this hack is introduced for the convenience of USERS who don't know what a referrer is and what their firewall does.

 
  • XOOPS is my life!

 Re: this FAQ is too dangerous, isn't this?

Thanks, updated

 
  • Module Developer

 Re: this FAQ is too dangerous, isn't this?

With the code changed, the text doesn't make complete sense, since you don't just add return true; at the same point. Could a mod change the text to match the new code?

A good link explaining more about Cross Site Request Forgery attacks (CSRF):

http://shiflett.org/articles/foiling-cross-site-attacks

Thanks,

--Julian

 
  • XOOPS is my life!

 Re: this FAQ is too dangerous, isn't this?

I've edited this FAQ to clarify the code change.

I don't understand Olorin's post. The code he posted looks the same as the original (unhacked) code.

Keep in mind that the HTTP_REFERER check isn't bulletproof anyway, since it's not difficult to spoof it. It's just an extra layer of security.

 
  • Just popping in

 Re: this FAQ is too dangerous, isn't this?

Alright. Let me clarify what I wanted to say.
First, my code may protect the webmasters enabling "referrer" from CSRF at the very least.
Second, but it won't protect the users disabling "referrer", since the check is always bypassed.

Now let's check what my code does. The "first-if" returns true whenever the check itself is disabled. The "second-if" returns true when "referrer" isn't sent. The "third-if" returns false when an invalid (possibly malicious) "referrer" is detected.

This results in disabling the check for those who don't send a referrer, which means every novice user doesn't need to worry about his/her firewall. At the same time, fair game for CSRF, the webmaster will be protected as long as he sends "referrer" with javascript turned off.

Quote:


Keep in mind that the HTTP_REFERER check isn't bulletproof anyway, since it's not difficult to spoof it. It's just an extra layer of security.
Agree. The layer of referrer protection is thin like epidermis, but it surely works to some extent.

So if you are a webmaster, turn on your referrer, disable javascript (since it spoils many protections), and install Protector (not for CSRF but for the total security).

And don't click a strange link.

All being said, my code could provide a slightly thicker layer of security than just returning true, by 0.1 nanometers...
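
As an added illustration (example code, not XOOPS's own and not from any poster), here are the original check from the FAQ, the FAQ hack and Olorin's variant side by side, run over constructed sample referrers; XOOPS_URL and the sample URLs are assumed values.

```php
<?php
// Added example (not XOOPS code): models the three referrer-check variants
// discussed on this page and runs them over constructed sample requests.
// XOOPS_URL is the site's base URL (XOOPS defines it in mainfile.php);
// the value below is an assumed sample.
define('XOOPS_URL', 'http://www.example.com');

// Variant 1: the original XOOPS check (deny empty or foreign referrers).
function refcheck_original($ref, $docheck = 1)
{
    if ($docheck == 0) return true;
    if ($ref == '') return false;
    if (strpos($ref, XOOPS_URL) !== 0) return false;
    return true;
}

// Variant 2: the FAQ hack (the check is skipped entirely).
function refcheck_faq_hack($ref, $docheck = 1)
{
    return true;
}

// Variant 3: Olorin's variant (allow a missing referrer, still deny a foreign one).
function refcheck_allow_empty($ref, $docheck = 1)
{
    if ($docheck == 0) return true;
    if ($ref == '') return true;
    if (strpos($ref, XOOPS_URL) !== 0) return false;
    return true;
}

// Constructed sample requests: array(description, HTTP_REFERER value).
$samples = array(
    array('same-site form submission',                 'http://www.example.com/modules/newbb/post.php'),
    array('user behind a referrer-stripping firewall',  ''),
    array('cross-site request carrying its referrer',   'http://attacker.example.net/csrf.html'),
    array('cross-site request with referrer suppressed', ''),
);

foreach ($samples as $s) {
    list($what, $ref) = $s;
    printf("%-46s original=%-5s faq_hack=%-5s allow_empty=%s\n", $what,
        refcheck_original($ref)    ? 'allow' : 'deny',
        refcheck_faq_hack($ref)    ? 'allow' : 'deny',
        refcheck_allow_empty($ref) ? 'allow' : 'deny');
}
// The last row is Olorin's own caveat: a cross-site request that arrives
// without any referrer passes his variant exactly as it passes the FAQ hack.
```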

 
  • Just popping in

 Re: this FAQ is too dangerous, isn't this?

I'm having the same issue with new users registering, and being a total novice I've been researching the problem on various forums. I think for those other novices watching these threads it's important to understand what CSRF means. I found this article to be most useful: http://shiflett.org/articles/foiling-cross-site-attacks
Basically, it seems to me that this whole issue is down to a decision the administrator has to make:
Do I want to make my web site totally accessible to everyone at the risk of compromising site security?
OR
Do I want to ask visitors to alter settings on their PC in order to use my site and protect the security of my site?
The problem here is convenience for the user and the issue of trust - do you really want to post security warnings on the registration page of your site that might scare potential members away?

Suggestion for a possible solution?

Is it possible to have downloadable patches on the registration page that users can download and install on their machines that are specific to their OS and firewall software?
This would seem like an ideal solution for ease of use for members and maintaining optimal security on the web site.

 
  • Quite a regular

 Re: this FAQ is too dangerous, isn't this?

I'm trying to follow the hack here, as I am having the same problem with a few of my users, but my original code in 2.0.10 is quite different:

Quote:

function xoops_refcheck($docheck=1)
{
return $GLOBALS['xoopsSecurity']->checkReferer($docheck);
}


What does the hack look like in this context?

 
  • Friend of XOOPS

 Re: this FAQ is too dangerous, isn't this?

Xoops 2.0.10 uses the ticket system for user identification, so I'm not sure if this FAQ is relevant. Mith might need to confirm this though.

 
  • XOOPS is my life!

 Re: this FAQ is too dangerous, isn't this?

The ticket system is not yet implemented in most modules, so the HTTP REFERER check is still very much in use.

In 2.0.10, the referer check is moved to /class/xoopssecurity.php in the checkReferer() method. The code is the same as in the function in the previous versions.

 
  • Friend of XOOPS

 Re: this FAQ is too dangerous, isn't this?

How is this implemented in 2.2.3? Is the hack still valid? Thanks.

 
  • Just popping in

 Re: this FAQ is too dangerous, isn't this?

Hi,

I have the same problems with HTTP_REFERER posted here. I tried everything that was posted.

The problem was partially resolved. I can log in the first time without the HTTP_REFERER error, but when I click on any link my user is logged out and I need to log in again to continue, the same way as when I receive the HTTP_REFERER error.

Just the message is gone; the effects are still there.

Can anyone help me?

Thank you

 
  • Just popping in

 Re: this FAQ is too dangerous, isn't this?

Quote:

How is this implemented in 2.2.3? Is the hack still valid? Thanks.

I think you change
function checkReferer($docheck=1)
{
$ref = xoops_getenv('HTTP_REFERER');
if ($docheck == 0) {
return true;
}
if ($ref == '') {
return false;
}
if (strpos($ref, XOOPS_URL) !== 0 ) {
return false;
}
return true;
}

to

function checkReferer($docheck=1)
{
return true;
$ref = xoops_getenv('HTTP_REFERER');
if ($docheck == 0) {
return true;
}
if ($ref == '') {
return false;
}
if (strpos($ref, XOOPS_URL) !== 0 ) {
return false;
}
return true;
}

on line 164 of class/xoopssecurity.php

 
  • Just popping in

 Cannot Login

If I am not wrong I checked every possible related issue to solve my problem, but when I try, none of them will work. Here is what happens on my site:

I cannot log in (admin) and no one (user) can log in. After I log in it says:

"Thank you for login in Macsite"

But it will go back to the same page without logging in to my website.

Can anyone tell me which file or what code needs to be modified? Thank you.

 
  • Just popping in

 Re: Cannot Login

bump

 
  • Just popping in

 Solution - check .htaccess

I was having a similar problem and had the .htaccess file set to change mysite.com to www.mysite.com. This was preventing me from getting to the admin area on a brand new installation.