
Thread: Wrong Referer [safely FIXED]

  1. #1 computerbar (Member), joined Nov 2007, UK, 78 posts

    Wrong Referer [safely FIXED]

    Hi all
    I was having problems posting using the Bookmarklet button and was getting the Wrong Referer error.
    I did not wanna remove the check referer function as I think it would make it easy for spammers to post junk...

    After a bit of googling I found a fix by a developer on his site and I thought I would share it here with all of you in case the post is deleted or the website goes bust. All credits to the original poster.

    Wrong Referrer is a message you might see if you post a URL from other pages; it is caused in function check_referrer() when checking for possible xsfr (cross-site request forgery). It happened to me when implementing a submit button on other pages. An unsafe solution is simply removing the check_referrer() function call in the submit.php file. My solution checks whether the site the request came from is the same as the posted URL, in 2 steps:

    1. Update the submit.php file by replacing the code in line 20

    if (!$_COOKIE['referrer'])
        check_referrer();

    with code:

    if (!$_COOKIE['referrer']) {
        // A bookmarklet arrives as GET ?url=...; copy it into $_POST so the
        // rest of submit.php and the referer check see a single URL.
        if (empty($_POST['phase']) && !empty($_GET['url'])) {
            $_POST['url'] = $_GET['url'];
        }
        // Sanitize before handing the URL to the referer check (avoids an
        // undefined-index notice when no URL was submitted at all).
        $url = isset($_POST['url']) ? htmlspecialchars(sanitize($_POST['url'], 3)) : '';
        check_referrer($url);
    }

    2. Now we have to update the function check_referrer() in the file /libs/html1.php (around line 973). Replace the existing function with:

    //
    // CSFR/XSFR protection
    // updated: also accepts a referer that matches the URL being submitted
    //
    function check_referrer($post_url = false)
    {
        global $my_base_url, $my_pligg_base, $xsfr_first_page;

        if (sizeof($_GET) > 0 || sizeof($_POST) > 0)
        {
            if (!empty($_SERVER['HTTP_REFERER']))
            {
                $base = $my_pligg_base;
                if (!$base) $base = '/';
                $_SERVER['HTTP_REFERER'] = sanitize($_SERVER['HTTP_REFERER'], 3);

                // update: a referer that contains the posted URL passes the check.
                // Only compare when a URL was actually given; strpos() with an
                // empty needle would otherwise match (or warn) and skip the check.
                if ($post_url !== false && $post_url !== ''
                    && strpos($_SERVER['HTTP_REFERER'], $post_url) !== false)
                {
                    return true;
                }

                // original check: the referer (minus scheme and "www.") must start
                // with our own host plus base path
                $referer_host = preg_replace('/^.+:\/\/(www\.)?/', '', $_SERVER['HTTP_REFERER']) . '/';
                $our_host     = preg_replace('/^.+:\/\/(www\.)?/', '', $my_base_url) . $base;
                if (strpos($referer_host, $our_host) !== 0)
                {
                    unset($_SESSION['xsfr']);
                    die("Wrong Referrer '{$_SERVER['HTTP_REFERER']}'");
                }
            }
            elseif ($xsfr_first_page)
            {
                unset($_SESSION['xsfr']);
                die('Wrong security code');
            }
        }
    }


    SOURCE: Wrong Referrer with Pligg safe solution | xweblabs.com
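The two rules of the updated check_referrer() above, as an added worked example in Python (not Pligg's or xweblabs' code) so the accepted and rejected referer/URL combinations can be tabulated offline; the site and URL values are constructed. Note that the containment rule accepts an off-site referer whenever it contains the submitted URL, which is what lets a bookmarklet post, and the same-site prefix comparison only runs when it does not.

```python
import re

# Added example: a pure-Python model of the decision logic in the updated
# PHP check_referrer(), returning a verdict instead of calling die().
_SCHEME_WWW = re.compile(r'^.+://(www\.)?')


def _strip_scheme_www(url: str) -> str:
    """Mirror preg_replace('/^.+:\\/\\/(www\\.)?/', '', $url): drop scheme and 'www.'."""
    return _SCHEME_WWW.sub('', url, count=1)


def check_referrer(referer, post_url, my_base_url, my_pligg_base='',
                   xsfr_first_page=False, has_request_params=True):
    """Return 'ok', 'wrong_referrer' or 'wrong_security_code'.

    referer            -- Referer header value, '' when the header is absent
    post_url           -- the URL being submitted ($post_url), '' when none
    my_base_url        -- Pligg's $my_base_url, e.g. 'http://www.example.com'
    my_pligg_base      -- Pligg's $my_pligg_base, e.g. '/pligg' ('' means '/')
    xsfr_first_page    -- Pligg's $xsfr_first_page flag
    has_request_params -- True when $_GET or $_POST is non-empty
    """
    if not has_request_params:
        return 'ok'                      # nothing submitted, nothing to check
    if referer:
        base = my_pligg_base or '/'
        # Step 1 of the fix: a referer containing the submitted URL passes,
        # whatever site it belongs to (the bookmarklet case).
        if post_url and post_url in referer:
            return 'ok'
        # Original Pligg rule: referer minus scheme/"www." must start with our
        # own host plus base path; the trailing '/' mirrors the PHP concatenation.
        expected = _strip_scheme_www(my_base_url) + base
        if not (_strip_scheme_www(referer) + '/').startswith(expected):
            return 'wrong_referrer'
        return 'ok'
    if xsfr_first_page:
        return 'wrong_security_code'
    return 'ok'


if __name__ == '__main__':
    site = 'http://www.example.com'      # constructed $my_base_url
    for ref, url in [('http://example.com/submit.php', 'http://other.example.org/a'),
                     ('http://other.example.org/a', 'http://other.example.org/a'),
                     ('http://another.example.net/', 'http://other.example.org/a'),
                     ('', 'http://other.example.org/a')]:
        print(f'{ref!r:40} {url!r:30} -> {check_referrer(ref, url, site, xsfr_first_page=True)}')
```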

  2. #2 ChuckRoast (Pligg Developer/Coder/Designer), joined Dec 2005, Pliggville USA, 9,118 posts
    Thanks for sharing that with the community. I'll see if I can't add this to SVN


  3. #3 ChuckRoast (Pligg Developer/Coder/Designer), joined Dec 2005, Pliggville USA, 9,118 posts
    Added to the SVN early this morning.
    Thanks again.


  4. #4 computerbar (Member), joined Nov 2007, UK, 78 posts
    Glad to help the forum..
