
View Full Version : "POST requests from foreign hosts are not allowed."


PolishPanda
01-22-2005, 09:26 PM
I copied this directly from a thread I made on the vB.com forums: http://www.vbulletin.com/forum/showthread.php?t=127448

---

I made a simple PHP script months ago to automatically create a thread with info that has been inputted into a form. This of course uses POST. As I understand, this "security hole" has been patched in one of the new versions of the released software. When I try to use the script now I receive a "POST requests from foreign hosts are not allowed." error on newthread.php. As you might have guessed, the host that the script is on is different than the one the forums are on.

This script is used to simplify the process and reduce the time it takes for our referees to write out reports (they write more than 50 a day on average).

I'm just wondering if there is any way I can get around this without actually placing the script on the same host. This is a last resort for me, as I will not have direct access to the host to change files, I will always have to go through another person to make small changes.

I've thought about creating a small MySQL db that will prune but I don't know how newthread.php will respond to MySQL queries.

The script I have written can be located at http://socomsource.gamebattles.com/reports/?a=s2 and the forums at http://forums.gamebattles.com.

Any help is appreciated.

Paul M
01-22-2005, 11:06 PM
The quickest way would be to find ;

die('POST requests from foreign hosts are not allowed.');
in init.php and comment it out.

This is probably not the recommended thing to do - but it should work.

(in 3.0.6 this seems to be line 666 !)

Andreas
01-22-2005, 11:44 PM
You can disable the check by putting


define('SKIP_REFERER_CHECK', 1);


at the top of init.php.
You could also modify your POST-script to submit the correct referer.

PolishPanda
01-23-2005, 12:21 AM
You can disable the check by putting


define('SKIP_REFERER_CHECK', 1);


at the top of init.php.
You could also modify your POST-script to submit the correct referer.
I heard you could put this in the config (config.php or something), is this true?

And how would I change my post script to do that?

boiboi
02-18-2005, 04:52 PM
what about an "allow" mod? like adding just that subdomain. Thanks!

drex
03-02-2005, 07:31 AM
we have 2 domain names...... the main account is www.x5world.com where the forum is installed and working.

x5world.net has an http refresh that redirects and reloads to x5world.com.

it shows the forum/etc correctly, but when you try to login, you get the error message above.

i tried to redirect to a secondary html file at x5world.com which redirected immediately to x5world.com's main page, but it doesn't solve the problem.

is there a way to add a second 'allowed referrer' to the code? ie x5world.net? there is only 1 install at the x5world.com site, and x5world.net is another server that holds FAQ/html data from the original non-BB site.

thanks

drex

Deaths
03-02-2005, 10:44 AM
Check vBAdvanced.com, he had the same problem with the CMPS, but fixed it somehow...

GamerzWorld
03-09-2005, 01:13 PM
Check vBAdvanced.com, he had the same problem with the CMPS, but fixed it somehow...

Be useful if they tell us how, as I'm having the same problem

drex
03-09-2005, 03:37 PM
actually, the problem resolved itself when the DNS pointers finally resolved around the web, and now the problem disappeared on its own....

yeah!

it's not a software problem...

KW802
03-09-2005, 04:29 PM
Check vBAdvanced.com, he had the same problem with the CMPS, but fixed it somehow...

http://www.vbadvanced.com/forum/showthread.php?t=4439

AN-net
03-09-2005, 07:07 PM
*THIS NOT TESTED*

for those who want to use multiple domains open their init.php file and find:

$http_host = preg_replace('#^www\.#i', '', $http_host);

after that add:

$allowedhosts= array();
$allowedhosts[]= "subdomain.yoursite.com";
$allowedhosts[]= "othersite.com";
$allowedhosts[]= "subdomain.othersite.com";
if(in_array($http_host, $allowedhosts))
{
$referrer_parts['host']= $http_host;
}

ok acceptable host names for $allowedhosts array for example are:
subdomain.yoursite.com
othersite.com
subdomain.othersite.com

do not include http:// or www. as prefix to any of the $allowedhosts!

if someone could test and report back that would be great:D

Reeve of shinra
03-09-2005, 07:22 PM
/tag - I may need this later.

Kru
03-10-2005, 08:27 PM
*THIS NOT TESTED*

for those who want to use multiple domains open their init.php file and find:

$http_host = preg_replace('#^www\.#i', '', $http_host);

after that add:

$allowedhosts= array();
$allowedhosts[]= "subdomain.yoursite.com";
$allowedhosts[]= "othersite.com";
$allowedhosts[]= "subdomain.othersite.com";
if(in_array($http_host, $allowedhosts))
{
$referrer_parts['host']= $http_host;
}

ok acceptable host names for $allowedhosts array for example are:
subdomain.yoursite.com
othersite.com
subdomain.othersite.com

do not include http:// or www. as prefix to any of the $allowedhosts!

if someone could test and report back that would be great:D

Didn't work for me. :(

AN-net
03-10-2005, 09:29 PM
what did u use as your allowedhost domain?

Kru
03-11-2005, 06:37 AM
what did u use as your allowedhost domain?

www.mirzone.net is the main domain.
www.spiritual-connections.com is the subdomain


I made these changes:

$allowedhosts= array();
$allowedhosts[]= "spiritual-connections.com";
if(in_array($http_host, $allowedhosts))
{
$referrer_parts['host']= $http_host;
}

AN-net
03-11-2005, 04:51 PM
so the second domain is an addon domain? so try using the direct subdomain instead of the addon domain

edit:
an example of what im talking about is:
say your 2nd domain is holla.com and it is an addon domain
that means it should be like holla.your1stsite.com or whatever subdomain you assigned to the 2nd domain.

GamerzWorld
03-12-2005, 07:46 AM
so the second domain is an addon domain? so try using the direct subdomain instead of the addon domain

edit:
an example of what im talking about is:
say your 2nd domain is holla.com and it is an addon domain
that means it should be like holla.your1stsite.com or whatever subdomain you assigned to the 2nd domain.

My partner didn't explain it well. We have 3 domains all pointing to the same site. Using addon domains. Vbulletin has set www.mirzone.net as the domain (in the admin cp) and it means we get the error stated on the other domains. When making your changes the message went but it did not save people's information for more than one visit (cookies I'm guessing)

AN-net
03-12-2005, 02:08 PM
My partner didn't explain it well. We have 3 domains all pointing to the same site. Using addon domains. Vbulletin has set www.mirzone.net as the domain (in the admin cp) and it means we get the error stated on the other domains. When making your changes the message went but it did not save people's information for more than one visit (cookies I'm guessing)
im confused...did it or didnt?

also that check does not use any information from admincp. it checks the actual referer and your server. has nothing to do with vb;)

but for this hack use the subdomains you assigned to your new domains and it should work...

Rancher
04-06-2005, 12:47 PM
Oh GOD. Finally fixed. I can't believe I went through all those threads for a solution..

Open includes/init.php;

Find:
$http_host = preg_replace('#^www\.#i', '', $http_host);

Add below:
$http_host = 'yourdomain.com';
$http_host = 'yourdomain.com';
$http_host = 'yourdomain.com';

... and save.

AN-net
04-06-2005, 10:59 PM
Oh GOD. Finally fixed. I can't believe I went through all those threads for a solution..

Open includes/init.php;

Find:
$http_host = preg_replace('#^www\.#i', '', $http_host);

Add below:
$http_host = 'yourdomain.com';
$http_host = 'yourdomain.com';
$http_host = 'yourdomain.com';

... and save.
no!!!! you just loopholed vbulletin! now any site can submit to your website...
you should check the host first and if one of the hosts you want then process resetting!

DO NOT USE ABOVE FILE EDITS!

Rancher
04-07-2005, 04:38 AM
or Does it? I may have loopholed it or whatever, but:
Yesterday I didn't add in the real forums subdomain as $http_host, making it only being the domain I added; and all my members couldn't post.
Here's what I did: My main site is v3.hmotaku.net; and the forums are located at forums.hmotaku.net.
I just declared v3.hmotaku.net as $http_host; ($http_host = 'v3.hmotaku.net';) and in result all requests from forums.hmotaku.net (the real forums domain) was blocked by "POST requests from foreign hosts are not allowed." What happened was that all requests were blocked; EXCEPT from v3.hmotaku.net; which was declared at $http_host. So I declared forums.hmotaku.net $http_host as well, and all was fine again. -_-;;

I'm not sure how the whole referer checking thing works in vB; but how exactly did I loophole it? And NO, any other site can't submit; as proved above. =__=;

AN-net
04-07-2005, 11:41 AM
or Does it? I may have loopholed it or whatever, but:
Yesterday I didn't add in the real forums subdomain as $http_host, making it only being the domain I added; and all my members couldn't post.
Here's what I did: My main site is v3.hmotaku.net; and the forums are located at forums.hmotaku.net.
I just declared v3.hmotaku.net as $http_host; ($http_host = 'v3.hmotaku.net';) and in result all requests from forums.hmotaku.net (the real forums domain) was blocked by "POST requests from foreign hosts are not allowed." What happened was that all requests were blocked; EXCEPT from v3.hmotaku.net; which was declared at $http_host. So I declared forums.hmotaku.net $http_host as well, and all was fine again. -_-;;

I'm not sure how the whole referer checking thing works in vB; but how exactly did I loophole it? And NO, any other site can't submit; as proved above. =__=;
you loopholed it by overwriting whatever host is really submitting... the reason urs did not work is because the subdomain of main site used in $http_host did not match your forums domain. so basically by doing the edits you did, you overwrite who/what site is really submitting making your site vulnerable. What you should be doing is checking the $http_host first to make sure it's your main site submitting then change $http_host if it is your main site. Do not underestimate the checking because this helps keep your site secure from malicious hackers and websites.
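
Added example, not part of the thread and not vBulletin's own code: a sketch of the approach described in the post above, where the Referer host of a POST is compared against an explicit allowlist instead of overwriting $http_host. The function names and the example.* hosts are hypothetical, and rejecting a POST with no Referer is this sketch's choice.

```php
<?php
// Added illustration; not vBulletin's init.php. All names and hosts are hypothetical.

// Lower-case a host name and strip an optional port and a leading "www.".
function normalize_host(string $host): string
{
    $host = strtolower(trim($host));
    $host = preg_replace('#:\d+$#', '', $host);
    return preg_replace('#^www\.#', '', $host);
}

// True when a request may proceed: non-POST requests pass, POSTs need a
// Referer whose host exactly equals the serving host or an allowlisted host.
function post_referer_allowed(array $server, array $allowedHosts): bool
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return true;
    }
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (!is_string($refHost) || $refHost === '') {
        return false; // sketch's choice: no usable Referer, no POST
    }
    $trusted = array_map('normalize_host', $allowedHosts);
    $trusted[] = normalize_host($server['HTTP_HOST'] ?? '');
    // Exact comparison: suffix or substring matching would accept
    // hosts such as "forums.example.com.attacker.example".
    return in_array(normalize_host($refHost), $trusted, true);
}

// Constructed sample requests, all sent to forums.example.com.
$allowed = ['reports.example.net'];
$cases = [
    'same host'        => 'http://www.forums.example.com/newthread.php',
    'allowlisted host' => 'http://reports.example.net/reports/?a=s2',
    'look-alike host'  => 'http://forums.example.com.attacker.example/form.html',
    'unlisted host'    => 'http://other.example.org/form.html',
    'no referer'       => '',
];
foreach ($cases as $label => $referer) {
    $server = [
        'REQUEST_METHOD' => 'POST',
        'HTTP_HOST'      => 'forums.example.com',
        'HTTP_REFERER'   => $referer,
    ];
    $verdict = post_referer_allowed($server, $allowed) ? 'accept' : 'reject';
    printf("%-17s %s\n", $label, $verdict);
}
```

The Referer header is supplied by the client, so a check like this limits cross-site form posts made through a visitor's browser; it does not authenticate whoever sends the request.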

TwinsForMe
05-10-2005, 07:02 PM
You can disable the check by putting


define('SKIP_REFERER_CHECK', 1);


at the top of init.php.
You could also modify your POST-script to submit the correct referer.
I did this and the member is still getting the foreign host error. Any suggestions?