vb.org Archive


PolishPanda 01-22-2005 09:26 PM

"POST requests from foreign hosts are not allowed."
 
I copied this directly from a thread I made on the vB.com forums: http://www.vbulletin.com/forum/showthread.php?t=127448

---

I made a simple PHP script months ago to automatically create a thread with info that has been inputted into a form. This of course uses POST. As I understand, this "security hole" has been patched in one of the new versions of the released software. When I try to use the script now I receive a "POST requests from foreign hosts are not allowed." error on newthread.php. As you might have guessed, the host that the script is on is different than the one the forums are on.

This script is used to simplify the process and reduce the time it takes for our referees to write out reports (they write more than 50 a day on average).

I'm just wondering if there is any way I can get around this without actually placing the script on the same host. This is a last resort for me, as I will not have direct access to the host to change files; I will always have to go through another person to make small changes.

I've thought about creating a small MySQL db that will prune but I don't know how newthread.php will respond to MySQL queries.

The script I have written can be located at http://socomsource.gamebattles.com/reports/?a=s2 and the forums at http://forums.gamebattles.com.

Any help is appreciated.

Paul M 01-22-2005 11:06 PM

The quickest way would be to find ;

PHP Code:

die('POST requests from foreign hosts are not allowed.'); 

in init.php and comment it out.

This is probably not the recommended thing to do - but it should work.

(in 3.0.6 this seems to be line 666 !)

Andreas 01-22-2005 11:44 PM

You can disable the check by putting

PHP Code:

define('SKIP_REFERER_CHECK', 1);

at the top of init.php.
You could also modify your POST-script to submit the correct referer.

PolishPanda 01-23-2005 12:21 AM

Quote:

Originally Posted by KirbyDE
You can disable the check by putting

PHP Code:

define('SKIP_REFERER_CHECK', 1);

at the top of init.php.
You could also modify your POST-script to submit the correct referer.

I heard you could put this in the config (config.php or something), is this true?

And how would I change my post script to do that?

boiboi 02-18-2005 04:52 PM

what about an "allow" mod? like adding just that subdomain. Thanks!

drex 03-02-2005 07:31 AM

we have 2 domain names...... the main account is www.x5world.com where the forum is installed and working.

x5world.net has an http refresh that redirects and reloads to x5world.com.

it shows the forum/etc correctly, but when you try to login, you get the error message above.

i tried to redirect to a secondary html file at x5world.com which redirected immediately to x5world.com's main page, but it doesn't solve the problem.

is there a way to add a second 'allowed referrer' to the code? ie x5world.net? there is only 1 install at the x5world.com site, and x5world.net is another server that holds FAQ/html data from the original non-BB site.

thanks

drex

Deaths 03-02-2005 10:44 AM

Check vBAdvanced.com, he had the same problem with the CMPS, but fixed it somehow...

GamerzWorld 03-09-2005 01:13 PM

Quote:

Originally Posted by Deaths
Check vBAdvanced.com, he had the same problem with the CMPS, but fixed it somehow...

Be useful if they tell us how, as I'm having the same problem

drex 03-09-2005 03:37 PM

actually, the problem resolved itself when the DNS pointers finally resolved around the web, and now the problem disappeared on its own....

yeah!

it's not a software problem...

KW802 03-09-2005 04:29 PM

Quote:

Originally Posted by Deaths
Check vBAdvanced.com, he had the same problem with the CMPS, but fixed it somehow...

http://www.vbadvanced.com/forum/showthread.php?t=4439

AN-net 03-09-2005 07:07 PM

*THIS NOT TESTED*

for those who want to use multiple domains open their init.php file and find:
PHP Code:

        $http_host = preg_replace('#^www\.#i', '', $http_host);

after that add:
PHP Code:

$allowedhosts = array();
$allowedhosts[] = "subdomain.yoursite.com";
$allowedhosts[] = "othersite.com";
$allowedhosts[] = "subdomain.othersite.com";
if (in_array($http_host, $allowedhosts))
{
    $referrer_parts['host'] = $http_host;
}


ok acceptable host names for $allowedhosts array for example are:
subdomain.yoursite.com
othersite.com
subdomain.othersite.com

do not include http:// or www. as prefix to any of the $allowedhosts!

if someone could test and report back that would be great:D

Reeve of shinra 03-09-2005 07:22 PM

/tag - I may need this later.

Kru 03-10-2005 08:27 PM

Quote:

Originally Posted by AN-net
*THIS NOT TESTED*

for those who want to use multiple domains open their init.php file and find:
PHP Code:

        $http_host = preg_replace('#^www\.#i', '', $http_host);

after that add:
PHP Code:

$allowedhosts = array();
$allowedhosts[] = "subdomain.yoursite.com";
$allowedhosts[] = "othersite.com";
$allowedhosts[] = "subdomain.othersite.com";
if (in_array($http_host, $allowedhosts))
{
    $referrer_parts['host'] = $http_host;
}


ok acceptable host names for $allowedhosts array for example are:
subdomain.yoursite.com
othersite.com
subdomain.othersite.com

do not include http:// or www. as prefix to any of the $allowedhosts!

if someone could test and report back that would be great:D

Didn't work for me. :(

AN-net 03-10-2005 09:29 PM

what did u use as your allowedhost domain?

Kru 03-11-2005 06:37 AM

Quote:

Originally Posted by AN-net
what did u use as your allowedhost domain?

www.mirzone.net is the main domain.
www.spiritual-connections.com is the subdomain


I made these changes:

PHP Code:

$allowedhosts = array();
$allowedhosts[] = "spiritual-connections.com";
if (in_array($http_host, $allowedhosts))
{
    $referrer_parts['host'] = $http_host;
}



AN-net 03-11-2005 04:51 PM

so the second domain is an addon domain? so try using the direct subdomain instead of the addon domain

edit:
an example of what im talking about is:
say your 2nd domain is holla.com and it is an addon domain
that means it should be like holla.your1stsite.com or whatever subdomain you assigned to the 2nd domain.

GamerzWorld 03-12-2005 07:46 AM

Quote:

Originally Posted by AN-net
so the second domain is an addon domain? so try using the direct subdomain instead of the addon domain

edit:
an example of what im talking about is:
say your 2nd domain is holla.com and it is an addon domain
that means it should be like holla.your1stsite.com or whatever subdomain you assigned to the 2nd domain.

My partner didn't explain it well. We have 3 domains all pointing to the same site, using addon domains. Vbulletin has set www.mirzone.net as the domain (in the admin cp) and it means we get the error stated on the other domains. When making your changes the message went but it did not save people's information for more than one visit (cookies I'm guessing)

AN-net 03-12-2005 02:08 PM

Quote:

Originally Posted by GamerzWorld
My partner didn't explain it well. We have 3 domains all pointing to the same site, using addon domains. Vbulletin has set www.mirzone.net as the domain (in the admin cp) and it means we get the error stated on the other domains. When making your changes the message went but it did not save people's information for more than one visit (cookies I'm guessing)

I'm confused... did it or didn't it?

also that check does not use any information from admincp. it checks the actual referer and your server. has nothing to do with vb ;)

but for this hack use the subdomains you assigned to your new domains and it should work...

Rancher 04-06-2005 12:47 PM

Oh GOD. Finally fixed. I can't believe I went through all those threads for a solution..

Open includes/init.php;

Find:
$http_host = preg_replace('#^www\.#i', '', $http_host);

Add below:
$http_host = 'yourdomain.com';
$http_host = 'yourdomain.com';
$http_host = 'yourdomain.com';

... and save.

AN-net 04-06-2005 10:59 PM

Quote:

Originally Posted by Rancher
Oh GOD. Finally fixed. I can't believe I went through all those threads for a solution..

Open includes/init.php;

Find:
$http_host = preg_replace('#^www\.#i', '', $http_host);

Add below:
$http_host = 'yourdomain.com';
$http_host = 'yourdomain.com';
$http_host = 'yourdomain.com';

... and save.

no!!!! you just loopholed vbulletin! now any site can submit to your website...
you should check the host first and if one of the hosts you want then process resetting!

DO NOT USE ABOVE FILE EDITS!

Rancher 04-07-2005 04:38 AM

or Does it? I may have loopholed it or whatever, but:
Yesterday I didn't add in the real forums subdomain as $http_host, making it only being the domain I added; and all my members couldn't post.
Here's what I did: My main site is v3.hmotaku.net; and the forums are located at forums.hmotaku.net.
I just declared v3.hmotaku.net as $http_host; ($http_host = 'v3.hmotaku.net';) and as a result all requests from forums.hmotaku.net (the real forums domain) were blocked by "POST requests from foreign hosts are not allowed." What happened was that all requests were blocked; EXCEPT from v3.hmotaku.net; which was declared at $http_host. So I declared forums.hmotaku.net $http_host as well, and all was fine again. -_-;;

I'm not sure how the whole referer checking thing works in vB; but how exactly did I loophole it? And NO, any other site can't submit; as proved above. =__=;

AN-net 04-07-2005 11:41 AM

Quote:

Originally Posted by Rancher
or Does it? I may have loopholed it or whatever, but:
Yesterday I didn't add in the real forums subdomain as $http_host, making it only being the domain I added; and all my members couldn't post.
Here's what I did: My main site is v3.hmotaku.net; and the forums are located at forums.hmotaku.net.
I just declared v3.hmotaku.net as $http_host; ($http_host = 'v3.hmotaku.net';) and as a result all requests from forums.hmotaku.net (the real forums domain) were blocked by "POST requests from foreign hosts are not allowed." What happened was that all requests were blocked; EXCEPT from v3.hmotaku.net; which was declared at $http_host. So I declared forums.hmotaku.net $http_host as well, and all was fine again. -_-;;

I'm not sure how the whole referer checking thing works in vB; but how exactly did I loophole it? And NO, any other site can't submit; as proved above. =__=;

you loopholed it by overwriting whatever host is really submitting... the reason yours did not work is because the subdomain of the main site used in $http_host did not match your forums domain. so basically by doing the edits you did, you overwrite who/what site is really submitting, making your site vulnerable. What you should be doing is checking the $http_host first to make sure it's your main site submitting, then change $http_host if it is your main site. Do not underestimate the checking because this helps keep your site secure from malicious hackers and websites.
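
Added example (not part of any post in this thread and not vBulletin's own code): a stand-alone sketch of the "check the host first" approach discussed above, comparing the Referer's host against the forum's host plus an explicit allowlist instead of overwriting `$http_host`. The function names, sample hosts and the refuse-when-missing policy are assumptions made for the example.

```php
<?php
// Added example: helper names and sample hosts are hypothetical, not vBulletin code.

// Lower-case a host, drop any ":port" suffix and a leading "www.".
function normalize_host(string $host): string
{
    $host = strtolower(trim($host));
    $host = (string) preg_replace('#:\d+$#', '', $host);
    return (string) preg_replace('#^www\.#', '', $host);
}

// True only when the Referer's host is the forum's own host or is on the
// allowlist. The forum's $httpHost is never overwritten, and the match is
// exact, so "othersite.com.example.net" does not pass as "othersite.com".
function referer_host_allowed(?string $referer, string $httpHost, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false; // assumption for this example: a POST without Referer is refused
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost) || $refHost === '') {
        return false; // Referer is not a parsable absolute URL
    }
    $trusted = array_map('normalize_host', array_merge([$httpHost], $allowedHosts));
    return in_array(normalize_host($refHost), $trusted, true);
}

// Constructed sample data.
$httpHost     = 'www.forums.yoursite.com';
$allowedHosts = ['subdomain.yoursite.com', 'othersite.com'];
$samples = [
    'http://forums.yoursite.com/newthread.php',   // the forum itself
    'http://www.othersite.com/reports/',          // allowlisted second domain
    'http://othersite.com.example.net/form.html', // look-alike host
    'http://unrelated.example/',                  // foreign host
    '',                                           // header missing
];
foreach ($samples as $referer) {
    $ok = referer_host_allowed($referer, $httpHost, $allowedHosts);
    printf("%-45s %s\n", $referer === '' ? '(no Referer)' : $referer, $ok ? 'allow' : 'deny');
}
```

As an earlier reply in the thread points out, a script can submit whatever Referer it chooses, so a check like this only filters cross-site POSTs that originate from a visitor's browser.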

TwinsForMe 05-10-2005 07:02 PM

Quote:

Originally Posted by KirbyDE
You can disable the check by putting

PHP Code:

define('SKIP_REFERER_CHECK', 1);

at the top of init.php.
You could also modify your POST-script to submit the correct referer.

I did this and the member is still getting the foreign host error. Any suggestions?

