101

Re: INFO: Bad HTTP_REFERER

This bad referrer message can be due to something as simple as the difference between "http" and "https," which is what was causing it for me. Hope this helps someone.

Noah

102

Re: INFO: Bad HTTP_REFERER

https is secure http and unless or even if your webhost supports secure connections its gonna cause problems

103 (edited by spider8 2005-01-17 00:53)

Re: INFO: Bad HTTP_REFERER

Is there any good reason securitywise that should prevent me from having o_base_url = domainname.tld and then calling confirm_referrer(''); instead of confirm_referrer('scriptname.php'); in each affected script (or change confirm_referrer() in functions.php to ignore $script)?

I'd like to do this, because I heavily rewrite my URLs in my modded forum version and I'd like to do some admin stuff with the original version as well.

104

Re: INFO: Bad HTTP_REFERER

To solve the problem with people using Norton Personal Firewall Configure it..


Privacy Control -> Configure -> Custom level -> Deselect Enable Browser Privacy...

You don't need to disable the entire firewall..  just share a little bit of browsing information...  hehe

105

Re: INFO: Bad HTTP_REFERER

spider8 wrote:

Is there any good reason securitywise that should prevent me from having o_base_url = domainname.tld and then calling confirm_referrer(''); instead of confirm_referrer('scriptname.php'); in each affected script (or change confirm_referrer() in functions.php to ignore $script)?

Not really. The most important part is the domain check.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

106

Re: INFO: Bad HTTP_REFERER

Thank you Rickard, this will help me a lot.

107

Re: INFO: Bad HTTP_REFERER

I have Norton Security that I just installed on my computer.  I am having the

Bad HTTP_REFERER. You were referred to this page from an unauthorized source. If the problem persists please make sure that 'Base URL' is correctly set in Admin/Options and that you are visiting the forum by navigating to that URL. More information regarding the referrer check can be found in the PunBB documentation.

I read the instruction about how to go around it and it didn't work. What am I doing wrong?  Should I re-install punnbb? I just don't know!  Also, I edited some script in the admin_options and the admin_forums.  I am not sure but I think I deleted too much in the admin_forums.  Can I get the original script anywhere?

http://www.foreverdestined.com/forum

108

Re: INFO: Bad HTTP_REFERER

I am using my forums on

http://209.97.203.116/~trueabso/forums/index.php

When I try to change my base url, it wont let me. I have reinstalled the system and everything. It still gives me the bad http_referer error when I try and change it...

What should I set it to, and what should I do to bypass this?

109

Re: INFO: Bad HTTP_REFERER

anthem: That means your using some kind of firewall or software that strips out your HTTP_REFERER. Are you using Norton? In that case, read the first post in this topic.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

110

Re: INFO: Bad HTTP_REFERER

Rickard wrote:

anthem: That means your using some kind of firewall or software that strips out your HTTP_REFERER. Are you using Norton? In that case, read the first post in this topic.

I set my firewall to not strip it. I am now using http://northernconflict.net/forums/

Base URL 
The complete URL of the forum without trailing slash (i.e. http://www.mydomain.com/forums). This must be correct in order for all admin and moderator features to work. If you get "Bad referer" errors, it's probably incorrect.

I have http://www.northernconflict.net/forums set. yet it still gives me the bad http_referer

111

Re: INFO: Bad HTTP_REFERER

anthem: I've registered in your forums. Could you make me an admin or moderator so that I can check it out myself?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

112 (edited by anthem 2005-06-05 03:36)

Re: INFO: Bad HTTP_REFERER

Rickard wrote:

anthem: I've registered in your forums. Could you make me an admin or moderator so that I can check it out myself?

Done.


[edit]

well, shit... I guess it works now. Must have been the system having some troble updating.

113

Re: INFO: Bad HTTP_REFERER

smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."

114 (edited by h4ns 2005-08-06 11:44)

Re: INFO: Bad HTTP_REFERER

HTTP_REFERER is a variable that gets filled with whatever is sent in the "Referer" HTTP header. Any hacker with any size of brain can easily spoof this...

How important do you consider this referrer check really?

I've just recently discovered punBB and it really outrulez everything else BTW smile

115

Re: INFO: Bad HTTP_REFERER

I've described the reason for the referrer check earlier in this topic. I am very much aware that anyone can spoof their HTTP_REFERER, but spoofing it wouldn't make any sense. The referrer check is there to protect admins and moderators.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

116

Re: INFO: Bad HTTP_REFERER

Ah sorry, I must be reading over it again and again. The only thing I can find about it is:

Rickard wrote:

The check is there for a very good reason, trust me :-)

I trust you (for checking my referrer anyway tongue) and was wondering what that very good reason might be. I thought maybe you've put it in there for an even better reason than hacker-blocking...?

117

Re: INFO: Bad HTTP_REFERER

Aha. Maybe that was in a different topic.

Without the referrer check, it would be possible for a malicious user to construct a web page somewhere and then trick an admin or a moderator to visit that page. On the page, a hidden form would be posted via Javascript that posts to a page in the forums (an admin page or maybe someones profile). It would be easy to e.g. upgrade a user to admin status. However, with the referrer check, this wouldn't be allowed because the forums would check the referrer and notice that the form was posted from somewhere outside the forums.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

118

Re: INFO: Bad HTTP_REFERER

That is indeed the best reason I've ever heard for implementing a referrer check! Thanks!

119

Re: INFO: Bad HTTP_REFERER

Rickard is a clever man! big_smile

120 (edited by frippz 2005-09-07 20:08)

Re: INFO: Bad HTTP_REFERER

I think I've tried everything now. The URL checks out, no firewall in the way or proxy and still I get the "Bad HTTP_REFERER" error. I even tried on two different hosts and from two different computers (different ISP's in different cities).

I'm starting to run out of ideas here... sad

Forum located at: http://www.adjust.nu/forum/

121

Re: INFO: Bad HTTP_REFERER

frippz: Earlier in this topic, I recommended a way of modifying the referrer check to print out the two URL's it's trying to compare. Have a look at that and post the results.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

122

Re: INFO: Bad HTTP_REFERER

Rickard wrote:

3. You are browsing the forum through a proxy or firewall of some sort that is stripping HTTP_REFERER from all requests. Norton Personal Firewall and Kerio Personal Firewall 4 are the only ones I know of so far that strip HTTP_REFERER by default....

Zone alarm 6.06 can join the band

123

Re: INFO: Bad HTTP_REFERER

Really? I think that's what I use, and I don't have issues...

http://fluxbb.org

Free PunBB Hosting - lots of mods, easy to customize

124

Re: INFO: Bad HTTP_REFERER

I still haven't been able to receive a straight answer as to how stripping out HTTP_REFERER increases security. I guess they call it a "privacy feature". People are too paranoid.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

125

Re: INFO: Bad HTTP_REFERER

Mmm, updated ZA smile
Download and test time

http://fluxbb.org

Free PunBB Hosting - lots of mods, easy to customize