Topic: confirm_refererer

What are the consequences of removing the "confirm_refererer" from the PunBB files?

I had some problems with the "refererer check" and that was my only solution.


Re: confirm_refererer

The confirm_referrer function is there for security purposes. I believe cross site scripting is merely one of the attacks you have made yourself open to by removing it.

Re: confirm_refererer

MattF wrote:

The confirm_referrer function is there...

Cross site? Style php injection?

Re: confirm_refererer

CSRF attacks.

Moved to PunBB Discussion

Re: confirm_refererer

I don't think you will fall into a critical security hole, but the referer check makes things a bit more tricky on the attacker side, so it's good to have it.
So I guess the answer is: none really. Or... you will take one first (very thin, though) defense down.

PS: Comrade, no problem, that English is fine. :D

Re: confirm_refererer

pedrotuga: No. CSRF attacks are very real. Without the confirm_referrer check, I can make an administrator do things on a forum just by visiting a page I control (on any site).
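
Added example (not part of the thread and not PunBB's own confirm_referrer code): a same-site Referer check of the kind the replies are discussing, written in PHP. The base URL, script name and sample headers are constructed; an absent header is rejected, which is the case that produces errors for users whose proxy or privacy tool strips Referer.

```php
<?php
// Added illustration, not PunBB's confirm_referrer().
// $base, the script name and every sample URL below are constructed.

/**
 * True only when the Referer names $script under $baseUrl.
 * Parsed components are compared one by one; a prefix or substring match on
 * the raw string would accept a look-alike host that merely starts with ours.
 */
function referer_is_same_site(?string $referer, string $baseUrl, string $script): bool
{
    if ($referer === null || $referer === '') {
        return false; // header stripped or never sent: fail closed
    }
    $ref  = parse_url($referer);
    $base = parse_url($baseUrl);
    if ($ref === false || $base === false
        || !isset($ref['scheme'], $ref['host'], $base['scheme'], $base['host'])) {
        return false; // not an absolute URL
    }
    // Treat an omitted port as the scheme default so :443 and no port compare equal.
    $port = fn(array $u) => $u['port'] ?? (strtolower($u['scheme']) === 'https' ? 443 : 80);
    $expectedPath = rtrim($base['path'] ?? '', '/') . '/' . ltrim($script, '/');

    return strtolower($ref['scheme']) === strtolower($base['scheme'])
        && strtolower($ref['host']) === strtolower($base['host'])
        && $port($ref) === $port($base)
        && ($ref['path'] ?? '/') === $expectedPath;
}

$base  = 'https://forum.example.test/punbb';          // constructed
$cases = [                                            // constructed Referer values
    'same-site admin page' => 'https://forum.example.test/punbb/admin_example.php?page=2',
    'page on another site' => 'https://other.example/page.html',
    'look-alike host'      => 'https://forum.example.test.other.example/punbb/admin_example.php',
    'header missing'       => null,
];
foreach ($cases as $label => $referer) {
    $ok = referer_is_same_site($referer, $base, 'admin_example.php');
    printf("%-22s %s\n", $label, $ok ? 'accept' : 'reject');
}
```

A per-form secret token checked on every state-changing request is the stronger CSRF control; a Referer check like this one works as an additional layer.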