Rickard wrote:

Where can I read more about that?

http://www.securityfocus.com/bid/4754/discussion/
http://www.securityfocus.com/bid/3546/discussion/

If you click the "Info" tab, you'll see a list of the vulnerable versions of IE.

Rickard wrote:

A separate admin session would probably be a more solid solution, but it will also add a lot of overhead.

Yeah, but one doesn't have to do admin stuff that often, really.

Rickard wrote:

Then again, moderator actions do not require a separate login, so I guess vBulletin is vulnerable in that respect.

Agree.

Yeah, you're 100% right - one would need the cookie values in order to fake the request. Although not too likely, an evil script could get access to cookies, for instance via browsers' security holes, like when Microsoft releases a new vulnerable browser, for instance Internet Explorer 6.0 (before SP1), plus there are still users out there using older browsers. I would guess that that scenario is just as likely as someone making you visit an evil script while you're logged in as admin at your own board.

My point is that I for one wouldn't count on the HTTP_REFERER to add any extra security. To me, vBulletin's separate session cookie for the admin-panel seems preferable over a HTTP_REFERER check: if you're an admin, you're not _always_ logged in as admin-admin (plus: it favors usability)....

But, it's your forum (and I'm pleased with it so far) smile

Ok, not sure I made too much sense in the above "one-liner".

If the page with the javascript submits the data to http://evil.example.com/evil-script.php, then evil-script.php might include code for sending the data to the punBB board + spoofing the HTTP_REFERER. After all, the HTTP_REFERER is just a string / HTTP header. If I know the board URL, I know what to include in my spoof scripts. An HTTP_REFERER check only gives a false feeling of security.

"The most common use of this header is to track how users are finding your site. (...) this information should only be used to satisfy your curiosity (...) it should never be relied upon for any sort of security." - Chris Shiflett, HTTP Developer's Handbook


Wouldn't it be better to include some kind of shared secret between the form and the admin scripts? One could for instance include a hidden field in the form - with its value set to some kind of "dynamic"/"secret" content - and then validate the post data in the admin scripts afterwards.

Example:
First, generate the value:

<?php
// Value changes once an hour ("H" is the 24-hour clock; the original "h" repeats every 12 hours).
// The static string is the server-side secret the attacker has to guess.
$secret = md5(date("YmdH") . "some kind of secret string");
?>

(It would probably have to be better than the use of date() above, but it serves as an example of content that you would be able to check later on)
Then, insert it into the form

<input type="hidden" name="secret" value="<?= $secret ?>" />

And finally, in the admin scripts, you check that $newly_calculated_value_of_secret == $_POST['secret'].

Make sense?

It's of course not bulletproof, but this way you at least require more effort from the user (to figure out what the $secret is / is calculated from), plus: an evil form wouldn't be valid/useful for long...

Yeah, but the page that submitted the form could (via for instance a PHP script) easily spoof the HTTP_REFERER so that the punBB script thought that it came from "itself".
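The two points made in the posts above (a server-side script can send any Referer it likes, and a hidden "secret" field is harder to forge) side by side, as an added example that is not part of the original posts and not PunBB code. Python is used instead of PHP so the block runs stand-alone. Everything here is assumed for illustration: the board address `BOARD_URL`, the request shape (headers + form fields), a session id taken from an already-validated login cookie, the server-side key, and the scenario from the cookie post above, in which evil-script.php already holds the admin's cookie values and so reaches the admin script authenticated. `legacy_secret` reproduces the md5(hour + static string) scheme from the shared-secret post; `issue_token`/`verify_token` show the same idea bound to the session and compared in constant time.

```python
"""Forged-Referer request vs. a session-bound form token (added illustration)."""
import hashlib
import hmac
from dataclasses import dataclass, field

BOARD_URL = "http://board.example.com/"      # assumed board address
SERVER_KEY = b"constructed-server-side-key"   # constructed; a real key lives outside the web root
TOKEN_LIFETIME = 3600                         # seconds per bucket, like date("YmdH") in the post


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def referer_check(req: Request) -> bool:
    """The check the posts argue against: it trusts a client-supplied header."""
    return req.headers.get("Referer", "").startswith(BOARD_URL)


def legacy_secret(now: int, key: bytes = SERVER_KEY) -> str:
    """The post's scheme: md5(hour bucket + static string). Same value for every
    session during the hour, so nothing ties it to the admin who got the form."""
    bucket = now // TOKEN_LIFETIME
    return hashlib.md5(str(bucket).encode() + key).hexdigest()


def issue_token(session_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Session-bound, time-limited token: HMAC over (session id, hour bucket).
    This is what goes into the hidden "secret" field."""
    bucket = now // TOKEN_LIFETIME
    mac = hmac.new(key, f"{session_id}:{bucket}".encode(), hashlib.sha256).hexdigest()
    return f"{bucket}:{mac}"


def verify_token(token: str, session_id: str, now: int,
                 key: bytes = SERVER_KEY, max_age_buckets: int = 1) -> bool:
    """Recompute the MAC for the caller's own session and compare in constant time.
    The current and the previous bucket are accepted, so a form filled in just
    before the hour rolls over still submits; older or future buckets fail."""
    try:
        bucket_text, mac = token.split(":", 1)
        bucket = int(bucket_text)
    except ValueError:
        return False
    age = now // TOKEN_LIFETIME - bucket
    if not 0 <= age <= max_age_buckets:
        return False
    expected = hmac.new(key, f"{session_id}:{bucket}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def admin_action(req: Request, session_id: str, now: int, check: str = "token") -> str:
    """The admin script's gate. `session_id` is the (assumed) already-validated
    login cookie; `check` selects which defence guards the action."""
    if check == "referer":
        allowed = referer_check(req)
    else:
        allowed = verify_token(req.form.get("secret", ""), session_id, now)
    return "executed" if allowed else "rejected"


def forged_request(guessed_secret: str = "") -> Request:
    """What evil-script.php can send from its own server: any Referer it likes,
    plus whatever it manages to guess for the hidden field."""
    return Request(headers={"Referer": BOARD_URL + "admin.php"},
                   form={"action": "delete_user", "id": "1", "secret": guessed_secret})


if __name__ == "__main__":
    now = 1_700_000_000          # constructed timestamp
    admin = "sess-admin"         # constructed session id
    legit = Request(headers={"Referer": BOARD_URL + "admin.php"},
                    form={"action": "delete_user", "id": "1",
                          "secret": issue_token(admin, now)})
    print("referer check, forged request:", admin_action(forged_request(), admin, now, "referer"))
    print("token check, forged request:  ", admin_action(forged_request(), admin, now, "token"))
    print("token check, legit request:   ", admin_action(legit, admin, now, "token"))
    print("legacy secret identical within the hour:", legacy_secret(now) == legacy_secret(now + 5))
```

The forged request sails through `referer_check` because the header is just a string the sending script chose, exactly as the posts say. It fails `verify_token` because the attacker never saw the admin's form. The token is also rejected for a different session id and after it expires, which the hour-only `legacy_secret` cannot do. Note the scenario this models: the attacker's script is already carrying the admin's cookies. If it is not, the request never reaches `admin_action` authenticated, which is the objection Rickard raised in the thread.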

1. Sorry. But you made it look fine smile
2. Again: sorry, didn't read the howto for stopwords.

The Norwegian trans. should be in use at the Uni. of Bergen, Norway sometime this fall (things tend to take a while to get done)...

And feel free to use it...of course... wink

I know there are threads about the HTTP_REFERER check in the troubleshooting forum, but since this is not a problem (per se), and none answer my question - which is...

why the HTTP_REFERER check?

It's not secure, only annoying. I know it's easily removed, but it's annoying to have to do so, seeing that there are no security reasons for having it there in the first place. I'm not trying to say that you should remove it because I feel that it's annoying. I just don't understand why it's included.

If I wanted to hack a punBB forum, I would most likely be smart enough to know how to spoof the HTTP_REFERER... It really doesn't add a fraction of application-level security.

It's located here: http://www.billy-corgan.com/punBB/no.zip

Rickard wrote:

I actually think "hej" is Swedish, Danish and Norwegian.

"Hei" is Norwegian wink