Invalid redirect url appearing since security patch
I'm not sure if this problem is related but at the bottom bar there's a link to my forum labeled "www.compositescentral.com" but it refers to "www.compositescentral.com/www.compositescentral.com".
This same issue appears with the lost pw form where my forum url is repeated twice before the login do function is after it. I think this might be the source of my issues. Any ideas?
-
What *exactly* do you have in AdminCP > vBulletin Options > site name/url/etc > Forum URL ?
Please don't PM or VM me for support - I only help out in the threads.
vBulletin Manual & vBulletin 4.0 Code Documentation (API)
Want help modifying your vbulletin forum? Head on over to vbulletin.org
If I post CSS and you don't know where it goes, throw it into the additional.css template.
W3Schools <- awesome site for html/css help
-
Looks like the 3.8 patch has a flaw:
Code:
// if the "realurl" of this request does not equal $bburl, add it as well..
$realurl = VB_URL_SCHEME . '://' . VB_URL_HOST;

It's supposed to add the real URL of the site (not the one defined in the options, but the real URL taken from the web server request) to the whitelist. Looks like if it was working, it would take care of the issues in this thread.
-
I found an easier solution: just add "http://domain.com/forums" to your Redirect Domain Whitelist in the Admincp->Site/Url/Contact details.
Problem fixed.
However, an automatic redirect from domain.com to www.domain.com should be nicer.
-
Looks like the 3.8 patch has a flaw:
Code:
// if the "realurl" of this request does not equal $bburl, add it as well..
$realurl = VB_URL_SCHEME . '://' . VB_URL_HOST;

Baby, I was born this way
-
I'm running version 3.8.7 PL2. I've tried changing the "Cookie Domain" and "Path to Save Cookies" solutions without success. I don't see a "Redirect Domain Whitelist" option in the "Site/Url/Contact Details" page. And I'm currently running on Windows Server 2003/IIS6, so the .htaccess solution isn't going to help either.
I can just put up a notice for users to make sure they use www with the url for now, but will a code patch be offered soon? Any other options or solutions?
-
Here's how we fixed it...
Temporary patch to functions.php.
redirect_whitelist doesn't exist as an "option". It's called "allowedreferrers" in the settings table. By changing the check for the whitelist to options['allowedreferrers'] it fixed our issue.
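
The redirect check discussed in this thread, as an added example that is not vBulletin's code and not from any poster: it shows why a visitor on domain.com fails a whitelist built only from a www Forum URL, and how adding the real request host or a whitelist entry resolves it. The function names and sample URLs are hypothetical, and the scheme and host comparison is one way to do the check, not necessarily the patch's.

```php
<?php
// Added example; not vBulletin code. All function names here are hypothetical.

// Reduce a URL to lower-case "scheme://host[:port]", or null if it has no scheme or host.
function origin_of(string $url): ?string
{
    $p = parse_url(trim($url));
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    return isset($p['port']) ? $origin . ':' . $p['port'] : $origin;
}

// $bburl: configured Forum URL. $realurl: scheme and host of the current request.
// $whitelist: extra allowed sites, one per line.
function redirect_allowed(string $target, string $bburl, string $realurl, string $whitelist): bool
{
    $targetOrigin = origin_of($target);
    if ($targetOrigin === null) {
        // No scheme or host: accept only a local path, never "//host" or "/\host".
        return preg_match('#^/(?![/\\\\])#', $target) === 1;
    }
    $allowed = [];
    $extra = preg_split('/\R/', $whitelist, -1, PREG_SPLIT_NO_EMPTY);
    foreach (array_merge([$bburl, $realurl], $extra) as $entry) {
        $origin = origin_of($entry);
        if ($origin !== null) {
            $allowed[$origin] = true;
        }
    }
    // Exact origin comparison, so a look-alike host that merely starts with an
    // allowed name does not pass the way a string-prefix check would let it.
    return isset($allowed[$targetOrigin]);
}

// Constructed sample values, using the thread's placeholder domain.
$bburl  = 'http://www.domain.com/forums';
$target = 'http://domain.com/forums/index.php';
$cases  = [
    'Forum URL only'          => [$bburl, ''],
    'real request host added' => ['http://domain.com', ''],
    'bare domain whitelisted' => [$bburl, "http://domain.com/forums\n"],
];
foreach ($cases as $label => [$realurl, $whitelist]) {
    echo $label, ': ', var_export(redirect_allowed($target, $bburl, $realurl, $whitelist), true), "\n";
}
```

The first case is rejected and the other two are accepted, matching the symptom and the two fixes described in the posts above.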