Invalid redirect url appearing since security patch

**Bahadar Musalman** · Sun 17 Jul '11, 8:30pm

Originally posted by Black Tiger

There are 3 solutions mentioned, have you tried any of them? Best is to use the .htaccess option.

Thanks Black Tiger
This option set my problem
Now My Forum is Right

**canyoncomposite** · Wed 20 Jul '11, 10:40am

I'm not sure if this problem is related but at the bottom bar there's a link to my forum labeled "www.compositescentral.com" but it refers to "www.compositescentral.com/www.compositescentral.com".

This same issue appears with the lost pw form where my forum url is repeated twice before the login do function is after it. I think this might be the source of my issues. Any ideas?

**Lynne** · Wed 20 Jul '11, 2:41pm

What *exactly* do you have in AdminCP > vBulletin Options > site name/url/etc > Forum URL ?

**canyoncomposite** · Wed 20 Jul '11, 5:09pm

Below is a screenshot. Thanks for the help!

Attached Files

**Trevor Hannant** · Thu 21 Jul '11, 2:35am

Forum URL should be http://...

**kmike** · Fri 22 Jul '11, 3:51am

Looks like the 3.8 patch has a flaw:

Code:

// if the "realurl" of this request does not equal $bburl, add it as well..
$realurl = VB_URL_SCHEME . '://' . VB_URL_HOST;

The problem is that VB_URL_SCHEME and VB_URL_HOST are undefined in vB 3.8. Maybe it's a piece of code from 4.x?

It's supposed to add the real URL of the site (not the one defined in the options, but the real URL taken from the web server request) to the whitelist. Looks like if it was working, it would take care of the issues in this thread.

**Webbstre** · Mon 25 Jul '11, 3:28am

Originally posted by Black Tiger

I found an easyer solution, just add "http://domain.com/forums" to your Redirect Domain Whitelist in the Admincp->Site/Url/Contact details.
Problem fixed.

However, an automatic redirect from domain.com to www.domain.com should be nicer.

Thanks for this! It fixed it on my site.

**Paul M** · Mon 25 Jul '11, 4:10am

Originally posted by kmike

Looks like the 3.8 patch has a flaw:

Code:

// if the "realurl" of this request does not equal $bburl, add it as well..
$realurl = VB_URL_SCHEME . '://' . VB_URL_HOST;

The problem is that VB_URL_SCHEME and VB_URL_HOST are undefined in vB 3.8. Maybe it's a piece of code from 4.x?

Yep, that looks like a bug.

**hossenpheffer** · Tue 26 Jul '11, 4:38am

I'm running version 3.8.7 PL2. I've tried changing the "Cookie Domain" and "Path to Save Cookies" solutions without success. I don't see a "Redirect Domain Whitelist" option in the "Site/Url/Contact Details" page. And I'm currently running on Windows Server 2003/IIS6, so the .htaccess solution isn't going to help either.

I can just put up a notice for users to make sure they use www with the url for now, but will a code patch be offered soon? Any other options or solutions?

**dknelson99** · Fri 9 Sep '11, 8:35am

Originally posted by Paul M

Yep, that looks like a bug.

So what is the correct fix?

**Paul M** · Fri 9 Sep '11, 12:56pm

There is a fix in the pipeline, I have no eta tho.

**pirate4x4lance** · Wed 5 Oct '11, 6:06am

Here's how we fixed it...

Temporary patch to functions.php redirect_whitelist doesn't exist as an "option". It's called "allowedreferrers" in the settings table. By changing the check for the whitelist to options['allowedreferrers'] it fixed our issue.

**kiss of death** · Thu 10 Nov '11, 4:10pm

never mind figured it out

vBulletin 3 End of Life

Invalid redirect url appearing since security patch

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment