Did the login routine change from 2.3.2 to 3.0.7?

**Zachery** · Wed 11 May '05, 2:04pm

Alot... there was a security change in 3.0.6/7 that made it so POST requests from foreign hosts, are not allowed. This means any url that is not set to be the forum url.

You can try adding this to the config, however, you will lose the security benifit.

define('SKIP_REFERRER_CHECK', true);

**dgraff** · Wed 11 May '05, 2:22pm

When you say,

" You can try adding this to the config, however, you will lose the security benifit."
Would I do that through the admincp or in a file somewhere. If it's in a file...can you point me to where the file might be?

Thanks,
Doug

**Steve Machol** · Wed 11 May '05, 3:33pm

The first thing I recommend is that you reupload all the original vB non-image files (except install.php). Make sure you upload these in ASCII format and overwrite the ones on the server.

**dgraff** · Thu 12 May '05, 9:31am

I don't see how doing the same thing again will change the security routine? I'd rather have someone tell me where I enter the "SKIP_REFERRER_CHECK" property.

Thanks,
Doug

**Zachery** · Thu 12 May '05, 9:51am

I did say, you need to add that line to config.php

**dgraff** · Thu 12 May '05, 10:21am

OK...so this is the exact line I put into config.php

$define SKIP_REFERRER_CHECK = true;

and it didn't change the outcome. I'm still getting

POST requests from foreign hosts are not allowed.

If I did everything correct above. Any suggestions on how to manage a server that sits in a DMZ and is addressed from two URLs?

**Steve Machol** · Thu 12 May '05, 10:22am

Just out of curiousity, did you reupload the original vB files as I sugggested?

**Zachery** · Thu 12 May '05, 11:11am

Originally posted by dgraff

OK...so this is the exact line I put into config.php

$define SKIP_REFERRER_CHECK = true;

and it didn't change the outcome. I'm still getting

POST requests from foreign hosts are not allowed.

If I did everything correct above. Any suggestions on how to manage a server that sits in a DMZ and is addressed from two URLs?

It needs to be this line exactly as i said above

Code:

define('SKIP_REFERRER_CHECK', true);

Steve this is an issue from the security measures added in 3.0.6/7

**Steve Machol** · Thu 12 May '05, 11:40am

Originally posted by Zachery

Steve this is an issue from the security measures added in 3.0.6/7

Are you saying this is common with the original vB 3.0.7 files? If so, this is the fiorst I've heard of this.

**Marco van Herwaarden** · Thu 12 May '05, 11:46am

Yes this was added in 3.0.6 to prevent a possible security issue.

You will only have problems with this new protection if you access your board from different domains.

There was also a way (but that required a 1 line hack i think) to only accept the second domain and keep the rest of the protection up.

**Steve Machol** · Thu 12 May '05, 11:47am

Ahh, forgot about the second domain issue. Thanks.

**dgraff** · Thu 12 May '05, 12:14pm

Thanks Guys,

This seems to have done the trick.

Doug

**Gordon Regar** · Fri 13 May '05, 8:31am

Is a reboot necessary after adding the line:
define('SKIP_REFERRER_CHECK', true);
to ./includes/config.php?
tks.
I'll reboot the Windows server anyway just to be on the safe side.

**Marco van Herwaarden** · Fri 13 May '05, 9:01am

No.

PHP scripts are always evaluated when they are called.

Did the login routine change from 2.3.2 to 3.0.7?

Did the login routine change from 2.3.2 to 3.0.7?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment