phpBB2Refugees.com Logo
Not affiliated with or endorsed by the phpBB Group

Register •  Login 

Continue the legacy...

Welcome to all phpBB2 Refugees!Wave Smilie

This site is intended to continue support for the legacy 2.x line of the phpBB2 bulletin board package. If you are a fan of phpBB2, please, by all means register, post, and help us out by offering your suggestions. We are primarily a community and support network. Our secondary goal is to provide a phpBB2 MOD Author and Styles area.

The Final phpBB 2 Security Vulnerability
1 members found this topic helpful
Goto page Previous  1, 2, 3, ... 12, 13, 14  Next
 
Search this topic... | Search phpBB2 Discussion... | Search Box
Register or Login to Post    Index » phpBB2 Discussion  Previous TopicPrint TopicNext Topic
Author Message
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Mon Jan 26, 2009 5:32 pm 
Post subject: Re: The Final phpBB 2 Security Error

Maybe then it would be an idea to wait until 1st Feb just in case there is an official release in which there are other changes.
As you say not long to go so must be worth the short wait to see.

Jim
Back to top
Dog Cow
Board Member



Joined: 18 Nov 2008

Posts: 378


flag
PostPosted: Mon Jan 26, 2009 5:34 pm 
Post subject: Re: The Final phpBB 2 Security Error

I asked Kellanved if there is a chance it will be officially released. I am still awaiting his answer.
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Mon Jan 26, 2009 5:54 pm 
Post subject: Re: The Final phpBB 2 Security Error

In Firefox if you select "Tools">"RefControlOptions the you will see what is in the image below.
Click the "Edit" and select to Block

Images are in reverse order.

Jim

Edit
Dave.
Why are images uploaded via your Attachment mod always very poor quality?



block.jpg
 Description:
 Filesize:  33.04 KB
 Viewed:  1706 Time(s)

block.jpg



ref.jpg
 Description:
 Filesize:  47.9 KB
 Viewed:  1692 Time(s)

ref.jpg


Back to top
Dog Cow
Board Member



Joined: 18 Nov 2008

Posts: 378


flag
PostPosted: Mon Jan 26, 2009 7:00 pm 
Post subject: Probability of phpBB 2.0.24 release

Kellanved wrote:
So, to sum my off-the-record speculation up: extremely unlikely.
Back to top
roadhog
Board Member



Joined: 18 Nov 2008

Posts: 96
Location: Central Texas


flag
PostPosted: Mon Jan 26, 2009 10:30 pm 
Post subject: Re: The Final phpBB 2 Security Error

Jim,

I don't see "RefControlOptions" on my "Tools" menu.



Dog Cow,

Are you reasonably sure that the correct parameter would be:

network.http.sendRefererHeader;0

rather than:

network.http.sendSecureXSiteReferrer;false

If we pick the wrong one, we will assume that we have the problem licked, when, of course, we might not. IOW, I'm messin' with stuff that I don't fully understand, here.

Wait a minute, I'm always messin' with stuff that I don't fully understand - in this case, I'm messin' with stuff that I don't understand at all. icon_lol.gif

I'm thinking that maybe I'd better just make the code changes to those php files, that you posted about, and be done with it, (hopefully).
Back to top
Sylver Cheetah 53
Board Member



Joined: 17 Dec 2008

Posts: 426
Location: Milky Way


flag
PostPosted: Tue Jan 27, 2009 7:09 am 
Post subject: Re: The Final phpBB 2 Security Error

This is why I say we have to test it live on our boards and try to hack ourself. icon_wink.gif
roadhog wrote:
Jim,
I don't see "RefControlOptions" on my "Tools" menu.

Me neither. icon_smile.gif

_________________
Image link
My Forum || My Blog

phpBB2 forever! icon_smile.gif
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Tue Jan 27, 2009 12:10 pm 
Post subject: Re: The Final phpBB 2 Security Error

Ah I see why you do not see it.
It was an add on for Firefox.
If you want it then here it is https://addons.mozilla.org/en-US/firefox/addon/953

Jim
Back to top
Dog Cow
Board Member



Joined: 18 Nov 2008

Posts: 378


flag
PostPosted: Tue Jan 27, 2009 3:06 pm 
Post subject: Re: The Final phpBB 2 Security Error

roadhog wrote:

If we pick the wrong one, we will assume that we have the problem licked, when, of course, we might not.

Let's do a test then.

This web site will tell you what referrer was sent to it: http://www.whatismyreferrer.com/index.php
So if you click it now, you should see phpbb2refugees.com is the referrer. We can now adjust that setting in Firefox and see which one will disable it completely.

Conclusion: it does indeed appear to be true that setting config option network.http.sendRefererHeader to equal zero disables Firefox from sending the referrer information.
Back to top
dogs and things
Board Member



Joined: 18 Nov 2008

Posts: 628
Location: Spain


flag
PostPosted: Tue Jan 27, 2009 3:19 pm 
Post subject: Re: The Final phpBB 2 Security Error

Hm, according to Dog Cow's link my site's sends it's referrer despite the fact that according to the settings of Jim's add-on no referrer should be sent. icon_cry.gif

My first guess is that I'm missing something, icon_razz.gif allthough it looks like I did things right: Installed the add-on, blocked my site from sending referrers, posted Dog Cow's link on my board and clicked on it.

_________________
phpBB2 will never die, I hope!
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Tue Jan 27, 2009 4:29 pm 
Post subject: Re: The Final phpBB 2 Security Error

Quote:
What is my referrer?



Referrer: -

IP: 79.69.6.109

User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

Host Name: 79-69-6-109.dynamic.dsl.as9105.com

Request Method: GET

Query String: -


No referrer sent.
The add on gives the ability to spoof a referrer as well.



Quote:
What is my referrer?



Referrer: http://phpbb.com

IP: 79.69.6.109

User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

Host Name: 79-69-6-109.dynamic.dsl.as9105.com

Request Method: GET

Query String: -


Jim
Back to top
dogs and things
Board Member



Joined: 18 Nov 2008

Posts: 628
Location: Spain


flag
PostPosted: Tue Jan 27, 2009 5:31 pm 
Post subject: Re: The Final phpBB 2 Security Error

How did you do it? icon_eek.gif

I put my site in the proper place, indicate referrers should be blocked and that should be it. Or not?

_________________
phpBB2 will never die, I hope!
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Tue Jan 27, 2009 5:38 pm 
Post subject: Re: The Final phpBB 2 Security Error

dogs and things wrote:
How did you do it? icon_eek.gif

I put my site in the proper place, indicate referrers should be blocked and that should be it. Or not?


How do you mean you put your site in the proper place?
Just click the link above and see what it says. Do not copy the link to your site - no need.

Jim
Back to top
roadhog
Board Member



Joined: 18 Nov 2008

Posts: 96
Location: Central Texas


flag
PostPosted: Tue Jan 27, 2009 5:43 pm 
Post subject: Re: The Final phpBB 2 Security Error

Excellent Jim!

Got it. Thank you sir.



Dog Cow,

Thanks for the link - that's mighty handy. I appreciate your checking it out, and verifying that it works, too.
Back to top
dogs and things
Board Member



Joined: 18 Nov 2008

Posts: 628
Location: Spain


flag
PostPosted: Tue Jan 27, 2009 5:47 pm 
Post subject: Re: The Final phpBB 2 Security Error

I mean that I added my site to the add-ons list of site's that should be blocked from sending referrers.

After doing that I posted a topic on my board that includes the link Dog Cow placed, I clicked on that link and that topic's url appeared where you show an empty referrer. icon_confused.gif

_________________
phpBB2 will never die, I hope!
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Tue Jan 27, 2009 5:52 pm 
Post subject: Re: The Final phpBB 2 Security Error

Nope.
That is for you to specify what referrer you want to send to those sites when you connect to them and not what you want the site to send.
I left that panel blank.
If I wanted to I could add this site and tell it that I want my connection to appear to have come from phpbb.com. Get the idea?

Jim
Back to top
Display posts from previous:   
Register or Login to Post    Index » phpBB2 Discussion  Previous TopicPrint TopicNext Topic
Page 2 of 14 All times are GMT - 4 Hours
Goto page Previous  1, 2, 3, ... 12, 13, 14  Next
 
Jump to:  

Index • About • FAQ • Rules • Privacy • Search •  Register •  Login 
Not affiliated with or endorsed by the phpBB Group
Powered by phpBB2 © phpBB Group
Generated in 0.1073 seconds using 18 queries. (SQL 0.0120 Parse 0.0130 Other 0.0823)
phpBB Customizations by the phpBBDoctor.com
Template Design by DeLFlo and MomentsOfLight.com Moments of Light Logo