Invalid redirect url appearing since security patch

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Originally posted by Black Tiger
    There are 3 solutions mentioned, have you tried any of them? Best is to use the .htaccess option.
    Thanks Black Tiger
    This option set my problem
    Now My Forum is Right


    • #32
      I'm not sure if this problem is related but at the bottom bar there's a link to my forum labeled "www.compositescentral.com" but it refers to "www.compositescentral.com/www.compositescentral.com".

      This same issue appears with the lost pw form where my forum url is repeated twice before the login do function is after it. I think this might be the source of my issues. Any ideas?


      • #33
        What *exactly* do you have in AdminCP > vBulletin Options > site name/url/etc > Forum URL ?

        Please don't PM or VM me for support - I only help out in the threads.
        vBulletin Manual & vBulletin 4.0 Code Documentation (API)
        Want help modifying your vbulletin forum? Head on over to vbulletin.org
        If I post CSS and you don't know where it goes, throw it into the additional.css template.

        W3Schools <- awesome site for html/css help


        • #34
          Below is a screenshot. Thanks for the help!
          Attached Files


          • #36
            Looks like the 3.8 patch has a flaw:
            Code:
            // if the "realurl" of this request does not equal $bburl, add it as well..
            $realurl = VB_URL_SCHEME . '://' . VB_URL_HOST;
            The problem is that VB_URL_SCHEME and VB_URL_HOST are undefined in vB 3.8. Maybe it's a piece of code from 4.x?

            It's supposed to add the real URL of the site (not the one defined in the options, but the real URL taken from the web server request) to the whitelist. Looks like if it was working, it would take care of the issues in this thread.


            • #37
              Originally posted by Black Tiger
              I found an easier solution, just add "http://domain.com/forums" to your Redirect Domain Whitelist in the Admincp->Site/Url/Contact details.
              Problem fixed.

              However, an automatic redirect from domain.com to www.domain.com should be nicer.
              Thanks for this! It fixed it on my site.


              • #38
                Originally posted by kmike
                Looks like the 3.8 patch has a flaw:
                Code:
                // if the "realurl" of this request does not equal $bburl, add it as well..
                $realurl = VB_URL_SCHEME . '://' . VB_URL_HOST;
                The problem is that VB_URL_SCHEME and VB_URL_HOST are undefined in vB 3.8. Maybe it's a piece of code from 4.x?
                Yep, that looks like a bug.
                Baby, I was born this way


                • #39
                  I'm running version 3.8.7 PL2. I've tried changing the "Cookie Domain" and "Path to Save Cookies" solutions without success. I don't see a "Redirect Domain Whitelist" option in the "Site/Url/Contact Details" page. And I'm currently running on Windows Server 2003/IIS6, so the .htaccess solution isn't going to help either.

                  I can just put up a notice for users to make sure they use www with the url for now, but will a code patch be offered soon? Any other options or solutions?


                  • #40
                    Originally posted by Paul M
                    Yep, that looks like a bug.
                    So what is the correct fix?



                    • #41
                      There is a fix in the pipeline, I have no eta tho.
                      Baby, I was born this way


                      • #42
                        Here's how we fixed it...

                        Temporary patch to functions.php: redirect_whitelist doesn't exist as an "option". It's called "allowedreferrers" in the settings table. By changing the check for the whitelist to options['allowedreferrers'] it fixed our issue.


                        • #43
                          never mind figured it out
                          Last edited by kiss of death; Thu 10 Nov '11, 5:04pm.
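
The whitelist behaviour discussed in posts #36 and #37, as an added PHP example that is not vBulletin's code and not part of any post; the function names, the known-hosts list and the sample values are assumptions. The first call has no request origin and rejects the non-www target, while the second and third accept it through the request origin and through an admin whitelist entry.

```php
<?php
// Added illustration, not vBulletin source; all names and values are hypothetical.

// Reduce an absolute http(s) URL to "scheme://host[:port]", else null.
function origin_of(string $url): ?string
{
    $p = parse_url(trim($url));
    $scheme = is_array($p) ? strtolower($p['scheme'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($p['host'])) {
        return null;
    }
    return $scheme . '://' . strtolower($p['host']) . (isset($p['port']) ? ':' . $p['port'] : '');
}

// Origin of the current request. The Host header is client-supplied, so it
// is only used when it names a host this site is known to answer on.
function request_origin(array $server, array $knownHosts): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $knownHosts, true)) {
        return null;
    }
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $host;
}

// Allowed origins: configured forum URL, admin whitelist, request origin.
function build_whitelist(string $bburl, array $adminList, ?string $realurl): array
{
    $allowed = [];
    foreach (array_merge([$bburl], $adminList, [(string) $realurl]) as $entry) {
        if (($origin = origin_of($entry)) !== null) {
            $allowed[$origin] = true;
        }
    }
    return $allowed;
}

// A redirect target passes only if its origin is in the allowed set.
function is_valid_redirect(string $target, array $allowed): bool
{
    return isset($allowed[origin_of($target) ?? '']);
}

// Constructed sample: forum configured with "www", visitor arrives without it.
$bburl  = 'http://www.domain.com/forums';
$target = 'http://domain.com/forums/index.php';
$known  = ['domain.com', 'www.domain.com'];
var_dump(is_valid_redirect($target, build_whitelist($bburl, [], null)));
var_dump(is_valid_redirect($target, build_whitelist($bburl, [], request_origin(['HTTP_HOST' => 'domain.com'], $known))));
var_dump(is_valid_redirect($target, build_whitelist($bburl, ['http://domain.com/forums'], null)));
```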
