Announcement

Collapse
No announcement yet.

Did the login routine change from 2.3.2 to 3.0.7?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Did the login routine change from 2.3.2 to 3.0.7?

    Yesterday, I upgraded my vBulletin SW from version 2.3.2 to 3.0.7. Since my server sits in the DMZ it is accessed from two different URLs. Internally, everything is working fine, but now all of my customers get the following error when they enter their username and password.

    "POST requests from foreign hosts are not allowed."

    Everything worked fine before the upgrade. Is there a different login routine in 3.0.7 from 2.3.2? If so, what do I need to tell my firewall guys?

    Thanks,
    Doug

  • #2
    Alot... there was a security change in 3.0.6/7 that made it so POST requests from foreign hosts, are not allowed. This means any url that is not set to be the forum url.

    You can try adding this to the config, however, you will lose the security benifit.

    define('SKIP_REFERRER_CHECK', true);

    Comment


    • #3
      When you say,

      " You can try adding this to the config, however, you will lose the security benifit."
      Would I do that through the admincp or in a file somewhere. If it's in a file...can you point me to where the file might be?

      Thanks,
      Doug

      Comment


      • #4
        The first thing I recommend is that you reupload all the original vB non-image files (except install.php). Make sure you upload these in ASCII format and overwrite the ones on the server.
        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
        Change CKEditor Colors to Match Style (for 4.1.4 and above)

        Steve Machol Photography


        Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


        Comment


        • #5
          I don't see how doing the same thing again will change the security routine? I'd rather have someone tell me where I enter the "SKIP_REFERRER_CHECK" property.

          Thanks,
          Doug

          Comment


          • #6
            I did say, you need to add that line to config.php

            Comment


            • #7
              OK...so this is the exact line I put into config.php

              $define SKIP_REFERRER_CHECK = true;

              and it didn't change the outcome. I'm still getting

              POST requests from foreign hosts are not allowed.

              If I did everything correct above. Any suggestions on how to manage a server that sits in a DMZ and is addressed from two URLs?

              Comment


              • #8
                Just out of curiousity, did you reupload the original vB files as I sugggested?
                Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                Change CKEditor Colors to Match Style (for 4.1.4 and above)

                Steve Machol Photography


                Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                Comment


                • #9
                  Originally posted by dgraff
                  OK...so this is the exact line I put into config.php

                  $define SKIP_REFERRER_CHECK = true;

                  and it didn't change the outcome. I'm still getting

                  POST requests from foreign hosts are not allowed.

                  If I did everything correct above. Any suggestions on how to manage a server that sits in a DMZ and is addressed from two URLs?
                  It needs to be this line exactly as i said above

                  Code:
                  define('SKIP_REFERRER_CHECK', true);
                  Steve this is an issue from the security measures added in 3.0.6/7

                  Comment


                  • #10
                    Originally posted by Zachery
                    Steve this is an issue from the security measures added in 3.0.6/7
                    Are you saying this is common with the original vB 3.0.7 files? If so, this is the fiorst I've heard of this.
                    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                    Change CKEditor Colors to Match Style (for 4.1.4 and above)

                    Steve Machol Photography


                    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                    Comment


                    • #11
                      Yes this was added in 3.0.6 to prevent a possible security issue.

                      You will only have problems with this new protection if you access your board from different domains.

                      There was also a way (but that required a 1 line hack i think) to only accept the second domain and keep the rest of the protection up.
                      Want to take your board beyond the standard vBulletin features?
                      Visit the official Member to Member support site for vBulletin Modifications: www.vbulletin.org

                      Comment


                      • #12
                        Ahh, forgot about the second domain issue. Thanks.
                        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                        Change CKEditor Colors to Match Style (for 4.1.4 and above)

                        Steve Machol Photography


                        Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                        Comment


                        • #13
                          Thanks Guys,

                          This seems to have done the trick.

                          Doug

                          Comment


                          • #14
                            Is a reboot necessary after adding the line:
                            define('SKIP_REFERRER_CHECK', true);
                            to ./includes/config.php?
                            tks.
                            I'll reboot the Windows server anyway just to be on the safe side.
                            Gordon Regar
                            http://Regar.Ca
                            http://Regar-Forums.com

                            Comment


                            • #15
                              No.

                              PHP scripts are always evaluated when they are called.
                              Want to take your board beyond the standard vBulletin features?
                              Visit the official Member to Member support site for vBulletin Modifications: www.vbulletin.org

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X