
Wrong Referrer with Pligg safe solution

Wrong Referrer is a message you might see if you post a URL from other pages. It is produced by the function check_referrer() when Pligg checks for possible XSRF (cross-site request forgery): the check requires that the Referer header of the request points back to the Pligg site itself, so a submit form hosted on another site fails it. It happened to me when implementing a submit button on other pages. The unsafe solution is simply removing the check_referrer() call in the submit.php file, which switches the protection off for story submission entirely. My solution instead passes the submitted URL to check_referrer() and lets the request through when the Referer matches that URL. Keep in mind that both the Referer header and the posted URL are supplied by the client, so this relaxes the original check rather than adding protection of its own; leave the rest of the xsfr handling in the function intact. It takes two steps.

1. Update the submit.php file by replacing the code at line 20

if (!$_COOKIE['referrer'])
    check_referrer();

with code:

if (empty($_COOKIE['referrer'])) {
	// A plain GET to submit.php?url=... (no form phase yet) carries the URL in the query string,
	// so copy it into $_POST where the rest of submit.php expects it.
	if (empty($_POST['phase']) && !empty($_GET['url'])) {
		$_POST['url'] = $_GET['url'];
	}
	// sanitize() is Pligg's own helper; pass an empty string when no URL was posted
	// so that check_referrer() falls back to its normal behaviour.
	$url = !empty($_POST['url']) ? htmlspecialchars(sanitize($_POST['url'], 3)) : '';
	check_referrer($url);
}

2. Now update the function check_referrer() in the file /libs/html1.php (around line 973). Replace the existing function with:

//
// CSFR/XSFR protection
// updated: optionally takes $post_url (the URL being submitted) and accepts
// the request when the Referer points at that URL
//
function check_referrer($post_url = false)
{
    global $my_base_url, $my_pligg_base, $xsfr_first_page;

    if (sizeof($_GET) > 0 || sizeof($_POST) > 0)
    {
        if (!empty($_SERVER['HTTP_REFERER']))
        {
            $base = $my_pligg_base;
            if (!$base) $base = '/';
            $_SERVER['HTTP_REFERER'] = sanitize($_SERVER['HTTP_REFERER'], 3);

            // update: accept the request if the Referer contains the posted URL.
            // Only do this for a non-empty $post_url: strpos() with an empty needle
            // would otherwise match every Referer (PHP 8) or emit a warning (PHP 7).
            if ($post_url !== false && $post_url !== '' && strpos($_SERVER['HTTP_REFERER'], $post_url) !== false)
            {
                return true;
            }

            // original Pligg check: the Referer (minus scheme and "www.") must start
            // with this site's own base URL and path
            if (strpos(preg_replace('/^.+:\/\/(www\.)?/', '', $_SERVER['HTTP_REFERER']) . '/',
                       preg_replace('/^.+:\/\/(www\.)?/', '', $my_base_url) . $base) !== 0)
            {
                unset($_SESSION['xsfr']);
                die("Wrong Referrer '{$_SERVER['HTTP_REFERER']}'");
            }
        }
        elseif ($xsfr_first_page)
        {
            // no Referer at all on a request that requires one
            unset($_SESSION['xsfr']);
            die('Wrong security code');
        }
    }
}
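As an added example, not code from this post or from Pligg, the stand-alone PHP script below contrasts the substring test used in step 2 with an origin comparison built on parse_url(). The function names (origin_of, weak_referer_ok, referer_allowed) and the sample requests are made up for the illustration, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the post or from Pligg. It shows why the
// substring test in the patched check_referrer() is weak and what an
// origin comparison looks like instead. Function names are hypothetical
// and the sample requests below are constructed. Requires PHP 7.1+.

// Normalise a URL to its origin ("scheme://host:port"), or null when it
// is not an absolute http(s) URL. "www." is stripped so that
// www.example.org and example.org count as one site, mirroring the
// preg_replace() in Pligg's check_referrer().
function origin_of(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $host = preg_replace('/^www\./', '', strtolower($parts['host']));
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . $host . ':' . $port;
}

// The shortcut added to check_referrer() in step 2, isolated for comparison:
// the request passes if the Referer merely contains the posted URL.
function weak_referer_ok(string $referer, string $postedUrl): bool
{
    return $postedUrl !== '' && strpos($referer, $postedUrl) !== false;
}

// Stricter variant: the Referer must have the origin of this Pligg site or
// the origin of the URL being submitted. Both the Referer and the posted
// URL are still chosen by the client, so this narrows the bypass to pages
// that really live on the submitted site; it is not a CSRF token.
function referer_allowed(string $referer, string $siteBaseUrl, string $postedUrl): bool
{
    $refOrigin = origin_of($referer);
    if ($refOrigin === null) {
        return false;                       // missing or malformed Referer
    }
    if ($refOrigin === origin_of($siteBaseUrl)) {
        return true;                        // request from our own pages
    }
    $postedOrigin = origin_of($postedUrl);
    return $postedOrigin !== null && $refOrigin === $postedOrigin;
}

// Constructed sample requests: [Referer header, posted url, expected strict result].
$site = 'http://www.example.org/pligg/';
$cases = [
    ['http://www.example.org/pligg/submit.php', 'http://blog.example.net/post/1',      true],
    ['http://blog.example.net/post/1',          'http://blog.example.net/post/1',      true],
    ['http://attacker.example/csrf.html',       'http',                                false],
    ['http://attacker.example/csrf.html',       'http://attacker.example/csrf.html',   true],
    ['',                                        'http://blog.example.net/post/1',      false],
];

foreach ($cases as [$referer, $url, $expected]) {
    $weak   = weak_referer_ok($referer, $url);
    $strict = referer_allowed($referer, $site, $url);
    printf("referer=%-40s url=%-36s weak=%-4s strict=%-4s %s\n",
        $referer === '' ? '(none)' : $referer, $url,
        $weak ? 'pass' : 'fail', $strict ? 'pass' : 'fail',
        $strict === $expected ? 'ok' : 'MISMATCH');
}
```

The third case is the one to watch: with the substring test a forged request only has to post url=http for the Referer to "match", whereas the origin comparison rejects it because "http" is not an absolute URL. The fourth case shows the limit of either approach: a page on attacker.example that submits its own URL passes both, because the posted URL is chosen by the same party that controls the Referer. Only a per-session secret that the foreign page cannot read closes that gap, which is why the existing xsfr session handling should stay in place.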
