# FAIR WARNING for firewall users, particularly Norton.



## Michael Morris (Jan 3, 2005)

Vbulletin 3.0.4 has been released, and among other bug fixes and features it has a block to prevent self-submitting form attacks.  Unfortunately, the code for this will LOCK YOU OUT of any forums that upgrade to 3.0.4.

To avoid being locked out you must configure your firewall to allow the HTTP Referer variable to be sent to the server.  Without this code the server has no way of verifying that the form came from vbulletin. Therefore you must allow it to be sent to use sites running vbulletin 3.0.4.

3.0.4 closes a number of security holes, so unless Russ decides otherwise I'll be taking the forums up to that version during the upgrade. I certainly don't want to see these forums hit by something akin to the Santy worm which took down numerous phpbb sites a couple weeks ago, including boards run by some of the members here.


----------



## diaglo (Jan 3, 2005)

part of the problem of being a dinosaur... 

i have no idea what you just said. but i recognized the words firewall and Norton. both of which i know work uses.

so just in case i can only log on from home from now on... thanks for the heads up.


----------



## Ghostwind (Jan 3, 2005)

Michael, when you post something like this, it would be helpful to give folks exact directions on what they need to do to be able to view the site. For instance, I run ZoneAlarm as a firewall. Is this something that will affect me also? Is it merely a fix of adding the site to the "trusted" list?


----------



## Michael Morris (Jan 3, 2005)

Ghostwind said:

> Michael, when you post something like this, it would be helpful to give folks exact directions on what they need to do to be able to view the site. For instance, I run ZoneAlarm as a firewall. Is this something that will affect me also? Is it merely a fix of adding the site to the "trusted" list?




Tell you what. I'll write up a simple diagnostic test page that will let you know if there'll be a problem.  It's still going to be a couple of weeks before the new site goes up, so it will give you time to tweak your settings.

Ok, click here for the test.

Hmm, what I typed in should work.  Maybe I need to check my own firewall settings as well (sheepish grin) - that or the test code doesn't work.


----------



## Michael Morris (Jan 3, 2005)

Apparently that script isn't working, 'cause I just tried to lock myself out with a conditional.. Hmmm..  I will get a working test page shortly.


----------



## Enkhidu (Jan 3, 2005)

MM,

Is your referrer page the same one as was posted in the vBulletin thread you started over at vBulletin.org?


----------



## Michael Morris (Jan 3, 2005)

It's similar.  It's a code level change that is being instituted by Jelsoft themselves, but problems have already been reported at vbulletin.com regarding the fix.


----------



## Enkhidu (Jan 3, 2005)

Well, in that case maybe a 3rd party test would be in order?

My Google-Fu brought me here: http://www.wykes.org/firewalls.html

It's a test designed for a different purpose, but includes a quick and simple http_referer test. From the look of it, outward facing firewalls (like most SOHO Cable-DSL routers out there) won't be affected; it will take an inward facing firewall (like Norton, BlackIce, etc) to give trouble.


----------



## Knight Otu (Jan 3, 2005)

Enkhidu said:

> My Google-Fu brought me here: http://www.wykes.org/firewalls.html



According to that one, I should be safe without changes... (Given that I'm not in a position to change our firewall settings, that's good).


----------



## Verequus (Jan 3, 2005)

I'm using both Firefox and Zonealarm and the test linked by *Enkhidu* fails at both examples. How do I know which setting of which program is responsible?


----------



## Darkness (Jan 3, 2005)

Uh-oh. I tried Otu's page. Looks like I'll need to talk to my internet admin. I hope he'll be able to reconfigure the router firewall properly; he's not exactly what they call "1337," you see.


----------



## Enkhidu (Jan 3, 2005)

RuleMaster said:

> I'm using both Firefox and Zonealarm and the test linked by *Enkhidu* fails at both examples. How do I know, which setting of which program is responsible?




Start with Zonealarm and the HTTP_Referer setting, then check again. The HTTP_Referer problem is more broad.


----------



## Verequus (Jan 3, 2005)

Enkhidu said:

> Start with Zonealarm and the HTTP_Referer setting, then check again. The HTTP_Referer problem is more broad.



I can't find a setting in Zonealarm that seems to have anything to do with HTTP_Referrer. Either I've overlooked it, it has another name in the German version, or there isn't such a setting at all.


----------



## BSF (Jan 3, 2005)

Thanks for the heads-up Michael.  Looks like I need to be a little less restrictive with the firewall settings at work.


----------



## Morrus (Jan 3, 2005)

Hmmm.... it's registering a problem with me and I'm _not_ behind a firewall.


----------



## Enkhidu (Jan 3, 2005)

Morrus said:

> Hmmm.... it's registering a problem with me and I'm _not_ behind a firewall.




1) What browser are you using, and 2) who's your internet provider?


----------



## Verequus (Jan 3, 2005)

Morrus said:

> Hmmm.... it's registering a problem with me and I'm _not_ behind a firewall.



I briefly deactivated Zonealarm and the images still didn't show up. I have Strato as my provider, but I don't think that you know this company.


----------



## Michael Morris (Jan 3, 2005)

I can already tell this is going to be a headache.  Well, it is possible to disable the block, at increased risk to the site.


----------



## Morrus (Jan 3, 2005)

Probably best, Michael.  If I'm having trouble (and I'm supposed to be on top of what goes on here), just imagine what the rest of the visitors will be experiencing.


----------



## BOZ (Jan 3, 2005)

ick


----------



## Enkhidu (Jan 4, 2005)

RuleMaster said:

> I've deactivated shortly Zonealarm and the images still didn't show up. I'm having Strato as provider, but I don't think that you know this company.




When you said the images didn't show up, did you get the BANNED icon or simply the failed image icon? If it's the former, you still have an HTTP_referer issue; if not, then don't worry about it - it wouldn't affect what MM was suggesting anyway.

As for the security feature: would it be a good idea to, on the new server, set up a test bed after it's built (and before vBulletin is installed) with the appropriate PHP scripts to test the setting (and all other necessary PHP security settings) and then conduct a test driven by the community? You could have a meta thread (or maybe a general thread) with a link to the test, directions on fixing it if the test fails, and even a poll to determine how many have problems even after the fix.

It could let the powers that be make an informed decision.


----------



## Truth Seeker (Jan 4, 2005)

eeeee....I can't see, I can't seee....eeeeee


----------



## Darkness (Jan 4, 2005)

me said:

> I tried *Enkhidu's* page.



Fixed.

Example 1: shows up
Example 2: right image is broken
Example 3: right image says "Blocked"


----------



## diaglo (Jan 4, 2005)

$_SERVER['HTTP_REFERRER'] is not present, you'll need to figure out how to turn off the setting of your firewall that blocks this variable from being sent.


----------



## jthilo (Jan 4, 2005)

*typo?*

Stab in the dark here--could it be that you've misspelled HTTP_REFERER?  The test page spells it HTTP_REFERRER.  That might explain why people who aren't behind firewalls fail the test.
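As an added illustration (not code from the thread, from vBulletin, or from the test page linked above), here is the kind of Referer check the first post describes, written in Python against a WSGI/CGI-style request environment, which uses the same `HTTP_REFERER` key that PHP's `$_SERVER` does. The three constructed requests show the intended outcome (a form posted from the board itself passes), the lock-out failure mode the thread is about (a privacy firewall that strips the header makes the check fail even for a legitimate user), and the misspelling jthilo spotted: asking for `HTTP_REFERRER` always reports "missing", whatever the browser sent, so a test page with that typo fails for everyone. The site host is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the board's own hostname; not the real forum.
SITE_HOST = "forums.example.org"


def referer_check(environ, site_host=SITE_HOST, header_key="HTTP_REFERER"):
    """Decide whether a form submission may proceed based on the Referer header.

    environ follows the CGI/WSGI convention: the request header "Referer"
    (spelled with one R in the middle, as the HTTP specification does)
    arrives as environ["HTTP_REFERER"]. Returns (allowed, reason) so the
    caller can distinguish a stripped header from a genuinely foreign origin.
    """
    referer = environ.get(header_key)
    if not referer:
        # Either the browser/firewall suppressed the header, or the key is
        # misspelled on the server side. Both look identical from here.
        return False, "missing"
    host = urlsplit(referer).hostname
    if host is None:
        return False, "unparseable"
    if host.lower() != site_host.lower():
        return False, "foreign"
    return True, "ok"


def explain(environ):
    """Turn the check result into the advice a diagnostic page would show."""
    allowed, reason = referer_check(environ)
    if allowed:
        return "Referer received; forms on this site will work."
    if reason == "missing":
        return ("No Referer header reached the server. A firewall or browser "
                "privacy setting is probably stripping it; forms will be refused.")
    return f"Referer rejected ({reason}); the form did not come from {SITE_HOST}."


# --- constructed sample requests (not captured traffic) ---------------------
NORMAL_REQUEST = {
    "REQUEST_METHOD": "POST",
    "HTTP_REFERER": "http://forums.example.org/newreply.php?t=123",
}
# A "privacy" firewall removed the Referer header before it left the PC.
STRIPPED_REQUEST = {"REQUEST_METHOD": "POST"}
# The form was posted from some other site entirely.
FOREIGN_REQUEST = {
    "REQUEST_METHOD": "POST",
    "HTTP_REFERER": "http://other.example.net/page.html",
}

if __name__ == "__main__":
    for name, env in [("normal", NORMAL_REQUEST),
                      ("stripped", STRIPPED_REQUEST),
                      ("foreign", FOREIGN_REQUEST)]:
        print(f"{name:9s} {referer_check(env)}  {explain(env)}")
    # The typo case: the right header is present, the wrong key is queried.
    print("typo     ", referer_check(NORMAL_REQUEST, header_key="HTTP_REFERRER"))
```

The point of returning the reason separately is that "missing" and "foreign" call for different responses: the first is the false positive that locked users out in this thread, and a diagnostic page should say so rather than lump it in with a real cross-site submission.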


----------



## Verequus (Jan 4, 2005)

Enkhidu said:

> When you said the images didn't show up, did you get the BANNED icon or simply the failed image icon? If its the former, you still have an HTTP_referer issue, if not then don't worry about it - it wouldn't effect what MM was suggesting anyway.



I don't get the right images for either of examples 2 and 3 - one broken link and the BLOCKED icon. Do I have to worry then?

Internet Explorer has the same problem. Does this mean that my provider does something wrong?


----------



## Enkhidu (Jan 4, 2005)

RuleMaster said:

> I get neither the right images for both examples 2 and 3 - one broken link and the BLOCKED icon. Do I have to worry then?
> 
> The Internet Explorer has the same problem. Does this mean, that my provider does something wrong?




Alright, everybody out of the pool.

Take a look at the topmost image pair - is the pair clean and identical? If so, then you have absolutely no problem. The image pairs farther down the page are simply references for you to match the real image pair to.


----------



## Verequus (Jan 4, 2005)

Oh. Ohohoh. Shame on me - the stupid user syndrome has smitten me... A truly sad day, if you knew what I should be capable of. AARRGGHH!!!

Everything is fine - ignore all my above posts please.


----------



## Gez (Jan 4, 2005)

RuleMaster said:

> Oh. Ohohoh. Shame on me - the stupid user syndrome has smitten me... A truly sad day, if you would know, what I should be capable of. AARRGGHH!!!




If it can consolate you, you aren't the only one completely ashamed right now. I blame the English language. I mean, all these things are redacted in a crazy moon language that I can barely decipher.


----------



## Enkhidu (Jan 4, 2005)

Gez said:

> If it can consolate you, you aren't the only one completely ashamed right now. I blame the English language. I mean, all these things are redacted in a crazy moon language that I can barely decipher.




This coming from the Frenchman who can properly use the word "redacted."


----------



## Darkness (Jan 5, 2005)

I'm not ashamed. I was just too tired.


----------



## Verequus (Jan 5, 2005)

Gez said:

> If it can consolate you, you aren't the only one completely ashamed right now. I blame the English language. I mean, all these things are redacted in a crazy moon language that I can barely decipher.



How about creating a thread where we all remember our misunderstandings regarding English? I could start with the tale that I used "intercourse" instead of "discourse". Luckily, it was the right person on the other end - one who understood that I had made a mistake, not the other way around.


----------

