
FAIR WARNING for firewall users, particularly Norton.

Michael Morris

First Post
Vbulletin 3.0.4 has been released, and among other bug features it has a block to prevent self-submitting form attacks. Unfortunately, the code for this will LOCK YOU OUT of any forums that upgrade to 3.0.4.

To avoid being locked out you must configure your firewall to allow the HTTP Referer variable to be sent to the server. Without this code the server has no way of verifying that the form came from vbulletin. Therefore you must allow it to be sent to use sites running vbulletin 3.0.4.

3.0.4 closes a number of security holes, so unless Russ decides otherwise I'll be taking the forums up to that version during the upgrade. I certainly don't want to see these forums hit by something akin to the Santy worm which took down numerous phpbb sites a couple weeks ago, including boards run by some of the members here.
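
The check described in the post above, as an added example that is not part of the original post and is not vBulletin's own code: a form POST is accepted only when its Referer header names the forum's own host, so a client whose firewall strips the header is rejected the same way a form submitted from another site is. The hostname `forum.example`, the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

FORUM_HOST = "forum.example"  # assumed hostname, not taken from the thread


def referer_verdict(method, headers, forum_host=FORUM_HOST):
    """Classify a request the way a Referer-based form check would.

    Returns "allow", "reject-missing" or "reject-foreign".
    """
    if method.upper() != "POST":
        return "allow"  # only form submissions are checked
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    referer = lowered.get("referer", "").strip()
    if not referer:
        # Header stripped by a privacy filter: the server cannot tell this
        # request apart from a form that was submitted from another site.
        return "reject-missing"
    host = (urlsplit(referer).hostname or "").lower()
    # Compare the parsed hostname exactly. A substring or prefix match
    # would also accept a lookalike such as forum.example.lookalike.example.
    if host == forum_host.lower():
        return "allow"
    return "reject-foreign"


# Constructed sample requests: (description, method, headers)
SAMPLES = [
    ("reply posted from the forum's own page", "POST",
     {"Referer": "http://forum.example/newreply.php?t=1"}),
    ("same reply, Referer stripped by a personal firewall", "POST", {}),
    ("form hosted on a lookalike host", "POST",
     {"Referer": "http://forum.example.lookalike.example/form.html"}),
    ("ordinary page view without a Referer", "GET", {}),
]


def classify_samples():
    """Return (description, verdict) for each constructed sample request."""
    return [(desc, referer_verdict(m, h)) for desc, m, h in SAMPLES]


if __name__ == "__main__":
    for desc, verdict in classify_samples():
        print(f"{verdict:15} {desc}")
```

Reading the forum still works without the header in this sketch; only the POST that submits a form is refused.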
 


diaglo

Adventurer
part of the problem of being a dinosaur...

i have no idea what you just said. but i recognized the words firewall and Norton. both of which i know work uses.

so just in case i can only log on from home from now on... thanks for the heads up.
 

Ghostwind

First Post
Michael, when you post something like this, it would be helpful to give folks exact directions on what they need to do to be able to view the site. For instance, I run ZoneAlarm as a firewall. Is this something that will affect me also? Is it merely a fix of adding the site to the "trusted" list?
 

Michael Morris

First Post
Ghostwind said:
Michael, when you post something like this, it would be helpful to give folks exact directions on what they need to do to be able to view the site. For instance, I run ZoneAlarm as a firewall. Is this something that will affect me also? Is it merely a fix of adding the site to the "trusted" list?

Tell you what. I'll write up a simple diagnostic test page that will let you know if there'll be a problem. It's still going to be a couple of weeks before the new site goes up, so it will give you time to tweak your settings :)

Ok, click here for the test.

Hmm, what I typed in should work. Maybe I need to check my own firewall settings as well (sheepish grin) - that or the test code don't work.
 

Michael Morris

First Post
Apparently that script isn't working, 'cause I just tried to lock myself out with a conditional... Hmmm... I will get a working test page shortly.
 


Michael Morris

First Post
It's similar. It's a code level change that is being instituted by Jelsoft themselves, but problems have already been reported at vbulletin.com regarding the fix.
 

Enkhidu

Explorer
Well, in that case maybe a 3rd party test would be in order?

My Google-Fu brought me here: http://www.wykes.org/firewalls.html

It's a test designed for a different purpose, but includes a quick and simple http_referer test. From the look of it, outward facing firewalls (like most SOHO Cable-DSL routers out there) won't be affected; it will take an inward facing firewall (like Norton, BlackIce, etc) to give trouble.
 


Verequus

First Post
I'm using both Firefox and ZoneAlarm and the test linked by Enkhidu fails at both examples. How do I know which setting of which program is responsible?
 
