MyBB Community Forums

Full Version: Check referrer for various actions
Basically, I think MyBB should have something similar to PunBB's feature: http://netfusion.new21.net/punbb/faq.html#BAD_REFERER

It seems possible that someone could easily send a moderator/administrator to a page such that a thread, for example, could get deleted, e.g.:

del.html
Code:
<!-- Auto-submits the hidden POST the moment the page loads; the victim's browser attaches their board cookies -->
<html><body onLoad="document.forms[0].submit()">

<form action="<board URL>/moderation.php" method="post">
<input type="hidden" name="action" value="do_deletethread" />
<input type="hidden" name="tid" value="<TID Number>" />
</form>

</body></html>
gohere.html
Code:
<!-- Loads del.html invisibly while showing the victim an unrelated page -->
<html><body><iframe src="del.html" style="display: none;"></iframe>
<iframe src="<Some interesting webpage>" style="width: 100%; height: 100%; border: 0"></iframe>
</body></html>

What do you think?
It's an interesting feature, but basically pointless. Referrers are very easily faked (there's even a Firefox plugin to do it). Data sent from the browser should never be counted on to be accurate.
^ No, you don't understand the point.

Yes, I know the Firefox plugin to fake referrers, but no one can force you to install the referrer-faking plugin.
In fact, to my knowledge, there's no way to fake a referrer using HTML and JavaScript.
Bump - what do you think about this?
MyBB 1.4 will have sids for moderator actions to prevent this sort of CSRF attack
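To make the attack in the first post and the fix mentioned above concrete, here is an added example (not MyBB's code, and not from anyone in this thread) of the server side of a moderation action, reduced to the checks under discussion. The field name `post_key`, the board origin `https://forum.example` and the constructed session are assumptions for illustration. The forged form from del.html carries only `action` and `tid`, so a per-session token the attacker cannot read is what actually stops it; the Referer check is kept as defence in depth and deliberately tolerates a missing Referer, because browsers and proxies strip it legitimately.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Assumed board origin and token field name (illustrative, not MyBB's real ones).
BOARD_ORIGIN = "https://forum.example"
TOKEN_FIELD = "post_key"


@dataclass
class Session:
    """Server-side session for a logged-in moderator (constructed for the example)."""
    user_id: int
    # Random per-session secret; only pages served by the board can embed it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def render_delete_form(session: Session, tid: int) -> dict:
    """What the board's own confirmation page submits: the token rides along."""
    return {"action": "do_deletethread", "tid": str(tid), TOKEN_FIELD: session.csrf_token}


def referer_is_foreign(referer: Optional[str]) -> bool:
    """True only when a Referer is present and names another origin.

    A missing Referer is tolerated: browsers and proxies strip it legitimately,
    so rejecting on absence would lock out real moderators.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" != BOARD_ORIGIN


def handle_moderation(form: dict, session: Session, referer: Optional[str]) -> str:
    """Server side of a moderation.php-style handler, reduced to the CSRF checks."""
    if form.get("action") != "do_deletethread":
        return "ignored: unknown action"
    # Primary defence: the request must carry the session's token, compared in
    # constant time so the check leaks nothing about the correct value.
    submitted = form.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return "rejected: missing or invalid token"
    # Defence in depth: a Referer that names another site is a cross-site submit.
    if referer_is_foreign(referer):
        return "rejected: foreign referer"
    return f"deleted thread {form['tid']}"


def demo() -> dict:
    """Runs the forged request from del.html and a legitimate one through the handler."""
    moderator = Session(user_id=7)
    # The hidden form from del.html: the attacker knows action and tid, not the token.
    forged = {"action": "do_deletethread", "tid": "42"}
    return {
        "forged_no_token": handle_moderation(
            forged, moderator, "https://evil.example/gohere.html"),
        # Guessing a 128-bit token is hopeless; a wrong one is rejected the same way.
        "forged_guessed_token": handle_moderation(
            {**forged, TOKEN_FIELD: "0" * 32}, moderator, None),
        "legit": handle_moderation(
            render_delete_form(moderator, 42), moderator, BOARD_ORIGIN + "/moderation.php"),
        # Even with a leaked token, a foreign Referer still trips the second check.
        "leaked_token_foreign_referer": handle_moderation(
            render_delete_form(moderator, 42), moderator, "https://evil.example/"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Note the order of the checks: the token is verified first because it is the control that does not depend on anything the browser volunteers, which is the objection raised earlier in the thread about trusting the Referer.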
Oh I see. Thanks Tikitiki!
You can get rid of this thread then.