Adding additional specific referers to eliminate external source security warnings

9 posts by 3 authors in: Forums > CMS Builder
Last Post: July 9

By gkornbluth - July 6

Hi All,
I’m trying to allow access to the CMSB back end and eliminate the external source security warning by adding specific URLs to the $isExternalReferer code in /lib/common.php (line 2613 in CMSB Version 3.50).

I changed the code from this:

$programBaseUrl = _security_getProgramBaseRefererUrl();
$isInternalReferer = startsWith($programBaseUrl, $_SERVER['HTTP_REFERER']);
if (!$isInternalReferer) {
$format = "Security Warning: A link from an external source has been detected and automatically disabled.\n";

To this:

$programBaseUrl = _security_getProgramBaseRefererUrl();
$popsearch1= 'https://popupdude.com/search.php';
$popsearch2= 'https://popupdude.com/m/search.php';
$isInternalReferer = startsWith($programBaseUrl, $_SERVER['HTTP_REFERER'] || $popsearch1 || $popsearch2);
if (!$isInternalReferer) {
$format = "Security Warning: A link from an external source has been detected and automatically disabled.\n";

But that didn’t work, and it also messed up the page format of the back end, although no errors were listed in the error log.

Any thoughts?

Thanks,
Jerry Kornbluth

The first CMS Builder reference book is now available on-line!

Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php
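
Added example, not part of the original thread and not CMS Builder's own code: in the modified line the `||` operators combine the three strings into a single boolean, so no URL is ever compared. One way to express "the program's base URL or one of these two pages" is an exact-match allowlist, sketched below for PHP 7.1 or later. The function names, the placeholder base URL and the sample referers are assumptions made for this illustration.

```php
<?php
// Added illustration; helper names are hypothetical, not CMS Builder functions.

// Exact external pages to trust (the two URLs from the post above).
$allowedExternalReferers = [
    'https://popupdude.com/search.php',
    'https://popupdude.com/m/search.php',
];

// Reduce a referer to scheme://host[:port]/path so the query string is ignored.
function normalizeReferer(string $referer): ?string {
    $p = parse_url($referer);
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    return strtolower($p['scheme']) . '://' . strtolower($p['host']) . $port . ($p['path'] ?? '/');
}

function isTrustedReferer(string $referer, string $programBaseUrl, array $allowed): bool {
    // Treating a missing referer as untrusted is a choice made for this example.
    if ($referer === '') {
        return false;
    }
    // Internal: the referer begins with the program's base URL.
    if (strncmp($referer, $programBaseUrl, strlen($programBaseUrl)) === 0) {
        return true;
    }
    // External: exact match on the normalized URL, never a prefix or substring match.
    $normalized = normalizeReferer($referer);
    return $normalized !== null && in_array($normalized, $allowed, true);
}

// Constructed sample referers; the base URL is a placeholder.
$base = 'https://www.example.com/cmsAdmin/';
$samples = [
    'https://www.example.com/cmsAdmin/admin.php?menu=books', // internal
    'https://popupdude.com/search.php?q=art',                // allowlisted page
    'https://popupdude.com/other.php',                       // same host, other page
    'https://popupdude.com.lookalike.example/search.php',    // look-alike host
];
foreach ($samples as $r) {
    echo $r, ' => ', isTrustedReferer($r, $base, $allowedExternalReferers) ? 'trusted' : 'external', "\n";
}

// The expression from the modified line evaluates to a boolean, not a URL:
var_dump('https://www.example.com/' || $allowedExternalReferers[0]);
```

Links from every allowlisted page are no longer disabled by the check, so the list is kept to exact pages rather than a whole host or a URL prefix.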

By gkornbluth - July 7

Hi Greg,

Thanks for looking at this and for your code suggestion.

I have a "modify this record" link on a search results page that's only available to admins so that they can update information with fewer clicks.

<?php if (@$CURRENT_USER['isAdmin']): ?><a href="cmsAdmin/admin.php?menu=books&action=edit&num=<?php echo $record['num'] ?>" ><span class="text_font" style="text-decoration:underline">Modify This Entry</span></a><br /><?php endif ?>

I'll give your suggestion a try and let you know what happens.

Best,

Jerry Kornbluth


By gkornbluth - July 7

Hi Greg,

Sorry to be back with this.

When I add your suggested code, I don't get the referrer warning, but the page is very strangely formatted (I got that with my first attempt also).

I've attached screenshots of the original page and the page with your code added to the common.php file.

Hope it's a quick fix and you can get back to more important work.

Thanks,

Jerry Kornbluth

Attachments:

with code.jpg 213K

original.jpg 239K

By gregThomas - July 8

Hey Jerry, 

I'm not sure what's causing that. Are there any errors appearing in the error log? It might be that an error is appearing somewhere and causing the formatting of the page to be off.

Cheers,

Greg

Greg Thomas

PHP Programmer - interactivetools.com

By gkornbluth - July 8

Sorry Greg,

No errors shown. I've cleared the cache and cookies, and tried all 3 browsers.

Can you suggest another approach to not throwing referrer errors for specific referrers?

Thanks,

Jerry Kornbluth


By Steve99 - July 8

Hey Jerry,

In reference to "but the page is very strangely formatted"... I've seen that happen before when patching a file. It ended up being the DW html editor that corrupted the file.

Try replacing the modified file with the original packaged one, then perform the edits in another editor program such as Notepad++ or Sublime Text and upload.

Steve

By gkornbluth - July 8

Good catch Steve,

I'll try that.

Thanks,

Jerry Kornbluth


By gkornbluth - July 9 - edited: July 9

Hey Steve, Greg,

That was it.

Used Notepad++ and it worked like a charm.

Appreciate all your help.

Thanks,

Jerry Kornbluth
