Adding additional specific refers to eliminate external source security warnings

9 posts by 3 authors in: Forums > CMS Builder
Last Post: July 9, 2020   (RSS)

By gkornbluth - July 6, 2020

Hi All,
I’m trying to allow access to the CMSB back end and eliminate the external source security warning by adding specific URLs to the $isExternalReferer code in /lib/common.php (line 2613 in CMSB Version 3.50)

I changed the code from this:

$programBaseUrl = _security_getProgramBaseRefererUrl();
$isInternalReferer = startsWith($programBaseUrl, $_SERVER['HTTP_REFERER']);
if (!$isInternalReferer) {
$format = "Security Warning: A link from an external source has been detected and automatically disabled.\n";

To this:

$programBaseUrl = _security_getProgramBaseRefererUrl();
$popsearch1= 'https://popupdude.com/search.php';
$popsearch2= 'https://popupdude.com/m/search.php';
$isInternalReferer = startsWith($programBaseUrl, $_SERVER['HTTP_REFERER'] || $popsearch1 || $popsearch2);
if (!$isInternalReferer) {
$format = "Security Warning: A link from an external source has been detected and automatically disabled.\n";

But that didn’t work, and it also messed up the page format of the back end, although no errors were listed in the error log.

Any thoughts?

Thanks,
Jerry Kornbluth

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By gregThomas - July 7, 2020

Hey Jerry,

It would be great if you could give me a few more details on why users from those search pages are being redirected into the CMS, I'd recommend trying to avoid having that action happen if possible.

But if it is necessary, updating your code to the following should work:

  $programBaseUrl = _security_getProgramBaseRefererUrl();
  $popsearch1= 'https://popupdude.com/search.php';
  $popsearch2= 'https://popupdude.com/m/search.php';
  $isInternalReferer = ( startsWith($programBaseUrl, $_SERVER['HTTP_REFERER']) || startsWith($popsearch1, $_SERVER['HTTP_REFERER']) || startsWith($popsearch2, $_SERVER['HTTP_REFERER']) );
  if (!$isInternalReferer) {
    $format = "Security Warning: A link from an external source has been detected and automatically disabled.\n";

The problem was the previous code would pass true if any of the variables existed instead of passing a string, the code above will check if the referrer starts with the pop search 1 or 2 or the CMS base url.

As these are customizations to the CMS core, we can't provide any support if they cause any unforeseen issues, I'd recommend avoiding making these changes if you can.

Cheers,

Greg

Greg Thomas







PHP Programmer - interactivetools.com

By gkornbluth - July 7, 2020

Hi Greg,

Thanks for looking at this and for your code suggestion..

I have a modify this record link on a search results page that's only available to admins so that they can update information with less clicks.

<?php if (@$CURRENT_USER['isAdmin']): ?><a href="cmsAdmin/admin.php?menu=books&action=edit&num=<?php echo $record['num'] ?>" ><span class="text_font" style="text-decoration:underline">Modify This Entry</span></a><br /><?php endif ?>

I'll give your suggestion a try and let you know what happens.

Best,

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By gkornbluth - July 7, 2020

Hi Greg,

Sorry to be back with this.

When I add your suggested code, I don't get the referrer warning, but the page is very strangely formatted (I got that with my first attempt also)

I've attached screenshots of the original page and the page with your code added to the common.php file.

Hope it's a quick fix and you can get back to more important work.

Thanks,

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php
Attachments:

with code.jpg 213K

original.jpg 239K

By gregThomas - July 8, 2020

Hey Jerry, 

I'm not sure what's causing that, are there any errors appearing in the error log? It might be that an error is appearing somewhere and causing the formatting of the page to be off. 

Cheers,

Greg

Greg Thomas







PHP Programmer - interactivetools.com

By Steve99 - July 8, 2020

Hey Jerry,

In reference to "but the page is very strangely formatted"... I've seen that happen before when patching a file. It ended up being the DW html editor that corrupted the file.

Try replacing the modified file with the original packaged one, then perform the edits in another editor program such as Notepad++ or Sublime Text and upload.

Steve

By gkornbluth - July 8, 2020

Good catch Steve,

I'll try that.

Thanks,

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By gkornbluth - July 9, 2020 - edited: July 9, 2020

Hey Steve, Greg,

That was it.

Used notepad++ and it worked like a charm.

Appreciate all your help.

Thanks,

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php