Ticket #954 (open enhancement)
Bad HTTP_REFERER when posting on FluxBB forum sites [Non-privileged user account]
- Created: 2014-03-02 15:46:39
- Reported by: cfr
- Assigned to: None
- Milestone: 1.6
- Component: security
- Priority: normal
I have been getting this error for over a month on the forums at https bbs<dot>archlinux<dot>org. [Sorry, I cannot post links here.] In an attempt to get to the bottom of the problem, I created an account at fluxbb<dot>org/forums/ and tried to post in a relevant thread there. However, I get exactly the same error when I try to post.
When I try to post, reply etc. I receive the following message:
Bad HTTP_REFERER. You were referred to this page from an unauthorized source. If the problem persists please make sure that 'Base URL' is correctly set in Admin/Options and that you are visiting the forum by navigating to that URL. More information regarding the referrer check can be found in the FluxBB documentation.
However, I am not a moderator or administrator so I have no control over the setting of 'Base URL' as far as I'm aware.
The site does know that I am logged in and continues to recognise me correctly.
I am using Firefox (currently 27.0.1). Specifically, I am using Mozilla's binary build for GNU/Linux x86_64.
If I use a clean profile, I can initially post but then the problem recurs. Disabling add ons did not seem to help. I can post if I use an alternative browser (Arch's build of chromium for x86_64).
I have tried deleting every cookie I could find related to the site or anything else. However, given that I can reproduce the issue with a brand new account on the FluxBB forums, I guess this is not likely to be the problem.
I have also tried watching the web console for errors. I don't even get any warnings. I do get a few messages from NoScript concerning the setting of secure cookies but these just note the fact that the cookies have been set and, besides, disabling add ons didn't help so I assume these are likely normal.
This is not a new issue in the sense that it has been going on for weeks. It is a new issue in that everything worked perfectly prior to that point.
I'm not sure what else to check and would be extremely grateful for any pointers. I'm happy to provide additional information if that would be helpful. Obviously, I can only provide information from my own machine - I can't provide information about the forum sites unless it is accessible to members with ordinary registration.
I'm running 3.13.5-1-ARCH #1 SMP PREEMPT Sun Feb 23 00:25:24 CET 2014 x86_64 GNU/Linux. This is the current stable release of Arch Linux. I'm not using any packages from testing. My desktop environment is KDE. I use Mozilla's build of Firefox because Arch's build does not work with my preferred interface language. I have some issues accessing parts of stackexchange.com but these are similar to problems reported by others whereas the issue with Arch's forums seems to be specific to me. I can post fine on Arch wiki (https wiki<dot>archlinux<dot>org/) and on AUR (https aur<dot>archlinux<dot>org/). I'm not certain if this is because those sites work differently or if it is just because they use distinct accounts.
Visman 2014-03-02 16:38:01
Wait for FluxBB 2 release. Developers aren't going to change before it approach to check of authenticity of forms.
Franz 2014-03-02 21:09:45
It's not really a bug, but by design. Then again, that design is rather bad.
Are you using any firewall or software that might be changing your Firefox's referrer headers?
Visman has this implemented in his modification. Is this something to consider for 1.6.x? If yes, maybe Visman would consider submitting a pull request.
I'm using iptables but it is not changing headers for Firefox (or anything else). I'm also behind a NAT but there's no other firewall. So I don't think it is that.
How can it be by design that it is not possible to post on a forum? Isn't that sort of the point of forum software?
At the very least, it could give a more accurate error message. Since a non-admin user can't alter the options it mentions, perhaps it should just say 'Version 2 of this forum software will have an exciting new feature allowing users to post as well as view forums. If you are very lucky, the administrators of this site may upgrade to version 2 when we release it. We would suggest you urge them to do so except you can't because version 1 doesn't have this feature.'
But this is a regression and not an enhancement request. It worked perfectly. Then it didn't. How can that not be a bug?
Franz 2014-03-03 09:27:33
What I meant is that using the referrer for cross-site request forgery prevention is by design. That approach is certainly far from being the best, but it's not a bug in itself.
The fact that you can't post obviously is, though. We just need to figure out what is happening to your referrer header. Can you use Firefox's dev tools to check which referrer header is sent when you access the site?
Sorry for coming across as rude, if I did.
Pierre 2014-03-07 05:23:04
You should try to remove that NoScript extension as that might mess with your referer.
I am the maintainer of the Arch Linux forums and we had a few issues with this referer check. Usually people either use soem extension or manually disabled sending the referer (see about:config).
In general depending on the referer is not great securitywise and peole might want to disable it in their browsers for privacy reasons. A token-based system is pretty easy to implement though.
Koos 2014-03-20 20:59:50
An idea for implementing a token system without the need make many file changes:
https://github.com/Koos10/fluxbb/commit … 035607a0ac
Franz 2018-07-19 21:55:04
- Component set to security.
- Milestone set to 1.6.
- Type changed from bug to enhancement.
Visman 2018-07-20 02:55:05
It has long been decided with minimal interference in the code https://github.com/MioVisman/FluxBB_by_ … 1131-L1176
The protocol also affects the value of the token
JChase2 2020-02-12 00:16:27
For what it's worth, we ran into this issue with a user this week. Implemented Visman's code, still got the error. Eventually ended up adding a custom 'Empty referrer' message in common.php and changed the error for an empty referrer to 'Empty referrer'.
Disabled all addons, still got the error. Had him go to about:config , then check network.http.sendRefererHeader , which he had set to 0 instead of 2. Setting it back to 2 fixed the issue.
Visman 2020-02-12 00:40:49
@JChase2, I have added the csrf_hash variable in all forms and links that cause changes to the forum: https://github.com/MioVisman/FluxBB_by_ … =csrf_hash
JChase2 2020-02-12 00:57:27
@Visman Ah, yeah that makes sense. Thanks!