Bug Referer filter can be circumvented

Theraze

Active member
The short 'why' is because mafia is trying to be more secure than KoL itself. :) The slightly longer 'why' is because apparently that option (disabling referrers completely) is no longer possible with mafia post r12023.

matchu

New member
Yeah, this is the reason why most modern sites implement CSRF protection with tokens instead of referers :/ There's a more thorough option that would keep us safe while still allowing all clients: find the specific actions we need to protect (like adventuring), rewrite all pages to include the pwd token on that action, and then reject requests that don't include it. That doesn't sound incredibly feasible, though…

Laughing_Jack

New member
I might be doing something wrong, but this change appears to have borked the raid manager, as I believe that things are coming in w/o the http:// preface. Every time I try to look at dungeon stats, I see:
Request from bogus referer ignored
Path: "/clan_hobopolis.php?place=2"
Host: "127.0.0.1:60081"
Referer: "null"
Is this something that I need to look further into fixing in the manager script?

lostcalpolydude

Developer
Staff member
I think I'm just going to have to revert the disallowing of null referers. Maybe I can require a password hash for adventure.php and make sure to add it to every adventure.php link provided in a page that comes through mafia, but that will probably happen later.
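As an added illustration, not KoLmafia's own code, of the two checks discussed in this thread: a Referer filter of the kind whose log Laughing_Jack quotes (with the null-referer case that broke the raid manager), and the pwd-token check on adventure.php that matchu and lostcalpolydude propose. The host and paths come from the thread; the session token and query values are constructed.

```python
import hmac
from urllib.parse import urlparse, parse_qs

LOCAL_HOST = "127.0.0.1:60081"          # local listener from the quoted log
PROTECTED_PATHS = {"/adventure.php"}    # state-changing actions (from the thread)


def referer_allowed(host, referer, allow_null=True):
    """Referer-based CSRF check: accept only if the Referer points at the local
    listener. A missing or 'null' Referer is what a script (the raid manager)
    sends; allow_null=False reproduces the rejection seen in the log."""
    if referer in (None, "", "null"):
        return allow_null
    return urlparse(referer).netloc == host


def token_allowed(path, query, session_pwd):
    """Token-based CSRF check: protected paths must carry the session's pwd
    hash; read-only pages pass regardless of Referer."""
    if path not in PROTECTED_PATHS:
        return True
    supplied = parse_qs(query).get("pwd", [""])[0]
    # constant-time compare so a wrong token is not distinguishable by timing
    return hmac.compare_digest(supplied.encode(), session_pwd.encode())


def add_pwd(url, session_pwd):
    """Rewrite a link served through the proxy so protected actions carry pwd."""
    parsed = urlparse(url)
    if parsed.path not in PROTECTED_PATHS:
        return url
    sep = "&" if parsed.query else "?"
    return f"{url}{sep}pwd={session_pwd}"


def check_request(path, query, host, referer, session_pwd):
    """Combined policy: reject cross-site Referers, allow null Referers, and
    require the token only where state changes. Returns an accept/reject reason."""
    if not referer_allowed(host, referer, allow_null=True):
        return "Request from bogus referer ignored"
    if not token_allowed(path, query, session_pwd):
        return "Request without pwd token ignored"
    return "ok"
```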