The Community Forums


Http_xxxxxxxxxxxxxxx

Discussion in 'General Discussion' started by kostaia, May 5, 2006.

  1. kostaia

    kostaia Registered

    I've noticed that instead of http_referer I get HTTP_XXXXXXXXXXXXXXX in phpinfo.
    Is that a bug, or a fix for referer spam that cPanel released?
    I really need the http_referer variable. How can I enable it, please?
     
  2. webignition

    webignition Well-Known Member

    Can you clarify exactly what you mean by "HTTP_XXXXXXXXXXXXXXX"?

    The value of $_SERVER['HTTP_REFERER'] is only really relevant when checking it from an executing script and not really relevant in the context of the output of php_info(). What are you actually seeing in your scripts?

    Furthermore, I don't believe that there is a way of dealing with referrer spam. This value is set by the user agent and can be set to any possible value which is impossible to verify.

    Because of this, scripts should never depend on $_SERVER['HTTP_REFERER']. By all means use it as a reference or in conjunction with some other verification method, but so long as you assume the value to be incorrect.
     
  3. kostaia

    kostaia Registered

    In addition

    Sorry, I just realized the http_xxxxx is coming from ZoneAlarm Security Suite, as it's converting the string http_host into http_xxxx.

    Though my original question was about referer.

    Is it dangerous to enable the http_referer variable? As mentioned, I could see the http_referer in phpinfo but I can't see it now.

    I use the http_referer to verify the referers coming to my site to get an automated update on software, so once the variable is no longer showing the value, my updates are not available to members.

    Any recommendation is really appreciated, please.
     
  4. webignition

    webignition Well-Known Member

    As I mentioned, what you see in the output of php_info() really isn't relevant. The important aspect is whether or not $_SERVER['HTTP_REFERER'] is set in scripts and, if not, it is only relevant if it should have been set.

    And no, it's not dangerous to enable $_SERVER['HTTP_REFERER']. It's only a plain text value, but you should remember that as it can contain absolutely anything anyone wants, it is first not to be trusted and second could contain some malicious content that could be executed under certain conditions - always sanitise it before using it!

    1) What OS are you running?
    2) What version of WHM/cPanel are you running?
    3) What version of PHP are you running?
    4) If a Redhat-based OS and if you are using Yum to update the OS, is PHP excluded from Yum updates?

    You should also remember that $_SERVER['HTTP_REFERER'] is (most commonly) set by the user agent as being the URL of the page the user was viewing before reaching your page. If they browse directly to your page, $_SERVER['HTTP_REFERER'] will be blank.

    $_SERVER['HTTP_REFERER'] is picked up from Apache and is just a plain text value that is set in an HTTP request header. Since HTTP requests are plain text and can be manipulated at will, such values can be set by anyone to anything they want at any time and in no way can this ever be checked for validity. Therefore it is unwise to use $_SERVER['HTTP_REFERER'] for anything important.
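
Added example, not part of any post in this thread: one way to gate a members-only update download on a signed, expiring token instead of the Referer header, keeping the Referer only as a sanitised log field. `UPDATE_SECRET`, the `token` query parameter and all function names are hypothetical.

```php
<?php
// Hypothetical secret; in practice load it from configuration outside the web root.
const UPDATE_SECRET = 'replace-with-a-long-random-secret';

// Issue a token to an authenticated member, in the form "memberId.expiry.hmac".
function issue_update_token(int $memberId, int $ttl = 900): string
{
    $payload = $memberId . '.' . (time() + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, UPDATE_SECRET);
}

// Return the member id when the token is authentic and unexpired, otherwise null.
function verify_update_token($token): ?int
{
    if (!is_string($token)) {
        return null; // e.g. ?token[]=x arrives as an array
    }
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$memberId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $memberId . '.' . $expires, UPDATE_SECRET);
    // hash_equals() compares in constant time.
    if (!hash_equals($expected, $mac) || (int) $expires < time()) {
        return null;
    }
    return (int) $memberId;
}

// The Referer is optional and client-controlled: never an access decision.
// Strip control characters (blocks log-line injection) and cap the length.
function referer_for_log(array $server): string
{
    $raw = $server['HTTP_REFERER'] ?? '';
    if (!is_string($raw)) {
        return '';
    }
    return substr(preg_replace('/[\x00-\x1F\x7F]/', '', $raw), 0, 512);
}

$member = verify_update_token($_GET['token'] ?? null);
if ($member === null) {
    http_response_code(403);
    exit('Forbidden');
}
error_log(sprintf('update download member=%d referer="%s"', $member, referer_for_log($_SERVER)));
// Serve the update file here. If the Referer is ever echoed into HTML,
// pass it through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') first.
```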
     
