[Vtigercrm-developers] vtiger 6.1 referrer check fails - Illegal Request error

Hamono, Chris (DPC) Chris.Hamono at sa.gov.au
Sun Dec 21 00:42:59 GMT 2014


Sorry, I made a mistake.

The fixed test was

if (stripos($site_URL, $_SERVER['HTTP_REFERER']) !== 0)

and should be..

if (stripos(preg_replace('/^https{0,1}:\/\//i', '', $_SERVER['HTTP_REFERER']), $_SERVER['HTTP_HOST']) !== 0)

This ensures the referrer is from the same domain. Not tested, but it should work...

I'd like to know what this test is meant to achieve. Is it some sort of security test?

You cannot and should not rely on any UA-supplied string for security; that is false security and will only lead to bigger security holes in other areas of code.

The mentality "Oh, we tested xyz, therefore it's OK to do this" creeps in, and if xyz is an invalid test it causes more insecure code.

Chris
________________________________________

Sent: Friday, December 19, 2014 1:52 PM
To: vtigercrm-developers at lists.vtigercrm.com
Subject: [Vtigercrm-developers] vtiger 6.1 referrer check fails

Vtiger 6.1 contains the following code

protected function validateReferer() {
    // Referer check if present - to over come
    if (isset($_SERVER['HTTP_REFERER'])) {
        global $site_URL;
        // Passes only when the Referer string begins with $site_URL
        if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && ($this->get('module') != 'Install')) {
            throw new Exception('Illegal request');
        }
    }
    return true;
}

This code does not take into account that the site may be in a folder other than root or linked from another domain!

In my case I have a folder at root level that has a link to the vtiger install. Clicking that link causes the above referrer test to fail.
My link is… /vtigercrm/index.php
Therefore the referrer is… http://domain.moc

i.e. http://domain.moc != http://domain.moc/vtigercrm

The test would succeed (in my case) if you changed it to…

if (stripos($site_URL, $_SERVER['HTTP_REFERER']) !== 0)

But would still fail when linked from another domain.

Why is this test even there? It should be perfectly fine to have a link on another, completely different domain pointing to the index page of the vtiger application.

Chris

P.S.
Referer is spelt incorrectly: the original author of the HTTP spec misspelt it and it stuck; it should be referrer!

P.P.S.
I seem to spend more time working around vt bugs than doing actual work; it is becoming increasingly frustrating.
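As an added example (not code from this thread or from vtiger), here is a host-based comparison of the kind Chris's second suggestion aims at: it parses the Referer with parse_url and compares only the host with HTTP_HOST, so a link from the site root or from a subfolder install passes while another domain is rejected, and a missing Referer is accepted as in the original check. The function name and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not vtiger code. Compares the Referer's host with the
// request host instead of string-prefix matching against $site_URL.
// Assumption: the caller passes $_SERVER['HTTP_REFERER'] (or null) and
// $_SERVER['HTTP_HOST'] directly.

/**
 * True when $referer is absent (the vtiger check only runs if the header
 * is present) or when its host equals the host the request was sent to.
 */
function refererHostMatches(?string $referer, string $requestHost): bool
{
    if ($referer === null || $referer === '') {
        return true; // nothing to compare; same behaviour as the original check
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost)) {
        return false; // unparsable or relative Referer: treat as a mismatch
    }
    // HTTP_HOST may carry a port ("domain.moc:8080"); parse it the same way.
    $reqHost = parse_url('http://' . $requestHost, PHP_URL_HOST);
    return is_string($reqHost) && strcasecmp($refHost, $reqHost) === 0;
}

// Constructed sample inputs mirroring the cases discussed in the thread.
$cases = [
    // [Referer, HTTP_HOST, expected result]
    ['http://domain.moc',            'domain.moc',      true],  // link from site root
    ['http://domain.moc/vtigercrm/', 'domain.moc',      true],  // link inside the install
    ['HTTP://DOMAIN.MOC/other/',     'domain.moc:8080', true],  // case and port differ
    ['http://other.example/page',    'domain.moc',      false], // different domain
    ['http://domain.moc.example/',   'domain.moc',      false], // prefix is not equality
    [null,                           'domain.moc',      true],  // header absent
];

foreach ($cases as [$referer, $host, $expected]) {
    $got = refererHostMatches($referer, $host);
    printf("%-30s vs %-16s => %s (%s)\n",
        var_export($referer, true), $host,
        $got ? 'allow' : 'reject', $got === $expected ? 'ok' : 'MISMATCH');
}
```

Because the header is client-supplied and may be stripped by the browser or by referrer policy, the absent-header case passes here; a check like this only supplements a per-request token, it does not replace one.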