<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri, sans-serif" size="2">
<div>Vtiger 6.1 contains the following code</div>
<div> </div>
<div><font face="Courier New, monospace">protected function validateReferer() {</font></div>
<div><font face="Courier New, monospace">// Referer check if present - to over come </font></div>
<div style="text-indent: 36pt; "><font face="Courier New, monospace">if (isset($_SERVER['HTTP_REFERER'])) {</font></div>
<div style="padding-left: 36pt; text-indent: 36pt; "><font face="Courier New, monospace">global $site_URL;</font></div>
<div style="padding-left: 36pt; text-indent: 36pt; "><font face="Courier New, monospace">if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && ($this->get('module') != 'Install')) {</font></div>
<div style="padding-left: 72pt; text-indent: 36pt; "><font face="Courier New, monospace">throw new Exception('Illegal request');</font></div>
<div style="padding-left: 36pt; text-indent: 36pt; "><font face="Courier New, monospace">}</font></div>
<div style="text-indent: 36pt; "><font face="Courier New, monospace">}</font></div>
<div style="text-indent: 36pt; "><font face="Courier New, monospace">return true;</font></div>
<div><font face="Courier New, monospace">}</font></div>
<div> </div>
<div>This code does not take into account that the site may be in a folder other than root or linked from another domain!</div>
<div> </div>
<div>In my case I have a folder at root level that has a link to the vtiger install. Clicking that link causes the above referrer test to fail.</div>
<div>My link is… /vtigercrm/index.php</div>
<div>Therefore the referrer is… <a href="http://domain.moc">http://domain.moc</a></div>
<div> </div>
<div>i.e. <a href="http://domain.moc">http://domain.moc</a> != <a href="http://domain.moc/vtigercrm">http://domain.moc/vtigercrm</a></div>
<div> </div>
<div>The test would succeed (in my case) if you changed it to…</div>
<div> </div>
<div style="padding-left: 36pt; text-indent: 36pt; "><font face="Courier New, monospace">if ((stripos($site_URL, $_SERVER['HTTP_REFERER']) !== 0)</font></div>
<div> </div>
<div>But would still fail when linked from another domain.</div>
<div> </div>
<div>Why is this test even there? It should be perfectly fine to have a link on another completely different domain link to the index page of the vtiger application.</div>
<div> </div>
<div>Chris</div>
<div> </div>
<div>P.S.</div>
<div>Referer is spelt incorrectly: the original author of the HTTP spec misspelt it and it stuck; it should be referrer!</div>
<div> </div>
<div>P.P.S.</div>
<div>I seem to spend more time working around vt bugs than doing actual work; it is becoming increasingly frustrating.</div>
<div> </div>
<div> </div>
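<div>Added example (not code from the post above, nor Vtiger's own code): the Python below models the original prefix test and the swapped one discussed in the post, next to a scheme/host/port comparison of the kind a CSRF referer check normally uses. The site URL, the Referer values and the function names are constructed for illustration. It reproduces the post's case (a link from the site root fails the original test, passes the swapped one) and shows two properties worth knowing before relying on either string-prefix test: with a root-level install, where $site_URL has no path, the original test also accepts any host that merely begins with the same characters, and both tests let a request through when the browser sends no Referer at all, because the whole comparison sits inside isset($_SERVER['HTTP_REFERER']).</div>

```python
from urllib.parse import urlsplit

# Constructed values modelling the post (not from any real deployment):
# the sub-folder install and the Referer headers it talks about.
SITE_URL = "http://domain.moc/vtigercrm"


def vtiger_prefix_check(referer, site_url=SITE_URL):
    """Model of the original validateReferer(): the request is allowed when
    stripos($_SERVER['HTTP_REFERER'], $site_URL) === 0, i.e. the Referer
    starts with $site_URL, compared case-insensitively. A request with no
    Referer header at all is allowed, because the check sits inside isset()."""
    if referer is None:
        return True
    return referer.lower().startswith(site_url.lower())


def reversed_prefix_check(referer, site_url=SITE_URL):
    """Model of the swap proposed in the post: $site_URL must start with the
    Referer instead. Accepts a link from the site root, still rejects other
    domains, and still lets a Referer-less request through."""
    if referer is None:
        return True
    return site_url.lower().startswith(referer.lower())


def _origin(url):
    """(scheme, host, port) triple, with default ports filled in so that
    http://host and http://host:80 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
    return (scheme, (parts.hostname or "").lower(), port)


def same_origin_check(referer, site_url=SITE_URL):
    """Origin-based alternative: only scheme, host and port have to match, so
    the install folder and the linking page's path no longer matter, and a
    look-alike host such as domain.moc.example cannot pass by sharing a
    string prefix. A missing Referer is rejected rather than waved through."""
    if referer is None:
        return False
    try:
        return _origin(referer) == _origin(site_url)
    except ValueError:  # malformed port and similar: treat as untrusted
        return False


def compare(referer, site_url=SITE_URL):
    """Run all three checks on one Referer value."""
    return {
        "vtiger_prefix": vtiger_prefix_check(referer, site_url),
        "reversed_prefix": reversed_prefix_check(referer, site_url),
        "same_origin": same_origin_check(referer, site_url),
    }


if __name__ == "__main__":
    cases = [
        "http://domain.moc",                      # link from the site root (the post's case)
        "http://domain.moc/vtigercrm/index.php",  # link from inside the CRM
        "http://other.example/page",              # link from another domain
        None,                                     # browser sent no Referer
    ]
    for ref in cases:
        print(f"{ref!s:42} {compare(ref)}")
    # With a root install (no path in $site_URL) the prefix test also accepts
    # a look-alike host, which the origin comparison does not.
    print(compare("http://domain.moc.example/x", "http://domain.moc"))
```

<div>Note that the origin comparison still rejects a link from a completely different domain, as the post complains the original does; that is the intended behaviour of a referer-based CSRF check, so the usual fix is to apply it only to state-changing requests rather than to every page load.</div>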
</font>
</body>
</html>