Topic: Wrong HTTP referer detected, operation cancelled for security reasons

compumatter

Hello and thank you for the use of this great product.

I have created a video on Youtube https://www.youtube.com/watch?v=esFxzF7NLKc to make it easier to understand the problem but also explain it in detail below.

I have placed my zentyal installation https://xx.xx.xxx.xxx:8443 under its own domain name for ease of use, i.e. https://control.mydomain.com

I am using a standard Nginx virtual host setup, coupled with putting a secure server cert in place.

The Zentyal UI comes up just fine.

However, when you log in and click on Network > Interfaces and select any of the interfaces, i.e. eno1, eno2, you will get an error:

Wrong HTTP referer detected, operation cancelled for security reasons

I have found this error appears at many places in Zentyal only when used under the domain name.

It continues to behave normally if you log in under the IP address.

This error can also be seen appearing in a zentyal log: sudo tail -f /var/log/zentyal/zentyal.log

Do you know a reason or solution for this issue?

Here is my Nginx server block with IP and Domain masked out:
Code:
# Plain HTTP: redirect everything to HTTPS on the same name
server {
    listen      80;
    server_name control.mydomain.com;
    return 301 https://$server_name$request_uri;
}

# HTTPS front end that proxies to the Zentyal webadmin on port 8443
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name control.mydomain.com;
    location / {
        proxy_pass https://xx.xx.xxx.xxx:8443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # allow websockets
        # $connection_upgrade is not built in: it must be defined by a
        # "map $http_upgrade $connection_upgrade { ... }" in the http context
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP
    }
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
}

What sayeth the group?

Jay

doncamilo

Re: Wrong HTTP referer detected, operation cancelled for security reasons
« Reply #1 on: September 17, 2019, 01:16:24 pm »
 :)
I have never configured webadmin to be accessed from an external interface. I always thought that it's a dangerous decision (I prefer to give access to the internal server through a VPN).
However, I think it is interesting to know these subtleties (and possibilities) of Zentyal.
I'll watch your video and give you some feedback in a few days. I very much like meeting other people who are learning Zentyal too.
Cheers!

compumatter

Re: Wrong HTTP referer detected, operation cancelled for security reasons
« Reply #2 on: September 24, 2019, 09:33:00 pm »
Thanks Don,

It would seem that if the IP:8443 can be reached publicly, it's no more / less dangerous to access it via a subdomain. It's certainly easier to remember if I have multiple clients and I know they are all at the same subdomain, i.e. control.theirdomain.ext. In addition, clients will at times want to administer their own user accounts, and it provides an easier way for them to access their own UI.

There is no substitute for having good backups of everything for the worst case scenario, either way.

Look forward to hearing if you've got a solution in mind to this.

Jay

doncamilo

Re: Wrong HTTP referer detected, operation cancelled for security reasons
« Reply #3 on: December 02, 2019, 05:36:39 pm »
 :)

This is the code which checks HTTP referer: /usr/share/perl5/EBox/CGI/Base.pm

Code:
# Requires "use Perl6::Junction qw(any);" at the top of Base.pm for any()
sub _validateReferer
{
    my ($self) = @_;

    # Only check if the client sends params that can trigger actions
    # It is assumed that the meaning of the accepted parameters does
    # no change in CGIs
    my $hasActionParam = 0;
    my $noActionParams = any('directory', 'page', 'pageSize', 'backview');
    foreach my $param (@{ $self->params() }) {
        if ($param eq $noActionParams) {
            next;
        } else {
            $hasActionParam = 1;
            last;
        }
    }
    if (not $hasActionParam) {
        return;
    }

    my $request = $self->request();
    my $referer = $request->referer();
    # HTTP_HOST is the Host header as received by the Zentyal backend
    my $hostname = $request->env->{HTTP_HOST};

    my $rshostname = undef;

    if ($referer) {
        # proxy is a valid subdomain of {domain}
        # The Referer must start with https://<HTTP_HOST>[:port]/
        if ($referer =~ m/^https:\/\/$hostname(:[0-9]*)?\//) {
            return; # from another page
        }
    }

    throw EBox::Exceptions::WrongHTTPReferer();
}

After reading the code I don't understand why zenadmin throws this error. Check these parameters in your system:

Code:
    my $request = $self->request();
    my $referer = $request->referer();
    my $hostname = $request->env->{HTTP_HOST};

You could "play" with the m/^https:\/\/$hostname(:[0-9]*)?\// regex if the problem is related to the use of a subdomain.

Cheers!
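To see how the Base.pm check quoted above interacts with the Nginx server block from the first post, here is a Python re-implementation of that referer test (added here; not Zentyal's code). It assumes Nginx's default behaviour of sending the proxy_pass host as the Host header when no "proxy_set_header Host" is configured; the Referer and parameter values are constructed.

```python
import re
from typing import List, Optional

# Parameters Base.pm treats as navigation only; requests carrying nothing else skip the check
NO_ACTION_PARAMS = {"directory", "page", "pageSize", "backview"}


def referer_allowed(http_host: str, referer: Optional[str], params: List[str]) -> bool:
    """Mirror _validateReferer from EBox/CGI/Base.pm.

    Returns True where Zentyal would accept the request and False where it
    would throw WrongHTTPReferer. http_host is the Host header the backend
    actually receives; referer is the browser's Referer header.
    """
    if not any(p not in NO_ACTION_PARAMS for p in params):
        return True  # no action parameter, referer is not checked
    if not referer:
        return False
    # Same shape as the Perl regex: ^https://<HTTP_HOST>(:port)?/ ; the Perl
    # version interpolates $hostname unescaped, re.escape keeps dots literal here
    pattern = r"^https://" + re.escape(http_host) + r"(:[0-9]*)?/"
    return re.match(pattern, referer) is not None


# Constructed values: a browser on the proxied name submits an interface form
BROWSER_REFERER = "https://control.mydomain.com/Network/Ifaces?iface=eno1"
ACTION_PARAMS = ["iface", "method", "address"]  # constructed action parameters


def behind_proxy_without_host_header() -> bool:
    # The posted server block sets no Host header, so Nginx forwards the
    # proxy_pass host: the backend sees IP:8443 while the browser sent the domain
    return referer_allowed("xx.xx.xxx.xxx:8443", BROWSER_REFERER, ACTION_PARAMS)


def behind_proxy_forwarding_host() -> bool:
    # With "proxy_set_header Host $host;" the backend sees the same name the browser used
    return referer_allowed("control.mydomain.com", BROWSER_REFERER, ACTION_PARAMS)


def direct_by_ip() -> bool:
    # Logging in on the IP directly: Host and Referer agree, as the first post observes
    return referer_allowed("xx.xx.xxx.xxx:8443",
                           "https://xx.xx.xxx.xxx:8443/Network/Ifaces?iface=eno1",
                           ACTION_PARAMS)
```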