Hello,
After I install GLPI 0.8.31 I see the login screen. I typed the "glpi" user with the standard glpi PW at the login screen. After return I get the following message:
"Error calling the previous page from forbidden one"
What's wrong?
Thanks for help.
Regards, Stefan
--------------------------------------------------------
GLPI 0.80.7, Ubuntu Linux 4.1.2-16
Offline
Hello,
During this past weekend we upgraded our GLPI to version 0.83.31. We tested it and everything worked right then.
But today we started to have the same problem, we couldn't log in.
Any hint on what could be wrong?
Thanks
Jaime Ferrer
Offline
hello
Have you updated all plugins to the latest releases?
Offline
Thanks for your reply.
Yes, I updated all plugins after the migration. Since all of them disappeared from the plugin menu just after the upgrade, I downloaded and reinstalled all of them.
Offline
Anyway, I removed the plugin directory contents just to be sure that it doesn't cause the problem, but the problem continues.
Any hint on what this error means?
Offline
Hello,
I have the same problem as you.
I updated today to the latest version of GLPI (0.83.31). When I access it directly, no issue.
But if I access from an external Apache server (with mod_proxy), the error appears... With the old versions of GLPI, it has always worked!
Is it related to the new security enhancement (CSRF & XSS)?
Thanks
Offline
Hello,
I have the same problem as frefol.
JM
Offline
Thanks frefol!
That gave me the idea to test it from several places! And I came to the conclusion that every time I log in from a computer behind a proxy (ISA Server or Squid), the error appears. If you connect directly or only through a NAT'ed network, it works!
Does anyone know how to disable this security rule, if there is any?
JF
Last edited by jaferrer (2012-07-25 16:37:06)
Offline
Yes it is due to new XSS / CSRF checks.
You could comment the following part of inc/includes.php :
// Security : Check HTTP_REFERRER : need to be in GLPI.
if (!defined('DO_NOT_CHECK_HTTP_REFERER') && !isCommandLine()
    && isset($_POST) && is_array($_POST) && count($_POST)) {
    // Do not applyed for plugins on 0.83
    if (strstr($_SERVER['REQUEST_URI'],$CFG_GLPI['root_doc'].'/plugins/') === FALSE) {
        if (!isset($_SERVER['HTTP_REFERER'])
            || !is_array($url=parse_url($_SERVER['HTTP_REFERER']))
            || !isset($url['host'])
            || ($url['host']!=$_SERVER['SERVER_NAME'])
            || !isset($url['path'])
            || (!empty($CFG_GLPI['root_doc']) && strpos($url['path'], $CFG_GLPI['root_doc'])!==0)) {
            Html::displayErrorAndDie("Error calling the previous page from forbidden one.", true);
        }
    }
}
We will do more checks to manage proxy users.
MoYo - Julien Dombre - Association INDEPNET
Contribute to GLPI : Support Contribute References Freshmeat
Offline
Could you give us the $_SERVER data when you have trouble?
I did some checks using a proxy and had no trouble...
MoYo - Julien Dombre - Association INDEPNET
Offline
All is correct when commenting out the part of inc/includes.php.
example : troubles with "preference" :
proxy host servA -> host servB
URL = http://aliasA:8180/glpi/
aliasA = serveralias servA
_SERVER["HTTP_HOST"] servB:8180
_SERVER["HTTP_USER_AGENT"] Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20100101 Firefox/14.0.1
_SERVER["HTTP_ACCEPT"] text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
_SERVER["HTTP_ACCEPT_LANGUAGE"] fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
_SERVER["HTTP_ACCEPT_ENCODING"] gzip, deflate
_SERVER["HTTP_X_REQUESTED_WITH"] XMLHttpRequest
_SERVER["CONTENT_TYPE"] application/x-www-form-urlencoded; charset=UTF-8
_SERVER["HTTP_REFERER"] http://aliasA:8180/glpi/front/preference.php
_SERVER["HTTP_COOKIE"] s_sv_112_p1=1@192@d/7894/7893/7145/7144/7141/7140/7115/7083/7081/7054&s/9934/9882/8689/8113/7907/7133/8112/7410/7409/7407/7404/7397/7208/7203/7164/7163/7143/7139/7082/6884/6831/6514/6400/6338/6077/6399/4964&e/9; bn_u=7520073496002039650; s_hwp=null%7C%7Cnull%7C%7C18%3A10%3A2011%3A7%3A30%7C%7CN%7C%7CN%7C%7Cnull%7C%7C0%7C%7Cnull%7C%7Cnull%7C%7CN%7C%7Cnull%7C%7Cnull%7C%7Cnull; PHPSESSID=ST104446aNLVA7RCQDTXZaBWkDTadsivm03
_SERVER["HTTP_PRAGMA"] no-cache
_SERVER["HTTP_CACHE_CONTROL"] no-cache
_SERVER["HTTP_X_FORWARDED_FOR"] ipClient
_SERVER["HTTP_X_FORWARDED_HOST"] aliasA:8180
_SERVER["HTTP_X_FORWARDED_SERVER"] aliasA
_SERVER["HTTP_CONNECTION"] Keep-Alive
_SERVER["CONTENT_LENGTH"] 74
_SERVER["PATH"] /bin:/sbin:/usr/bin:/usr/sbin
_SERVER["SERVER_SIGNATURE"] <address>Apache/2.2.13 (Linux/SUSE) Server at servB Port 8180</address>
_SERVER["SERVER_SOFTWARE"] Apache/2.2.13 (Linux/SUSE)
_SERVER["SERVER_NAME"] servB
_SERVER["SERVER_ADDR"] ipB
_SERVER["SERVER_PORT"] 8180
_SERVER["REMOTE_HOST"] servA
_SERVER["REMOTE_ADDR"] ipA
_SERVER["DOCUMENT_ROOT"] /srv/www/site/test
_SERVER["SERVER_ADMIN"] servA@domain
_SERVER["SCRIPT_FILENAME"] /srv/www/site/test/glpi/ajax/common.tabs.php
_SERVER["REMOTE_PORT"] 40535
_SERVER["GATEWAY_INTERFACE"] CGI/1.1
_SERVER["SERVER_PROTOCOL"] HTTP/1.1
_SERVER["REQUEST_METHOD"] POST
_SERVER["QUERY_STRING"] _dc=1343228121886
_SERVER["REQUEST_URI"] /glpi/ajax/common.tabs.php?_dc=1343228121886
_SERVER["SCRIPT_NAME"] /glpi/ajax/common.tabs.php
_SERVER["PHP_SELF"] /glpi/ajax/common.tabs.php
_SERVER["REQUEST_TIME"] 1343228121
Last edited by jmdumont (2012-07-25 17:07:24)
Offline
For me, it is the test of the values $url['host'] and $url['path'] that causes the failure.
These variables are empty, and the security check failed.
When I remove the host check, it works:
// Security : Check HTTP_REFERRER : need to be in GLPI.
// modified by FREFOL
if (!defined('DO_NOT_CHECK_HTTP_REFERER') && !isCommandLine()
    && isset($_POST) && is_array($_POST) && count($_POST)) {
    // Do not applyed for plugins on 0.83
    if (strstr($_SERVER['REQUEST_URI'],$CFG_GLPI['root_doc'].'/plugins/') === FALSE) {
        if (!isset($_SERVER['HTTP_REFERER'])
            || !is_array($url=parse_url($_SERVER['HTTP_REFERER']))
            || !isset($url['path'])
            || (!empty($CFG_GLPI['root_doc']) && strpos($url['path'], $CFG_GLPI['root_doc'])!==0)) {
            Html::displayErrorAndDie("Error calling the previous page from forbidden one.", true);
        }
    }
}
Offline
Could you try this fix: https://forge.indepnet.net/projects/glp … 19014/diff
Thanks for all the information.
MoYo - Julien Dombre - Association INDEPNET
Offline
Move the thread to the bug section to have more visibility.
MoYo - Julien Dombre - Association INDEPNET
Offline
Thank you very much for your help. Commenting those lines out helped me to solve the problem.
I can't send my $_SERVER data, the forum does not allow me to do it ("Too many links", it said!), sorry.
Offline
Could you try the proposed fix?
https://forge.indepnet.net/projects/glp … 19014/diff
MoYo - Julien Dombre - Association INDEPNET
Offline
I'm sorry, but I tested it and it gave the following error:
PHP Parse error: syntax error, unexpected T_BOOLEAN_OR in glpi/inc/includes.php on line 145
I double-checked the syntax but it seems right.
Offline
Really strange, I have no syntax error.
Could you try downloading this file directly:
https://forge.indepnet.net/projects/glp … cludes.php
MoYo - Julien Dombre - Association INDEPNET
Offline
Thanks. I tested with the modified file, and it worked!
The only thing that I need to correct is that I have a permanent redirect in the web server that is still causing the same problem, I will take that out.
So, for me the problem is solved.
Thank you all.
JF
Offline
Thanks for all your tests.
The 0.83.4 will be released soon including all the fixes.
MoYo - Julien Dombre - Association INDEPNET
Offline
Thanks. It works perfectly now!
Offline
Hello,
It's not OK for me, because I used port 8180 and $_SERVER['HTTP_X_FORWARDED_HOST'] included the port.
$_SERVER['HTTP_X_FORWARDED_SERVER'] is better.
JM
Offline
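An added example, not part of any post and not the GLPI fix linked in the thread: a proxy-aware form of the quoted Referer check that accepts the X-Forwarded-Host name only when the request arrives from a known proxy address, and strips the port reported in that header. The function names, the `$trustedProxies` list and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example (not GLPI code): proxy-aware variant of the Referer check.

// Reduce "aliasA:8180" or "a.example, b.example" to a bare lower-case host name.
function hostOnly(string $value): string {
    $first = trim(explode(',', $value)[0]);
    $host  = parse_url('http://' . $first, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

function refererAllowed(array $server, string $rootDoc, array $trustedProxies): bool {
    $url = parse_url($server['HTTP_REFERER'] ?? '');
    if (!is_array($url) || !isset($url['host'], $url['path'])) {
        return false;                       // missing or unparsable Referer
    }
    if ($rootDoc !== '' && strpos($url['path'], $rootDoc) !== 0) {
        return false;                       // Referer is outside the application
    }
    $allowed = [strtolower($server['SERVER_NAME'] ?? '')];
    // X-Forwarded-Host is client-controlled unless the peer is a known proxy.
    if (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)
        && isset($server['HTTP_X_FORWARDED_HOST'])) {
        $allowed[] = hostOnly($server['HTTP_X_FORWARDED_HOST']);
    }
    return in_array(strtolower($url['host']), array_filter($allowed), true);
}

// Constructed sample requests modelled on the $_SERVER dump in the thread.
$proxies = ['192.0.2.10'];                  // assumed address of the proxy (servA)
$viaProxy = [
    'SERVER_NAME'           => 'servB',
    'HTTP_REFERER'          => 'http://aliasA:8180/glpi/front/preference.php',
    'HTTP_X_FORWARDED_HOST' => 'aliasA:8180',
];
$cases = [
    'via trusted proxy'           => $viaProxy + ['REMOTE_ADDR' => '192.0.2.10'],
    'same headers, unknown peer'  => $viaProxy + ['REMOTE_ADDR' => '198.51.100.7'],
    'direct access'               => ['SERVER_NAME' => 'servB', 'REMOTE_ADDR' => '198.51.100.7',
                                      'HTTP_REFERER' => 'http://servB:8180/glpi/index.php'],
    'foreign site, matching path' => ['HTTP_REFERER' => 'http://other.example/glpi/x.php']
                                      + $viaProxy + ['REMOTE_ADDR' => '192.0.2.10'],
];
foreach ($cases as $label => $server) {
    $verdict = refererAllowed($server, '/glpi', $proxies) ? 'allowed' : 'rejected';
    printf("%-30s %s\n", $label, $verdict);
}
```

With the host comparison removed, as in the modified snippet posted earlier in the thread, the last case would pass, because only the Referer path prefix is then checked.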
OK, thanks for the information.
I made the changes: https://forge.indepnet.net/projects/glp … ions/19041
Could you try it?
MoYo - Julien Dombre - Association INDEPNET
Offline
It works perfectly now
Thanks
Offline
Great.
Thanks for your tests.
Really sorry that this fix was not included in 0.83.4.
MoYo - Julien Dombre - Association INDEPNET
Offline