

April 28, 2015
vTiger non-standard port forward ssl/https 'illegal request'

In vTiger, if you change the port Apache uses for SSL from 443 to a non-standard port such as 999, requests error out with 'Illegal request' because the referer validation sees an incorrect referrer.

To modify the validation vTiger uses, edit line 209 of includes/http/Request.php to add a check for SERVER_PORT.

Before:
protected function validateReferer() {
    $user = vglobal('current_user');
    // Referer check if present
    if (isset($_SERVER['HTTP_REFERER']) && $user) { // Check for user post authentication.
        global $site_URL;
        // Reject when the Referer does not begin with $site_URL (the Install module is exempt)
        if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && ($this->get('module') != 'Install')) {
            throw new Exception('Illegal request');
        }
    }
    return true;
}

After:
protected function validateReferer() {
    $user = vglobal('current_user');
    // Referer check if present - add port check
    if (isset($_SERVER['HTTP_REFERER']) && isset($_SERVER['SERVER_PORT']) && $user) { // Check for user post authentication.
        global $site_URL;
        // Throws only when the Referer does not begin with $site_URL AND SERVER_PORT does not
        // begin with '999', so a request served on port 999 is never rejected by this check.
        if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && (stripos($_SERVER['SERVER_PORT'], '999') !== 0) && ($this->get('module') != 'Install')) {
            throw new Exception('Illegal request');
        }
    }
    return true;
}
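
An added example (not vTiger's code and not from the original post): one way to accept a non-standard port while still validating the referer on that port is to compare the Referer's scheme, host and port against $site_URL. It assumes $site_URL is set to include the port; originOf() and refererMatchesSite() are hypothetical helpers and the URLs are constructed samples.

```php
<?php
// Added example, not vTiger code. originOf() and refererMatchesSite()
// are hypothetical helpers; all URLs below are constructed samples.

/** Return [scheme, host, port] for a URL, filling in the scheme's default port. */
function originOf(string $url): ?array {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null; // not an absolute URL
    }
    $scheme   = strtolower($p['scheme']);
    $defaults = ['http' => 80, 'https' => 443];
    $port     = $p['port'] ?? ($defaults[$scheme] ?? null);
    if ($port === null) {
        return null; // unknown scheme with no explicit port
    }
    return [$scheme, strtolower($p['host']), (int) $port];
}

/** True only when the Referer has the same scheme, host and port as $siteUrl. */
function refererMatchesSite(string $referer, string $siteUrl): bool {
    $ref  = originOf($referer);
    $site = originOf($siteUrl);
    return $ref !== null && $site !== null && $ref === $site;
}

// Assumption: $site_URL has been configured with the non-standard port.
$siteUrl = 'https://crm.example.com:999/';

$samples = [
    'https://crm.example.com:999/index.php?module=Contacts' => true,  // same origin
    'https://CRM.example.com:999/index.php'                 => true,  // host case differs
    'https://crm.example.com/index.php'                     => false, // default port 443
    'https://crm.example.com:9990/index.php'                => false, // different port
    'http://crm.example.com:999/index.php'                  => false, // different scheme
    'https://other.example.net:999/index.php'               => false, // different host
    'index.php'                                             => false, // not absolute
];

foreach ($samples as $referer => $expected) {
    $actual = refererMatchesSite($referer, $siteUrl);
    printf("%-55s %-6s %s\n", $referer, $actual ? 'accept' : 'reject',
        $actual === $expected ? 'ok' : 'UNEXPECTED');
}
```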
