Bug #1027

Config restore triggers HTTP_REFERER check on interface mismatch

Added by Seth Mos over 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Backup/restore
Target version:
Start date: 11/19/2010
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:
Description

An HTTP_REFERER was detected other than what is defined in System -> Advanced (https://10.0.3.190/diag_backup.php). You can disable this check if needed in System -> Advanced -> Admin.

The page I see this on is https://10.0.3.190/interfaces_assign.php

This is what the UI navigates to when an interface mismatch is detected.

Associated revisions

Revision 0f806eca (diff)
Added by Erik Fonnesbeck over 8 years ago

Upon restoring a config, replacing whole sections, or editing config.xml in edit.php, prevent possible accidental lockout from DNS rebind and HTTP referrer checks by disabling them until reboot or the next time they pass, whichever comes sooner. Ticket #1027

Revision ed32aef7 (diff)
Added by Erik Fonnesbeck over 8 years ago

Don't consider the HTTP referrer check as passing if it was skipped. Ticket #1027
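
The behaviour the two revisions above describe, modelled as an added PHP example that is not pfSense's code. The function names, the flag file path and the 192.168.1.1 address are assumptions, as is treating a missing Referer header or a disabled check as "skipped".

```php
<?php
// Added illustration, not pfSense code: all names here are hypothetical.
const CHECK_PASS = 'pass';
const CHECK_FAIL = 'fail';
const CHECK_SKIPPED = 'skipped';

// Compare the Referer host against the hosts the current config allows.
function referer_check(?string $referer, array $allowedHosts, bool $disabled): string
{
    if ($disabled || $referer === null || $referer === '') {
        return CHECK_SKIPPED; // assumption: nothing was verified in these cases
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return CHECK_FAIL; // unparsable Referer never counts as a match
    }
    return in_array(strtolower($host), $allowedHosts, true) ? CHECK_PASS : CHECK_FAIL;
}

// $flagFile exists only between a config restore and the next real pass.
function gate_request(string $result, string $flagFile): bool
{
    $graceActive = file_exists($flagFile);
    if ($result === CHECK_PASS) {
        if ($graceActive) {
            unlink($flagFile); // a genuine pass re-arms enforcement
        }
        return true;
    }
    if ($result === CHECK_SKIPPED) {
        return true; // served, but a skipped check leaves the grace flag in place
    }
    return $graceActive; // mismatch: tolerated only while the grace flag exists
}

// Constructed scenario: the restore changed the LAN address to 192.168.1.1
// while the browser is still on the old address from the ticket.
$flag = sys_get_temp_dir() . '/example_referer_grace_' . getmypid();
touch($flag); // what a restore would do; assumption: temp files do not survive a reboot
$allowed = ['192.168.1.1'];
$requests = [
    ['https://10.0.3.190/diag_backup.php', 'old address after restore'],
    [null, 'no Referer header'],
    ['https://192.168.1.1/index.php', 'new address'],
    ['https://10.0.3.190/diag_backup.php', 'old address again'],
];
foreach ($requests as [$referer, $label]) {
    $served = gate_request(referer_check($referer, $allowed, false), $flag);
    printf("%-26s served=%-3s grace=%s\n", $label, $served ? 'yes' : 'no', file_exists($flag) ? 'on' : 'off');
}
```

Only the last request is refused: the skipped check leaves the flag set, and the first genuine pass clears it, so the same stale Referer that was tolerated right after the restore is rejected afterwards.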

History

#1 Updated by Erik Fonnesbeck over 8 years ago

This happens when the IP address has changed because of the restore.

#2 Updated by Erik Fonnesbeck over 8 years ago

This also needs to be tested restoring a configuration that changes the host or domain, because that might trigger the DNS rebind check, too.

#3 Updated by Erik Fonnesbeck over 8 years ago

  • Status changed from New to Feedback

This workaround should prevent that from happening now.

#4 Updated by Ermal Luçi over 8 years ago

  • Status changed from Feedback to Resolved

#5 Updated by Braden McGrath almost 8 years ago

This is happening to me on 2.0 RC3, nanobsd, with a clean install.

Steps to reproduce:
changed interface defs via serial after initial boot (was initially LAN / WAN, I swapped them)
Defined static IP for LAN via serial
initial setup wizard worked, but when I saved the settings, webGUI breaks.

Rebooting the box seems to resolve the issue, but something weird is happening behind the scenes. I was also seeing an incorrect IP address on the LAN interface after enabling DHCP via the serial console. (The LAN interface was showing the initial address from the DHCP pool??) Again, reboot fixed that.

#6 Updated by jikjik lim almost 8 years ago

2.0-RC3 (i386)
built on Sun Jul 31 05:05:32 EDT 2011

Same as Braden, changed interface, swap WAN and OPT1. Change WAN from DHCP to Static, through webgui. After reboot, all the settings of the packages were set to default.

If the LAN IP address is entered in the URL: An HTTP_REFERER was detected other than what is defined in System -> Advanced (http://192.168.100.1/pkg_edit.php?xml=squidguard.xml&id=0). You can disable this check if needed in System -> Advanced -> Admin.

If the domain name is entered in the URL: Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding. Try accessing the router by IP address instead of by hostname.
