Bug #5939

closed

webgui login denied with message 'An HTTP_REFERER was detected other than what is defined in System'

Added by Pi Ba almost 10 years ago. Updated almost 10 years ago.

Status: Resolved
Priority: Low
Assignee: -
Category: Web Interface
Target version: -
Start date: 02/28/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

I sometimes get the following 'error' when trying to log in to the webgui. (Today after performing a firmware upgrade to the current version, coming from a snapshot version of +-10 days old..) But I've seen it happen also after a regular reboot sometimes.. (with 2.2.x also..)

Currently running: 2.3-BETA (amd64) built on Sat Feb 27 13:27:14 CST 2016 FreeBSD 10.3-BETA2

An HTTP_REFERER was detected other than what is defined in System -> Advanced (https://192.168.0.133:444/). You can disable this check if needed in System -> Advanced -> Admin.

.133 is the IP assigned by DHCP, which I normally use to access the webgui
.222 is a virtual IP of type alias
.111 is a CARP IP

In the ifconfig output below it can be seen that the IP alias is configured 'first', but that should imho not cause the configured interface IP to reject login attempts..

[2.3-BETA][root@pfSense.localdomain]/root: ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:e0:ed:8a
        inet6 fe80::a00:27ff:fee0:ed8a%em0 prefixlen 64 scopeid 0x1
        inet6 2001:470:XX:XX::10 prefixlen 64
        inet 192.168.0.222 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.133 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: MASTER vhid 1 advbase 10 advskew 254

It might be that it's related to my weird test environment with mixed DHCP and static IPs on the same subnet.. But still I think all IPs on 'this-firewall' should be allowed to be used for the webgui referer check.. Or at least the interface IP which is supposedly configured 'on' the interface. As you can see the order changed, but that should be irrelevant..

[2.3-BETA][root@pfSense.localdomain]/root: ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:e0:ed:8a
        inet6 fe80::a00:27ff:fee0:ed8a%em0 prefixlen 64 scopeid 0x1
        inet 192.168.0.133 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 2001:470:XX:XX::10 prefixlen 64
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
        inet 192.168.0.222 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: MASTER vhid 1 advbase 10 advskew 254
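
The report argues that any address configured on the firewall should pass the referer check regardless of the order in which ifconfig lists it. The sketch below is an added example, not pfSense's code and not part of the original report: it builds the allow-list as a set from ifconfig output and matches the Referer host by exact IP literal. The function names and the trimmed sample input are assumptions made for illustration, and hostname-based referers are out of scope here.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input, trimmed from the first ifconfig listing in the report.
IFCONFIG_A = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::a00:27ff:fee0:ed8a%em0 prefixlen 64 scopeid 0x1
        inet6 2001:470:XX:XX::10 prefixlen 64
        inet 192.168.0.222 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.133 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
"""
# Same addresses listed in a different order, as in the second listing.
_head, *_rest = IFCONFIG_A.splitlines()
IFCONFIG_B = "\n".join([_head, *reversed(_rest)]) + "\n"


def local_addresses(ifconfig_text):
    """Collect every inet/inet6 address as a set, so listing order is irrelevant."""
    addrs = set()
    for m in re.finditer(r"^[ \t]+inet6?[ \t]+(\S+)", ifconfig_text, re.M):
        literal = m.group(1).split("%")[0]  # drop the %em0 zone suffix
        try:
            addrs.add(ipaddress.ip_address(literal))
        except ValueError:
            continue  # e.g. the redacted 2001:470:XX:XX::10 line
    return addrs


def referer_allowed(referer, allowed):
    """True only if the Referer host is an IP literal that is in `allowed`."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:  # malformed URL such as an unterminated IPv6 bracket
        return False
    if not host:
        return False
    try:
        return ipaddress.ip_address(host) in allowed
    except ValueError:  # a name, or an IP-looking prefix of a longer name
        return False


if __name__ == "__main__":
    for listing in (IFCONFIG_A, IFCONFIG_B):
        print(referer_allowed("https://192.168.0.133:444/", local_addresses(listing)))
```

Parsing the host and comparing it as an address, rather than matching the Referer string by prefix, is what keeps a name such as `192.168.0.133.example.net` from passing.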