[ask] SuiteCRM CSRF Detected

Hi all,

I have deployed the SuiteCRM 7.8.5 script and I should list this config in config_override.php: $sugar_config['http_referer']['actions'].

How to whitelist all actions in SuiteCRM?
Could you have the list of all actions?
Or is there any wildcard to whitelist them?

Thanks.

You have to include that setting in the forums’ “code” tags, otherwise the brackets are lost, with everything inside them. I don’t know what option you are referring to.

And perhaps explain better what you’re trying to do and why you think you need to do it. There have been recent posts about CSRF and recent security fixes (many). Although I don’t know much about CSRF, I’d like to try to understand better what concerns you might have.

Thanks for the reply. I think you are right that whitelisting all actions is a vulnerable thing.

I need to know the list of actions because users always get errors when they need to do something and need to ask a developer to whitelist the action.
If I could choose which actions should be whitelisted for them, users wouldn’t have to face this problem and everyone would be happy.

So, could you help me by showing the list of all actions for this config?

$sugar_config['http_referer']['actions']

Thanks.

I think you are right that whitelisting all actions is a vulnerable thing.

Did I say that? Where?

I need to know the list of actions because users always get errors when they need to do something and need to ask a developer to whitelist the action.

I’ve never heard of anyone having this problem with SuiteCRM. Are you referring to any deliberate special limitation in your site’s configuration? Or maybe you simply have a problem that needs fixing.

So, could you help me by showing the list of all actions for this config?

I’m sorry, I don’t know of any single place where that list can be found. If you could avoid needing the list altogether, it really sounds like a better option…

 If you could avoid needing the list altogether, it really sounds like a better option...

How to avoid that?

Here are the steps:

  1. Forget about the list
  2. Use SuiteCRM normally

If that’s not acceptable, please explain what your problem is that you’re trying to fix.

I think the problem is we are using a network load balancer, so there are multiple instances of the web server.
For example, a user sees SuiteCRM from instance A for the first time.
After that, the user interacts with the system (e.g. creates a lead, updates an account, etc.) and the load balancer distributes it to another instance.
So, CSRF is detected.

Is there any way to make SuiteCRM run well even when using a network load balancer?

Thanks.

I must say I am not knowledgeable of load-balancing, but I would say: deal with this as a load-balancer configuration issue, not a SuiteCRM issue.

You need something like sticky-sessions or memcached:

https://stackoverflow.com/questions/994935/php-sessions-in-a-load-balancing-cluster-how

You can try repeating the question here, with a reference to load-balancing in the title (better: your specific kind of load-balancer hardware/software). Or perhaps you can get better replies on that load-balancer’s support site.

We have removed the load balancer and are using 1 instance only. But SuiteCRM still produces the CSRF message. We don’t see this problem on a local machine. One more thing: we deploy SuiteCRM automatically using Jenkins from a GitHub push. Is there any setting in SuiteCRM to allow Jenkins CI/CD?

I have installed SuiteCRM dozens of times and I never had any CSRF messages. Maybe it’s something peculiar in your set up, maybe it’s one of the recent security fixes.

How exactly do you deploy (I don’t know what Jenkins is)?

You can pull the files from GitHub, but then you always have to set permissions and run the installer (although there is a silent install option that you can run automatically). Only then is SuiteCRM installed.

Another couple of things you can check:

  1. Any weird Apache options that could be causing this? Any .htaccess settings?
  2. Settings in config.php, namely “host_name” and “site_url”

Hi pgr,

Thanks for the reply. We have solved the CSRF issue now. The problem was not the load balancer or the CI/CD. The CSRF issue was detected because we didn’t set the alias name in the web server config (e.g. nginx / apache). So, every time we accessed SuiteCRM using the domain name, it detected a CSRF issue.
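The fix described in the last post, written out as an added example (this is not configuration from the thread, from SuiteCRM, or from the poster's servers). The hostname crm.example.com, the web root, the PHP-FPM socket path and the Jenkins/GitHub setup are all assumed for illustration. SuiteCRM's referer check compares the host part of the browser's Referer header with the SERVER_NAME the web server hands to PHP; with nginx, the stock fastcgi_params file sets SERVER_NAME from the $server_name variable, which is the first name in the server_name directive, not the Host header the client sent. A catch-all server block therefore reports a name the browser never used, and every action not listed in $sugar_config['http_referer']['actions'] trips the "possible CSRF" message. The corrected block names the domain explicitly:

```nginx
# BEFORE (constructed misconfiguration): this catch-all block answers for
# crm.example.com, but $server_name is "_" here and fastcgi_params passes
# that to PHP as SERVER_NAME. SuiteCRM compares the Referer host
# ("crm.example.com") with SERVER_NAME ("_"), sees a mismatch and reports a
# possible CSRF attack on any action that is not in the whitelist.
server {
    listen 80 default_server;
    server_name _;
    root /var/www/suitecrm;            # assumed web root
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;        # contains: fastcgi_param SERVER_NAME $server_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}

# AFTER: one canonical hostname, the same one used in site_url/host_name in
# config.php. $server_name is now "crm.example.com" and equals the Referer
# host, so the check passes without whitelisting any action.
server {
    listen 80;
    server_name crm.example.com;
    root /var/www/suitecrm;
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# Alternate names redirect to the canonical one instead of serving the app.
# If www.crm.example.com served SuiteCRM directly, $server_name would still
# be "crm.example.com" and the mismatch would come back for that name.
server {
    listen 80;
    server_name www.crm.example.com;
    return 301 http://crm.example.com$request_uri;
}
```

For Apache the corresponding directives are ServerName and ServerAlias in the virtual host. Whichever server is used, keep site_url and host_name in config.php on the same canonical hostname, and if a second hostname genuinely has to send requests to the instance, add that host to $sugar_config['http_referer']['list'] in config_override.php; adding actions to $sugar_config['http_referer']['actions'] exempts those actions from the referer check for every host, which is the weakening the earlier replies warn against.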