Moved to VPS and this started happening

Possible Cross Site Request Forgery (XSRF) Attack Detected
If you think this is a mistake please ask your administrator to add the following site to the acceptable referer list
www.suitecrm2.compositeautomation.com
Click here for directions to add this site to the acceptable referer list

I edited the files as instructed and it still did not stop it.

Thanks in advance!

John

In config.php check these values

host_name
site_url

I am not sure these are the source of the problem, but it is a misunderstanding between the location of your SuiteCRM installation

http://www.suitecrm2.compositeautomation.com/dir

and the location that some part of the code thinks is correct:

http://www.suitecrm2.compositeautomation.com/
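Added example (not part of this thread and not SuiteCRM's own code): a small Python model of a referer allow-list check of the kind that produces the "Possible Cross Site Request Forgery" page, to show why a www / non-www mismatch between the host the browser sends in `Referer` and the host the server believes it is trips the check, and why the form of the allow-list entries matters. The matching rule (block only when a `Referer` is present, its host differs from the server name, the action is not on the exempt list, and the host is not on the allow-list), the `SERVER_NAME` value and the function names are assumptions made for the illustration; the hostnames are modelled on the ones quoted above.

```python
from urllib.parse import urlsplit

# Constructed illustration values modelled on the hostnames in this thread.
SERVER_NAME = "suitecrm2.compositeautomation.com"      # assumed: what the web server reports
EXEMPT_ACTIONS = {"index", "ListView", "DetailView", "EditView",
                  "Login", "Logout", "Authenticate"}     # actions never referer-checked
# The same allow-list entry written as a full URL and as a bare host.
LIST_WITH_SCHEME = ["http://www.suitecrm2.compositeautomation.com"]
LIST_BARE_HOSTS = ["www.suitecrm2.compositeautomation.com"]


def referer_host(referer):
    """Lower-cased host part of a Referer header value ('' when absent)."""
    if not referer:
        return ""
    return (urlsplit(referer).hostname or "").lower()


def normalize_allow_list(entries):
    """Reduce allow-list entries to bare hosts, so an entry written as
    'http://www.example.com/dir' still compares equal to a referer host."""
    hosts = set()
    for entry in entries:
        entry = entry.strip()
        if "://" not in entry:
            entry = "http://" + entry   # urlsplit only finds a host after a scheme
        host = urlsplit(entry).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def referer_allowed(referer, action, server_name=SERVER_NAME, allow_list=(),
                    exempt=EXEMPT_ACTIONS, normalize=False):
    """Assumed rule: the request is blocked (XSRF page shown) only when a
    Referer is present, its host is not the server's own name, the action is
    not exempt, and the host is not on the allow-list.  Returns True when
    the request may proceed."""
    host = referer_host(referer)
    if not host:
        return True                       # no Referer: nothing to compare
    if host == server_name.lower():
        return True                       # same host: ordinary in-app navigation
    if action in exempt:
        return True
    if normalize:
        allowed = normalize_allow_list(allow_list)
    else:
        allowed = {e.lower() for e in allow_list}   # literal comparison, as configured
    return host in allowed


if __name__ == "__main__":
    www = "http://www.suitecrm2.compositeautomation.com/dir/index.php?module=Administration&action=Repair"
    print("www host, URL-shaped list entry :", referer_allowed(www, "Repair", allow_list=LIST_WITH_SCHEME))
    print("www host, bare-host list entry  :", referer_allowed(www, "Repair", allow_list=LIST_BARE_HOSTS))
    print("www host, normalized list       :", referer_allowed(www, "Repair", allow_list=LIST_WITH_SCHEME, normalize=True))
    print("other site, Repair action       :", referer_allowed("http://other-site.invalid/p.html", "Repair", allow_list=LIST_BARE_HOSTS))
```

The point to take from it: when the comparison is host against host, an allow-list entry that carries `http://` or a `/dir` path never equals a referer host, so only a bare hostname (or a normalized list, as `normalize_allow_list` does) can match; and the cleanest fix is to make `host_name`, `site_url` and the address users actually type agree on www versus non-www, so the first branch (same host) is taken and the allow-list is never consulted.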

Thank you very much for replying. I am copying and pasting the contents below for you to see. They are similar but not identical.

Can you advise which one I should use?

Also, None of the documents that I had uploaded to Accounts or Opportunities are available.

'host_name' => 'suitecrm2.compositeautomation.com',

 'site_url' => 'http://suitecrm2.compositeautomation.com/dir' 

One references http:// and the other does not.

Sorry about the double post. Senior moment.

I am deeply appreciative of your help. I purposely moved to a more expensive hosting system so that the CRM would perform better and that I would be able to run updates. I like this software quite a lot and I show it to every one of my small to medium size principal partners and tell them to install it instead of SF or Zoho! I’m spreading the word and am a total apostle of this application.

Merry Christmas to all that read this!!

John

Thanks for promoting SuiteCRM, I am glad you like it! :slight_smile:

Your settings look correct to me (including all the minor details like http:// and trailing slashes), although I never installed SuiteCRM in a subdirectory, so I am not sure if it is supposed to be included in site_url.

You might have some different configuration problem, see if this helps: http://support.sugarcrm.com/Knowledge_Base/Troubleshooting/Troubleshooting_Cross-Site_Forgery_Messages/

About the Documents, have you migrated your complete “upload” directory? Are the ownerships and permissions ok so that SuiteCRM can read it?

… and Merry Christmas to you too!

Greetings
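Added example (not part of this thread and not SuiteCRM's own code) to make the "ownerships and permissions" question concrete: a Python audit that walks an upload tree and reports every entry the web server identity could not read (directories also need the search bit) or does not own. The web server user name `apache` is taken from the `allowed_cron_users` setting quoted later in the thread and is only a guess at the real account; the sample tree, the function names and the simplification that only the primary group is considered are all assumptions of this example.

```python
import os
import pwd
import shutil
import stat
import tempfile


def readable_by(st, uid, gid):
    """True if identity (uid, gid) can read the entry described by `st`
    (and search it, when it is a directory).  Simplification: only the
    primary group is considered, not supplementary groups; a root web
    server user would bypass mode bits entirely, which is not modelled."""
    mode = st.st_mode
    if uid == st.st_uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif gid == st.st_gid:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    if not mode & r:
        return False
    return bool(mode & x) if stat.S_ISDIR(mode) else True


def audit_upload_dir(root, web_uid, web_gid):
    """Return sorted (relative path, problem) pairs for entries under `root`
    that the web server identity cannot read, or that it does not own.
    Unreadable entries break attachment access; foreign ownership is
    reported separately because it usually breaks writes later."""
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    problems = []
    for path in entries:
        st = os.lstat(path)
        rel = os.path.relpath(path, root)
        if not readable_by(st, web_uid, web_gid):
            problems.append((rel, "unreadable by web server user"))
        elif st.st_uid != web_uid:
            problems.append((rel, "owned by uid %d, not the web server user" % st.st_uid))
    return sorted(problems)


def resolve_web_user(name):
    """(uid, gid) for an account name; falls back to the current user when
    the account does not exist on this machine (e.g. on a workstation)."""
    try:
        pw = pwd.getpwnam(name)
        return pw.pw_uid, pw.pw_gid
    except KeyError:
        return os.getuid(), os.getgid()


def make_sample_tree():
    """Constructed sample upload tree: one readable file, one file with no
    permission bits, one directory without the search (x) bit."""
    root = tempfile.mkdtemp(prefix="upload-")
    readable = os.path.join(root, "readable.bin")
    with open(readable, "wb") as f:
        f.write(b"ok")
    os.chmod(readable, 0o644)
    locked = os.path.join(root, "locked.bin")
    with open(locked, "wb") as f:
        f.write(b"attachment")
    os.chmod(locked, 0)
    nosearch = os.path.join(root, "nosearch")
    os.mkdir(nosearch)
    os.chmod(nosearch, 0o600)          # explicit chmod: mkdir's mode is subject to umask
    return root


def cleanup_sample_tree(root):
    """Restore search bits so the tree can be removed, then remove it."""
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o700)
    shutil.rmtree(root)


if __name__ == "__main__":
    uid, gid = resolve_web_user("apache")   # assumed account name
    root = make_sample_tree()
    for rel, problem in audit_upload_dir(root, uid, gid):
        print("%-14s %s" % (rel, problem))
    cleanup_sample_tree(root)
```

Run it against the real `upload/` directory by replacing `make_sample_tree()` with that path; every line it prints is a file or directory that a migration copied with the wrong owner or mode, which is what `chown` to the web server user and a `chmod` that restores read (and directory search) bits should fix.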

You wrote:
About the Documents, have you migrated your complete “upload” directory?

I see the directory but am not understanding what I need to do to migrate it.

Are the ownerships and permissions ok so that SuiteCRM can read it?

Again, I don’t know where to set ownerships and permissions.

Hate to be such a bother!

Thanks
John

An interesting behavior is that the Cross site Forgery message does not occur in Microsoft Edge but does in Chrome. Curious.

Anyway, I implemented the suggested code but that did not seem to work. Do I need to ask the host to reboot?

Thank you,

John

Are there any redirections in the .htaccess file? (This is located in your root directory or the install location.) Did you run Repair/Rebuild to check if that fixes the URLs?
If you inspect the Module Links (press F12, then in the panel that pops up click the arrow at the extreme left and select a menu option in SuiteCRM by clicking on it; it will show its HTML in the panel), what URL does that show?

Can you just point the domain to the DIR rather than mentioning the Dir in the end? (http://suitecrm2.compositeautomation.com/dir)

My .htaccess file contents:

# BEGIN SUGARCRM RESTRICTIONS
RedirectMatch 403 ..log$
RedirectMatch 403 /+not_imported_..txt
RedirectMatch 403 /+(soap|cache|xtemplate|data|examples|include|log4php|metadata|modules)/+.*.(php|tpl)
RedirectMatch 403 /+emailmandelivery.php
RedirectMatch 403 /+upload
RedirectMatch 403 /+custom/+blowfish
RedirectMatch 403 /+cache/+diagnostic
RedirectMatch 403 /+files.md5$
# END SUGARCRM RESTRICTIONS

Options +SymLinksIfOwnerMatch
RewriteEngine On
RewriteBase /dir
RewriteRule ^cache/jsLanguage/(.._..).js$ index.php?entryPoint=jslang&modulename=app_strings&lang=$1 [L,QSA]
RewriteRule ^cache/jsLanguage/(\w*)/(.._..).js$ index.php?entryPoint=jslang&modulename=$1&lang=$2 [L,QSA]
# --------- DEPRECATED --------
RewriteRule ^api/(.*?)$ lib/API/public/index.php/$1 [L]
RewriteRule ^api/(.*)$ - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# -----------------------------

RewriteRule ^Api/access_token$ Api/index.php/access_token [L]
RewriteRule ^Api/V8/(.*?)$ Api/index.php/V8/$1 [L]
RewriteRule ^Api/(.*)$ - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Header set ETag ""
Header set Cache-Control "max-age=2592000"
Header set Expires "01 Jan 2112 00:00:00 GMT"
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"

When I run the repair utility I get this error:

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 20480 bytes) in /home/compos24/suitecrm2.compositeautomation.com/dir/cache/modules/AOS_Contracts/AOS_Contractsvardefs.php on line 3

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 98304 bytes) in Unknown on line 0

I can only run it in Edge, as Chrome gives me the “Possible Cross Site Request Forgery (XSRF) Attack Detected” screen.

This is the module link (hope I did this right) : Repair

You asked: "Can you just point the domain to the DIR rather than mentioning the Dir in the end? (suitecrm2.compositeautomation.com/dir)"

Honestly don’t know the answer.

At this point, do you think it may make sense to do a fresh install and point the new install to the existing databases or import them accordingly?

Still not working in Chrome.

This is my config_override.php contents:

<?php
/***CONFIGURATOR***/
$sugar_config['http_referer']['list'][] = 'http://www.suitecrm2.compositeautomation.com';
$sugar_config['http_referer']['actions'] =array( 'index', 'ListView', 'DetailView', 'EditView', 'oauth', 'authorize', 'Authenticate', 'Login', 'SupportPortal', 'ajaxui', 'index', 'ListView', 'DetailView', 'EditView', 'oauth', 'authorize', 'Authenticate', 'Login', 'SupportPortal', 'Logout', 'index', 'ListView', 'DetailView', 'EditView', 'oauth', 'authorize', 'Authenticate', 'Login', 'SupportPortal', 'SubPanelViewer' ); 
$sugar_config['http_referer']['list'][0] = 'vps45273.inmotionhosting.com';
$sugar_config['http_referer']['actions'][0] = 'index';
$sugar_config['http_referer']['actions'][1] = 'ListView';
$sugar_config['http_referer']['actions'][2] = 'DetailView';
$sugar_config['http_referer']['actions'][3] = 'EditView';
$sugar_config['http_referer']['actions'][4] = 'oauth';
$sugar_config['http_referer']['actions'][5] = 'authorize';
$sugar_config['http_referer']['actions'][6] = 'Authenticate';
$sugar_config['http_referer']['actions'][7] = 'Login';
$sugar_config['http_referer']['actions'][8] = 'SupportPortal';
$sugar_config['http_referer']['actions'][9] = 'ajaxui';
$sugar_config['http_referer']['actions'][10] = 'index';
$sugar_config['http_referer']['actions'][11] = 'ListView';
$sugar_config['http_referer']['actions'][12] = 'DetailView';
$sugar_config['http_referer']['actions'][13] = 'EditView';
$sugar_config['http_referer']['actions'][14] = 'oauth';
$sugar_config['http_referer']['actions'][15] = 'authorize';
$sugar_config['http_referer']['actions'][16] = 'Authenticate';
$sugar_config['http_referer']['actions'][17] = 'Login';
$sugar_config['http_referer']['actions'][18] = 'SupportPortal';
$sugar_config['http_referer']['actions'][19] = 'Logout';
$sugar_config['disable_persistent_connections'] = false;
$sugar_config['email_allow_send_as_user'] = true;
$sugar_config['email_xss'] = 'YToxMzp7czo2OiJhcHBsZXQiO3M6NjoiYXBwbGV0IjtzOjQ6ImJhc2UiO3M6NDoiYmFzZSI7czo1OiJlbWJlZCI7czo1OiJlbWJlZCI7czo0OiJmb3JtIjtzOjQ6ImZvcm0iO3M6NToiZnJhbWUiO3M6NToiZnJhbWUiO3M6ODoiZnJhbWVzZXQiO3M6ODoiZnJhbWVzZXQiO3M6NjoiaWZyYW1lIjtzOjY6ImlmcmFtZSI7czo2OiJpbXBvcnQiO3M6ODoiXD9pbXBvcnQiO3M6NToibGF5ZXIiO3M6NToibGF5ZXIiO3M6NDoibGluayI7czo0OiJsaW5rIjtzOjY6Im9iamVjdCI7czo2OiJvYmplY3QiO3M6MzoieG1wIjtzOjM6InhtcCI7czo2OiJzY3JpcHQiO3M6Njoic2NyaXB0Ijt9';
$sugar_config['passwordsetting']['SystemGeneratedPasswordON'] = '1';
$sugar_config['passwordsetting']['generatepasswordtmpl'] = '79d04cf9-c414-ad1d-811a-58743779e3af';
$sugar_config['passwordsetting']['lostpasswordtmpl'] = '79d04cf9-c414-ad1d-811a-58743779e3af';
$sugar_config['passwordsetting']['factoremailtmpl'] = '';
$sugar_config['passwordsetting']['forgotpasswordON'] = '1';
$sugar_config['passwordsetting']['systexpiration'] = '0';
$sugar_config['passwordsetting']['systexpirationtime'] = '';
$sugar_config['passwordsetting']['oneupper'] = '0';
$sugar_config['passwordsetting']['onelower'] = '0';
$sugar_config['passwordsetting']['onenumber'] = '0';
$sugar_config['passwordsetting']['onespecial'] = '0';
$sugar_config['SAML_loginurl'] = '';
$sugar_config['SAML_logouturl'] = '';
$sugar_config['SAML_X509Cert'] = '';
$sugar_config['authenticationClass'] = '';
$sugar_config['upload_maxsize'] = '70000000';
$sugar_config['default_module_favicon'] = false;
$sugar_config['dashlet_auto_refresh_min'] = '30';
$sugar_config['stack_trace_errors'] = false;
/***CONFIGURATOR***/

This is config.php

<?php
// created: 2018-12-24 16:17:32
$sugar_config = array (
  'addAjaxBannedModules' => 
  array (
    0 => 'SecurityGroups',
  ),
  'admin_access_control' => false,
  'admin_export_only' => false,
  'aod' => 
  array (
    'enable_aod' => true,
  ),
  'aop' => 
  array (
    'distribution_method' => 'roundRobin',
    'case_closure_email_template_id' => '1837543d-bf76-9c8e-da56-5c0b4743c57c',
    'joomla_account_creation_email_template_id' => '183aef81-302a-1c82-4a76-5c0b4725fad6',
    'case_creation_email_template_id' => '183ecdbe-7e61-3bb2-46d5-5c0b4791024e',
    'contact_email_template_id' => '18424f59-32f2-4934-0290-5c0b47d4417c',
    'user_email_template_id' => '1845b588-906b-0ba0-c610-5c0b47cc936a',
  ),
  'aos' => 
  array (
    'version' => '5.3.3',
    'contracts' => 
    array (
      'renewalReminderPeriod' => '14',
    ),
    'lineItems' => 
    array (
      'totalTax' => false,
      'enableGroups' => true,
    ),
    'invoices' => 
    array (
      'initialNumber' => '1',
    ),
    'quotes' => 
    array (
      'initialNumber' => '1',
    ),
  ),
  'cache_dir' => 'cache/',
  'calculate_response_time' => true,
  'calendar' => 
  array (
    'default_view' => 'week',
    'show_calls_by_default' => true,
    'show_tasks_by_default' => true,
    'show_completed_by_default' => true,
    'editview_width' => 990,
    'editview_height' => 485,
    'day_timestep' => 15,
    'week_timestep' => 30,
    'items_draggable' => true,
    'items_resizable' => true,
    'enable_repeat' => true,
    'max_repeat_count' => 1000,
  ),
  'chartEngine' => 'Jit',
  'common_ml_dir' => '',
  'create_default_user' => false,
  'cron' => 
  array (
    'max_cron_jobs' => 10,
    'max_cron_runtime' => 30,
    'min_cron_interval' => 30,
    'allowed_cron_users' => 
    array (
      0 => 'apache',
    ),
  ),
  'currency' => '',
  'dashlet_display_row_options' => 
  array (
    0 => '1',
    1 => '3',
    2 => '5',
    3 => '10',
  ),
  'date_formats' => 
  array (
    'Y-m-d' => '2010-12-23',
    'm-d-Y' => '12-23-2010',
    'd-m-Y' => '23-12-2010',
    'Y/m/d' => '2010/12/23',
    'm/d/Y' => '12/23/2010',
    'd/m/Y' => '23/12/2010',
    'Y.m.d' => '2010.12.23',
    'd.m.Y' => '23.12.2010',
    'm.d.Y' => '12.23.2010',
  ),
  'datef' => 'm/d/Y',
  'dbconfig' => 
  array (
    'db_host_name' => 'localhost',
    'db_host_instance' => 'SQLEXPRESS',
    'db_user_name' => 'compos24_suit615',
    'db_password' => 'dS9Si5p!)3',
    'db_name' => 'compos24_suit615',
    'db_type' => 'mysql',
    'db_port' => '',
    'db_manager' => 'MysqliManager',
  ),
  'dbconfigoption' => 
  array (
    'persistent' => true,
    'autofree' => false,
    'debug' => 0,
    'ssl' => false,
  ),
  'default_action' => 'index',
  'default_charset' => 'UTF-8',
  'default_currencies' => 
  array (
    'AUD' => 
    array (
      'name' => 'Australian Dollars',
      'iso4217' => 'AUD',
      'symbol' => '$',
    ),
    'BRL' => 
    array (
      'name' => 'Brazilian Reais',
      'iso4217' => 'BRL',
      'symbol' => 'R$',
    ),
    'GBP' => 
    array (
      'name' => 'British Pounds',
      'iso4217' => 'GBP',
      'symbol' => '£',
    ),
    'CAD' => 
    array (
      'name' => 'Canadian Dollars',
      'iso4217' => 'CAD',
      'symbol' => '$',
    ),
    'CNY' => 
    array (
      'name' => 'Chinese Yuan',
      'iso4217' => 'CNY',
      'symbol' => '¥',
    ),
    'EUR' => 
    array (
      'name' => 'Euro',
      'iso4217' => 'EUR',
      'symbol' => '€',
    ),
    'HKD' => 
    array (
      'name' => 'Hong Kong Dollars',
      'iso4217' => 'HKD',
      'symbol' => '$',
    ),
    'INR' => 
    array (
      'name' => 'Indian Rupees',
      'iso4217' => 'INR',
      'symbol' => '₨',
    ),
    'KRW' => 
    array (
      'name' => 'Korean Won',
      'iso4217' => 'KRW',
      'symbol' => '₩',
    ),
    'YEN' => 
    array (
      'name' => 'Japanese Yen',
      'iso4217' => 'JPY',
      'symbol' => '¥',
    ),
    'MXN' => 
    array (
      'name' => 'Mexican Pesos',
      'iso4217' => 'MXN',
      'symbol' => '$',
    ),
    'SGD' => 
    array (
      'name' => 'Singaporean Dollars',
      'iso4217' => 'SGD',
      'symbol' => '$',
    ),
    'CHF' => 
    array (
      'name' => 'Swiss Franc',
      'iso4217' => 'CHF',
      'symbol' => 'SFr.',
    ),
    'THB' => 
    array (
      'name' => 'Thai Baht',
      'iso4217' => 'THB',
      'symbol' => '฿',
    ),
    'USD' => 
    array (
      'name' => 'US Dollars',
      'iso4217' => 'USD',
      'symbol' => '$',
    ),
  ),
  'default_currency_iso4217' => 'USD',
  'default_currency_name' => 'US Dollars',
  'default_currency_significant_digits' => 2,
  'default_currency_symbol' => '$',
  'default_date_format' => 'm/d/Y',
  'default_decimal_seperator' => '.',
  'default_email_charset' => 'UTF-8',
  'default_email_client' => 'sugar',
  'default_email_editor' => 'html',
  'default_export_charset' => 'UTF-8',
  'default_language' => 'en_us',
  'default_locale_name_format' => 's f l',
  'default_max_tabs' => 10,
  'default_module' => 'Home',
  'default_navigation_paradigm' => 'gm',
  'default_number_grouping_seperator' => ',',
  'default_password' => '',
  'default_permissions' => 
  array (
    'dir_mode' => 493,
    'file_mode' => 420,
    'user' => '',
    'group' => '',
  ),
  'default_subpanel_links' => false,
  'default_subpanel_tabs' => true,
  'default_swap_last_viewed' => false,
  'default_swap_shortcuts' => false,
  'default_theme' => 'SuiteP',
  'default_time_format' => 'h:ia',
  'default_user_is_admin' => false,
  'default_user_name' => '',
  'demoData' => 'no',
  'developerMode' => false,
  'disable_convert_lead' => false,
  'disable_export' => false,
  'disable_persistent_connections' => 'false',
  'display_email_template_variable_chooser' => false,
  'display_inbound_email_buttons' => false,
  'dump_slow_queries' => false,
  'email_address_separator' => ',',
  'email_confirm_opt_in_email_template_id' => '1831cdfe-0631-1ef4-a4cc-5c0b474c14a4',
  'email_default_client' => 'sugar',
  'email_default_delete_attachments' => true,
  'email_default_editor' => 'html',
  'email_enable_auto_send_opt_in' => false,
  'email_enable_confirm_opt_in' => 'not-opt-in',
  'enable_action_menu' => true,
  'enable_line_editing_detail' => true,
  'enable_line_editing_list' => true,
  'export_delimiter' => ',',
  'export_excel_compatible' => false,
  'filter_module_fields' => 
  array (
    'Users' => 
    array (
      0 => 'show_on_employees',
      1 => 'portal_only',
      2 => 'is_group',
      3 => 'system_generated_password',
      4 => 'external_auth_only',
      5 => 'sugar_login',
      6 => 'authenticate_id',
      7 => 'pwd_last_changed',
      8 => 'is_admin',
      9 => 'user_name',
      10 => 'user_hash',
      11 => 'password',
      12 => 'last_login',
      13 => 'oauth_tokens',
    ),
    'Employees' => 
    array (
      0 => 'show_on_employees',
      1 => 'portal_only',
      2 => 'is_group',
      3 => 'system_generated_password',
      4 => 'external_auth_only',
      5 => 'sugar_login',
      6 => 'authenticate_id',
      7 => 'pwd_last_changed',
      8 => 'is_admin',
      9 => 'user_name',
      10 => 'user_hash',
      11 => 'password',
      12 => 'last_login',
      13 => 'oauth_tokens',
    ),
  ),
  'hide_subpanels' => true,
  'history_max_viewed' => 50,
  'host_name' => 'http://www.suitecrm2.compositeautomation.com/dir/',
  'import_max_execution_time' => 3600,
  'import_max_records_per_file' => 100,
  'import_max_records_total_limit' => '',
  'installer_locked' => true,
  'jobs' => 
  array (
    'min_retry_interval' => 30,
    'max_retries' => 5,
    'timeout' => 86400,
  ),
  'js_custom_version' => 1,
  'js_lang_version' => 1,
  'languages' => 
  array (
    'en_us' => 'English (US)',
  ),
  'large_scale_test' => false,
  'lead_conv_activity_opt' => 'donothing',
  'list_max_entries_per_page' => 20,
  'list_max_entries_per_subpanel' => 10,
  'lock_default_user_name' => false,
  'lock_homepage' => false,
  'lock_subpanels' => false,
  'log_dir' => '.',
  'log_file' => 'suitecrm.log',
  'log_memory_usage' => false,
  'logger' => 
  array (
    'level' => 'fatal',
    'file' => 
    array (
      'ext' => '.log',
      'name' => 'suitecrm',
      'dateFormat' => '%c',
      'maxSize' => '10MB',
      'maxLogs' => 10,
      'suffix' => '',
    ),
  ),
  'max_dashlets_homepage' => '15',
  'name_formats' => 
  array (
    's f l' => 's f l',
    'f l' => 'f l',
    's l' => 's l',
    'l, s f' => 'l, s f',
    'l, f' => 'l, f',
    's l, f' => 's l, f',
    'l s f' => 'l s f',
    'l f s' => 'l f s',
  ),
  'passwordsetting' => 
  array (
    'SystemGeneratedPasswordON' => '',
    'generatepasswordtmpl' => '182659d8-8213-c5a6-c66d-5c0b470097ce',
    'lostpasswordtmpl' => '182a0f29-aa95-8a3c-855b-5c0b47029990',
    'factoremailtmpl' => '182db137-2e20-534e-b9af-5c0b47a996a8',
    'forgotpasswordON' => false,
    'linkexpiration' => '1',
    'linkexpirationtime' => '30',
    'linkexpirationtype' => '1',
    'systexpiration' => '1',
    'systexpirationtime' => '7',
    'systexpirationtype' => '1',
    'systexpirationlogin' => '',
  ),
  'portal_view' => 'single_user',
  'require_accounts' => true,
  'resource_management' => 
  array (
    'special_query_limit' => 50000,
    'special_query_modules' => 
    array (
      0 => 'Reports',
      1 => 'Export',
      2 => 'Import',
      3 => 'Administration',
      4 => 'Sync',
    ),
    'default_limit' => 20000,
  ),
  'rss_cache_time' => '10800',
  'save_query' => 'all',
  'search_wildcard_char' => '%',
  'search_wildcard_infront' => false,
  'securitysuite_additive' => true,
  'securitysuite_filter_user_list' => false,
  'securitysuite_inherit_assigned' => true,
  'securitysuite_inherit_creator' => true,
  'securitysuite_inherit_parent' => true,
  'securitysuite_popup_select' => false,
  'securitysuite_strict_rights' => false,
  'securitysuite_user_popup' => true,
  'securitysuite_user_role_precedence' => true,
  'securitysuite_version' => '6.5.17',
  'session_dir' => '',
  'showDetailData' => true,
  'showThemePicker' => true,
  'site_url' => 'http://www.suitecrm2.compositeautomation.com/dir/',
  'slow_query_time_msec' => '100',
  'sugar_version' => '6.5.25',
  'sugarbeet' => false,
  'suitecrm_version' => '7.10.11',
  'system_email_templates' => 
  array (
    'confirm_opt_in_template_id' => '1831cdfe-0631-1ef4-a4cc-5c0b474c14a4',
  ),
  'time_formats' => 
  array (
    'H:i' => '23:00',
    'h:ia' => '11:00pm',
    'h:iA' => '11:00PM',
    'h:i a' => '11:00 pm',
    'h:i A' => '11:00 PM',
    'H.i' => '23.00',
    'h.ia' => '11.00pm',
    'h.iA' => '11.00PM',
    'h.i a' => '11.00 pm',
    'h.i A' => '11.00 PM',
  ),
  'timef' => 'H:i',
  'tmp_dir' => 'cache/xml/',
  'tracker_max_display_length' => 15,
  'translation_string_prefix' => false,
  'unique_key' => '717ee96da8f82dad7add8ac31ef4a88a',
  'upload_badext' => 
  array (
    0 => 'php',
    1 => 'php3',
    2 => 'php4',
    3 => 'php5',
    4 => 'pl',
    5 => 'cgi',
    6 => 'py',
    7 => 'asp',
    8 => 'cfm',
    9 => 'js',
    10 => 'vbs',
    11 => 'html',
    12 => 'htm',
    13 => 'phtml',
  ),
  'upload_dir' => 'upload/',
  'upload_maxsize' => 30000000,
  'use_common_ml_dir' => false,
  'use_real_names' => true,
  'vcal_time' => '2',
  'verify_client_ip' => true,
);

The cross site forgery message seems to be less frequent in Edge than Chrome.

Again, thank you very much for any insight. I have a lot invested in the database (3 years of work) and can’t just walk away.

This started to happen once I moved to a VPS instead of shared hosting so I could upgrade when new versions came out.

Happy holidays!
John

Can you add the following to config_override.php and run RR to check? Maybe logout and then login again.

$sugar_config['http_referer']['list'][] = 'http://www.suitecrm2.compositeautomation.com/dir';