
Allow users logged in accessing home module with referer

The CSRF protection of vtigerCRM is done by checking the Referer field. If a user with a logged-in session accesses vtigerCRM with a Referer URL other than the $site_URL, the request could be the result of a CSRF attack (e.g. clicking on a malicious link that asks the victim's browser to send a request with the logged-in session to perform some privileged operation). This check is safe and usually necessary.

However, a user who opens vtigerCRM from a normal hyperlink will be blocked. Here is the detailed scenario:

  • The company has established an internal website with shortcuts for all internal services.
  • The website (e.g. https://internal.my.com) contains a hyperlink to the vtigerCRM service (e.g. https://vtigercrm.my.com).
  • A vtigerCRM user logs in to vtigercrm.my.com, finishes his/her job in vtigerCRM and closes the browser tab.
  • A few minutes later, he/she clicks the hyperlink to https://vtigercrm.my.com from https://internal.my.com and sees https://vtigercrm.my.com showing "Illegal request", since the browser is still carrying a valid login session and has inserted Referer: https://internal.my.com, which does not match the URL specified by $site_URL.

The CSRF check is sometimes not necessary for the home module, since the home module is just an entrance page. By checking that there are no other POST or GET parameters, I can ensure that accessing the home module via a hyperlink from any other website is safe.
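The following is an added example, not vtigerCRM's own code, showing the shape of the check described above: a Referer-origin comparison against $site_URL, with a narrow exemption for a parameter-less entrance to the Home module. The function names, the origin-only comparison (scheme, host and port; the path of $site_URL is ignored), the decision to treat a missing Referer like a foreign one, and the exact definition of "entrance" (GET with either no query or exactly module=Home, and no POST body) are assumptions of this example, not a description of the merge request's implementation.

```php
<?php
// Added example (not vtigerCRM's own code): a Referer-based CSRF check with
// a narrow exemption for the parameter-less Home entrance. The names and the
// exact rule below are assumptions made for illustration.

declare(strict_types=1);

/**
 * Reduce a URL to its origin (scheme://host[:port]) for comparison.
 * Returns null when the URL carries no scheme or host.
 */
function originOf(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme']) . '://' . strtolower($p['host']);
    if (isset($p['port'])) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

/**
 * Is this request a bare entrance to the Home module?  Only GET qualifies,
 * the query string must be empty or exactly module=Home, and there must be
 * no POST body at all. Any extra parameter (an action, a record id, a form
 * field) makes the request non-exempt, so the exemption cannot be abused to
 * smuggle an operation through the entrance page.
 */
function isBareHomeEntrance(string $method, array $get, array $post): bool
{
    if (strtoupper($method) !== 'GET' || $post !== []) {
        return false;
    }
    return $get === [] || $get === ['module' => 'Home'];
}

/**
 * Decide whether a request from a logged-in session may proceed.
 *   $siteUrl  the configured $site_URL
 *   $referer  the Referer header value, or null when the browser sent none
 */
function isRequestAllowed(string $siteUrl, ?string $referer, string $method, array $get, array $post): bool
{
    $site = originOf($siteUrl);
    $from = $referer === null ? null : originOf($referer);

    // Same-origin Referer: the normal case, always allowed.
    if ($site !== null && $from !== null && $from === $site) {
        return true;
    }

    // Foreign or missing Referer: only the parameter-less Home entrance passes.
    return isBareHomeEntrance($method, $get, $post);
}

// Constructed requests for demonstration; none of these come from a real log.
$siteUrl = 'https://vtigercrm.my.com';
$cases = [
    'link from intranet to entrance'   => ['https://internal.my.com/', 'GET', ['module' => 'Home'], []],
    'link from intranet to a record'   => ['https://internal.my.com/', 'GET', ['module' => 'Contacts', 'action' => 'DeleteAjax', 'record' => '7'], []],
    'cross-site POST to entrance path' => ['https://evil.example/', 'POST', ['module' => 'Home'], ['field' => 'x']],
    'same-origin POST'                 => ['https://vtigercrm.my.com/index.php', 'POST', ['module' => 'Contacts', 'action' => 'Save'], ['lastname' => 'Doe']],
    'no Referer, entrance'             => [null, 'GET', [], []],
];
foreach ($cases as $name => [$ref, $method, $get, $post]) {
    printf("%-34s %s\n", $name, isRequestAllowed($siteUrl, $ref, $method, $get, $post) ? 'allowed' : 'Illegal request');
}
```

Run with `php example.php`. The intranet link to the entrance and the same-origin POST are allowed; the intranet link that carries an action and a record id, and the cross-site POST aimed at the entrance path, are still rejected, which is the property the exemption has to preserve. The origin comparison deliberately includes the port and lower-cases scheme and host, so that a Referer of https://vtigercrm.my.com:8443 does not pass as https://vtigercrm.my.com by accident.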
