#60 AvantFAX gives "Illegal operation" incorrectly

Milestone: v1.0 (example)
Status: closed
Owner: nobody
Priority: 5
Updated: 2009-01-06
Created: 2008-09-20
Creator: xurizaemon
Private: No

We have an internal AvantFAX server and expose the AvantFAX app via a mod_rewrite rule. On our front-facing server, we have this Apache2 rule:

## hylafax
<IfModule mod_rewrite.c>
RewriteRule ^hylafax/$ http://192.168.2.65/hylafax/ [P,QSA]
RewriteRule ^hylafax(.*)$ http://192.168.2.65/hylafax$1 [P,QSA]
RewriteRule ^faxes(.*)$ http://192.168.2.65/hylafax/faxes$1 [P,QSA]
</IfModule>

Although AvantFAX is available at this URL, any attempt to log in would fail with the error message "Illegal operation".

I found that this was because AvantFAX was attempting to match the HTTP_REFERER with a calculated TLD. AvantFAX had calculated our TLD as "2.65".

So:

1. AvantFAX may fail if the browser is configured not to send a REFERER
2. REFERER is easily faked, so this offers no additional protection
3. If the TLD calculation relates to any country-specific DNS space, the TLD calculation will be so wide-open as to be futile, and match any domain in that country's matching namespace (e.g., .co.uk or .com.au)

This appears to be a new bug in the 3.x series, as we were previously running the same setup on 2.x without this issue.

I disabled the code which caused this issue by replacing the first line of FormRules::ProcessForm() with:

if (false && $checkRef && array_key_exists ('SERVER_NAME', $_SERVER)) {

I did look (via grep and reading the function comments for FormRules::ProcessForm()) to see if $checkRef is configurable on a global basis, but there was no indication that this is the case.

Thanks
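
The referer-versus-TLD check described in this report, modelled as an added example rather than AvantFAX's own code: the "last two dot-separated labels of SERVER_NAME" rule is an assumption that reproduces the "2.65" result above, fax.example.com is a placeholder for the front-facing proxy host, and the session-token check is the usual replacement for referer matching, not something the ticket proposes.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit


def guessed_tld(server_name: str) -> str:
    """Assumed heuristic: keep the last two labels ('192.168.2.65' -> '2.65')."""
    return ".".join(server_name.split(".")[-2:])


def referer_check(server_name: str, referer: Optional[str]) -> bool:
    """Weak check from the ticket: the Referer host must end in the guessed TLD."""
    if referer is None:
        return False  # point 1: a browser that omits Referer is rejected outright
    host = urlsplit(referer).hostname or ""
    tld = guessed_tld(server_name)
    return host == tld or host.endswith("." + tld)


def issue_token(session: dict) -> str:
    """Replacement technique: bind the form to the session with a random token."""
    session["form_token"] = secrets.token_hex(16)
    return session["form_token"]


def token_check(session: dict, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the session copy."""
    expected = session.get("form_token")
    if not expected or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Constructed cases; fax.example.com is a placeholder for the front-facing host."""
    backend = "192.168.2.65"  # SERVER_NAME seen by the proxied AvantFAX instance
    session: dict = {}
    token = issue_token(session)
    return {
        "proxied_login": referer_check(backend, "http://fax.example.com/hylafax/"),  # False
        "no_referer": referer_check(backend, None),                                  # False
        "direct_login": referer_check(backend, "http://192.168.2.65/hylafax/"),      # True
        "same_cctld_stranger": referer_check("fax.example.co.uk", "http://unrelated.co.uk/"),  # True
        "token_ok": token_check(session, token),                                     # True
        "token_wrong": token_check(session, "0" * 32),                               # False
    }


if __name__ == "__main__":
    print(demo())
```

The first two results are the "Illegal operation" cases from the report (proxied login and a browser that omits Referer), the fourth is point 3 (an unrelated .co.uk host passes), and the token pair shows a check that does not depend on the Referer header at all.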

Discussion

  • xurizaemon, 2008-09-20

    AvantFAX 3.1.2

  • Dave, 2009-01-06

    • status: open --> closed

  • Dave, 2009-01-06

    $checkRef is not globally configurable. You would've needed to set it to false in FormRules. However, this bit of code will be removed in v3.1.6.