Thread: fail to login

  1. #1
    lwkiong is offline Junior Member
    Join Date
    Mar 2011
    Posts
    2

    Default fail to login

    Hi,

    I just installed SugarCRM CE v6.1.2 and I am unable to log in, with the error message below:

    Possible Cross Site Request Forgery (XSRF) Attack Detected

    Directions
    On your file system go to the root of your SugarCRM instance
    Open the file config_override.php. If it does not exist, create it. (it should be at the same level as index.php and config.php)
    Make sure the file starts with
    <?php
    followed by a new line
    Add the following line to your config_override.php file

    $sugar_config['http_referer']['list'][] = 'support.maxmulia.com';
    Save the file and it should work
    Attempted action (Authenticate)
    If you feel this is a valid action that should be allowed from any referer, add the following to your config_override.php file
    $sugar_config['http_referer']['actions'] =array( 'index', 'ListView', 'DetailView', 'EditView', 'Authenticate' );



    I tried creating config_override.php and adding the above line, but it does not work.

    I would appreciate anybody's advice.

  2. #2
    AlexAv is offline Sugar Community Member
    Join Date
    Oct 2009
    Location
    Ukraine
    Posts
    922

    Default Re: fail to login

    Did it solve your problem?
    As I understand, support.maxmulia.com is the link to your SugarCRM instance.
    Letrium ltd. - Only high quality service
    http://letrium.com

  3. #3
    lwkiong is offline Junior Member
    Join Date
    Mar 2011
    Posts
    2

    Default Re: fail to login

    Hi,

    Nope. I tried and it does not work, and I still cannot log in.

    Please advise.

  4. #4
    kbrill is offline SugarCRM PS Engineer
    Join Date
    Jul 2004
    Location
    St Louis, MO
    Posts
    3,183

    Default Re: fail to login

    Can you post your config_override.php file here?
    Kenneth Brill - Help Forum Moderator

    I do not respond to 'Private Messages'. Please email me directly instead

    When asking for help, PLEASE give us your Server Information and Version Numbers as asked for on the 'Post New Message' screen as well as any JavaScript errors shown at the bottom of the browser window.
    Help us Help You

  5. #5
    allstarimage is offline Junior Member
    Join Date
    Feb 2011
    Posts
    3

    Default Re: fail to login

    It's working very well and I am also working on it... Cool

  6. #6
    m00uze is offline Member
    Join Date
    Mar 2011
    Posts
    9

    Default Re: fail to login

    The XSRF popup message would keep coming up, despite the fact that I tried all these suggestions:

    1. I tried the suggested "create a config_override.php file" and that worked for a little while, until I went to the Dropdown Editor under the Admin section. Then I got the popups back again. This is what my config_override.php looked like:

    Code:
    <?php
    /***CONFIGURATOR***/
    $sugar_config['default_module_favicon'] = false;
    $sugar_config['dashlet_auto_refresh_min'] = '30';
    $sugar_config['stack_trace_errors'] = false;
    $sugar_config['developerMode'] = false;
    $sugar_config['dbconfigoption']['collation'] = 'utf8_general_ci';
    $sugar_config['default_currency_iso4217'] = 'CAD';
    $sugar_config['default_currency_name'] = 'Canadian Dollars';
    $sugar_config['default_date_format'] = 'Y-m-d';
    
    // avoids the Cross-site forgery attack blocker
    $sugar_config['http_referer']['list'][] = 'localhost';
    $sugar_config['http_referer']['actions'] =array( 'index', 'ListView', 'DetailView', 'EditView', 'oauth', 'Authenticate', 'Login', 'Save2' ); 
    
    /***CONFIGURATOR***/
    
    ?>
    2. I also tried a blank config_override.php file, and that didn't work

    The last straw for me was to just find the place where the logic was checking for XSRF and comment it out. I found that by commenting out two sections of SugarApplication.php this would work:

    comment out line 529 to line 540

    Code:
    /**
                if ( $dieIfInvalid ) {
                    header("Cache-Control: no-cache, must-revalidate");
                    $ss = new Sugar_Smarty;
                    $ss->assign('host', $http_host[0]);
                    $ss->assign('action',$this->controller->action);
                    $ss->assign('whiteListString',$whiteListString);
                    $ss->display('include/MVC/View/tpls/xsrf.tpl');
                    sugar_cleanup(true);
                }
                return false;
                **/
    and

    comment out line 547 to line 561

    Code:
    /**
                    if ( $dieIfInvalid ) {
                        header("Cache-Control: no-cache, must-revalidate");
                        $whiteListActions[] = $this->controller->action;
                        $whiteListString = "'" . implode("', '", $whiteListActions) . "'";
    
                        $ss = new Sugar_Smarty;
                        $ss->assign('host',$http_ref['host']);
                        $ss->assign('action',$this->controller->action);
                        $ss->assign('whiteListString',$whiteListString);
                        $ss->display('include/MVC/View/tpls/xsrf.tpl');
                        sugar_cleanup(true);
                    }
                    return false;
                    **/
    I wish this security feature actually worked, but I have no time to debug it.
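
An added example, not part of any post above and not SugarCRM's code: a simplified model of a Referer allow-list check like the one the error message describes, showing which value a `list` entry has to match. The function names, the sample request, the host `crm.example.test`, the action `SaveDropDown` and the comparison against the Host header are all constructed assumptions.

```php
<?php
// Added example: simplified model of a Referer allow-list check.
// Not SugarCRM's code; names and sample requests are constructed.

/** Host part of a "host[:port]" string, lowercased, or null if unparseable. */
function host_only(string $hostHeader): ?string
{
    $h = parse_url('//' . $hostHeader, PHP_URL_HOST);
    return is_string($h) ? strtolower($h) : null;
}

/**
 * $server mimics $_SERVER; $cfg mimics $sugar_config['http_referer'].
 * Returns [bool allowed, string reason].
 */
function referer_decision(array $server, array $cfg, string $action): array
{
    if (in_array($action, $cfg['actions'] ?? [], true)) {
        return [true, "action '$action' is exempt for every referer"];
    }
    if (empty($server['HTTP_REFERER'])) {
        return [false, 'request carries no Referer header'];
    }
    $ref = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    if (!is_string($ref)) {
        return [false, 'Referer header has no host part'];
    }
    $ref = strtolower($ref);
    $own = host_only($server['HTTP_HOST'] ?? '');   // assumption: Host header
    if ($ref === $own) {
        return [true, 'referer is the instance itself'];
    }
    if (in_array($ref, array_map('strtolower', $cfg['list'] ?? []), true)) {
        return [true, "referer '$ref' is on the allow-list"];
    }
    return [false, "referer '$ref' is not '$own' and not listed: add '$ref' to the list"];
}

// Constructed case: browser uses crm.example.test, a proxy forwards to localhost:8080.
$server = ['HTTP_HOST' => 'localhost:8080',
           'HTTP_REFERER' => 'https://crm.example.test/index.php?module=Administration'];
$action = 'SaveDropDown'; // hypothetical action name, not in the exempt list
$tooNarrow = ['list' => ['localhost'], 'actions' => ['index', 'Authenticate']];
$fixed     = ['list' => ['localhost', 'crm.example.test'], 'actions' => ['index', 'Authenticate']];

foreach (['list = localhost only' => $tooNarrow, 'list + browser host' => $fixed] as $label => $cfg) {
    [$ok, $why] = referer_decision($server, $cfg, $action);
    printf("%-22s %s: %s\n", $label, $ok ? 'ALLOW' : 'BLOCK', $why);
}
```

Listing the one host the browser actually sends keeps the check active for every other origin, whereas adding an action to `actions` allows it from any referer and commenting the check out removes it entirely.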
