[BlueOnyx:24926] Re: 5210r AlmaLinux and API CSRF issue

Fungal Style wayin at hotmail.com
Thu Apr 22 06:30:33 -05 2021


Slight update, I tried in a private session, same results… however…

I tried logging in for the second attempt and I logged in to the main page of the BO interface, then I changed the tab back to the WHMCS tab and tried again. This time, when the login went through, it was successful, showing the site management tab of the BO interface, but there was another tab open and logged in already… I tried in a normal session and it did the same as before.

So to recap…

From WHMCS, select to open the BO gui, upon entering the credentials, it fails with a CSRF message
Click on the address bar, hit enter, log in, all ok, and loads up normal start page of the BO gui.

The same happens in a private browser session… however
I log in to the BO gui (in the private browser session),
flip back to the WHMCS gui’s tab (in the private browser session),
select to open the BO gui from WHMCS (note there is still the original BO login open on a tab in the private browser session)
log in to the newly opened tab opened from the WHMCS action and can log in, it takes me to the Site Management tab of BO gui.

It would seem like the CSRF issue is being caused somehow by the link being opened trying to access the Site Management tab on login, as it only fails the login if it is being opened from WHMCS. The only really weird bit is the private browser session: if there is a tab logged in already, it will log in when a new tab is opened by WHMCS to log in, which I thought CSRF would be blocking…

Regards
Brian

From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> on behalf of Fungal Style <wayin at hotmail.com>
Reply to: Blueonyx mailing list <blueonyx at mail.blueonyx.it>
Date: Thursday, 22 April 2021 at 9:07 pm
To: Blueonyx mailing list <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:24925] 5210r AlmaLinux and API CSRF issue

Here is a weird one. I have checked the time and it is pointing to the ESXi as a time server (which is synced over the internet, but it means all machines are based on the ESXi to avoid drift). The time also matches my Windows desktop machine and my mobile phone time (so it is pretty close to correct, well, as much as you can expect).

https://ior.ad/7xKa?iframeHash=trysteps-1


I try to open the BlueOnyx GUI from WHMCS and it brings up the login page as expected, but when entering the username and password it then provides a CSRF message. When I click on the address bar and press enter to reload the page, I can log in manually. If I turn off CSRF there are no issues with the initial attempt (which would be as expected), unlike in the screen grab where it fails with CSRF enabled and I have to reload the page manually, after which the login is successful.

Any specific logs I can provide to help with this?

Regards
Brian