Possible cross-site request forgery - How to fix?

Hi There,

I’m getting this cross-site issue when navigating on RT. My server is on 192.168.4.27; can anyone help with how to fix this?

Regards,

Pipa

Possible cross-site request forgery

RT has detected a possible cross-site request forgery for this request, because the Referrer header supplied by your browser (192.168.4.27:80) is not allowed by RT’s configured hostname (127.0.0.1:80). A malicious attacker may be trying to modify RT’s configuration on your behalf. If you did not initiate this request, then you should alert your security team.

As the message says, the problem is in your configuration. Without knowing your configuration it’s hard to say much. As the error message says, you have configured RT with hostname 127.0.0.1 (localhost), which seems not to be what you want…

In your RT_SiteConfig.pm you should have:

Set( $WebDomain, '192.168.4.27' );


1 Like
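To make the mismatch in the error message concrete, here is an added example (not RT's own code) that models the comparison RT is doing: the host:port taken from the browser's Referer header must equal the configured WebDomain:WebPort. The parameter names web_domain and web_port stand in for RT's $WebDomain and $WebPort settings, and the handling of a missing Referer is an assumption; RT's real check also has exceptions for certain paths that are not modelled here.

```python
"""Added example, not RT's code: a model of the Referer-vs-WebDomain comparison
behind the "Possible cross-site request forgery" message in the thread. Parameter
names web_domain/web_port stand in for RT's $WebDomain/$WebPort settings; the exact
logic RT applies (whitelisted paths, missing-Referer handling) is simplified here."""
from urllib.parse import urlsplit


def referer_allowed(referer: str, web_domain: str, web_port: int = 80) -> tuple[bool, str]:
    """Return (allowed, host_port_seen) for one Referer header value.

    The browser-supplied host:port must equal the configured WebDomain:WebPort;
    a missing or unparsable Referer is treated as not allowed (assumption).
    """
    parts = urlsplit(referer)
    if not parts.scheme or not parts.hostname:
        return False, ""
    # Browsers omit the default port, so fill it in from the scheme before comparing.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    seen = f"{parts.hostname}:{port}"          # urlsplit lowercases the hostname
    return seen == f"{web_domain.lower()}:{web_port}", seen


def check(referer: str, web_domain: str, web_port: int = 80) -> str:
    """Mimic RT's log line so the mismatch is visible at a glance."""
    allowed, seen = referer_allowed(referer, web_domain, web_port)
    if allowed:
        return "ok"
    return (f"Possible CSRF: the Referrer header supplied by your browser ({seen or 'none'}) "
            f"is not allowed by RT's configured hostname ({web_domain}:{web_port})")


if __name__ == "__main__":
    # Constructed inputs reproducing the two situations from the thread:
    # a WebDomain left at its default versus one matching the address actually used.
    print(check("http://192.168.4.27/rt/Admin/Tools/Configuration.html", "127.0.0.1"))
    print(check("http://192.168.4.27/rt/Admin/Tools/Configuration.html", "192.168.4.27"))
    print(check("http://desk.soc.gemcorp.local/rt/Ticket/Display.html?id=1", "localhost"))
    print(check("http://desk.soc.gemcorp.local/rt/Ticket/Display.html?id=1", "desk.soc.gemcorp.local"))
```

Note that the port is part of the comparison: if RT is served over HTTPS on 443, $WebPort has to match as well, or every request will look like a cross-site one.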

That worked perfect!

Thanks Craig!

1 Like

Hello All,

Sorry for coming again to this thread.

I’m having exactly the same issue… I don’t know what I’m doing wrong

[1683624] [Fri Aug 13 14:02:59 2021] [notice]: Possible CSRF: the Referrer header supplied by your browser (desk.soc.gemcorp.local:80) is not allowed by RT’s configured hostname (127.0.0.1:80) (/opt/rt5/sbin/…/lib/RT/Interface/Web.pm:1715).

cat etc/RT_Config.pm | grep "WebDomain"

Set($WebDomain, 'desk.soc.gemcorp.local')

Even when navigating through the website, I receive the Warning below

[1689152] [Fri Aug 13 14:17:00 2021] [warning]: The requested host (desk.soc.gemcorp.local) does NOT match the configured WebDomain (localhost). Perhaps you should Set($WebDomain, 'desk.soc.gemcorp.local'); in RT_SiteConfig.pm, otherwise your internal hyperlinks may be broken. (/opt/rt5/sbin/…/lib/RT/Interface/Web.pm:1382)

etc/RT_SiteConfig.pm:

```perl
# You may also split settings into separate files under the etc/RT_SiteConfig.d/
# directory. All files ending in ".pm" will be parsed, in alphabetical order,
# after this file is loaded.

Set( $rtname, 'gemcorp.co.ao');
Set( $WebDomain, 'desk.soc.gemcorp.local');
Set( $host, 'desk.soc.gemcorp.local');
```

When you say etc/RT_SiteConfig.pm are you just using short hand for the full path /opt/rt5/local/etc/RT_SiteConfig.pm? Because if not, you might find the file you’re editing isn’t being read by RT.

Hi @GreenJimll thanks for your reply.

I have RT5 installed in /home/sartuser/rt-5.0.1

and the files that I’m dealing with are /home/sartuser/rt-5.0.1/etc/RT_SiteConfig.pm and /home/sartuser/rt-5.0.1/etc/RT_Config.pm

The location that you have mentioned, /opt/rt5/local/etc, is empty in my installation.

I’ve installed RT5 from the source and I’m running on RedHat8.

Found that I had another file in the same folder, RT_Config.pm.in; renaming this file solved the issue, because instead of reading RT_Config.pm, RT was reading the .pm.in file.

The /opt/rt5/local/etc/ will be empty at first - that’s where you’re supposed to put your local RT_SiteConfig.pm. Any local modifications to RT go into the /opt/rt5/local/ directory space - local versions of the libraries, Mason/HTML, CSS, Javascript, images, etc. That way when you update RT these don’t get nuked by the upgrade process.

1 Like
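The two replies above come down to one question: which file is RT actually reading $WebDomain from? The following added diagnostic (not RT's own code) answers that by walking the configuration files in the order the RT_SiteConfig.pm comment quoted earlier in the thread describes: RT_Config.pm first, then RT_SiteConfig.pm, then every *.pm in RT_SiteConfig.d/ alphabetically, with later files overriding earlier ones. Only names ending in .pm are considered, so a leftover RT_Config.pm.in template is ignored. The split into a core etc/ and a separate local/etc/ follows the installed layout described above; for a source tree both arguments can point at the same directory. The sample tree is constructed inside the script, and the regex only understands one-line Set(...) statements, so treat it as a quick check rather than a Perl parser.

```python
"""Added example (not RT's own code): report which configuration file actually
sets an RT option, following the documented load order: RT_Config.pm, then
RT_SiteConfig.pm, then every *.pm in RT_SiteConfig.d/ in alphabetical order.
Later files override earlier ones; names not ending in .pm (e.g. RT_Config.pm.in)
are never loaded. Regex-based, so only one-line Set(...) statements are found."""
import re
import tempfile
from pathlib import Path

# Matches a one-line Set($Name, value); where value is quoted or a bare number.
SET_RE = re.compile(
    r"""^\s*Set\(\s*\$(\w+)\s*,\s*(?:(['"])(.*?)\2|([^\s)]+))\s*\)\s*;""", re.M
)


def config_files_in_order(core_etc: Path, local_etc: Path) -> list[Path]:
    """Files in the order RT reads them; missing files are skipped."""
    ordered = [core_etc / "RT_Config.pm", local_etc / "RT_SiteConfig.pm"]
    site_d = local_etc / "RT_SiteConfig.d"
    if site_d.is_dir():
        # sorted() gives the alphabetical order the config comment promises
        ordered.extend(sorted(p for p in site_d.iterdir() if p.suffix == ".pm"))
    return [p for p in ordered if p.is_file()]


def effective_setting(core_etc: Path, local_etc: Path, name: str):
    """Return (value, filename) of the last file to Set($name, ...), or None."""
    winner = None
    for path in config_files_in_order(core_etc, local_etc):
        for m in SET_RE.finditer(path.read_text()):
            if m.group(1) == name:
                value = m.group(3) if m.group(3) is not None else m.group(4)
                winner = (value, path.name)  # a later file overrides an earlier one
    return winner


def build_demo_tree(root: Path) -> tuple[Path, Path]:
    """Constructed sample tree mirroring the situation in the thread."""
    core, local = root / "etc", root / "local" / "etc"
    (local / "RT_SiteConfig.d").mkdir(parents=True)
    core.mkdir()
    (core / "RT_Config.pm").write_text("Set($WebDomain, 'localhost');\nSet($WebPort, 80);\n")
    # Template left over from the source tree: not read, because it does not end in .pm
    (core / "RT_Config.pm.in").write_text("Set($WebDomain, 'template.invalid');\n")
    (local / "RT_SiteConfig.pm").write_text(
        "# local overrides\n"
        "Set( $rtname, 'gemcorp.co.ao');\n"
        "Set( $WebDomain, 'desk.soc.gemcorp.local');\n"
    )
    (local / "RT_SiteConfig.d" / "10-port.pm").write_text("Set($WebPort, 443);\n")
    return core, local


def demo() -> dict:
    """Run the diagnostic against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        core, local = build_demo_tree(Path(d))
        return {n: effective_setting(core, local, n) for n in ("WebDomain", "WebPort", "rtname")}


if __name__ == "__main__":
    # On a real install, call effective_setting(Path("/opt/rt5/etc"),
    # Path("/opt/rt5/local/etc"), "WebDomain") instead of the demo tree.
    for name, found in demo().items():
        print(f"{name}: {found[0]!r} (set in {found[1]})")
```

If the file the script names as the winner is not the one you have been editing, you have found the same class of problem as in this thread: the edit is landing in a file RT never loads.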

This issue is present in the docker container

https://hub.docker.com/r/netsandbox/request-tracker

The cross-site issue you are encountering when navigating on RT (Request Tracker) is likely related to the domain or IP address mismatch between your server and the website you are accessing RT from. Cross-site scripting (XSS) and cross-site request forgery (CSRF) protections are in place to prevent malicious activities.