Trust links from unknown referrers box gone!

Hi,

Today I tried to refresh the System Information Page by using the /recollect.cgi in the URL since the refresh system information button no longer exists. When I tried this I got a security warning and was recommended this: If your browser does not send the Referer header needed, you can turn off this check as follows :

Login to Webmin normally.
Go to the Webmin Configuration module.
Click on the Trusted Referrers icon.
Check the Trust links from unknown referrers box, and click Save.

I did that and tried to refresh the page again by using /recollect.cgi but I got the same security warning, so I went back to un-check the Trust links from unknown referrers box and now the option is gone!!?? Why is the option gone? How do I change it back to un-checked?

There was a warning about xss if I check this option, but I should have it checked for a few seconds during the "refresh" and then un-check it again. Why was I not warned that this only could be done once???

I also have tried to change the System Information Configuration "Show quotas and bandwidth use as" to use "Percentage of limit" but the information is still showing by Bytes used??

I really need to un-check the Trust links from unknown referrers box!!! And I also want to be able to refresh the system information again!!

Virtualmin Professional, The server is running CentOS 5.11, Kernel Linux 2.6.18-402.el5 on x86_64, Webmin version 1.730, No Virtualmin version info in System Information Page

Regards, Leffe

Status: 
Active

Comments

That option was removed because it opens the system up to horrible XSS attacks.

However, clicking on a link within Virtualmin should never trigger a referrer warning. Which browser and version are you running there?

Hi Jamie,

I'm using Firefox, version 36 (latest) but the referrer warning did NOT trigger from a link in Virtualmin, the warning was triggered by me when I manually tried to refresh the System Information with /recollect.cgi in the URL. I somehow need to refresh the system information page now when the refresh button is gone.

And my big concern when the Trust links from unknown referrers box disappeared after I had checked it and clicked save, was that I could not uncheck it again! I just wanted to check it for a few seconds while I did the refresh on the System Information. When I went back to un-check it, it was gone, leaving me unable to un-check. But I manually did look in the Config file and the referers_none=1 so I think I'm good.

And btw, if you change the Config file according to the warning: referers_none=0 the option is still checked, you have to have an empty value referers_none= to "un-check" the box.

I also want to change the quota and bandwidth display to Percentage of limit, but the display is still Bytes used.

Regards, Leffe

Yeah, you can manually disable referrer checking by putting referers_none=1 into /etc/webmin/config

The refresh button going missing seems like a separate bug though. Which Webmin, Virtualmin and theme package versions do you have installed there? You can check by running :

rpm -q webmin wbm-virtual-server wbt-virtual-server-theme

Hi,

Here is the output:

webmin-1.730-1 wbm-virtual-server-4.14-1 wbt-virtual-server-theme-9.0-2

Can you please look at this issue also: I have tried to change the System Information Configuration "Show quotas and bandwidth use as" to use "Percentage of limit" but the information doesn't change and always shows Bytes used.

Thank you!

// Leffe

I just had a look at a test system with the exact same packages, and it shows the "Refresh" link just fine!

Are you logging in as root, or as a domain owner?

Hi Jamie,

Yes I always log in as root.

I have tried a few things. First I changed the theme to the Gray Framed Theme (there are two of them) and then changed back to Virtualmin Framed Theme, everything was a bit messed up, so I logged off and in again. And now... now the theme looked like it previously has done, for a long time, all information and so on is on the page, and also, the Refresh button is there!!! But, if I then click Refresh, the look of the right frame changes a bit, some new information is shown and some other is gone, and also... the Refresh button is gone, and instead a "Virtualmin documentation" button is on its spot, and a new button "Re-check Virtualmin license" is added.

I have flushed all browser cache and so manually also. (I clear cache, cookies and all data on browser exit as standard)

I have attached a screen dump of before and after refresh. Ok... No I don't...

Validation error, please try again. The file you attempted to upload may be too large. If this error persists, please contact the site administrator.

The file is a standard jpg and file size is 277kB

The image is here instead:

http://www.indecta.se/leffe/before_after_refresh.jpg

Regards, Leffe

Wow, that is very very odd - I can't see how this could happen, even though I wrote all the code involved!

Is there any chance I could login to your system to look at what's happening internally?

Hi Jamie,

Yes of course you can. Just let me know when you can do it, I usually have SSH shut down, so let me know when you can log in. I'll start up SSH and send you a temporary password for root access. How do I send you the password?

Regards, Leffe

Hi again,

I have sent you the email. Let me know when you are done!

//Leffe

Ok, it looks like there were two problems :

  1. Background collection of system information wasn't enabled, which means that the System Information page was always showing up-to-date info and so didn't need a refresh button. I turned this back on though, at Webmin -> Webmin Configuration -> Background Status Collection.

  2. A Virtualmin bug is preventing quotas and BW from being shown based on the percent used. This will be fixed in our next release.

Thanks Jamie,

You say that the refresh button is not needed and the information is up-to-date if Background Status Collection is disabled. But, for example, when I need SSH I start it up and when done I stop it again, and when returning to information page the status icon for SSH still indicates "running", even if I refresh the browser, and clicking some other link and refreshing browser and then returning to System Information page in hope that the information is refreshed, but no, still wrong status. And I want to make sure that SSH is not running, to do this I have to go to Bootup and Shutdown and really make sure that it's not running, and after clicking "Show Status" and then returning to System Information page the status icon sometimes shows the right status. This is one of the reasons why I needed the Refresh button.

I have intentionally not enabled Background collection in hope of having the information "live" or up-to-date, I don't know why the information is cached, and where it's done. I have my browser set to not cache any data, the cache is set to 0MB, all history and data is cleared on browser exit. But if enabling the background collection gives me the Refresh button I will have it enabled, even though I don't understand why anyone would have "old" cached data on System Information page, okay, maybe for the page to load faster, but even this I don't understand... if I need the information, I want it live/up-to-date and am willing to wait a few seconds for collecting "live data", but that's maybe just me :)

Anyway, thank you Jamie for helping me get the Refresh button back, and also for finding the quota/bandwidth bug!

As always, you guys on Virtualmin are the best!

Best Regards, Leffe

The info like running servers not being refreshed is a separate bug - but it will also be fixed in the upcoming 4.15 Virtualmin release.