[SECURITY] Trusted referrers for webmin/usermin have no effect

This is not a configuration issue.

My browser sends referrer headers. The module config is perfectly set up.

I get no warnings about invalid referrers. Not at Webmin/Virtualmin. Not at Usermin.

Their checks are both bugged.

Status: Closed (works as designed)

Comments

Can you give more details about exactly how the referrer checking isn't working for you?

The browser is sending a referrer of https://panel..com, and the Webmin module is at https://.subnet.mysite.com/

I've enabled all options in the Trusted Referrers section, but did NOT add "panel.mysite.com" to trusted referrers. I wanted to verify that the module works first.

The thing is - it doesn't. It doesn't warn at all. About anything. Not on the landing page, nor after login. It just doesn't work.

I verified that my browser is sending Referrer headers, so it's not at fault.

In fact, the referrer checking works fine in Cloudmin, but not in Virtualmin and Usermin.

If I try to open a Cloudmin tunnel via "open in a new tab," my browser omits the referrer, and it complains loudly. So hey at least the referrer checking code works in one place! ;)

The referrer checking is only enforced if you link to a page inside Webmin that performs some action - linking to the first page or the index page of most modules is considered safe, and so won't trigger any referrer warning.

Oh. That behavior needs to be in the docs ("Help" page). Wasn't obvious from the description.

I'll add that to the help.
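
The behaviour described in this thread (referrer checked only on pages that perform an action, never on the first page or a module index page) can be modelled as below. This is an added example, not part of the thread and not Webmin's own code: the function names, the `index.cgi` / `save.cgi` path layout, the `allow_missing` switch and the hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def is_safe_page(path):
    """Assumed layout: '/', '/module/' and '/module/index.cgi' are landing pages."""
    parts = [p for p in path.split("/") if p]
    if parts and parts[-1].endswith(".cgi"):
        # A script is a landing page only if it is an index page.
        return parts[-1] == "index.cgi" and len(parts) <= 2
    return len(parts) <= 1


def check_request(url, referer, trusted_hosts, allow_missing=False):
    """Return 'allow' or 'warn' for a request, given its Referer header value."""
    target = urlsplit(url)
    if is_safe_page(target.path):
        # Landing pages are never checked, whatever the referrer is.
        return "allow"
    if not referer:
        # No Referer header on an action page (hypothetical switch).
        return "allow" if allow_missing else "warn"
    ref_host = (urlsplit(referer).hostname or "").lower()
    allowed = {(target.hostname or "").lower()}
    allowed |= {h.lower() for h in trusted_hosts}
    return "allow" if ref_host and ref_host in allowed else "warn"


if __name__ == "__main__":
    # Constructed sample requests; hostnames are placeholders.
    panel = "https://panel.example.com/"
    base = "https://admin.example.net"
    for url, ref, trusted in [
        (base + "/", panel, []),                        # landing page
        (base + "/somemodule/index.cgi", panel, []),    # module index
        (base + "/somemodule/save.cgi?id=1", panel, []),
        (base + "/somemodule/save.cgi?id=1", panel, ["panel.example.com"]),
        (base + "/somemodule/save.cgi?id=1", None, []),
    ]:
        print(check_request(url, ref, trusted), url, "<-", ref)
```

Under this model, a test that only loads the landing page or a module index from an untrusted site never produces a warning; the check becomes visible only when the cross-site link targets an action page.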