Fixing VTiger "Illegal request" for links from other domains
Problem:
You’ve got a link to your VTiger installation from another domain, but any time you open it, you get an Illegal request error message, even though you are logged in correctly.
Solution:
This error appears because VTiger validates the Referer header (i.e. the source URL of the request) as a protection layer against certain security issues, for example CSRF (cross-site request forgery). We will disable the Referer check, which means that requests arriving from any other site are no longer rejected by it. Be sure to understand the implications before you do as suggested.
Disabling involves only editing a single code line. I tested this with VTiger 6.5.0, but likely only minor adjustments have to be made for other versions.
Steps to fix:
- Open <your vtiger directory>/includes/http/Request.php in a text editor
- In the editor, search for Illegal request. You will see a code block like this:
    protected function validateReferer() {
        $user= vglobal('current_user');
        // Referer check if present - to over come
        if (isset($_SERVER['HTTP_REFERER']) && $user) {//Check for user post authentication.
            global $site_URL;
            if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && ($this->get('module') != 'Install')) {
                throw new Exception('Illegal request');
            }
        }
        return true;
    }
- Comment out throw new Exception('Illegal request'); with // (results in //throw new Exception('Illegal request');)
- The code block should now look like this:
    protected function validateReferer() {
        $user= vglobal('current_user');
        // Referer check if present - to over come
        if (isset($_SERVER['HTTP_REFERER']) && $user) {//Check for user post authentication.
            global $site_URL;
            if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && ($this->get('module') != 'Install')) {
                //throw new Exception('Illegal request');
            }
        }
        return true;
    }
- Save the file
- The fix should take effect immediately; if it does not, restart your web server.
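
A narrower alternative to commenting out the check, added here as an example (it is not vtiger's code and not part of the original fix): keep the Referer validation, but also accept the one external site that links in. The function names, host names and the trusted-origin list are hypothetical, and the comparison is done on the origin (scheme, host, port) rather than on the full $site_URL prefix.

```php
<?php
// Added example: hypothetical helpers, not part of vtiger.
// Reduce a URL to "scheme://host[:port]", or null if it is not an absolute http(s) URL.
function originOf(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $origin = $scheme . '://' . strtolower($p['host']);
    // Drop default ports so "https://host:443" equals "https://host".
    $default = ($scheme === 'https') ? 443 : 80;
    if (isset($p['port']) && $p['port'] !== $default) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

// Absent Referer passes (as in the original check); otherwise the Referer's
// origin must equal the site's own origin or an explicitly trusted one.
function refererIsAllowed(?string $referer, string $siteUrl, array $trustedOrigins): bool {
    if ($referer === null || $referer === '') {
        return true;
    }
    $origin = originOf($referer);
    if ($origin === null) {
        return false;
    }
    $allowed = array_filter(array_map('originOf', array_merge([$siteUrl], $trustedOrigins)));
    // Exact comparison: a host that merely starts with the site URL does not match.
    return in_array($origin, $allowed, true);
}

// Constructed sample values.
$siteUrl = 'https://crm.example.com/vtiger/';
$trusted = ['https://intranet.example.org'];
$samples = [
    'https://crm.example.com/vtiger/index.php?module=Contacts', // own site
    'https://intranet.example.org/wiki/customers',              // trusted link source
    'https://other.example.net/page',                           // not listed
    'https://crm.example.com.other.example.net/',               // prefix look-alike
    null,                                                       // no Referer header
];
foreach ($samples as $ref) {
    printf("%-58s %s\n", $ref ?? '(none)', refererIsAllowed($ref, $siteUrl, $trusted) ? 'allowed' : 'Illegal request');
}
```

With a helper like this, the throw in validateReferer() stays in place and fires only when the helper returns false, so links from the listed site open while other cross-site requests are still rejected.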