Details

    • Bug
    • Resolution: Fixed
    • Minor
    • None
    • Professional Edition
    • Web Interface
    • None
    • Observium Professional 17.10.8879

    Description

      Attempting to delete a user does not work. The confirm page appears, but "Click to confirm" results in being redirected back to the edit user page with a pair of messages that both read:

      WARNING. Possible CSRF attack with EMPTY request token.


      The logs show this URL being requested:

      clientIPremoved [06/Oct/2017:11:09:38 +0100] "GET /edituser/action=deleteuser/user_id=8/confirm=yes/ HTTP/1.1" 200 151653


      Adding the /requesttoken=f08d0etcetcetc/ to the URL results in the user being deleted successfully. 

        Activity

          [OBS-2451] Unable to delete user
          csabka Csaba Lack added a comment -

          Workaround:

          After clicking "Delete User", do not click to confirm; instead paste "confirm=yes/" (without quotes) into the browser address bar after user_id=N/ and before requesttoken=........

          The result should be something like this, then press Enter:

          OBSERVIUM_URI/edituser/action=deleteuser/user_id=USER_ID/confirm=yes/requesttoken=GENERATED_TOKEN/

          This will successfully delete the user, as the "Click to confirm" URL should do.
          vita.law Vita added a comment -

          Hi,

          May I know how to fix it?

          I have the same issue here.

          landy Mike Stupalov added a comment -

          Ok, found.

          Fixed in r8894.

          But the issue with contacts is not confirmed (describe the reproduce steps in more detail and create a new issue if required).

          stevenr Steven Robson added a comment -

          From the user list, pick the user, then hit "Delete" (top right). This sends me to:

          /edituser/action=deleteuser/user_id=5/requesttoken=f42419c4a8b8466fb9a7051babaffa17347e4db6bebba43blahblahblah558beb/

          Click the "Click to confirm" link and it redirects you back to the edit user page, without the token, and gives a "WARNING. Possible CSRF attack with EMPTY request token" message at the top of the page.

          joriveiro Jorge Riveiro added a comment -

          Same issue here: when we remove a contact from the Contacts page in the Alerting section, everything seems to work fine but the contact is still there.

          landy Mike Stupalov added a comment -

          stevenr, from which page do you get the issue?

          And yes, the requesttoken param is required for delete.

          adama Adam Armstrong added a comment -

          Mike will probably want to look at this, since I'm not quite sure how this should be done with the CSRF.
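The check behind the warning in the description and the fix the workaround comment points at, as an added example in Python (not Observium's PHP code). It assumes the path-style parameter layout shown in the report and the request-token check that rejects an empty token; the function names and the INVALID-token message are constructed for this example.

```python
import hmac
import secrets

# The EMPTY message is the one quoted in the report; the INVALID variant is constructed here.
CSRF_EMPTY_WARNING = "WARNING. Possible CSRF attack with EMPTY request token."
CSRF_INVALID_WARNING = "WARNING. Possible CSRF attack with INVALID request token."


def new_request_token() -> str:
    """Per-session token kept server-side and embedded in every state-changing link."""
    return secrets.token_hex(32)


def parse_path_params(path: str) -> dict:
    """Split an Observium-style URL such as
    /edituser/action=deleteuser/user_id=8/confirm=yes/requesttoken=abc/
    into {'page': 'edituser', 'action': 'deleteuser', 'user_id': '8', ...}."""
    parts = [p for p in path.split("/") if p]
    params = {"page": parts[0]} if parts else {}
    for segment in parts[1:]:
        key, _, value = segment.partition("=")
        params[key] = value
    return params


def check_request_token(params: dict, session_token: str) -> tuple:
    """Server-side CSRF check for a state-changing action.
    Returns (ok, warning); the missing-token branch is what the report shows."""
    token = params.get("requesttoken", "")
    if not token:
        return False, CSRF_EMPTY_WARNING
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(token, session_token):
        return False, CSRF_INVALID_WARNING
    return True, ""


def confirm_url(params: dict) -> str:
    """Build the 'Click to confirm' link from the unconfirmed delete URL.
    The bug was a confirm link that dropped requesttoken; this one carries
    every original parameter forward and only adds confirm=yes."""
    carried = dict(params)
    page = carried.pop("page")
    carried["confirm"] = "yes"
    return "/" + page + "/" + "/".join(f"{k}={v}" for k, v in carried.items()) + "/"
```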

          People

            landy Mike Stupalov
            stevenr Steven Robson