Sugarcrm 8 XSRF

Question

I've backup of ondemand instance for sugarcrm version 8.0.0 Enterprise Edition

It works normal for CRUD records and other stuff, but when I try to upload module via Zip it gives me following error

Cross Site Request Forgery (XSRF) Attack Detected

Form authentication failure (Administration -> UpgradeWizard). Contact your administrator.

I've tried following article Troubleshooting Cross-Site Forgery Messages

But the problem still persists. The problem only occurs for BWC modules IMO.

What did you try doing when you followed the article? More specifically, what did you do when you tried following the last section (Add Additional Actions)? — Michael Agarenzo, Aug 15 '18 at 20:09

Jay · Accepted Answer · 2019-03-30T02:42:08.460

3

EDIT: Before trying this work-around, check if you have the HTTP referer header disabled in your web browser, as that might be the reason for having the described problem in the first place.

If this is a local test/dev-instance you might want to add

['csrf']['soft_fail_form'] = true,

to your $sugar_config in config.php or config_override.php. That should cause the error to be logged only instead of aborting the action.

Note: This works on Sugar 7.9. I have yet to test it on 8.0.

Source: https://community.sugarcrm.com/community/developer/blog/2017/10/11/upcoming-security-changes-to-sugar

edited Mar 30 '19 at 02:42

answered May 26 '18 at 20:07

Jay

3,640
12
17

Thank you very much, this worked like a charm. I was trying to solve this issue using http_referer but that didn't work for me. – Indrajeet Latthe May 28 '18 at 08:07
Glad to hear! Thanks for your feedback about it working in Sugar 8 - now I've learned something as well :) – Jay May 28 '18 at 09:26
@Jay, do you know how the `http_referer` works? I'm trying to work with it in `config_override.php` to add an unregistered action, but I am having trouble. My question is [here](https://stackoverflow.com/questions/51864605/unregistered-action-via-custom-module-leads-to-xsrf-attack-detected-error). – Michael Agarenzo Aug 15 '18 at 20:02

score 0 · Answer 2 · edited Jan 20 '21 at 22:44

0

Add this lines in your config_override.php file

$sugar_config['http_referer']['list'][] = 'http://CHANGE_TO_YOUR_LOCAL_URL/';
$sugar_config['csrf']['soft_fail_form'] = true;

edited Jan 20 '21 at 22:44

user14678216

2,886
2
16
37

answered Jan 19 '21 at 09:26

jcalabria

1

Sugarcrm 8 XSRF

2 Answers2

Linked