Fatal Error After Upgrade

Here is the error…

FATAL ERROR
POTENTIAL SECURITY BREACH: an attempt was made to modify settings from a URL that did not come from a FreePBX page. This action has been blocked because the HTTP_REFERER does not match your current SERVER. If you require this access, you can set CHECKREFERER=false in amportal.conf to disable this security check

I am running CentOS Ver 5.2 final
Asterisk Ver 1.4.21.2
Running front end applications from PBIF.

This is a production machine that has been in service for 2 years with no problems. All of the FreePBX updates that I have done came off without a hitch until I upgraded to 2.5.1.3, and now when I try to make a change in programming and try to apply the changes I get the above error.

I did a locate on amportal.conf which came back with several locations and none of these match what is in FreePBX SVN and none of them give me the option to disable. The difference between the SVN copy and mine is the last section that is supposed to allow me to disable.

It does not matter if I use IE or Firefox. The result is the same. I am also on the same LAN trying to program.

My question is what is the best way to handle this on a production server?

What is the URL you use to access the server, what is the name of the server, and what is defined in amportal.conf for AMPWEBADDRESS= ?

All three should match.

You can add the following line to /etc/amportal.conf:

CHECKREFERER=false

However, more importantly, what are you trying to do exactly that is resulting in this error, so we can make sure that there is not a bug in what has been implemented?

The new code, which is disabled by the above setting, simply checks to make sure that the HTTP REFERRER of any URL that results in changing something in FreePBX was generated by the GUI and not manually input into the URL or otherwise coming from elsewhere. (Basically anything with an ‘action=xyz’ in the URL.)

As far as the above not being in your amportal.conf, that file is never updated from upgrades as it controls the state of your installation. When new parameters are added to FreePBX you will find them in SVN for future new installs, but existing configs will use default values unless you add them to your config.
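The check described above, as an added example that is not FreePBX's own code: a constructed model that compares the host:port of HTTP_REFERER with the host the request arrived on and with AMPWEBADDRESS, run over the situations reported in this thread (browser URL host differing from the server name, a direct visit to /admin, a referer-stripping plugin, and CHECKREFERER=false). The function names, the exact comparison rule, and the use of port 9080 in place of the poster's "myport" are assumptions.

```python
from urllib.parse import urlsplit


def host_port(url):
    """Lower-cased 'host' or 'host:port' of a URL; '' if it has no host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return f"{host}:{parts.port}" if host and parts.port else host


def referer_check(referer, server_host, ampwebaddress="", checkreferer=True,
                  action=None):
    """Constructed model of the FreePBX 2.5 check (assumption, not its code).

    referer       -- HTTP_REFERER header, '' when absent or stripped
    server_host   -- host[:port] the request arrived on (HTTP_HOST)
    ampwebaddress -- AMPWEBADDRESS from amportal.conf, '' when unset
    checkreferer  -- False models CHECKREFERER=false in amportal.conf
    action        -- the 'action=' query parameter, None for read-only pages
    Returns (allowed, reason).
    """
    if action is None:
        return True, "no action= parameter: nothing is modified"
    if not checkreferer:
        return True, "CHECKREFERER=false: check disabled in amportal.conf"
    if not referer:
        return False, "HTTP_REFERER missing (browser or plugin stripped it)"
    ref = host_port(referer)
    accepted = {server_host.lower()}
    if ampwebaddress:
        accepted.add(ampwebaddress.lower())
    if ref in accepted:
        return True, "HTTP_REFERER matches the server"
    return False, f"HTTP_REFERER host {ref!r} is not in {sorted(accepted)}"


def thread_cases():
    """The situations reported in this thread, as constructed inputs."""
    trunk = "http://www.mydomain.com:9080/admin/config.php"  # 'myport' assumed 9080
    return {
        # browser URL host differs from the server's own name
        "host_mismatch": referer_check(trunk, "pbx.mydomain.com", action="addtrunk"),
        # going straight to /admin on the address the server is reached on
        "direct": referer_check("http://192.168.1.70:9080/admin/config.php",
                                "192.168.1.70:9080", action="addtrunk"),
        # a referer-hiding browser plugin
        "no_referer": referer_check("", "192.168.1.70:9080", action="addtrunk"),
        # the workaround from the thread: the check is skipped entirely
        "disabled": referer_check(trunk, "pbx.mydomain.com", checkreferer=False,
                                  action="addtrunk"),
    }
```

The "disabled" case is why setting CHECKREFERER=false is only a workaround: every action= request is then accepted whatever its referer says.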

Just finished the upgrade and had to add a trunk extension; when I hit submit it gave me the same error. In addition, as I went to config edit from FreePBX to modify amportal.conf and hit update, I received "write failed".

web browser url was www.mydomain.com:myport/admin/config.php?
name of server is pbx.mydomain.com
AMPWEBADDRESS=

AMPWEBADDRESS= has always been blank and worked fine up until the upgrade. I would love to have the fix but would like to know the difference in the code, or the code that has changed, to cause the particular problem.

What browser are you using? Do you have any plugins that are hiding the HTTP_REFERER or anything of the sort?

Here is the URL: http://192.168.1.70:9080/menu.php?id=admin

The below is a copy of my /etc/amportal.conf. Just a side note on this: the below line has the following …

# AMPWEBADDRESS: the IP address or host name used to access the AMP web admin
#AMPWEBADDRESS=192.168.1.101
AMPWEBADDRESS=

The commented out line has the address of my HP switch???

# This file contains settings for components of the Asterisk Management Portal
# Spaces are not allowed!
# Run /usr/src/AMP/apply_conf.sh after making changes to this file

SSHPORT=9022

# AMPDBHOST: the host to connect to the database named ‘asterisk’
AMPDBHOST=localhost

# AMPDBUSER: the user to connect to the database named ‘asterisk’
AMPDBUSER=asteriskuser

# AMPDBENGINE: the type of database to use
AMPDBENGINE=mysql

# AMPDBPASS: the password for AMPDBUSER
AMPDBPASS=amp109

# AMPENGINE: the telephony backend engine to use
AMPENGINE=asterisk

# AMPMGRUSER: the user to access the Asterisk manager interface
AMPMGRUSER=admin

# AMPMGRPASS: the password for AMPMGRUSER
AMPMGRPASS=amp111

# AMPBIN: where command line scripts live
AMPBIN=/var/lib/asterisk/bin

#AMPSBIN: where (root) command line scripts live
AMPSBIN=/usr/local/sbin
#AMPSBIN=/usr/sbin

# AMPWEBROOT: the path to Apache’s webroot (leave off trailing slash)
AMPWEBROOT=/var/www/html

# AMPCGIBIN: the path to Apache’s cgi-bin dir (leave off trailing slash)
AMPCGIBIN=/var/www/cgi-bin

# AMPWEBADDRESS: the IP address or host name used to access the AMP web admin
#AMPWEBADDRESS=192.168.1.101
AMPWEBADDRESS=

# FOPWEBROOT: web root for the Flash Operator Panel
FOPWEBROOT=/var/www/html/panel

# FOPPASSWORD: the secret code for performing transfers and hangups in the Flash Operator Panel
FOPPASSWORD=passw0rd

# FOPSORT: FOP should sort extensions by Last Name [lastname] or by Extension [extension]
FOPSORT=extension

# FOPRUN: set to true if you want FOP started by freepbx_engine (amportal_start), false otherwise
FOPRUN=true

# AUTHTYPE: authentication type to use for web admin
# If type set to ‘database’, the primary AMP admin credentials will be the AMPDBUSER/AMPDBPASS above
# valid: none, database
AUTHTYPE=none

# AMPADMINLOGO: Defines the logo that is to be displayed at the TOP RIGHT of the admin screen.
# This enables you to customize the look of the administration screen.
# NOTE: images need to be saved in the …/admin/images directory of your AMP install
# This image should be 55px in height
AMPADMINLOGO=logo.png

# USECATEGORIES: Controls if the menu items in the admin interface are sorted by category (true),
# or sorted alphabetically with no categories shown (false). Defaults to true.
#USECATEGORIES=false

# AMPEXTENSIONS: the type of view for extensions admin
# If set to ‘deviceanduser’ Devices and Users will be administered separately, and Users will be able to “login” to devices.
# If set to ‘extensions’ Devices and Users will be administered in a single screen.
AMPEXTENSIONS=extensions

# ENABLECW: Enable call waiting by default when an extension is created (DEFAULT is yes)
# Set to ‘no’ if you don’t want phones to be commissioned with call waiting already
# enabled. The user would then be required to dial the CW feature code (*70 default) to
# enable their phone. Most installations should leave this alone. It allows multi-line
# phones to receive multiple calls on their line appearances.
ENABLECW=yes

# CWINUSEBUSY: Set to yes for extensions that have CW enabled to report as busy if
# they don’t answer (resulting in busy voicemail greeting). Otherwise they simply
# report as no-answer (e.g. busy greeting serves no purpose)
CWINUSEBUSY=yes

# AMPBADNUMBER: Set to false if you do not want the bad-number context generated which
# traps any bogus number or feature code and plays a message to the effect. If you use
# the Early Dial feature on some Grandstream phones, you will want to set this to false
AMPBADNUMBER=true

# The following are used to optionally have the freepbx backup program
# send the generated backup to an ftp server
# FTPBACKUP=YES to enable
# FTPUSER, FTPPASSWORD, FTPSERVER must be set
# FTPSUBDIR is an optional subdirectory at the ftp server, it will cause ftp to do a cd
# There is no error checking so you should check to make sure these are set correctly. The
# ftp is saved after the backup, so it will not cause the local backup file to be affected
FTPBACKUP=yes
#FTPUSER=asterisk
#FTPPASSWORD=password
#FTPSUBDIR=mybackupfolder
#FTPSERVER=myftpserver

# SSH BACKUP INFO: must have a valid SSHRSAKEY file and server, only supported through
# ssh. SUBDIR is optional and will be created if it does not exist.
# If SSHUSER is not set, it will default to the current user which is asterisk in any
# standard configuration.
#SSHBACKUP=yes
#SSHUSER=backups
#SSHRSAKEY=/etc/asterisk/backup_rsa
#SSHSUBDIR=mysubdir
#SSHSERVER=mybackupserver.com

# AMPPROVROOT=/var/ftp /tftpboot
# One or more directories where there are provisioning files that should be included in the backup. Currently
# these get backed up only, the FreePBX utility does not automatically restore them.
#AMPPROVROOT=/var/ftp /tftpboot

# AMPPROVEXCLUDE=/var/ftp/exclude-from-file-list
# a list of files to exclude, to be used in tar’s --exclude-from argument
#AMPPROVEXCLUDE=/var/ftp/exclude-from-file-list

# If CUSTOMASERROR is set to false, then the Destination Registry will not report unknown destinations as errors
# this should be left to the default true and custom destinations should be moved into the new custom apps registry
CUSTOMASERROR=false

# if DYNAMICHINTS is set to true, Core will not statically generate hints. Instead it will make a call to the
# AMPBIN php script, generate_hints.php, through Asterisk’s #exec call. This requires asterisk.conf to be
# configured with “execincludes=yes” set in the [options] section.
DYNAMICHINTS=true

# XTNCONFLICTABORT, BADDESTABORT
# setting either of these to true will result in retrieve_conf aborting during a reload if an extension
# conflict is detected or a destination is detected. It is usually better to allow the reload to go
# through and then correct the problem but these can be set if a more strict behavior is desired
# both default to false if not set
XTNCONFLICTABORT=false
BADDESTABORT=false

# SERVERINTITLE if set to true, the browser title will be preceded with the server name. default false
SERVERINTITLE=false

# USEDEVSTATE = true|false # DEFAULT VALUE false
# If this is set, it assumes that you are running Asterisk 1.4 or higher and want to take advantage of the
# func_devstate.c backport available from Asterisk 1.6 which allows custom hints to be created to support
# BLF for server side feature codes such as daynight, followme, etc.
USEDEVSTATE=true

# MODULEADMINWGET=true|false # DEFAULT VALUE false
# Module Admin normally tries to get its online information through direct file open type calls to URLs that
# go back to the freepbx.org server. If it fails, typically because of content filters in firewalls that don’t
# like the way PHP formats the requests, the code will fall back and try a wget to pull the information.
# This will often solve the problem. However, in such environments there can be a significant timeout before
# the failed file open calls to the URLs return and there are often 2-3 of these that occur. Setting this value
# will force FreePBX to avoid the attempt to open the URL and go straight to the wget calls.
MODULEADMINWGET=true

# AMPDISABLELOG=true|false # DEFAULT VALUE true
# Whether or not to invoke the freepbx log facility

# AMPSYSLOGLEVEL=LOG_EMERG|LOG_ALERT|LOG_CRIT|LOG_ERR|LOG_WARNING|LOG_NOTICE|LOG_INFO|LOG_DEBUG|LOG_SQL|SQL # DEFAULT VALUE LOG_ERR
# Where to log if enabled, SQL, LOG_SQL logs to old MySQL table, others are passed to syslog system to determine where to log

# AMPENABLEDEVELDEBUG=true|false # DEFAULT VALUE false
# Whether or not to include log messages marked as ‘devel-debug’ in the log system

# AMPMPG123=true|false # DEFAULT VALUE true
# When set to false, the old MoH behavior is adopted where MP3 files can be loaded and WAV files converted to MP3
# The new default behavior assumes you have mpg123 loaded as well as sox and will convert MP3 files to WAV. This is
# highly recommended as MP3 files heavily tax the system and can cause instability on a busy phone system.

# CDR DB Settings: Only used if you don’t use the default values provided by freepbx.
# CDRDBHOST: hostname of db server if not the same as AMPDBHOST
# CDRDBPORT: Port number for db host
# CDRDBUSER: username to connect to db with if it’s not the same as AMPDBUSER
# CDRDBPASS: password for connecting to db if it’s not the same as AMPDBPASS
# CDRDBNAME: name of database used for cdr records
# CDRDBTYPE: mysql or postgres, mysql is default
# CDRDBTABLENAME: Name of the table in the db where the cdr is stored, cdr is default

# AMPVMUMASK: defaults to 077 allowing only the asterisk user to have any permissions on VM files. If set to something
# like 007, it would allow the group to have permissions. This can be used if setting apache to a different
# user than asterisk, so that the apache user (and thus ARI) can have access to read/write/delete the
# voicemail files. If changed, some of the voicemail directory structures may have to be manually changed.

# DASHBOARD_STATS_UPDATE_TIME=integer_seconds
# DEFAULT VALUE: 6
# DASHBOARD_INFO_UPDATE_TIME=integer_seconds
# DEFAULT VALUE: 20
# These can be used to change the refresh rate of the System Status Panel. Most of
# the stats are updated based on the STATS interval but a few items are checked
# less frequently (such as Asterisk Uptime) based on the INFO value

# FOPDISABLE=true|false # DEFAULT VALUE false
# Disables FOP in interface and retrieve_conf. Useful for sqlite3 or if you don’t want FOP.

# ZAP2DAHDICOMPAT=true|false
# DEFAULT VALUE: false
# If set to true, FreePBX will check if you have chan_dahdi installed. If so, it will
# automatically use all your ZAP configuration settings (devices and trunks) and
# silently convert them, under the covers, to DAHDI so no changes are needed. The
# GUI will continue to refer to these as ZAP but it will use the proper DAHDI channels.
# This will also keep Zap Channel DIDs working.

#Piaf specific section
AMPDBUSER=asteriskuser
AMPDBPASS=amp109
AMPDBNAME=asterisk
ASTETCDIR=/etc/asterisk
ASTMODDIR=/usr/lib/asterisk/modules
ASTVARLIBDIR=/var/lib/asterisk
ASTAGIDIR=/var/lib/asterisk/agi-bin
ASTSPOOLDIR=/var/spool/asterisk
ASTRUNDIR=/var/run/asterisk
ASTLOGDIR=/var/log/asterisk
AMPDISABLELOG=true

Adding CHECKREFERER=false does fix the problem and I can now program, but it seems to defeat the security risk.

Further note: I have used Firefox and IE with the same response.

G711,

The amportal.conf file does not matter, other than that you can set this new parameter if you want to disable this security check.

The URL is not a proper URL. That is a PIAF URL where FreePBX is inside of an iframe that PIAF is controlling. You can navigate straight to FreePBX if you use:

http://192.168.1.70:9080/admin

and then determine what is not working from there.

(It’s possible to see the iframe’s URL. From Firefox you right click within the page (not on a link) and choose “This Frame => View Frame Info” and it should show you the actual address of the frame.)

The issue is likely something in your browser that is blocking the HTTP_REFERER. Which browser are you using, and do you have any plugins that are designed to do that (there are such plugins available)?

Check for a new version of framework; it should fix the issue.

That did the trick. Thanks.

Removed CHECKREFERER=false from amportal.conf and everything is working just fine.