Arachni / arachni-ui-web

Arachni's Web User Interface.
http://www.arachni-scanner.com/

404 error on notifications/mark_read #96

Closed themr0c closed 8 years ago

themr0c commented 8 years ago

On the home page, when clicking on the "Mark all read" button, I get a 404 error on the notifications/mark_read page.

127.0.0.1 - - [18/Nov/2015:13:45:56 +0100] "GET /404 HTTP/1.1" 404 728 0.0041

Zapotek commented 8 years ago

You didn't by any chance try to open it in a new tab or something instead of just clicking it, did you?

Zapotek commented 8 years ago

Another reason could be disabled JS.

themr0c commented 8 years ago

No, regular clicking on it. Apache is in front of arachni. BTW, all href links in the page are http://arachni.tld links. Not sure if the issue is at apache level or at arachni level. Investigating.

<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile      /etc/ssl/arachni.cer
  SSLCertificateKeyFile   /etc/ssl/arachni.key
  SSLCACertificateFile    /etc/ssl/arachni.ca
  SSLProtocol             all -SSLv3 -TLSv1
  SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
  SSLHonorCipherOrder     on

  ServerName arachni.tld
  ServerAdmin webmaster@localhost
  DocumentRoot /srv/arachni/arachni/system/arachni-ui-web/public/

  # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, error, crit, alert, emerg.
  # It is also possible to configure the loglevel for particular
  # modules, e.g.
  LogLevel info ssl:warn

  ErrorLog ${APACHE_LOG_DIR}/arachni_error.log
  CustomLog ${APACHE_LOG_DIR}/arachni_access.log combined

  ProxyPassMatch "/assets" !
  ProxyPass "/" "http://localhost:9292/"
  ProxyPassReverse "/" "http://localhost:9292/"

  <Directory /srv/arachni/arachni/system/arachni-ui-web/public/>
    Options FollowSymLinks
    AllowOverride All
    DirectoryIndex index.html
    Require all granted
  </Directory>
</VirtualHost>

<VirtualHost *:80>
  ServerName arachni.tld
  Redirect / https://arachni.tld/
</VirtualHost>

Zapotek commented 8 years ago

That link should issue a PATCH, not GET -- happens via JS hackery, not sure about the internals.

Zapotek commented 8 years ago

I'm closing this since I couldn't reproduce it when Arachni is deployed in the way that it was intended, but feel free to ask for any info you need to debug this.

themr0c commented 8 years ago

Fine.

On the same page, links are handled differently.

Some of them are relative links, and they are OK, like:

    <a href="/scans/3/issues/89">

Some others are using absolute URLs, and they are broken:

    <a class="btn btn-inverse" rel="nofollow" data-method="patch" href="http://arachni.tld/notifications/mark_read">

Sure, adding the apache layer has triggered the issue, but I need a proxy in front to have some LDAP authentication on top of the application at some point.

Zapotek commented 8 years ago

I don't think it's the relative vs absolute that's causing the issue but the PATCH method. Check what request is sent when just using Arachni and what happens when you do the same with the proxy in front. It probably has to do with the way PATCH is emulated/performed, something is not reaching the origin server or it is reaching it incorrectly.

themr0c commented 8 years ago

Was not limited to the patch / data-refresh-url links. I had it also on:

<a href="http://arachni.emakina.com/scans/new">

I managed to fix it by using apache mod_proxy_html.

https://httpd.apache.org/docs/2.4/mod/mod_proxy_html.html#proxyhtmlurlmap
http://www.apachetutor.org/admin/reverseproxies
http://apache.webthing.com/svn/apache/filters/proxy_html/proxy_html.conf

Virtualhost modifications:

  ProxyRequests off
  ProxyPassMatch "/assets" !
  ProxyPass "/" "http://localhost:9292/"

  ProxyHTMLEnable On
  # fix links issue as referenced on https://github.com/Arachni/arachni-ui-web/issues/96
  ProxyHTMLURLMap http://arachni.tld/ /
  # standard reverse proxy
  ProxyHTMLURLMap http://localhost:9292/ /
  # links must be defined
  ProxyHTMLLinks        div             data-refresh-url
  ProxyHTMLLinks        a               href
  ProxyHTMLLinks        area            href
  ProxyHTMLLinks        link            href
  ProxyHTMLLinks        img             src longdesc usemap
  ProxyHTMLLinks        object          classid codebase data usemap
  ProxyHTMLLinks        q               cite
  ProxyHTMLLinks        blockquote      cite
  ProxyHTMLLinks        ins             cite
  ProxyHTMLLinks        del             cite
  ProxyHTMLLinks        form            action
  ProxyHTMLLinks        input           src usemap
  ProxyHTMLLinks        head            profile
  ProxyHTMLLinks        base            href
  ProxyHTMLLinks        script          src for

So basically it works behind an apache 2.4 ;)
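A check for the rewrite configured in the comment above, as an added example that is not part of the original thread or of Arachni: it parses a proxied page and flags URL attributes that still carry the backend address or the plain-http form of the public host, the two patterns mapped by `ProxyHTMLURLMap`. The `audit` function, the `LINK_ATTRS` subset and the sample HTML are assumptions constructed from the snippets quoted in this issue.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element -> URL-bearing attributes, mirroring a subset of the ProxyHTMLLinks
# lines above (assumption: extend it to match your own configuration).
LINK_ATTRS = {
    "a": {"href"}, "area": {"href"}, "link": {"href"}, "base": {"href"},
    "form": {"action"}, "img": {"src"}, "script": {"src"},
    "div": {"data-refresh-url"},
}

class LinkAudit(HTMLParser):
    """Collects URL attributes that would take the browser off the proxy origin."""

    def __init__(self, public_origin, backend_hosts):
        super().__init__()
        self.public = urlsplit(public_origin)
        self.backend_hosts = set(backend_hosts)
        self.findings = []  # (reason, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in LINK_ATTRS.get(tag, ()):
                continue
            url = urlsplit(value)
            if not url.netloc:
                continue  # path-only link: resolved against the page's own origin
            if url.netloc in self.backend_hosts:
                reason = "backend-leak"
            elif (url.hostname == self.public.hostname
                  and url.scheme not in ("", self.public.scheme)):
                reason = "scheme-mismatch"
            else:
                continue
            self.findings.append((reason, tag, name, value))

def audit(html, public_origin="https://arachni.tld", backend_hosts=("localhost:9292",)):
    parser = LinkAudit(public_origin, backend_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample built from the anchors quoted in this thread.
SAMPLE = """
<a href="/scans/3/issues/89">issue</a>
<a class="btn btn-inverse" rel="nofollow" data-method="patch"
   href="http://arachni.tld/notifications/mark_read">Mark all read</a>
<div data-refresh-url="http://localhost:9292/scans.js"></div>
<a data-remote="true" href="https://arachni.tld/scans?filter_finished=shared">Shared</a>
"""
```

Feed it the HTML fetched through the proxy; an empty result means every audited attribute is either path-only or already on the public HTTPS origin.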

Zapotek commented 8 years ago

That's really good to know man, glad you got it working.

themr0c commented 8 years ago

Hmm, now something new, but maybe related.

I have created a scan with User1. I have shared the scan with User2. Now I log in with User2. From the menu, I can access the scan in the list: that's fine. But I can't see the list of shared scans from the /scans page. The navigation to "Shared" doesn't work.

The application log is happy, though:

127.0.0.1 - - [18/Nov/2015:16:15:39 +0100] "GET /scans.js?action=index&controller=scans&filter_active=yours&filter_finished=yours&filter_suspended=yours HTTP/1.1" 200 - 0.0787

In the HTML, the link is the following:

<a onclick="loading();" data-remote="true" href="https://arachni.tld/scans?action=index&amp;controller=scans&amp;filter_active=yours&amp;filter_finished=shared&amp;filter_suspended=yours">

Does it sound like logical behaviour to you?

Zapotek commented 8 years ago

The AJAX behind the tabs must be broken, I remember it happening to another place after a dependency upgrade. Should be easy enough to sort out, if I understood the issue correctly.

Zapotek commented 8 years ago

Hm, works for me, must be a proxy thing again. Can you retry without the proxy and see what happens?

Zapotek commented 8 years ago

Btw, if it helps, I'm pretty sure I could just switch to using paths in the trouble areas instead of URLs.

themr0c commented 8 years ago

I guess paths everywhere should be fine, and would add more consistency in the whole app.

Zapotek commented 8 years ago

Nightlies are up, I switched all URLs in the views to absolute paths, I hope it helps. Try them out and let me know if you spot any bugs.

Cheers

themr0c commented 8 years ago

Hi, just tested the nightly, with apache proxy:

Zapotek commented 8 years ago

Hm, does that happen without the proxy?

themr0c commented 8 years ago

Just checked again, both behind apache and standalone. I believe that the problem is that I didn't understand correctly what I should expect to see in the Scans summary page, without selecting a group. I'll try to be as clear as possible.

So it means the behaviour is different for shared and unshared scans when you didn't select a group on the /scans summary page. A message like the one displayed when a group is selected could be a good thing to make clear which scans the user should expect to see on the page.