Open nolimitdev opened 5 years ago
Do you perhaps have a custom error handler setup, via a line like error_handler_403= in /etc/webmin/miniserv.conf?
Authentic Theme sets/unsets it.
https://github.com/authentic-theme/authentic-theme/issues/1047#issuecomment-461925837
@rostovtsev seems like this doesn't work properly, because the referrer check is triggered when 403.cgi is run. You should set the global $trust_unknown_referers = 1 at the top of your script, and also make extra sure it doesn't make use of any input!
correct http status code 403 but also large amount of html code that says that this error is Referer error which is false.
That is odd. It doesn't give any referrer error at all. I have in Webmin config:
referer=192.168.122.33
referers_none=1
..and miniserv.conf has the following:
allow=192.168.122.33
Meanwhile, I accessed Webmin using the 192.168.122.30 address and I had the expected output:
Doing more tests, I have noticed that if you remove from the Webmin config:
referer=192.168.122.33
..then this error appears (I suppose this is what was initially reported).
I carefully checked this and related parts of the code but didn't notice any use of user input, only the messages and status code received from miniserv, which are placed inside the HTML, so I just escaped them to be extra sure. Could that be tricked into an attack, Jamie?
https://github.com/authentic-theme/authentic-theme/commit/7068c4009fb3a85c852568f09dd16f3fbdec067d
Escaping is good practice, but in this case it's still safe regardless because those inputs come only from miniserv.pl
Question: Do referer= and allow= work correctly when you use IPv6 addresses as values?
Yes, they should.
Do you have to enclose the IPv6 address in square brackets [aa:bb:cc:dd:ee:ff:11:22] or is it supposed to work without the brackets?
Exactly what @rostovtsev posted (image) is the main issue of this topic. In my case I have the same result:
With IP access limitation enabled I should get just:
@nolimitdev Have you installed the patch for the theme?
I have just tested switching from "Authentic Theme" to "Gray Framed Theme" and there is a correct error message, just Error - access denied for .... I think that "Authentic Theme" is the default theme now and it should be working by default. @rostovtsev which patch do you mean, please?
Try just the latest git version. Can be installed using theme configuration.
Interesting finding... after I switched from "Authentic Theme" to "Gray Framed Theme" and again back to "Authentic Theme" it works now as expected. Instead of the referrer warning, the HTML output is now just <h1>Error - access denied for ...</h1>. So I did not try the latest git version.
When I have IP access limited to some IP and I access Webmin from another, not allowed IP, it gives the correct HTTP status code 403 but also a large amount of HTML code that says that this error is a Referer error, which is false. Also, in the title tag and in the source code the Webmin version and OS version are shown, which is not safe. The old version of Webmin correctly output to the body just <h1>Error - Access denied for ...</h1>. Could you fix it please? This strange body output is in 1.920 and also in 1.930, maybe in some others also.