View Issue Details

ID: 0026275
Project: mantisbt
Category: authorization
View Status: public
Last Update: 2024-02-28 10:43
Reporter: traynaud
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: unable to reproduce
OS: windows
OS Version: 10
Product Version: 2.1.0
Summary: 0026275: ERROR 403 Forbidden on Chrome and Firefox because of cookies
Description

Many times a day we have this error.
We tried to analyse it, but the problem seems to be linked to cookies.
Working at the same time with Mantis and a Prima solution web app reproduces this error systematically.
We suppose that there is a conflict between their own cookies.

Tags: No tags attached.
Attached Files
capture.jpg (1,066,506 bytes)

Activities

dregad

2019-10-16 12:28

developer   ~0062985

The provided information is not sufficient to provide any help in resolving the issue. A complete and detailed description is required for the support team to get a clear understanding of the problem, starting with the URL being accessed that is throwing the 403 error. Your screenshot does not help at all.

Note that Mantis 2.1.0 is nearly 3 years old. I strongly recommend that you upgrade to the latest release. At least you need to confirm that the problem can be reproduced in 2.22.1.

Please explain what you do, what are the results you expect to get and what you actually get.

Also provide detailed, step-by-step instructions to reproduce the issue; the additional information listed below may also be useful:

  • Exact version of MantisBT, PHP, Database, Web server, Browser and Operating System
  • Relevant customizations (e.g. changes in config_inc.php, etc)
  • Installed plugins or custom functions?
  • Was the MantisBT source code modified in any way?
traynaud

2019-10-17 08:52

reporter   ~0062989

Sorry for the missing information:

Server OS info:
cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

uname -r
3.10.0-862.14.4.el7.x86_64

Mantis info:

MantisBT version 2.1.0
Schema version 209
Site path /var/www/html/mantisbt-2.1.0/
Core path /var/www/html/mantisbt-2.1.0/core/
Plugins path /var/www/html/mantisbt-2.1.0/plugins/

Plugin | Description | Dependencies | Priority | Protected | Actions
Avatars via Gravatar 2.1.0 | Author: Victor Boctor; Website: http://www.mantisbt.org | MantisBT Core 2.0.0
Email Reporting 0.10.0 | Offers the functionality to add issues and notes by email. Author: Indy and various people after him. Website: http://www.mantisbt.org/wiki/doku.php/mantisbt:emailreporting | MantisBT Core 1.3.0, <2.99.99
MantisBT Formatting 2.1.0 | Official text processing and formatting plugin. Author: MantisBT Team; Website: http://www.mantisbt.org | MantisBT Core 2.1.0
Mantis Graphs 2.1.0 | Official graphs plugin. Author: MantisBT Team; Website: http://www.mantisbt.org | MantisBT Core 2.0.0
MantisBT Core 2.1.0 | Core Plugin API for the Mantis Bug Tracker. Author: MantisBT Team; Website: http://www.mantisbt.org | No dependencies
MantisStats 2.4.0 | Statistics plugin for MantisBT. Author: Avetis Avagyan; Website: https://www.mantisstats.org | MantisBT Core 2.0.0

Plugin | Description | Dependencies | Actions
Import / Export issues 2.1.0 | Allows importing and exporting files in MantisBT-compatible XML format. Author: MantisBT Team; Website: http://www.mantisbt.org | MantisBT Core 2.0.0
MantisBT Markdown 1.1.2 | Markdown processing plugin. Author: Frank Bültge; Website: http://bueltge.de | MantisBT Core 1.2.0
MantisBT Formatting 1.0a

PHP info:

php --version
PHP 5.4.16 (cli) (built: Oct 30 2018 19:30:51)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies

Browser versions:
Google Chrome 72.0.3626.109
Firefox ESR 68.1.0

In Google Chrome there is this message in the console: "Active resource loading counts reached a per-frame limit while the tab was in background. Network requests will be delayed until a previous loading finishes, or the tab is brought to the foreground. See https://www.chromestatus.com/feature/5527160148197376 for more details"

Mantis Forbidden.png (31,582 bytes)   
traynaud

2019-10-17 09:10

reporter   ~0062991

I found two config files:

config_inc.php (47 bytes)   
<?php
require_once('custom_config_inc.php');
?>
dregad

2019-10-17 09:32

developer   ~0062992

@traynaud I deleted your custom config file, as it contained a lot of sensitive information (passwords, crypto salt, etc). I strongly suggest you immediately change these passwords since they have potentially been compromised. Feel free to upload the file again, after removing anything that should not be available on a public web site.
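
The leak above is the usual one: a config file attached to a public ticket with database passwords and the crypto salt still in it. As an added example (not part of this thread and not MantisBT's own code), the script below redacts the values of sensitive-looking options in a PHP config before it is shared, keeping the option names so the maintainers still see what is set. The sample config is constructed for the demo; `$g_db_password` and `$g_crypto_master_salt` are real MantisBT option names, `$g_ldap_bind_passwd` is a made-up custom key to show the substring matching.

```python
import re

# Name fragments that mark a setting as secret. Matching is by substring of
# the option name, so custom keys like $g_ldap_bind_passwd are caught too.
SENSITIVE_FRAGMENTS = ("password", "passwd", "salt", "secret", "token", "api_key")

# One PHP assignment of a quoted scalar: $g_<name> = '<value>';
# The value may contain backslash-escaped quotes, which is why it is not
# simply [^'"]*.
ASSIGNMENT = re.compile(
    r"""^(?P<lead>[ \t]*\$g_(?P<name>\w+)[ \t]*=[ \t]*)"""
    r"""(?P<quote>['"])(?P<value>(?:\\.|(?!(?P=quote)).)*)(?P=quote)"""
    r"""(?P<tail>[ \t]*;.*)$""",
    re.MULTILINE,
)

# Constructed sample; not a real deployment's configuration.
SAMPLE_CONFIG = r"""<?php
$g_hostname = 'localhost';
$g_db_username = 'mantis';
$g_db_password = 'S3cr3t!';
$g_database_name = 'bugtracker';
$g_crypto_master_salt = 'Z3JlYXQgc2FsdCBoZXJlCg==';
$g_ldap_bind_passwd = "it\"s hidden";
$g_allow_signup = OFF;
"""


def is_sensitive(name):
    """True when the option name contains any of the secret fragments."""
    lowered = name.lower()
    return any(fragment in lowered for fragment in SENSITIVE_FRAGMENTS)


def redact_config(text):
    """Return (redacted_text, [names redacted]) for a PHP config string.

    Only quoted string values of sensitive options are replaced; every other
    line, including unquoted values such as OFF, passes through unchanged.
    """
    redacted = []

    def replace(match):
        name = match.group("name")
        if not is_sensitive(name):
            return match.group(0)
        redacted.append(name)
        quote = match.group("quote")
        return f"{match.group('lead')}{quote}<REDACTED>{quote}{match.group('tail')}"

    return ASSIGNMENT.sub(replace, text), redacted


if __name__ == "__main__":
    import sys

    # Usage: python redact_config.py custom_config_inc.php > safe_to_share.php
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    cleaned, names = redact_config(source)
    sys.stdout.write(cleaned)
    sys.stderr.write("redacted: " + ", ".join(names) + "\n")
```

Run it over the real file and attach only the output; the list printed on stderr is a quick check that the expected keys were caught before the file leaves the server. Once a secret has been posted publicly, as dregad says, rotating it is the only fix; redaction only prevents the next leak.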

dregad

2019-10-17 09:32

developer   ~0062993

Last edited: 2019-10-17 09:34

confirm that the problem can be reproduced in 2.22.1.

You have not responded to that.

Please also check if the problem persists without any 3rd-party plugins (i.e. uninstall Email Reporting, MantisStats, MantisBT Markdown).

PHP 5.4.16

Please note that we require PHP 5.5 or later (although this is unlikely to be causing the problem you're facing).

You may also want to check if there is anything in the webserver / PHP logs.

traynaud

2019-10-17 10:38

reporter   ~0062995

We can't upgrade because we are using Squash test, and compatibility is compromised for us after this version of Mantis.

traynaud

2019-10-17 10:41

reporter   ~0062996

I'm asking for a PHP update.

dregad

2019-10-17 10:57

developer   ~0062997

Last edited: 2019-10-17 10:58

We can't upgrade

It's your decision. Just consider 47 security issues fixed since 2.1.0...

Also you need to demonstrate that the problem is reproducible in the latest release, because we don't support 2.1.0 anymore.

traynaud

2019-10-17 11:24

reporter   ~0063000

Can you change the visibility of the ticket to private?

dregad

2019-10-17 11:32

developer   ~0063002

Can you change the visibility of the ticket to private?

I could, but don't see the point - I already removed the file.

traynaud

2019-10-17 11:41

reporter   ~0063003

Thank you a lot for this fast removal.
But it's a request from my hierarchy.

dregad

2019-10-17 11:55

developer   ~0063004

Well, I'm sorry, but this is a public support channel for open-source software, and our policy is to leave everything visible for the benefit of the community. I'm willing to selectively edit out or remove other sensitive data as necessary if you tell me what it is, but not to hide the whole issue.

mtulodzi

2019-10-18 01:41

reporter   ~0063006

Hi,
we have the same issue under some specific conditions. We are on version 2.22.1.
Steps to reproduce it:

  1. Report Issue
  2. Set Summary: Why mantis throw 403 https://www.mantisbt.org/bugs/view.php?id=26275 ?
  3. Set Description: Why mantis throw 403 https://www.mantisbt.org/bugs/view.php?id=26275 ?
  4. Submit Issue
  5. Edit
  6. Set Status: Resolved
  7. Set Resolution: No change required
  8. Update information
  9. Receive 403 [Forbidden] to bug_update.php
traynaud

2019-10-18 03:27

reporter   ~0063007

Hi dregad,
I understood and agree with your policy.
I'll send information more carefully from now on.

Thank you, mtulodzi, for your example.

arouillere

2019-11-19 04:25

reporter   ~0063111

Last edited: 2019-11-19 04:51

Hello,

It seems we have an issue with Dynatrace. In fact, Dynatrace creates a dtSa cookie. When it's populated, we have the 403 error, each time. The domains used by Dynatrace and Mantis are the same.

We are actually testing this issue by configuring Dynatrace not to create this cookie (See attached image to do this). I'll keep you informed.

Additional information to access this parameter:
disable the dtSa cookie (enable debug mode with CTRL+SHIFT+F9 and see how below). The dtSa cookie is used to track so-called "delayed user actions" (e.g. a click on one page results in another page being loaded) if the browser's localStorage can't be used to persist this info. The consequence of disabling the cookie is that such delayed user actions will no longer be reported.

disable-dtsacookie.png (152,639 bytes)   
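
The diagnosis above took a month of guessing because the two applications share a domain, so every cookie either of them sets rides along on every Mantis request, and the front end rejected the request as soon as one of them carried a value. The helper below, added here as an example (not from this thread, not Dynatrace's or MantisBT's code), isolates that kind of cookie: it parses a request Cookie header, confirms the full set is blocked, then drops one cookie at a time and reports the ones whose removal lets the request through. The gateway here is a constructed stand-in that behaves the way the thread describes (403 whenever dtSa is populated); the cookie names and values in the sample header are constructed as well.

```python
def parse_cookie_header(header):
    """Split a request Cookie header ("a=1; b=2") into an ordered name->value dict."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def build_cookie_header(cookies):
    """Inverse of parse_cookie_header, for replaying a trimmed cookie set."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def isolate_blocking_cookies(cookies, probe, blocked_status=403):
    """Return the cookies whose individual removal un-blocks the request.

    probe(cookie_dict) -> HTTP status code. If the baseline request is not
    blocked there is nothing to isolate and the result is empty. A cookie is
    reported only when removing it on its own flips the status, so cookies
    that are merely present but harmless are never listed.
    """
    if probe(cookies) != blocked_status:
        return []
    culprits = []
    for name in cookies:
        trimmed = {k: v for k, v in cookies.items() if k != name}
        if probe(trimmed) != blocked_status:
            culprits.append(name)
    return culprits


def diagnose(cookie_header, probe):
    """Convenience wrapper: header string in, list of offending cookie names out."""
    return isolate_blocking_cookies(parse_cookie_header(cookie_header), probe)


def simulated_gateway(cookies):
    """Constructed stand-in for the front end in the thread, not real
    Dynatrace or MantisBT behaviour: 403 whenever dtSa carries a value,
    200 otherwise (an empty dtSa is treated as not populated)."""
    return 403 if cookies.get("dtSa") else 200


# Constructed sample: a MantisBT session alongside a monitoring cookie
# from another application on the same domain.
SAMPLE_COOKIE_HEADER = (
    "MANTIS_STRING_COOKIE=0f3a9c1e; MANTIS_PROJECT_COOKIE=1; "
    "dtSa=true%7CC%7C-1%7CSave%7C-%7C1573000000000; PHPSESSID=k2j4h5"
)


if __name__ == "__main__":
    culprits = diagnose(SAMPLE_COOKIE_HEADER, simulated_gateway)
    print("blocking cookies:", culprits)
    # Replay header without the culprits, ready to paste into a test request
    remaining = {k: v for k, v in parse_cookie_header(SAMPLE_COOKIE_HEADER).items()
                 if k not in culprits}
    print("retry with:", build_cookie_header(remaining))
```

Against a live deployment the probe would be a function that issues the failing request (for example the `bug_update.php` POST from mtulodzi's steps) with the given cookie dict and returns the status code; everything else stays the same. Once the offending cookie is known, the fix belongs on the side that sets it or in the rule that rejects it, which is exactly the route arouillere took with the Dynatrace setting.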
dregad

2024-02-16 20:24

developer   ~0068552

I was never able to reproduce this problem. Based on the last post 0026275:0063111 it would appear the offending behavior was caused by external software.

Feel free to reopen with further details if the problem still exists today.