Loading.. bug/error

  • Loading.. bug/error

    On a fresh install we cannot create any users, calls, accounts, etc.
    For all tasks that require the creation of a record it just gets stuck at Loading...

    Any idea on how to solve this?

    Chrome console says:

    This page includes a password or credit card input in a non-secure context. A warning has been added to the URL bar. For more information, see https://goo.gl/zmWq3m.
    /client/src/views/fields/varchar.js?r=1518717397 Failed to load resource: the server responded with a status of 406 (Not Acceptable)
    espo.min.js?r=1518717397:17 Uncaught Error: Could not load file 'client/src/views/fields/varchar.js?r=1518717397'
    at Object.error (espo.min.js?r=1518717397:17)
    at j (espo.min.js?r=1518717397:3)
    at Object.fireWith [as rejectWith] (espo.min.js?r=1518717397:3)
    at x (espo.min.js?r=1518717397:4)
    at XMLHttpRequest.<anonymous> (espo.min.js?r=1518717397:4)

  • #2
    Seems you have some security configuration not allowing some request to be sent.


    • KevinK commented
      Where would this security setting/config be?

  • #3
    On this particular configuration, WordPress, Joomla, Drupal, Zurmo and other CMS and ERP work without issue.
    I don't see any error logs on the server itself, just the JS error in Chrome.

    Error: Could not load file 'client/src/views/fields/varchar.js?r=1518758250'
    What specifically could be causing this?
    Last edited by anlicor; 02-16-2018, 05:44 AM.


    • tanya commented
      Check permissions, please.
      If the file client/src/views/fields/varchar.js exists but couldn't be loaded, it seems this file is not readable for the server user.

  • #4
    The culprit can be in the htaccess file of WordPress, Joomla, Drupal or in a separate htaccess file.


    • #5
      This is the .htaccess file for the associated account:

      <ifModule mod_headers.c>
      Header always set Access-Control-Allow-Methods "POST, GET, PUT, PATCH, DELETE"
      </ifModule>

      DirectoryIndex index.php index.html

      <IfModule mod_rewrite.c>
      RewriteEngine On

      # PROTECTED DIRECTORIES
      RewriteCond %{REQUEST_FILENAME} -d
      RewriteRule ^/?(data|api)/ - [F]

      RewriteRule ^/?data/config\.php$ - [F]
      RewriteRule ^/?data/logs/ - [F]
      RewriteRule ^/?data/cache/ - [F]
      RewriteRule ^/?data/upload/ - [F]
      RewriteRule ^/?data/\.backup/ - [F]
      RewriteRule ^/?application/ - [F]
      RewriteRule ^/?custom/ - [F]
      RewriteRule ^/?vendor/ - [F]
      #END PROTECTED DIRECTORIES

      RewriteRule .* - [E=HTTP_ESPO_CGI_AUTH:%{HTTP:Authorization}]

      RewriteRule reset/?$ reset.html [QSA,L]
      </IfModule>
      See any issues?


      • #6
        In my case it turned out to be Apache's ModSecurity blocking SQL injection attempts.

        This is what I found on the Apache error log:

        [Thu Aug 02 12:10:40.150882 2018] [:error] [pid 15334:tid 139847905761024] [client x.x.x.x:33353] [client x.x.x.x] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(??:s(?:elect\\\\b(?:.{1,100}?\\\\b(??:length|count|top)\\\\b.{1,100}?\\\\bfrom|from\\\ \b.{1,100}?\\\\bwhere)|.*?\\\\b(?:d(?:ump\\\\b.*\\ \\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_( ??:addextendedpro|sqlexe)c|(?acreat|prepar)e|execute(?:sql)?|makewebt ..." at REQUEST_FILENAME. [file "/etc/apache2/conf.d/imh-modsec/05_additional_directives.conf"] [line "38"] [id "950001"] [msg "SQL Injection Attack"] [data "varchar"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "crm.xxxxxxx.com"] [uri "/client/src/views/fields/varchar.js"] [unique_id "W2M7EMifb1cOYrVibxVvnwAAAhU"], referer: http://crm.xxxxxxx.com/

        So I had to comment out a section of file /etc/apache2/conf.d/imh-modsec/05_additional_directives.conf (id "950001") and restart Apache.

        Yes, this leaves a security hole, but my coding skills are not good enough to suggest a permanent in-code fix (if it is indeed possible). Maybe developers can look into it?

        Hope this is still useful
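
An added example, not part of the thread and not EspoCRM's or the hosting provider's own configuration: rather than commenting out rule 950001 for the whole server as described in #6, the rule can be removed only for the one static file named in the log entry. It assumes ModSecurity 2.x, access to the Apache server or virtual host configuration, and a file that Apache reads after 05_additional_directives.conf; the file name 99_espocrm_exclusions.conf is a placeholder.

```apache
# /etc/apache2/conf.d/imh-modsec/99_espocrm_exclusions.conf  (placeholder name)
# Added example. Must be read by Apache after the file that defines rule
# 950001, because ModSecurity 2.x can only remove a rule that is already loaded.

# Server-wide removal, equivalent to commenting the rule out: every site on
# the server loses this SQL injection check. Shown for contrast, left disabled.
# SecRuleRemoveById 950001

# Scoped removal: rule 950001 stays active for every other URL, including the
# API and all request parameters. Only the URI reported in the error log
# ([uri "/client/src/views/fields/varchar.js"]) skips it.
<LocationMatch "^/client/src/views/fields/varchar\.js$">
    <IfModule security2_module>
        SecRuleRemoveById 950001
    </IfModule>
</LocationMatch>
```

If other file names under client/src trip the same rule, add one LocationMatch per URI seen in the error log rather than widening the pattern.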
