Kofax

Unable to update user profile in MarkView

Article # 3028995 - Page views: 48

Issue

When updating a user's details in Administration -> MarkView Admin -> User Profiles, an HTTP 500 error occurs when clicking on "Save".

The mvplsql.log file contains an error like:

2021-04-15 06:52:01,770 ERROR markview.plsqlservlet.PlSqlServlet:106 - Request has unexpected Origin value: nullor Referer value: https://<server>:<port>/markview/MV_Admin_User.UserMasterRecord

There is a possibility of a CSRF attack.

Cause

CSRF stands for Cross-Site Request Forgery.

A security vulnerability was identified in MarkView 10.1 and resolved in Fix Pack 10.1.0.3.

From 10.1.0.3, MarkView treats a request as a possible CSRF attack in the following circumstances:
- if the "origin" of a URL to a form in MarkView does not appear to be from MarkView, e.g. if someone has simply pasted the URL for the user profile tab into a browser rather than navigating from MarkView Home.
- if the Origin header exists and its URL value is not contained within either the Referer URL or the Request URL.

The error in the mvplsql.log file can also occur if an unsupported browser is used.

 

Solution

Ensure that:
a) The user is accessing MarkView using a supported browser.

If the value of the PLQLSERVLET_LOGGING_LEVEL preference is set to "All", the mvplsql.log file records the User-Agent string of the browser used, e.g.:

2021-04-15 06:52:01,764 TRACE markview.plsqlservlet.PlSqlServlet:355 - Request Header User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; EN; rv:11.0) like Gecko

This User-Agent string can be checked using http://useragentstring.com/


b) The load balancer or proxy server is configured so that the Origin header's URL value is contained within both the Referer URL and the Request URL.
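
To triage these rejections from mvplsql.log, the following Python script (an added example, not Kofax code) pairs each CSRF error with the User-Agent trace line logged just before it and classifies the logged Origin value. The host names are placeholders, and it assumes that a non-null Origin is logged in the same layout as the error line quoted above and that the TRACE line directly precedes the ERROR for the same request.

```python
import re

# Constructed sample in the layout of the two log lines quoted in the article.
# Hosts are placeholders; the non-null Origin lines are an assumed variant of that layout.
SAMPLE_LOG = """\
2021-04-15 06:52:01,764 TRACE markview.plsqlservlet.PlSqlServlet:355 - Request Header User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; EN; rv:11.0) like Gecko
2021-04-15 06:52:01,770 ERROR markview.plsqlservlet.PlSqlServlet:106 - Request has unexpected Origin value: nullor Referer value: https://mv.example.test:8443/markview/MV_Admin_User.UserMasterRecord
2021-04-15 07:10:12,101 TRACE markview.plsqlservlet.PlSqlServlet:355 - Request Header User-Agent: ExampleBrowser/1.0 (constructed)
2021-04-15 07:10:12,109 ERROR markview.plsqlservlet.PlSqlServlet:106 - Request has unexpected Origin value: https://mv.example.test:8443or Referer value: https://mv.example.test:8443/markview/MV_Admin_User.UserMasterRecord
2021-04-15 07:15:40,300 ERROR markview.plsqlservlet.PlSqlServlet:106 - Request has unexpected Origin value: https://lb.example.testor Referer value: https://mv.example.test:8443/markview/MV_Admin_User.UserMasterRecord
"""

PREFIX = r"^(\S+ \S+) \w+\s+\S+ - "  # timestamp, level, logger:line
UA_RE = re.compile(PREFIX + r"Request Header User-Agent: (.*)$")
# The quoted log line has no space before "or" ("nullor Referer"), hence \s*.
CSRF_RE = re.compile(PREFIX + r"Request has unexpected Origin value: (.*?)\s*or Referer value: (.*)$")

def classify(origin, referer):
    """Map a rejection to the article's conditions, using only the logged values."""
    if origin in ("", "null"):
        return "origin-missing"         # e.g. pasted URL or unsupported browser
    if origin not in referer:
        return "origin-not-in-referer"  # Origin and Referer disagree
    # Inference from the article: Origin matched the Referer, so the Request URL
    # seen by the servlet is what differs (check the load balancer or proxy).
    return "origin-in-referer"

def triage(log_text):
    """Return one finding per CSRF rejection, with the preceding User-Agent if logged."""
    findings, last_ua = [], None
    for line in log_text.splitlines():
        ua = UA_RE.match(line)
        if ua:
            last_ua = ua.group(2)
            continue
        hit = CSRF_RE.match(line)
        if hit:
            ts, origin, referer = hit.groups()
            findings.append({"time": ts, "origin": origin, "referer": referer,
                             "kind": classify(origin, referer), "user_agent": last_ua})
            last_ua = None  # do not reuse a User-Agent for a later request
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["kind"], "| UA:", f["user_agent"])
```

A user_agent of None means no TRACE line preceded the error, which is expected unless the logging preference described in (a) is set to "All".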

 

Level of Complexity 

Moderate

 

Applies to  

Product: MarkView for Oracle
Version: 10.1.0.3 and later

 