Unable to update user profile in MarkView
Issue
When updating a user's details in Administration -> MarkView Admin -> User Profiles, an HTTP 500 error occurs when clicking on "Save".
The mvplsql.log file contains an error like:
2021-04-15 06:52:01,770 ERROR markview.plsqlservlet.PlSqlServlet:106 - Request has unexpected Origin value: nullor Referer value: https://<server>:<port>/markview/MV_Admin_User.UserMasterRecord
There is a possibility of a CSRF attack.
Cause
CSRF stands for Cross-Site Request Forgery.
A security vulnerability was identified in MarkView 10.1 and resolved in Fix Pack 10.1.0.3.
From 10.1.0.3, MarkView treats a request as a possible CSRF attack in the following circumstances:
- If the "origin" of a URL to a form in MarkView does not appear to be from MarkView, e.g. if someone has simply pasted the URL for the user profile tab into a browser rather than navigating from MarkView Home.
- If the Origin header exists and its URL value is not contained within either the Referer URL or the Request URL.
The error in the mvplsql.log file can also occur if an unsupported browser is used.
Solution
Ensure that:
a) The user is accessing MarkView using a supported browser.
If the value of the PLQLSERVLET_LOGGING_LEVEL preference is set to "All", the mvplsql.log file records the User-Agent string for the browser used. For example:
2021-04-15 06:52:01,764 TRACE markview.plsqlservlet.PlSqlServlet:355 - Request Header User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; EN; rv:11.0) like Gecko
This User-Agent string can be checked using http://useragentstring.com/
b) The load balancer or proxy server is configured appropriately so that the Origin header URL value is contained within both the Referer URL and the Request URL.
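To triage both checks at once, the following added example (not MarkView code) scans mvplsql.log text for the CSRF rejection message, extracts the Origin and Referer values, and attaches the most recent User-Agent trace line. The sample lines are constructed from the two formats quoted above with placeholder hosts; the line with a non-null Origin is an assumption about how the same message looks when the header is present.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the mvplsql.log formats quoted above (placeholder hosts).
SAMPLE_LOG = """\
2021-04-15 06:52:01,764 TRACE markview.plsqlservlet.PlSqlServlet:355 - Request Header User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; EN; rv:11.0) like Gecko
2021-04-15 06:52:01,770 ERROR markview.plsqlservlet.PlSqlServlet:106 - Request has unexpected Origin value: nullor Referer value: https://mv.example.test:8443/markview/MV_Admin_User.UserMasterRecord
2021-04-15 06:53:10,102 ERROR markview.plsqlservlet.PlSqlServlet:106 - Request has unexpected Origin value: https://lb.example.testor Referer value: https://mv.example.test:8443/markview/MV_Admin_User.UserMasterRecord
"""

UA_RE = re.compile(r"TRACE .*? - Request Header User-Agent: (?P<ua>.+)$")
CSRF_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR .*? - Request has unexpected Origin value: "
    r"(?P<origin>.*?)\s*or Referer value: (?P<referer>.*)$")


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; None for empty or 'null'."""
    if not url or url == "null":
        return None
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower() if parts.netloc else None


def find_csrf_rejections(log_text):
    """One dict per rejection. The User-Agent is the last one logged before the
    error, so on a busy server confirm it belongs to the same request."""
    hits, last_ua = [], None
    for line in log_text.splitlines():
        ua = UA_RE.search(line)
        if ua:
            last_ua = ua.group("ua").strip()
            continue
        m = CSRF_RE.match(line)
        if m:
            origin = origin_of(m.group("origin").strip())
            referer = origin_of(m.group("referer").strip())
            hits.append({
                "time": m.group("ts"),
                "origin": origin,                # None when the header was null
                "referer_origin": referer,
                "origin_matches_referer": origin is not None and origin == referer,
                "user_agent": last_ua,
            })
    return hits


if __name__ == "__main__":
    for hit in find_csrf_rejections(SAMPLE_LOG):
        print(hit)
```

An `origin` of `None` points at check a) or a pasted URL, while a non-null `origin` that differs from `referer_origin` points at the load balancer or proxy configuration in check b).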
Level of Complexity
Moderate
Applies to
Product | Version | Build | Environment | Hardware |
---|---|---|---|---|
MarkView for Oracle | 10.1.0.3 and later | | | |