Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
QUESTION CSRF detected!
#1
Hello, I experimented something that I want to share with you.

I was editing a page, and when I clicked on "Save the Page", something went wrong: I just have a blak page with this sentence :
CSRF detected!

It seems by doing a quick search that this means "Cross-site request forgery", a type of attack. I think that this occurs because I had many differents tabs opened, I'm not sure but I even may had several tab on editing this page... ^^'

Anyway, the page has'nt been saved, so I could have lost all my work... Confused

By chance, I'm using a Firefox plugin (called Lazarus, but there are other like this one) which recover all text filed if something goes wrong.

I think that GS could return the text field when this error occurs, so the user can copy/paste the text and don't lose is work.

Have a good day!
__
Contact me if you need a french translation file for your plugin.
Reply
#2
(2016-02-23, 18:38:27)Charpy1 Wrote: I think that GS could return the text field when this error occurs, so the user can copy/paste the text and don't lose is work.

Why don't you use the standard toolbar buttons of your browser then click Back? - and see what happened
Reply
#3
This happens when your nonce timesput to prevent old pages from being replayed or sent later. So maybe the page expired. This should not normally happen unless the page was open for hours, or something changed whoch could indicate a problem. Let us know if if happens repeatedly. You can also disable this in gsconfig
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#4
(2016-02-23, 18:38:27)Charpy Wrote: CSRF detected!

I also have this happen once or twice in a 6-10hr period of  intensely editing my GS site.

Here is what is happening:
"CSRF is an attack that tricks the victim into submitting a malicious request. Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated."

1) At the very least, the browser has made a mistake or corrupted the request being sent to the server and the server thinks your browser has been hijacked. This might happen with something as simple as a corrupt CRC checksum error.

2) At the worst, you have a rogue program that is adding material to what your browser is sending from your computer, or outside your computer a sniffer program has edited packets of information you have sent.

If this is an actual malicious attack, this type of attack can only send information, it has no way of receiving information - - so what it will do is send a link to be clicked on or something like that  (This is what the server thinks is happening so it refuses the page you just sent).

Workaround
My experience has been, if this error occurs you will loose all of your edited material. So, if I have done extensive editing, I first copy the whole page to the clip board by doing this: I switch to [source] view, do a ctrl-a (select all), then ctrl-c (copy-all) then hit the send/update button. If the error occurs, hit the back button, goto [source] view and press ctrl-a (select all), ctrl-v (insert) and hit the send/update again.
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Reply
#5
(2016-02-24, 01:57:14)jwzumwalt Wrote: Workaround
My experience has been, if this error occurs you will loose all of your edited material. So, if I have done extensive editing, I first copy the whole page to the clip board by doing this: I switch to [source] view, do a ctrl-a (select all), then ctrl-c (copy-all) then hit the send/update button. If the error occurs, hit the back button, goto [source] view and press ctrl-a (select all), ctrl-v (insert) and hit the send/update again.

All this is not really necessary, your browser caches all field values automatically, that is why I have written about „Back“ button
Reply
#6
(2016-02-24, 02:12:59)Bigin Wrote: All this is not really necessary, your browser caches all field values automatically, that is why I have written about „Back“ button

I do not know what happens with your system, but on mine, "back" does not return to the "edited" page. It reverts to the "old" unedited page. So, the above process is necessary.
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Reply
#7
Most of that is wrong, this is GSs csrf detection, it has nothing to do with an actual csrf or server or browser interception.
It simply means that the nonce we sent on the page has expired or no longer matches the one we generate, a nonce is not really a nonce in GS since we use stateless sessions, but is calculated based on some predictable stuff. ( a nonce is a use once token, to prevent action replays or hijacks, ours is not really a nonce but a nonce good for 1-2 hours )

$hash=sha1($action.$file.$uid.$USR.$SALT.$time);

If your http user agent changes during it breaks, if your php_self is calculated wrong it breaks, if it expires 1-2 hours, it breaks.


I have an issue to deal with this in a somewhat better manner to at least not lose data.
https://github.com/GetSimpleCMS/GetSimpl...ssues/1014

and there are also some fixes in 3.4 such as settable timeouts etc.

Browsers are good at preserving textareas, but ckeditor and other js stuff is sometimes lost

It might be easier to just turn this off if you encounter it or are rapidly developing or are local and do not care, or have enhanced ip restrictions in apache for example.

in gsconfig.php

# Turn off CSRF protection. Uncomment this if you keep receiving the error message "CSRF error detected..."
#define('GSNOCSRF', TRUE);
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#8
(2016-02-24, 03:15:32)shawn_a Wrote: Most of that is wrong, this is GSs csrf detection, it has nothing to do with an actual csrf or server or browser interception.
It simply means that the nonce we sent on the page has expired or no longer matches the one we generate, a nonce is not really a nonce in GS since we use stateless sessions, but is calculated based on some predictable stuff. ( a nonce is a use once token, to prevent action replays or hijacks, ours is not really a nonce but a nonce good for 1-2 hours )
...
Thank you for the additional information.

However, it has happened to me following a recent edit so at least it does not appear to always be a timout... I do on occasion have lengthy editing sessions where I am researching material, so those occasions may be a timeout. I am going to disable it for a while and see what happens. If something is being injected, it should be immediately recognizable. (I might add, GS is the only program that has ever given me this error.)

It appears there is a bug but given the stellar performance and stability of GS I don't care - I am very happy with it.
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Reply
#9
Thanks all for these precisions, specially shawn_a !

Bigin, I know very well about the browser cache for the text fields. It works all the time.. exept when your really need it to work Big Grin

That's why I recommand "Lazarus" or "Text Area Cache", which are good plugin who do a very good job as textarea content saver. There may be other plugins like this, but I know only these two. I recommand it to you, jwzumwalt, so you won't need to remember to copy your content anymore!
__
Contact me if you need a french translation file for your plugin.
Reply
#10
I'm not sure all browser behaves the same way, but it doesn't matter, wether a CKEditor or textarea, when I click the back Button (Sometimes multiple clicks are necessary) it will reload page from browser cache. That is browser's default behavior, is to naturally cache pages. But when you want to be sure to explicitly grab sites from cache -which is natural when someone is filling out a form- for instance you could try to forcing pragma-cache in header as follows:

Code:
header("Content-Type: text/html; charset: UTF-8");
header("Cache-Control: max-age=400, public, s-maxage=400“);
header("Pragma: ");
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 400) . ' GMT');

There a link for more info: http://www.sitepoint.com/caching-php-performance/
Reply
#11
interesting
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#12
(2016-02-24, 07:19:22)Bigin Wrote:
Code:
header("Content-Type: text/html; charset: UTF-8");
header("Cache-Control: max-age=400, public, s-maxage=400“);
header("Pragma: ");
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 400) . ' GMT'

So where should this code be added?
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Reply
#13
Ohh sorry, I forgot to mention that, this can and should only be done by core developer and the code is for information purposes only. I have just replied to shawn_a comment above.
Reply
#14
Word of advice never allow caching on edit pages, you will wind up editing old versions of a page and lose stuff.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#15
(2016-02-24, 03:15:32)shawn_a Wrote: ...

in gsconfig.php

# Turn off CSRF protection. Uncomment this if you keep receiving the error message "CSRF error detected..."
#define('GSNOCSRF', TRUE);

I have tried this for about a month now, and all my problems went away - no more lost pages Smile
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Reply




Users browsing this thread: 1 Guest(s)