miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
Specific miniBB Support Forums / Specific /  
 

help - Can not proceed: possible CSRF/XSRF attack!

 
Author benluke4
Partaker
#1 | Posted: 3 Feb 2015 20:58 
Hi,

We re trying to edit the name and description of one of our forums whilst logged into the admin panel.

We get this error message...

Can not proceed: possible CSRF/XSRF attack!

Any advice?
Ben

Author Paul
Lead Developer 
#2 | Posted: 3 Feb 2015 23:52 
Make sure your $main_url setting corresponds to the primary URL you enter the forum.
Specially, if the primary URL contains 'www' in it, $main_url also should contain it.
If the primary URL doesn't contain 'www', $main_url should start with 'https://url_to_forum' without 'www.'

Author Patriboom
Partaker
#3 | Posted: 21 Feb 2015 01:59 
I have the same problem online. On developpement server it's ok, but on the production never pass the addnewforum command.
Here, maybe, something helpfull for many: Cookie names cannot contain any of the following '=,; \t\r\n\013\014' in addon_whosonline.php on line 59

My $cookiename='DecouvertePlongeeQuebecoise='; (from setup_options.php) may be too long.

Author Patriboom
Partaker
#4 | Posted: 21 Feb 2015 02:59 
Correction: I was still working on an old cookie.
As my MiniBB is integrated to website, i have to work on line 125 of bb_admin.php which I've renamed. I don't use the MiniBB login system.

To do properly, I have to get into bb_admin.php by submitting a form with admin_usr and admin_psw which form must perform under method=POST
Here the code:
<?php
include_once "DIrectory/MiniBB/setup_options.php";
$_POST["mode"] = "login";
$_POST["adminusr"] = $admin_usr;
$_POST["adminpwd"] = $admin_pwd;
include_once "DIrectory/MiniBB//bb_admin.php";

Author Patriboom
Partaker
#5 | Posted: 21 Feb 2015 05:23 
I worked long, very long before i could find this clue:

setup_options.php must have a
cookiedomain value different than ''
and cookiepath a value = ''

otherwise my browser (opera) negate to record any cookie
Now, my setup_options.php has this about cookies:

$cookiedomain='plongee.rcmission.net';
$cookiename='DecouvPlongQueb';
$cookiepath='';
$cookiesecure=FALSE;
$cookie_expires=108000;
$cookie_renew=1800;
$cookielang_exp=2592000;

the cookiedomain corresponding to the actual domain name used for the website where is the miniBB .

Author Patriboom
Partaker
#6 | Posted: 21 Feb 2015 05:26 
Paul:
If the primary URL doesn't contain 'www', $main_url should start with 'https://url_to_forum' without 'www.'
Caution: https is a reserved feature for securised website. If the website has no security controle system, that's for nothing to add the "s" after http.

Author Paul
Lead Developer 
#7 | Posted: 23 Feb 2015 15:28 
Patriboom:
Cookie names cannot contain any of the following
This is mentioned in miniBB Manual as well. If you want less problems, avoid more tricks. They don't affect security anyway.

miniBB Manual:
Use only latin letters, digits and underscore sign specifying it. No spaces, dots or special symbols are allowed, this will make the login impossible to proceed. Should begin with a latin letter.

Author Paul
Lead Developer 
#8 | Posted: 23 Feb 2015 15:29 
Patriboom:
As my MiniBB is integrated to website, i have to work on line 125 of bb_admin.php which I've renamed.
If you miniBB is integrated, you should work on bb_cookie.php and optionally bb_func_login.php. Admin's file is also based on these codes.
Guide.

Author Paul
Lead Developer 
#9 | Posted: 23 Feb 2015 15:32 
Patriboom:
Caution: https is a reserved feature for securised website. If the website has no security controle system, that's for nothing to add the "s" after http.
It was just an example; of course if you don't have https connection, there should be 'http://'.

Actually, CSRF/XSRF issue is related to this thing: you should have the same value in $main_url as you're entering the forum from. If it starts with a subdomain, then only subdomain without www should be listed there. It should be absolutely equal to the domain you're entering credentials from. And yes, if you system is tied up with another logins system, you may modify cookie settings so they correspond to the system you're using.

Specific miniBB Support Forums / Specific /
 help - Can not proceed: possible CSRF/XSRF attack!
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Get the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑