miniBB Support Forums

help - Can not proceed: possible CSRF/XSRF attack!

Author benluke4
Registered
#1 | Posted: 3 Feb 2015 20:58 
Hi,

We're trying to edit the name and description of one of our forums whilst logged into the admin panel.

We get this error message...

Can not proceed: possible CSRF/XSRF attack!

Any advice?
Ben

Author Paul
Lead Developer
#2 | Posted: 3 Feb 2015 23:52 
Make sure your $main_url setting corresponds to the primary URL you enter the forum from.
In particular, if the primary URL contains 'www' in it, $main_url should also contain it.
If the primary URL doesn't contain 'www', $main_url should start with 'https://url_to_forum' without 'www.'

Author Patriboom
Registered
#3 | Posted: 21 Feb 2015 01:59 
I have the same problem online. On the development server it's OK, but on production the addnewforum command never passes.
Here, maybe, is something helpful for many: Cookie names cannot contain any of the following '=,; \t\r\n\013\014' in addon_whosonline.php on line 59

My $cookiename='DecouvertePlongeeQuebecoise='; (from setup_options.php) may be too long.

Author Patriboom
Registered
#4 | Posted: 21 Feb 2015 02:59 
Correction: I was still working on an old cookie.
As my MiniBB is integrated into the website, I have to work on line 125 of bb_admin.php, which I've renamed. I don't use the MiniBB login system.

To do it properly, I have to get into bb_admin.php by submitting a form with admin_usr and admin_psw; the form must be submitted with method=POST.
Here is the code:
<?php
// Load the forum configuration first so its settings are available.
include_once "DIrectory/MiniBB/setup_options.php";
// $admin_usr and $admin_pwd are expected to come from the site's own POSTed login form.
// Populate the fields bb_admin.php reads from $_POST before including it.
$_POST["mode"] = "login";
$_POST["adminusr"] = $admin_usr;
$_POST["adminpwd"] = $admin_pwd;
include_once "DIrectory/MiniBB/bb_admin.php";

Author Patriboom
Registered
#5 | Posted: 21 Feb 2015 05:23 
I worked long, very long before I could find this clue:

setup_options.php must have a
cookiedomain value different than ''
and cookiepath a value = ''

otherwise my browser (Opera) refuses to record any cookie.
Now, my setup_options.php has this about cookies:

$cookiedomain='plongee.rcmission.net';
$cookiename='DecouvPlongQueb';
$cookiepath='';
$cookiesecure=FALSE;
$cookie_expires=108000;
$cookie_renew=1800;
$cookielang_exp=2592000;

The cookiedomain corresponds to the actual domain name used for the website where miniBB is installed.

Author Patriboom
Registered
#6 | Posted: 21 Feb 2015 05:26 | Edited by: Patriboom 
Paul:
If the primary URL doesn't contain 'www', $main_url should start with 'https://url_to_forum' without 'www.'

Caution: https is a feature reserved for secured websites. If the website has no security control system, it is pointless to add the "s" after http.

Author Paul
Lead Developer
#7 | Posted: 23 Feb 2015 15:28 
Patriboom:
Cookie names cannot contain any of the following

This is mentioned in miniBB Manual as well. If you want less problems, avoid more tricks. They don't affect security anyway.

miniBB Manual:
Use only latin letters, digits and underscore sign specifying it. No spaces, dots or special symbols are allowed, this will make the login impossible to proceed. Should begin with a latin letter.


Author Paul
Lead Developer
#8 | Posted: 23 Feb 2015 15:29 
Patriboom:
As my MiniBB is integrated to website, i have to work on line 125 of bb_admin.php which I've renamed.

If your miniBB is integrated, you should work on bb_cookie.php and optionally bb_func_login.php. The admin's file is also based on these codes.
Guide.

Author Paul
Lead Developer
#9 | Posted: 23 Feb 2015 15:32 
Patriboom:
Caution: https is a reserved feature for securised website. If the website has no security controle system, that's for nothing to add the "s" after http.

It was just an example; of course if you don't have https connection, there should be 'http://'.

Actually, the CSRF/XSRF issue is related to this thing: you should have the same value in $main_url as you're entering the forum from. If it starts with a subdomain, then only the subdomain without www should be listed there. It should be absolutely equal to the domain you're entering credentials from. And yes, if your system is tied up with another login system, you may modify the cookie settings so they correspond to the system you're using.
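To make the host-matching point concrete, here is an added example (not miniBB's own code, and not posted by anyone in this thread) of the kind of origin check that produces a "possible CSRF/XSRF attack" rejection. It assumes a configured primary URL in the same form as $main_url and reads the browser's Origin or Referer header; the function names, the example.com hosts and the four constructed requests are all hypothetical.

```php
<?php
// Added illustration, not miniBB's own implementation.
// $mainUrl plays the role of $main_url from setup_options.php; $server plays
// the role of $_SERVER for one request. Names here are hypothetical.

function configuredHost(string $mainUrl): ?string {
    // Host part of the configured primary URL, lower-cased for comparison.
    $host = parse_url($mainUrl, PHP_URL_HOST);
    return ($host === null || $host === false) ? null : strtolower($host);
}

function requestHost(array $server): ?string {
    // Browsers send Origin on cross-site POSTs; fall back to Referer.
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (!empty($server[$header])) {
            $host = parse_url($server[$header], PHP_URL_HOST);
            return ($host === null || $host === false) ? null : strtolower($host);
        }
    }
    return null; // no usable header: treat as untrusted
}

function csrfCheck(string $mainUrl, array $server): bool {
    // Exact host comparison: 'www.example.com' and 'example.com' are
    // different hosts, which is the www mismatch described in this thread.
    $expected = configuredHost($mainUrl);
    $actual   = requestHost($server);
    return $expected !== null && $actual !== null && hash_equals($expected, $actual);
}

// Constructed requests for demonstration (not real traffic).
$mainUrl = 'https://www.example.com/forum';
$cases = [
    'match'        => ['HTTP_ORIGIN'  => 'https://www.example.com'],
    'www mismatch' => ['HTTP_ORIGIN'  => 'https://example.com'],
    'referer only' => ['HTTP_REFERER' => 'https://www.example.com/forum/bb_admin.php'],
    'no header'    => [],
];
foreach ($cases as $label => $server) {
    printf("%-13s %s\n", $label,
        csrfCheck($mainUrl, $server) ? 'ok' : 'Can not proceed: possible CSRF/XSRF attack!');
}
```

Run from the command line, only the first and third cases pass; the second fails because the configured host carries "www." and the request host does not, which is the misconfiguration Paul describes. Note that an Origin/Referer comparison on its own is a weak CSRF defence (both headers can be absent, and some privacy tools strip Referer); a per-session anti-CSRF token in the form is the stronger control, and this check is best treated as an extra layer rather than the only one.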

