Cross site request forgery blocked

I have just updated to Zenphoto 1.4.0.3

When I try to change some settings I constantly get the following message,
Cross site request forgery blocked.

The log says,
2011-04-13 21:16:36 124.185.67.77, 60.254.143.111 XSRF access blocked zippy Wayne Andrews Failed refresh

Installation information is below.

Can anyone help please?

Zenphoto version 1.4.0.3 [6817] (Official Build)
Current locale setting: en_US.UTF8
Current gallery theme: Default
PHP version: 5.2.17
Graphics support: PHP GD library bundled (2.0.34 compatible)
PHP memory limit: 96M (Note: Your server might allocate less!)
MySQL version: 5.0.91
Database name: zippy_zen_2010
Table prefix: zp_
Spam filter: none
CAPTCHA generator: zenphoto

Comments

  • acrylian Administrator, Developer
    That happens if you try to access an admin subpage directly, for example (other than the toolbox).

    It may also happen if you hit the refresh button of your browser (which your message indicates).

    What exactly did you do?
  • zippy Member
    Whenever I try to do anything. I always go through the toolbox.

    e.g. refresh the database, reset hit counters, add a new tag.
  • acrylian Administrator, Developer
    Hm, that should not happen. Do you have the Zenphoto install set to cookies or sessions? (Needless to say that it works for me without issues).
  • zippy Member
    It was set to cookies. I've just changed it to sessions and still the same problem.
    Not sure what to do.
  • acrylian Administrator, Developer
    Try to clear cookies in your browser (what do you use?). If that does not help I have to pass that to my colleague to respond later today.
  • zippy Member
    I use Safari. Has worked ok before I upgraded to the current version.

    I just deleted my cookies, but still no change.
  • acrylian Administrator, Developer
    So Safari 5, Mac or Win? Sadly I can't test 5 currently, as it does not run on my Mac currently. Anyway, I don't think this should be browser dependent (cookies are cookies). Did you check the settings?
  • zippy Member
    Safari 5 on a Mac.

    Check what settings? Browser settings?
  • acrylian Administrator, Developer
    Sorry, I meant the Cookie settings in the browser. I am not sure right now but maybe they are disabled by default or somehow changed (as the ones in > 4 are quite basic).
  • zippy Member
    They are set to - Accept cookies, Only from sites I visit.
  • zippy Member
    Just looking at the code in the file "admin-functions.php"

    This is what is causing the problem.

    /**
     * Checks for Cross Site Request Forgeries
     * @param string $action
     */
    function XSRFdefender($action) {
        $token = getXSRFToken($action);
        // Missing or mismatching token: notify the admin_XSRF_access filter (which logs it),
        // then redirect to the admin error page and stop processing the request.
        if (!isset($_REQUEST['XSRFToken']) || $_REQUEST['XSRFToken'] != $token) {
            zp_apply_filter('admin_XSRF_access', false, $action);
            header("HTTP/1.0 302 Found");
            header("Status: 302 Found");
            header('Location: ' . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php?action=external&error&msg=' . sprintf(gettext('"%s" Cross Site Request Forgery blocked.'), $action));
            exit();
        }
        // Token accepted: remove it from the request arrays so later code does not see it.
        unset($_REQUEST['XSRFToken']);
        if (isset($_POST['XSRFToken'])) {
            unset($_POST['XSRFToken']);
        }
        if (isset($_GET['XSRFToken'])) {
            unset($_GET['XSRFToken']);
        }
    }
  • acrylian Administrator, Developer
    Sorry, out of my area. My colleague sbillard will respond later.
  • zippy Member
    Ok, many thanks for your help.

    Regards,
    Wayne
  • This has nothing to do with cookies, so we can discount that. Zenphoto generates a token that it posts and then checks that the token is valid when processing the posts. This is to prevent rogue websites from making posts to Zenphoto and catching you "logged in".

    Of course, the code you cite is not "causing" the problem, it is detecting the cross site reference violation. The token is built from your IP address, User data, and the current session. So if one of these has changed, a violation will be indicated. None should change, but maybe sessions are not working on your site. (I see no way for the other two to "legitimately" be different.)

    Of course the reason that your earlier version of Zenphoto did not throw this error is that it did not protect against this security violation.
  • zippy Member
    Sorry, I did not mean the code was causing a problem, the code is fine. The problem is somewhere at my end...

    I have managed to identify what is causing the conflict of IP addresses.

    I use Fat Cow to host my web site. A feature that can be used with Fat Cow is Akamai.

    Akamai is an edge server caching solution, aimed to speed up your site's load times across the globe. When you add a subdomain to point to Akamai's servers, your site's images, CSS and javascript will be cached for up to 4 hours on Akamai's edge servers around the world - which means faster retrieval of your site's content for visitors who aren't in close proximity to FatCow's servers located in Boston, MA.

    This is giving the second IP address. Of course Akamai is of no use if you use dynamic content served from a SQL database. I have now turned off that feature and the problem is solved.

    My Zenphoto is now working perfectly. I just have to add some more content, and fine tune.

    Oh, and thanks for the prompt replies! www.wayneandrews.net/zenphoto
  • The cross site issues would be only for back-end saves, etc. So maybe Akamai is configurable to not cache those? Just a thought.
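The token construction described above (a token derived from the IP address, user data and session, verified on every admin post) and the two-address log entry zippy traced to the edge cache, as an added example. This is a Python model written for this thread, not Zenphoto's PHP code: the function names, the server secret, the session ids and the addresses are constructed, and it assumes that a request arriving through an edge proxy is recorded with a comma-separated forwarded-for value ("client, edge") rather than the single address the app saw when it issued the token.

```python
"""Model of an admin CSRF token, with and without an IP component.

Added example for this thread; not Zenphoto's own code. All names and
values below are constructed (hypothetical) for illustration.
"""
import hashlib
import hmac
from typing import Optional

# Constructed secret; a real application would load this from configuration.
SERVER_SECRET = b"constructed-example-secret"


def observed_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Address the application records for a request.

    Assumption: the app simply records the forwarded-for header when one is
    present. Through an edge node that header lists the client and the edge,
    so the same browser is recorded as a different string than on a direct
    connection (compare the two addresses in the log line in this thread).
    """
    return x_forwarded_for if x_forwarded_for else remote_addr


def make_token(action: str, user: str, session_id: str, ip: Optional[str]) -> str:
    """Keyed hash over the fields the token is bound to; ip=None means not IP-bound."""
    msg = "\x1f".join([action, user, session_id, ip or ""]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify(action: str, user: str, session_id: str, ip: Optional[str],
           presented: Optional[str]) -> bool:
    """Reject a missing token; compare a present one in constant time."""
    if not presented:
        return False
    return hmac.compare_digest(make_token(action, user, session_id, ip), presented)


def ip_bound_scenario() -> dict:
    """Token issued when the admin form is rendered, then submitted through the edge.

    The user, session and action are unchanged; only the recorded address
    differs, which is enough to fail an IP-bound check (the thread's symptom).
    """
    user, sess = "zippy", "sess-constructed-1"
    issue_ip = observed_ip("124.185.67.77", None)
    token = make_token("refresh", user, sess, issue_ip)
    submit_ip = observed_ip("60.254.143.111", "124.185.67.77, 60.254.143.111")
    return {
        "direct": verify("refresh", user, sess, issue_ip, token),
        "via_edge": verify("refresh", user, sess, submit_ip, token),
    }


def session_bound_scenario() -> dict:
    """Same requests with the token bound to user and session only.

    The submission through the edge now verifies, while a request that lacks
    the token (what a rogue site can send from the victim's browser) or that
    presents a token from another session is still rejected.
    """
    user, sess = "zippy", "sess-constructed-1"
    token = make_token("refresh", user, sess, None)
    return {
        "via_edge": verify("refresh", user, sess, None, token),
        "no_token": verify("refresh", user, sess, None, None),
        "other_session": verify("refresh", user, "sess-constructed-2", None, token),
    }


if __name__ == "__main__":
    print("IP-bound token:     ", ip_bound_scenario())
    print("session-bound token:", session_bound_scenario())
```

The design point: the CSRF defence comes from the token being unguessable and tied to the victim's session, which the rogue site never sees. Binding it additionally to the client address does not strengthen that, because a forged request is issued by the victim's own browser and so carries the victim's address anyway, but it does make the check fragile behind proxies and edge caches that rewrite the observed address. If the IP must stay part of the token, the application has to normalise it the same way on issue and on verification (for instance, always take the first hop of a forwarded-for header that a trusted proxy sets), which is also what the last reply above is getting at: the check only matters for back-end saves, so those requests should reach the origin unaltered.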