XSRF access blocked

Hi Guys,
I am unable to update any options on my Zenphoto website. If I log out and log in again I can update any options the first time; if I change anything again and try to update, I get the following message: "albumedit" Cross Site Request Forgery blocked. I get this error even if I try to change my theme.

Please help.

Refer to the following log from my Zenphoto.

2012-07-25 09:10:25 218.186.xxx.xx Admin login admin Kishore Success zp_admin
2012-07-25 09:14:18 218.186.xxx.xx XSRF access blocked admin Kishore Failed admin-themes
2012-07-25 09:15:45 218.186.xxx.xx XSRF access blocked admin Kishore Failed admin-themes
2012-07-25 09:18:03 218.186.xxx.xx XSRF access blocked admin Kishore Failed admin-themes
2012-07-25 09:26:56 218.186.xxx.xx Blocked access Failed /zen/zp-core/admin-logs.php?page=logs
2012-07-25 09:27:45 218.186.xxx.xx Blocked access Failed /zen/zp-core/admin-logs.php?page=logs
2012-07-25 09:27:48 218.186.xxx.xx Admin login admin Kishore Success zp_admin
2012-07-25 09:28:04 218.186.xxx.xx XSRF access blocked admin Kishore Failed admin-themes
2012-07-25 09:29:32 218.186.xxx.xx Admin login admin Kishore Success zp_admin
2012-07-25 09:30:04 218.186.xxx.xx XSRF access blocked admin Kishore Failed admin-themes
2012-07-25 09:32:23 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions
2012-07-25 09:40:22 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveplugins
2012-07-25 09:53:44 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions
2012-07-25 09:54:01 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions
2012-07-25 09:57:25 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions
2012-07-25 09:57:44 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions
2012-07-25 09:58:05 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions

Comments

  • I have not heard of specifically what you describe--being able to change something after a login, but not then again without logging out and back in.

    But from the description I am guessing that there is some problem with session variables or IP addresses.

    The cross site reference forgery detection is based on posting an encrypted "key" and in the post handling testing that the passed key is valid.

    The formula to generate the key is based on:

    1. What you are trying to save
    2. Your IP address as reported by the browser
    3. The particular user doing the save, and
    4. The admin session ID

    Numbers 1 and 3 are not likely to change. If your browser is doing something to hide your IP address and is not doing it consistently, then #2 might vary. #4 could vary if sessions are not working correctly on your server.
  • Hi Sbillard,

    Is there any way to trace this? Like capturing detailed logs?
  • You would have to instrument Zenphoto, but that should not be too hard.

    Find in `functions.php` the function `getXSRFToken()` and add to it some debug code:

    `debugLogVar('debugXSRF', array('action'=>$action,'IP'=>getUserIP(),'user'=>serialize($_zp_current_admin_obj), 'sessionID'=>session_id()));`

    Warning, I have just typed this in, so no guarantees on "spelling".

    This will log all the generations of the token providing the input to the computation. Clear your log and then go through your save. Note that you will have to reload the page in order to get the "POST" version of the token logged. You should have two entries in the debug log then, one for the page creation and one for the check on the token.

    That should tell you what is different.

    [edit] It might also help to put a line in `XSRFdefender()` in `admin-functions.php` to tell what call on the `getXSRFToken()` is what. Maybe `debugLog('Checking XSRF');` as the first line of the function.
  • Hi Sbillard,

    I am able to capture some logs but I am not sure if they are proper; I am completely new to PHP. Here I was trying to save changes in the plugins. I can see a different IP address is passed; I am not sure why this is happening.

    {Thu, 26 Jul 2012 02:01:29 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(11) "saveplugins"
    ["IP"]=>
    string(14) "210.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 06:58:12";s:12:"lastloggedin";s:19:"2012-07-26 02:12:19";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 02:01:38 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(11) "saveplugins"
    ["IP"]=>
    string(14) "210.212.120.33"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 06:58:12";s:12:"lastloggedin";s:19:"2012-07-26 02:12:19";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
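As an added example (not code from this thread or from Zenphoto), a small Python parser for debug entries in the format posted above. It automates the comparison sbillard asked for: for one action it pairs the first entry (page render) with the last (POST check) and reports which token inputs differ. The sample log is constructed from the entries above, with the serialized user object shortened since only its equality matters.

```python
import re

# Constructed sample in the format of the debugLogVar() output posted above;
# the serialized user object is shortened and the string lengths are not used.
SAMPLE_LOG = """{Thu, 26 Jul 2012 02:01:29 GMT}
debugXSRFarray(4) {
["action"]=>
string(11) "saveplugins"
["IP"]=>
string(14) "210.186.18.232"
["user"]=>
string(40) "O:22:"Zenphoto_Administrator":15:{shortened}"
["sessionID"]=>
string(32) "51e9f104b5bca5a9f0575b85df02ff86"
}
{Thu, 26 Jul 2012 02:01:38 GMT}
debugXSRFarray(4) {
["action"]=>
string(11) "saveplugins"
["IP"]=>
string(14) "210.212.120.33"
["user"]=>
string(40) "O:22:"Zenphoto_Administrator":15:{shortened}"
["sessionID"]=>
string(32) "51e9f104b5bca5a9f0575b85df02ff86"
}
"""

ENTRY_HEADER = re.compile(r"^\{(.+ GMT)\}$")      # {Thu, 26 Jul 2012 02:01:29 GMT}
KEY_LINE = re.compile(r'^\["(\w+)"\]=>$')          # ["IP"]=>
VALUE_LINE = re.compile(r'^string\(\d+\) "(.*)"$')  # string(14) "210.186.18.232"

TOKEN_INPUTS = ("IP", "user", "sessionID")


def parse_debug_log(text):
    """Return one dict per debugXSRF entry: time, action, IP, user, sessionID."""
    entries = []
    current = None
    pending_key = None
    for raw in text.splitlines():
        line = raw.strip()
        header = ENTRY_HEADER.match(line)
        if header:
            current = {"time": header.group(1)}
            entries.append(current)
            pending_key = None
            continue
        if current is None:
            continue
        key = KEY_LINE.match(line)
        if key:
            pending_key = key.group(1)
            continue
        value = VALUE_LINE.match(line)
        if value and pending_key:
            current[pending_key] = value.group(1)
            pending_key = None
    return entries


def token_inputs_diff(entries, action):
    """Compare the first (page render) and last (POST check) entries for an action
    and return {input: (render_value, post_value)} for every input that changed.
    An empty dict means the token inputs were stable, so the block has another cause."""
    same_action = [e for e in entries if e.get("action") == action]
    if len(same_action) < 2:
        return {}
    first, last = same_action[0], same_action[-1]
    return {
        key: (first.get(key), last.get(key))
        for key in TOKEN_INPUTS
        if first.get(key) != last.get(key)
    }


if __name__ == "__main__":
    parsed = parse_debug_log(SAMPLE_LOG)
    for entry in parsed:
        print(entry["time"], entry["action"], entry["IP"], entry["sessionID"])
    print("changed inputs:", token_inputs_diff(parsed, "saveplugins"))
```

Run against the real debug log file, the parser points straight at the changing input (here the IP) without reading through the serialized user object by hand; if the output is empty for the failing action, the token inputs were consistent and the session itself would be the next thing to check.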
  • Well, the different IP address is the problem. Perhaps you can put another line in the debugging:

    `debugLogVar('_SERVER', $_SERVER);`

    So we can see what the browser is passing.
  • Hi sbillard,

    This is really strange. I think it has something to do with my ISP: if I try to edit my Zenphoto album at the office I have no issue; I am having this issue only at home.
  • Hi sbillard,

    Please find the log below. I am not sure why I am getting a different IP address; I can't even ping this IP address.

    {Thu, 26 Jul 2012 18:22:37 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(11) "saveplugins"
    ["IP"]=>
    string(14) "218.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 18:22:45 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(11) "saveplugins"
    ["IP"]=>
    string(14) "218.212.120.33"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 18:22:45 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(7) "refresh"
    ["IP"]=>
    string(14) "218.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 18:22:45 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(7) "refresh"
    ["IP"]=>
    string(14) "218.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 18:22:45 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(10) "hitcounter"
    ["IP"]=>
    string(14) "218.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 18:22:47 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(11) "saveplugins"
    ["IP"]=>
    string(14) "218.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
  • It might be some kind of IP masking scheme. Anyway, I did not see the `_SERVER` debug in your latest posting. Also, for the sake of brevity, clear the log out before making a test so we get only the most current values.

    You could hack Zenphoto to get around this problem. Simply delete `.getUserIP()` from the computation in `getXSRFToken()`. Not quite as secure, but will avoid the issue you are having. Unfortunately next time you update Zenphoto the code would revert back, so this would be a change you would have to keep applying.

    Zenphoto does not really care what the IP address is so long as it is consistent. (Which in your case, unfortunately, it is not.)
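As an added example (not Zenphoto's code, nor sbillard's), a Python model of the token scheme described in the first reply (action, browser-reported IP, user, admin session ID) and of the workaround in the last reply (dropping the IP from the computation). The HMAC key, the joining of the inputs and the SHA-256 hash are assumptions for the model; the thread does not show how Zenphoto actually combines them. The IP addresses and session id are taken from the debug log above.

```python
import hashlib
import hmac

# Constructed server-side secret for this model (an assumption; not Zenphoto's key material).
SERVER_SECRET = b"constructed-example-secret"

USER = "admin"
SESSION = "51e9f104b5bca5a9f0575b85df02ff86"   # session id from the debug log above


def xsrf_token(action, user, session_id, ip=None):
    """Derive a token from the inputs listed in the thread: what is being saved (action),
    the user doing the save, the admin session id and, when ip is given, the IP address
    reported for the browser. ip=None models the workaround of removing getUserIP()."""
    parts = [action, user, session_id]
    if ip is not None:
        parts.append(ip)
    message = "\x00".join(parts).encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def check_token(posted, action, user, session_id, ip=None):
    """POST-side check: recompute from the current request's inputs and compare in
    constant time. Any input that differs from the render-time value fails the check."""
    expected = xsrf_token(action, user, session_id, ip)
    return hmac.compare_digest(posted, expected)


def simulate_save(bind_ip, ip_at_render, ip_at_post):
    """The token is minted when the admin page is rendered and checked when the form is
    posted. With IP binding, a different IP on the second request rejects a legitimate
    save (the 'XSRF access blocked' entries in the log); without it, the save goes through."""
    render_ip = ip_at_render if bind_ip else None
    post_ip = ip_at_post if bind_ip else None
    token = xsrf_token("saveplugins", USER, SESSION, render_ip)
    return check_token(token, "saveplugins", USER, SESSION, post_ip)


def forged_post_accepted(bind_ip):
    """A cross-site form post rides on the victim's session cookie but cannot read the
    token minted inside the victim's session, so the best it can do is a token computed
    under some other session id. That fails with or without IP binding."""
    ip = "218.186.18.232" if bind_ip else None
    guess = xsrf_token("saveplugins", USER, "0" * 32, ip)
    return check_token(guess, "saveplugins", USER, SESSION, ip)


if __name__ == "__main__":
    print("same IP, IP-bound:      ", simulate_save(True, "218.186.18.232", "218.186.18.232"))
    print("changed IP, IP-bound:   ", simulate_save(True, "218.186.18.232", "218.212.120.33"))
    print("changed IP, not bound:  ", simulate_save(False, "218.186.18.232", "218.212.120.33"))
    print("forged post, IP-bound:  ", forged_post_accepted(True))
    print("forged post, not bound: ", forged_post_accepted(False))
```

The second case is the thread's failure: the ISP presents a different address between the page load and the form post, so the recomputed token never matches. Dropping the IP input keeps the token bound to the session and user, which is what a cross-site page cannot supply, so the classic forged-POST case is still blocked; the IP input only adds protection against an attacker who already holds the session, and it breaks whenever the address seen by the server is not stable.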