Member
knichel   2018-10-13, 16:41
#1

When I try to rotate an image via zenphoto, I get an error: "“albumedit” Cross Site Request Forgery blocked." What is causing this?

Administrator
acrylian   2018-10-13, 17:58
#2

Generally it means the internal XSRFtoken is not matching, which is partly based on the session. I just tried locally and on our own site and it is working as expected for me. Any other errors in the logs?

Member
knichel   2018-10-13, 19:57
#3

I don't see anything in the logs that points to the zenphoto directory. Is there a way to turn off the check to test this theory?

Member
knichel   2018-10-13, 20:05
#4

I found this in the zenphoto security logs:
2018-10-13 16:01:40 #.#.#.# Cross Site Reference admin fName lName Blocked albumedit

Administrator
acrylian   2018-10-14, 08:55
#5

Yeah, that is the error if the tokens don't match. Sorry, I cannot tell why they won't. Try to clear cookies and caches in the browser used.

You cannot turn off this check except by hacking core files.

Member
knichel   2018-10-14, 18:58
#6

I cleared the browser cache/cookies and restarted the browser (Firefox) and got the same error.

Administrator
acrylian   2018-10-14, 19:18
#7

Then I have no idea, except that something is wrong with sessions. You could "hack" the XSRFtoken() function and add a debuglog() call to it.

Member
knichel   2018-10-14, 20:10
#8

Where are the sessions stored?

Member
knichel   2018-10-14, 20:25
#9

Looking at the admin screen, I see "PHP Session path: /tmp". Is that inside my public_html folder? ~/public_html/tmp or ~/tmp on my hosting service? I see no session information in either of these locations.

Member
knichel   2018-10-14, 20:41
#10

Further inspection revealed that /tmp is at the root of the server filesystem. My user has rw- and there are no other perms on this session data. Can this be why? Doesn't the session data need to be writeable by the web server user?

Administrator
acrylian   2018-10-14, 20:44
#11

Actually, where the server puts session data is server configuration, as is the rights management needed for that. I don't have the code in front of me, but ZP only sets a path if none is defined by the server, or something like that. Can you maybe check your server config (via phpinfo, for example)?

Member
knichel   2018-10-14, 21:19
#12

From phpinfo():

sys_temp_dir = ~/public_html/tmp
session.save_path = /tmp

Administrator
acrylian   2018-10-15, 10:26
#13

That at least matches what you reported above. Why the permissions are not correct I cannot really tell. Maybe ask your host for assistance?
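The session-bound token that acrylian describes in #2 and the session save-path permission question from #10 to #13 can be checked together with one script. This is an added diagnostic written for this thread; it is not code from the thread, from Zenphoto or from its XSRFtoken() function. The file name session_check.php, the hypothetical HMAC token scheme and the counter stored in the session are assumptions made for the example, and passing the token in the URL is only for this manual, throwaway test, not how a real form should carry it.

```php
<?php
// session_check.php: a throwaway diagnostic for the failure mode in this thread.
// Put it in the web root, request it twice in the browser, then delete it.
// Hypothetical code written for this thread; not part of Zenphoto. The token
// scheme below illustrates a session-bound CSRF token in general, not Zenphoto's
// own XSRFtoken() implementation.

declare(strict_types=1);

// session_start() must run before any output, otherwise the session cookie
// cannot be set and every request starts a fresh, empty session.
header('Content-Type: text/plain; charset=utf-8');
$sessionStarted = session_start();

// 1. Where does PHP store sessions, and can the web server user write there?
// session.save_path may be empty (use the system temp dir) or "N;MODE;/path".
$savePath = session_save_path();
if ($savePath === '') {
    $savePath = sys_get_temp_dir();
}
$parts = explode(';', $savePath);
$savePath = (string) end($parts);

$serverUser = 'unknown (posix extension missing)';
if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
    $pw = posix_getpwuid(posix_geteuid());
    $serverUser = $pw['name'] ?? (string) posix_geteuid();
}

printf("session.save_handler : %s\n", ini_get('session.save_handler'));
printf("session.save_path    : %s\n", $savePath);
printf("web server user      : %s\n", $serverUser);
printf("save path exists     : %s\n", is_dir($savePath) ? 'yes' : 'NO');
printf("save path writable   : %s\n", is_writable($savePath) ? 'yes' : 'NO');
if (is_dir($savePath)) {
    printf("save path mode       : %s\n", substr(sprintf('%o', fileperms($savePath)), -4));
}
printf("session_start()      : %s\n", $sessionStarted ? 'ok' : 'FAILED (see PHP error log)');

// 2. Does session data survive a round trip? The counter must grow on reload.
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
printf("session id           : %s\n", session_id());
printf("requests seen        : %d (reload; if this stays at 1 nothing is persisted)\n", $_SESSION['hits']);

// 3. Session-bound anti-CSRF token: HMAC over the action name, keyed with a
// secret that lives only in the session. If session writes are lost, the secret
// is regenerated on every request and a token minted by the previous request
// can never verify, which shows up as a "Cross Site Request Forgery blocked" error.
function xsrf_secret(): string
{
    if (empty($_SESSION['xsrf_secret'])) {
        $_SESSION['xsrf_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['xsrf_secret'];
}

function xsrf_token(string $action): string
{
    return hash_hmac('sha256', $action, xsrf_secret());
}

function xsrf_check(string $action, string $token): bool
{
    // Constant-time comparison so the check itself leaks nothing about the token.
    return hash_equals(xsrf_token($action), $token);
}

$action = 'albumedit';
if (isset($_GET['token'])) {
    $ok = xsrf_check($action, (string) $_GET['token']);
    printf("token from last request verifies: %s\n", $ok ? 'yes' : 'NO (session not persisted, or token forged)');
}
// A real form carries the token in a POST field; a link is enough for a
// manual diagnostic that is deleted afterwards.
$path = strtok($_SERVER['REQUEST_URI'] ?? '/', '?');
printf("next request         : %s?token=%s\n", $path, xsrf_token($action));

session_write_close();
```

Read the output top to bottom: if "save path writable" says NO for the user PHP runs as, or "requests seen" stays at 1 across reloads, the session never persists and no token minted in one request can verify in the next, which is exactly the symptom above. Only when both of those pass does the token check at the bottom become meaningful.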

  