Author Topic: [1.7 - 1.7.8] Security fix for CSRF vulnerability  (Read 76970 times)
Jan-Lukas
« Reply #15 on: October 28, 2010, 04:42:04 PM »


My recommendation:

$csrf_protection_frontend is of course best left at 1. If there are problems, though, you can temporarily set it to 0 here to keep the gallery running.


But the search from outside still doesn't work.
I'd rather not do without it.

Regards, Harald

Thanks, Harald



Jan
« Reply #16 on: October 28, 2010, 05:13:32 PM »

You only need to change the method attribute in the search form to "get":

<form target="_blank" action="http://www.online-fremdfigurenkatalog.de/search.php" method="get">

Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search
Jan-Lukas
« Reply #17 on: October 28, 2010, 05:40:46 PM »

Perfect.
Regards



ivan
« Reply #18 on: October 28, 2010, 09:06:45 PM »

Under step 1,

Download the attached file csrf_utils.php file and copy it into includes/ folder of your 4images installation.

please replace the wrong file with the correct one (and delete the attachment below).

I downloaded the wrong file at first ...

greetings / grüsse
ivan

Jan
« Reply #19 on: October 29, 2010, 11:08:30 AM »

Yes, sorry. I had edited Kai's post and forgot to update the link in the text. The link is correct now.
Sumale.my
« Reply #20 on: October 29, 2010, 12:29:15 PM »

I find this very interesting:
Quote:
Scriptversion: 1.7.9
Jan-Lukas
« Reply #21 on: October 29, 2010, 04:34:06 PM »

Hmm, what else should come after 1.7.8?



Sumale.my
« Reply #22 on: October 29, 2010, 07:12:28 PM »

What I meant is that it probably won't take much longer.
Let's see whether a lot has really been changed.
surferboy
« Reply #23 on: November 03, 2010, 08:55:25 AM »

This is but then is not off topic.

Error message received: "CSRF check failed"

using v1.7.7, with the CSRF security fix obviously installed, on 30 Oct, after the files were updated ...

Action to cause the error message:

performing multiupload of images using V@no's multiupload form; max setting for file upload is 18000 kb

so I set the number of images to upload at 7, which all told came to about 13 mb.  hitting upload caused the error.

I eventually determined that I needed to change the max upload setting in my php.ini file setting but ....

the looming question:

will all error messages now read as "CSRF check failed"?

Thanks,

Brian

was experiencing a similar issue last week before the csrf security fix when I tried to upload any more than three images at a time.

Tried using V@no's multi upload and Budduke's multiupload that he created for the user category.
Logged
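
Added example (not from the thread, and not the code in 4images' csrf_utils.php): it assumes the token check applies only to POST requests, which is what the advice above to switch the external search form to GET implies, and it relies on PHP's documented behaviour that `$_POST` and `$_FILES` arrive empty when the request body exceeds `post_max_size`, so an oversized upload loses its token too. The function names, the `csrf_token` field and the sample requests are hypothetical.

```php
<?php
// Added example; not 4images' csrf_utils.php. All names here are hypothetical.

// Convert a php.ini size value such as "8M" or "18000K" to bytes.
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    $bytes = (int) $value;                       // "8M" casts to 8
    switch (strtolower(substr($value, -1))) {
        case 'g': $bytes *= 1024;                // fall through
        case 'm': $bytes *= 1024;                // fall through
        case 'k': $bytes *= 1024;
    }
    return $bytes;
}

// Explain why a request passes or fails a POST-only token check.
// $post stands for $_POST, $contentLength for $_SERVER['CONTENT_LENGTH'],
// $postMaxSize for ini_get('post_max_size').
function classify_request(string $method, int $contentLength, array $post,
                          string $sessionToken, string $postMaxSize): string
{
    if (strtoupper($method) !== 'POST') {
        return 'not-checked';        // e.g. an external search form using GET
    }
    $limit = ini_size_to_bytes($postMaxSize);    // 0 means "no limit"
    if ($limit > 0 && $contentLength > $limit && count($post) === 0) {
        return 'post-too-large';     // PHP dropped the body, token included
    }
    $sent = $post['csrf_token'] ?? '';           // hypothetical field name
    if (!is_string($sent) || $sent === '' || !hash_equals($sessionToken, $sent)) {
        return 'csrf-check-failed';
    }
    return 'ok';
}

// Constructed sample requests (not taken from the thread).
$token = bin2hex(random_bytes(16));
$cases = [
    'external search via GET'  => ['GET', 0, []],
    'external search via POST' => ['POST', 40, ['q' => 'cat']],
    '13 MB multi-upload'       => ['POST', 13 * 1024 * 1024, []],
    'normal form with token'   => ['POST', 120, ['csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $length, $post]) {
    printf("%-26s %s\n", $label, classify_request($method, $length, $post, $token, '8M'));
}
```

Reporting the oversized case separately gives the uploader a size error instead of a generic token failure, while the request is still rejected.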
X444X TEAM
« Reply #24 on: November 08, 2010, 10:41:53 PM »

Hi

In file admin/admin_global.php

When added

if ($csrf_protection_enable && $csrf_protection_backend) {
  csrf_start();
}

images on the waiting list cannot be approved.

I get a 404 page upon approval.

Is there another solution?
ulrich
« Reply #25 on: December 05, 2010, 11:21:29 AM »

I am using version 1.7 and had to deviate from these instructions in two cases since I couldn't find those lines:

global.php

In the same file, search for the line:

include_once(ROOT_PATH.'includes/captcha_utils.php');

and insert the following code BELOW this line:

//-----------------------------------------------------
//--- CSRF protection ---------------------------------
//-----------------------------------------------------
include_once(ROOT_PATH.'includes/csrf_utils.php');


Instead I did this:
Search for
include(ROOT_PATH.'includes/functions.php');
and then insert the above code.

admin/admin_global.php

Open admin/admin_global.php and search for the following line:

include_once(ROOT_PATH.'admin/admin_functions.php');

and insert the following code BELOW this line:

if ($csrf_protection_enable && $csrf_protection_backend) {
  csrf_start();
}


Instead I did this:
Search for
include(ROOT_PATH.'admin/admin_functions.php');
and then insert the above code.

I hope this doesn't break anything or stop this fix from working.