Author Topic: [1.7 - 1.7.8] Security fix for CSRF vulnerability  (Read 96015 times)


Offline Jan

Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #15 on: October 28, 2010, 05:13:32 PM »
You only need to change the method attribute of the search form to "get":

Code:
<form target="_blank" action="http://www.online-fremdfigurenkatalog.de/search.php" method="get">
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search

Offline Jan-Lukas

Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #16 on: October 28, 2010, 05:40:46 PM »
Perfect  :thumbup:
Best regards
Thanks Harald




Offline Jan

Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #17 on: October 29, 2010, 11:08:30 AM »
Yes, sorry. I had edited Kai's post and forgot to adjust the link in the text. The link is correct now.

Offline Sunny C.

Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #18 on: October 29, 2010, 12:29:15 PM »
I find this very interesting :D
Quote
Script version: 1.7.9

Offline Jan-Lukas

Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #19 on: October 29, 2010, 04:34:06 PM »
Hmm, what else would come after 1.7.8  :wink:




Offline Sunny C.

Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #20 on: October 29, 2010, 07:12:28 PM »
What I meant was that it probably won't take much longer now.
Let's see whether a lot has really been changed this time :D

Offline surferboy

Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #21 on: November 03, 2010, 08:55:25 AM »
This is, but then is not, off topic.

Error message received: "CSRF check failed"

using v1.7.7, with the CSRF security fix obviously installed, on 30 Oct, after the files were updated ...

Action to cause the error message:

performing a multiupload of images using V@no's multiupload form; the max setting for file upload is 18000 kb

so I set the number of images to upload at 7, which all told came to about 13 mb.  hitting upload caused the error.

I eventually determined that I needed to change the max upload setting in my php.ini file setting but ....

the looming question:

will all error messages now read as " CSRF check failed?"

Thanks,

Brian

I was experiencing a similar issue last week, before the CSRF security fix, when I tried to upload any more than three images at a time.

Tried using V@no's multi upload and Budduke's multiupload that he created for the user category.
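An added illustration (not code from the 4images fix or from anyone in this thread) of the two behaviours reported above. Reply #15 works because a CSRF token check normally applies only to POST requests, so a search form switched to GET never reaches the token comparison; that is acceptable only because a search changes nothing on the server. The oversized upload in Reply #21 surfaces as "CSRF check failed" because, when a request body exceeds post_max_size, PHP discards $_POST and $_FILES entirely, so the token field is simply absent. The function and field names below (CSRF_FIELD, csrf_token(), csrf_check(), ini_size_to_bytes()), the error strings and the sample requests are all constructed for this example and are not what 4images itself uses:

```php
<?php
// Added example, not 4images code: a CSRF check whose behaviour matches the
// two observations in this thread. Constructed names: CSRF_FIELD,
// csrf_token(), csrf_check(), ini_size_to_bytes(); the error strings are
// ours as well, not the ones 4images prints.
declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';

// Convert a php.ini shorthand size ("8M", "18000K", "2G", or plain bytes)
// to a byte count. "-1" and "" mean unlimited.
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '' || $value === '-1') {
        return PHP_INT_MAX;
    }
    $number = (int) $value;                  // leading digits: "18000K" -> 18000
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $number * 1024 * 1024 * 1024;
        case 'M': return $number * 1024 * 1024;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}

// Issue (or reuse) the per-session token that every form must echo back.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

// Returns 'ok' when the request passes, otherwise the reason it was refused.
// $method, $contentLength, $post and $session stand in for REQUEST_METHOD,
// CONTENT_LENGTH, $_POST and $_SESSION so the function can run from the CLI.
function csrf_check(string $method, int $contentLength, array $post,
                    array $session, ?string $postMaxSize = null): string
{
    // 1. Only state-changing methods are checked. This is why changing the
    //    external search form to method="get" (Reply #15) stops the error:
    //    a GET never reaches the token comparison. That is acceptable only
    //    because a search does not modify anything on the server.
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return 'ok';
    }

    // 2. When the body exceeds post_max_size, PHP discards $_POST and $_FILES
    //    completely, so the token field is absent and a plain token check
    //    reports "CSRF check failed" (Reply #21) instead of the real cause.
    //    Name that case before looking at the token.
    $limit = ini_size_to_bytes($postMaxSize ?? (string) ini_get('post_max_size'));
    if ($contentLength > $limit) {
        return sprintf('request body (%d bytes) exceeds post_max_size (%d bytes)',
            $contentLength, $limit);
    }

    // 3. The real check: the submitted token must equal the session token,
    //    compared in constant time. A missing or non-string field fails.
    $expected = (string) ($session[CSRF_FIELD] ?? '');
    $given    = $post[CSRF_FIELD] ?? '';
    if (!is_string($given) || $expected === '' || $given === ''
        || !hash_equals($expected, $given)) {
        return 'CSRF check failed';
    }
    return 'ok';
}

// Constructed requests; run with: php csrf_demo.php
$session = [];
$token   = csrf_token($session);

// The external search form after the change in Reply #15: a GET.
echo 'GET search:        ', csrf_check('GET', 0, [], $session), "\n";
// A normal form submission carrying the session token.
echo 'POST with token:   ', csrf_check('POST', 512, [CSRF_FIELD => $token], $session), "\n";
// A cross-site POST that cannot know the token.
echo 'POST wrong token:  ', csrf_check('POST', 512, [CSRF_FIELD => 'guess'], $session), "\n";
// Reply #21: seven images, roughly 13 MB, against a constructed 8M limit;
// PHP would have dropped $_POST, so the token never arrives.
echo 'POST 13 MB upload: ', csrf_check('POST', 13 * 1024 * 1024, [], $session, '8M'), "\n";
```

The size check is placed before the token comparison so that an oversized upload is reported as a size problem rather than as a CSRF failure; both paths still refuse the request, so the protection does not get weaker, only the error message gets more honest. The GET exemption is the standard design, but it is only safe while every state-changing action in the application goes through POST.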

Offline X444X TEAM

Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #22 on: November 08, 2010, 10:41:53 PM »
Hi

In file admin/admin_global.php

When added

if ($csrf_protection_enable && $csrf_protection_backend) {
    csrf_start();
}


Images in the waiting list can not be approved any more.

I get a 404 page upon approval.

Is there another solution?

Offline ulrich

Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #23 on: December 05, 2010, 11:21:29 AM »
I am using version 1.7 and had to deviate from these instructions in two cases since I couldn't find those lines:

global.php

In the same file, search for the line:

include_once(ROOT_PATH.'includes/captcha_utils.php');

and insert the following code BELOW this line:

//-----------------------------------------------------
//--- CSRF protection ---------------------------------
//-----------------------------------------------------
include_once(ROOT_PATH.'includes/csrf_utils.php');



Instead I did this:
Search for include(ROOT_PATH.'includes/functions.php'); and then insert the above code.

admin/admin_global.php

Open admin/admin_global.php and search for the following line:

include_once(ROOT_PATH.'admin/admin_functions.php');

and insert the following code BELOW this line:

if ($csrf_protection_enable && $csrf_protection_backend) {
    csrf_start();
}



Instead I did this:
Search for include(ROOT_PATH.'admin/admin_functions.php'); and then insert the above code.

I hope this doesn't break anything or stop this fix from working.