Topic: [1.7 - 1.7.8] Security fix for CSRF vulnerability

Jan-Lukas
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #15 on: October 28, 2010, 04:42:04 PM »

My recommendation:

$csrf_protection_frontend should of course best be left at 1. If there are problems, you can temporarily set it to 0 here to keep the gallery running.


But searching from outside still doesn't work.
I'd rather not do without it.

Regards, Harald
Thanks, Harald




Jan
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #16 on: October 28, 2010, 05:13:32 PM »
You only need to change the method attribute in the search form to "get":

Code:
<form target="_blank" action="http://www.online-fremdfigurenkatalog.de/search.php" method="get">
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search

Jan-Lukas
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #17 on: October 28, 2010, 05:40:46 PM »
perfect  :thumbup:
Regards




ivan
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #18 on: October 28, 2010, 09:06:45 PM »
Please, under point 1,

Code:
Download the attached file csrf_utils.php file and copy it into includes/ folder of your 4images installation.

replace the wrong file with the right one (and delete the attachment below).

I first downloaded the wrong file ...
greetings
ivan


Jan
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #19 on: October 29, 2010, 11:08:30 AM »
Yes, sorry. I had edited Kai's post and forgot to adjust the link in the text. The link is correct now.

Sumale.my
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #20 on: October 29, 2010, 12:29:15 PM »
I find that very interesting :D
Quote
Scriptversion: 1.7.9 

Jan-Lukas
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #21 on: October 29, 2010, 04:34:06 PM »
hmm, what else should come after 1.7.8  :wink:




Sumale.my
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #22 on: October 29, 2010, 07:12:28 PM »
What I meant by that is that it probably won't take much longer now.
Let's see whether a lot has really been changed :D

surferboy
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #23 on: November 03, 2010, 08:55:25 AM »
This is, but then isn't, off topic.

Error message received: "CSRF check failed"

using v1.7.7, with the CSRF security fix obviously installed, on 30 Oct, after the files were updated ...

Action to cause the error message:

performing multiupload of images using V@no's multiupload form; max setting for file upload is 18000 kb

so I set the number of images to upload at 7, which all told came to about 13 mb.  hitting upload caused the error.

I eventually determined that I needed to change the max upload setting in my php.ini file setting but ....

the looming question:

will all error messages now read as " CSRF check failed?"

Thanks,

Brian

was experiencing a similar issue last week before the csrf security fix when I tried to upload any more than three images at a time.

Tried using V@no's multi upload and Budduke's multiupload that he created for the user category.
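Jan's answer earlier in the thread (switching the external search form to method="get") and Brian's "CSRF check failed" on a large multiupload both follow from how a form-token check behaves, and the PHP below is an added illustration written for this thread, not 4images' own csrf_utils.php. The function names csrf_token(), csrf_hidden_field(), csrf_check() and ini_size_to_bytes(), the session key and the hidden field name csrf_token are all assumptions; the requests at the bottom are constructed, not captured traffic.

```php
<?php
// Added illustration for this thread, not 4images' csrf_utils.php.
// Assumed names: csrf_token(), csrf_hidden_field(), csrf_check(),
// ini_size_to_bytes(); session key and form field 'csrf_token'.
declare(strict_types=1);

// Issue (or reuse) one random token per session for embedding in forms.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every state-changing (POST) form.
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Convert a php.ini shorthand size such as "8M" or "18000K" to bytes.
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    $unit  = strtoupper(substr($value, -1));
    $num   = (int) $value;          // leading digits of "8M" -> 8
    switch ($unit) {
        case 'G': return $num * 1024 * 1024 * 1024;
        case 'M': return $num * 1024 * 1024;
        case 'K': return $num * 1024;
        default:  return $num;
    }
}

// Returns null when the request may proceed, otherwise an error string.
// Only POST requests are checked: a GET search form carries no token and
// is passed through, which is why changing the external search form to
// method="get" stops the failure. Search is idempotent, so that is safe;
// forms that change state must stay POST and carry the hidden field.
function csrf_check(string $method, array $post, array $server, string $expected): ?string
{
    if (strtoupper($method) !== 'POST') {
        return null;                // nothing to protect on an idempotent request
    }
    $supplied = (string) ($post['csrf_token'] ?? '');
    if ($supplied !== '' && hash_equals($expected, $supplied)) {
        return null;
    }
    // PHP discards $_POST (and $_FILES) entirely when the request body is
    // larger than post_max_size, so the token never arrives. Report that
    // case separately instead of the generic "CSRF check failed".
    $length = (int) ($server['CONTENT_LENGTH'] ?? 0);
    $limit  = ini_size_to_bytes((string) ini_get('post_max_size'));
    if ($supplied === '' && $limit > 0 && $length > $limit) {
        return sprintf('Request body of %d bytes exceeds post_max_size (%d bytes); form data was discarded',
                       $length, $limit);
    }
    return 'CSRF check failed';
}

// Constructed requests (not captured traffic), with a fixed token for clarity.
$token = 'constructed-token-for-illustration';
var_dump(csrf_check('GET',  [], [], $token));                              // NULL: GET search form passes
var_dump(csrf_check('POST', ['csrf_token' => $token], [], $token));         // NULL: valid token
var_dump(csrf_check('POST', [], ['CONTENT_LENGTH' => '14000000'], $token)); // size message if post_max_size is the 8M default
var_dump(csrf_check('POST', ['csrf_token' => 'forged'], [], $token));      // "CSRF check failed"
```

The third call is the shape of Brian's case: roughly 13 MB of images in one POST, a body larger than post_max_size, so the server sees an empty $_POST and the token check is the first thing to fail. Raising post_max_size and upload_max_filesize in php.ini is the fix; the extra diagnostic only makes the cause visible rather than reporting every oversized upload as a CSRF failure. Switching a form to GET is acceptable only for read-only actions such as search; it is not a way to make an upload or approval form bypass the check.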

X444X TEAM
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #24 on: November 08, 2010, 10:41:53 PM »
Hi

In the file admin/admin_global.php,

when I added

if ($csrf_protection_enable && $csrf_protection_backend) {
    csrf_start();
}

the images in the waiting list cannot be approved.

I get a 404 page upon approval.

Is there another solution?

ulrich
Re: [1.7 - 1.7.8] Security fix for CSRF vulnerability
« Reply #25 on: December 05, 2010, 11:21:29 AM »
I am using version 1.7 and had to deviate from these instructions in two cases since I couldn't find those lines:

global.php

In the same file, search for the line:

include_once(ROOT_PATH.'includes/captcha_utils.php');

and insert the following code BELOW this line:

//-----------------------------------------------------
//--- CSRF protection ---------------------------------
//-----------------------------------------------------
include_once(ROOT_PATH.'includes/csrf_utils.php');



Instead I did this:
Search for include(ROOT_PATH.'includes/functions.php'); and then insert the above code.

admin/admin_global.php

Open admin/admin_global.php and search for the following line:

include_once(ROOT_PATH.'admin/admin_functions.php');

and insert the following code BELOW this line:

if ($csrf_protection_enable && $csrf_protection_backend) {
    csrf_start();
}



Instead I did this:
Search for include(ROOT_PATH.'admin/admin_functions.php'); and then insert the above code.

I hope this doesn't break anything or stop this fix from working.

 
