zenphoto forums » Usage Support

XSRF access blocked

(9 posts)
  • Started 10 months ago by landlcoin
  • Latest reply from sbillard
  1. landlcoin

    Junior
    Joined: Jul '12
    Posts: 5

    Hi Guys,
    I am unable to update any options on my Zenphoto website. If I log out and log in again I can update any options for the first time, but if I change anything again and try to update I get the following message: "albumedit" Cross Site Request Forgery blocked. I get this error even if I try to change my theme.

    Please help.

    Refer to the following log from my Zenphoto.

    2012-07-25 09:10:25 218.186.xxx.xx Admin login admin Kishore Success zp_admin
    2012-07-25 09:14:18 218.186.xxx.xx XSRF access blocked admin Kishore Failed admin-themes
    2012-07-25 09:15:45 218.186.xxx.xx XSRF access blocked admin Kishore Failed admin-themes
    2012-07-25 09:18:03 218.186.xxx.xx XSRF access blocked admin Kishore Failed admin-themes
    2012-07-25 09:26:56 218.186.xxx.xx Blocked access Failed /zen/zp-core/admin-logs.php?page=logs
    2012-07-25 09:27:45 218.186.xxx.xx Blocked access Failed /zen/zp-core/admin-logs.php?page=logs
    2012-07-25 09:27:48 218.186.xxx.xx Admin login admin Kishore Success zp_admin
    2012-07-25 09:28:04 218.186.xxx.xx XSRF access blocked admin Kishore Failed admin-themes
    2012-07-25 09:29:32 218.186.xxx.xx Admin login admin Kishore Success zp_admin
    2012-07-25 09:30:04 218.186.xxx.xx XSRF access blocked admin Kishore Failed admin-themes
    2012-07-25 09:32:23 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions
    2012-07-25 09:40:22 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveplugins
    2012-07-25 09:53:44 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions
    2012-07-25 09:54:01 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions
    2012-07-25 09:57:25 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions
    2012-07-25 09:57:44 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions
    2012-07-25 09:58:05 218.186.xxx.xx XSRF access blocked admin Kishore Failed saveoptions

    Posted 10 months ago
  2. Zenphoto development team
    sbillard

    Chief Developer
    Joined: May '07
    Posts: 9,771

    I have not heard of specifically what you describe--being able to change something after a login, but not then again without logging out and back in.

    But from the description I am guessing that there is some problem with session variables or IP addresses.

    The cross site reference forgery detection is based on posting an encrypted "key" and in the post handling testing that the passed key is valid.

    The formula to generate the key is based on:

    1. What you are trying to save
    2. Your IP address as reported by the browser
    3. The particular user doing the save
    and
    4. The admin session ID

    Numbers 1 and 3 are not likely to change. If your browser is doing something to hide your IP address and is not doing it consistently, then #2 might vary. #4 could vary if sessions are not working correctly on your server.

    Don't forget to read the Forum rules and usage resources
    Posted 10 months ago
  3. landlcoin

    Junior
    Joined: Jul '12
    Posts: 5

    Hi Sbillard,

    Is there any way to trace this? Like capturing the detailed logs?

    Posted 10 months ago
  4. Zenphoto development team
    sbillard

    Chief Developer
    Joined: May '07
    Posts: 9,771

    You would have to instrument Zenphoto, but that should not be too hard.

    Find in functions.php the function getXSRFToken() and add to it some debug code:

    debugLogVar('debugXSRF', array('action'=>$action,'IP'=>getUserIP(),'user'=>serialize($_zp_current_admin_obj), 'sessionID'=>session_id()));

    Warning, I have just typed this in, so no guarantees on "spelling".

    This will log all the generations of the token providing the input to the computation. Clear your log and then go through your save. Note that you will have to reload the page in order to get the "POST" version of the token logged. You should have two entries in the debug log then, one for the page creation and one for the check on the token.

    That should tell you what is different.

    [edit] It might also help to put a line in XSRFdefender() in admin-functions.php to tell what call on the getXSRFToken() is what. Maybe debugLog('Checking XSRF'); as the first line of the function.

    Posted 10 months ago
  5. landlcoin

    Junior
    Joined: Jul '12
    Posts: 5

    Hi Sbillard,

    I am able to capture some logs but I am not sure if they are proper; I am completely new to PHP. Here I was trying to save changes in the plugins. I can see a different IP address is passed, and I am not sure why this is happening.

    {Thu, 26 Jul 2012 02:01:29 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(11) "saveplugins"
    ["IP"]=>
    string(14) "210.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 06:58:12";s:12:"lastloggedin";s:19:"2012-07-26 02:12:19";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 02:01:38 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(11) "saveplugins"
    ["IP"]=>
    string(14) "210.212.120.33"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 06:58:12";s:12:"lastloggedin";s:19:"2012-07-26 02:12:19";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }

    Posted 10 months ago
  6. Zenphoto development team
    sbillard

    Chief Developer
    Joined: May '07
    Posts: 9,771

    Well, the different IP address is the problem. Perhaps you can put another line in the debugging:

    debugLogVar('_SERVER', $_SERVER);

    So we can see what the browser is passing.

    Posted 10 months ago
  7. landlcoin

    Junior
    Joined: Jul '12
    Posts: 5

    Hi sbillard,

    This is really strange. I think it has something to do with my ISP: if I try to edit my Zenphoto album at the office I have no issue; I am having this issue only at home.

    Posted 10 months ago
  8. landlcoin

    Junior
    Joined: Jul '12
    Posts: 5

    Hi sbillard,

    Please find the log below. I am not sure why I am getting a different IP address; I can't even ping this IP address.

    {Thu, 26 Jul 2012 18:22:37 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(11) "saveplugins"
    ["IP"]=>
    string(14) "218.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 18:22:45 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(11) "saveplugins"
    ["IP"]=>
    string(14) "218.212.120.33"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 18:22:45 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(7) "refresh"
    ["IP"]=>
    string(14) "218.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 18:22:45 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(7) "refresh"
    ["IP"]=>
    string(14) "218.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 18:22:45 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(10) "hitcounter"
    ["IP"]=>
    string(14) "218.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }
    {Thu, 26 Jul 2012 18:22:47 GMT}
    debugXSRFarray(4) {
    ["action"]=>
    string(11) "saveplugins"
    ["IP"]=>
    string(14) "218.186.18.232"
    ["user"]=>
    string(1044) "O:22:"Zenphoto_Administrator":15:{s:7:"objects";N;s:6:"master";b:1;s:3:"msg";N;s:11:"no_zp_login";b:0;s:5:"reset";b:0;s:6:"loaded";b:1;s:5:"table";s:14:"administrators";s:9:"transient";b:0;s:5:"*id";i:7;s:28:"PersistentObjectunique_set";a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}s:26:"PersistentObjectcache_by";s:49:"a:2:{s:4:"user";s:5:"admin";s:5:"valid";s:1:"1";}";s:27:"PersistentObjectuse_cache";b:0;s:26:"PersistentObjecttempdata";a:0:{}s:22:"PersistentObjectdata";a:17:{s:2:"id";s:1:"7";s:4:"user";s:5:"admin";s:4:"pass";s:40:"5706ef6558c6539c8119c96492fd6e40046e4714";s:4:"name";s:7:"Kishore";s:5:"email";s:19:"Kishore@landl.co.in";s:6:"rights";s:10:"1961345013";s:11:"custom_data";N;s:5:"valid";s:1:"1";s:5:"group";N;s:4:"date";s:19:"2012-07-25 09:10:10";s:8:"loggedin";s:19:"2012-07-26 23:48:15";s:12:"lastloggedin";s:19:"2012-07-26 06:58:12";s:5:"quota";N;s:8:"language";N;s:11:"prime_album";N;s:17:"other_credentials";N;s:16:"challenge_phrase";N;}s:25:"PersistentObjectupdates";a:1:{s:6:"rights";i:1961345013;}}"
    ["sessionID"]=>
    string(32) "51e9f104b5bca5a9f0575b85df02ff86"
    }

    Posted 10 months ago
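The four token inputs sbillard lists in post 2 and the debugXSRF dumps posted above can be compared mechanically rather than by eye. The Python below is an added example, not Zenphoto code: it parses entries in the posted dump format, recomputes a stand-in token (a plain SHA-1 over the four inputs, assumed for illustration and not Zenphoto's actual formula) for consecutive entries of one save action, and names the input that changed between page render and POST. The sample log is constructed, with placeholder IPs and a shortened serialized user object.

```python
import hashlib
import re

# Builds one debugXSRF entry in the shape of the dumps posted above. This is a
# constructed sample (placeholder IPs from 192.0.2.0/24, serialized user object
# shortened), not text copied from the thread.
def debug_entry(ts, action, ip, user='O:22:"Zenphoto_Administrator":15:{...}',
                sid='51e9f104b5bca5a9f0575b85df02ff86'):
    fields = (('action', action), ('IP', ip), ('user', user), ('sessionID', sid))
    body = ''.join('["%s"]=>\nstring(%d) "%s"\n' % (k, len(v), v) for k, v in fields)
    return '{%s}\ndebugXSRFarray(4) {\n%s}\n' % (ts, body)

SAMPLE_LOG = (debug_entry('Thu, 26 Jul 2012 18:22:37 GMT', 'saveplugins', '192.0.2.10')
              + debug_entry('Thu, 26 Jul 2012 18:22:45 GMT', 'saveplugins', '192.0.2.77')
              + debug_entry('Thu, 26 Jul 2012 18:22:45 GMT', 'refresh', '192.0.2.10')
              + debug_entry('Thu, 26 Jul 2012 18:22:47 GMT', 'saveplugins', '192.0.2.10'))

ENTRY_RE = re.compile(r'\{(?P<ts>[^}\n]*)\}\ndebugXSRFarray\(\d+\) \{\n(?P<body>.*?)\n\}', re.S)
FIELD_RE = re.compile(r'\["(?P<key>\w+)"\]=>\nstring\(\d+\) "(?P<val>.*)"')
FACTORS = ('action', 'IP', 'user', 'sessionID')

def parse_entries(text):
    """Split a debug log into dicts of the four token inputs, oldest first."""
    out = []
    for m in ENTRY_RE.finditer(text):
        e = {f['key']: f['val'] for f in FIELD_RE.finditer(m['body'])}
        e['timestamp'] = m['ts']
        out.append(e)
    return out

def xsrf_token(action, ip, user, session_id):
    """Stand-in for the token sbillard describes: one hash over all four inputs.
    Assumed shape for illustration; Zenphoto's exact formula is not reproduced."""
    return hashlib.sha1((action + ip + user + session_id).encode()).hexdigest()

def diagnose(rendered, posted):
    """Compare inputs logged at page render with those logged at the POST check.
    Returns (tokens_match, factors_that_changed) so the failing input is named."""
    tok = lambda e: xsrf_token(*(e[k] for k in FACTORS))
    return tok(rendered) == tok(posted), [k for k in FACTORS if rendered[k] != posted[k]]

def diagnose_log(text, action):
    """Diagnose each consecutive pair of entries logged for one save action."""
    es = [e for e in parse_entries(text) if e.get('action') == action]
    return [(a['timestamp'], b['timestamp']) + diagnose(a, b) for a, b in zip(es, es[1:])]

if __name__ == '__main__':
    for t1, t2, ok, changed in diagnose_log(SAMPLE_LOG, 'saveplugins'):
        print(t1, '->', t2, 'token match' if ok else 'token MISMATCH, changed: %s' % changed)
```

Run against a real debug log, it filters out the unrelated refresh and hitcounter entries and reports, for each save, whether the IP, user or session ID moved between the two token computations.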
  9. Zenphoto development team
    sbillard

    Chief Developer
    Joined: May '07
    Posts: 9,771

    It might be some kind of IP masking scheme. Anyway, I did not see the _SERVER debug in your latest posting. Also, for the sake of brevity, clear the log out before making a test so we get only the most current values.

    You could hack Zenphoto to get around this problem. Simply delete .getUserIP() from the computation in getXSRFToken(). Not quite as secure, but will avoid the issue you are having. Unfortunately next time you update Zenphoto the code would revert back, so this would be a change you would have to keep applying.

    Zenphoto does not really care what the IP address is so long as it is consistent. (Which in your case, unfortunately, it is not.)

    Posted 10 months ago
