Ticket #1268 (new defect)

Opened 12 months ago

Last modified 3 months ago

../env/request/set_csrf_secret.lua:17: Cross-Site Request Forgery attempt detected

Reported by: alex@… Owned by: dark
Priority: major Milestone:
Component: Frontend Version: 2.0 beta
Keywords: lqfb2, Cross-Site, Forgery, Core 2.0.11 Cc: alex@…

Description

Hi,

I installed LiquidFeedback Core v2.0.11 and LiquidFeedback-Frontend v2.0 on a RHEL 5 (CentOS 5.7) box, adapting the procedure shown here: http://dev.liquidfeedback.org/trac/lf/wiki/installation

Liquid Feedback 2.0 is installed here: http://www.democraziaweb.com:81/lf/

Sometimes, when logging in, this error appears on this page: http://www.democraziaweb.com:81/lf/index/login

../env/request/set_csrf_secret.lua:17: Cross-Site Request Forgery attempt detected

Stack trace follows:
[C]: in function 'error'
../env/request/set_csrf_secret.lua:17: in function 'set_csrf_secret'
...id_feedback_frontend/app/main/_filter/20_session.lua:12: in function 'func'
../env/execute/file_path.lua:24: in function 'file_path'
../env/execute/_add_filters_by_path.lua:17: in function 'wrapper_func'
../env/execute/wrapped.lua:21: in function <../env/execute/wrapped.lua:11>
(tail call): ?
../env/execute/multi_wrapped.lua:18: in function 'inner_func'
../env/execute/inner.lua:19: in function 'inner'
..._frontend/app/main/_filter_action/10_transaction.lua:3: in function 'func'
...
../env/execute/wrapped.lua:21: in function <../env/execute/wrapped.lua:11>
(tail call): ?
(tail call): ?
../env/execute/filtered_action.lua:32: in function 'filtered_action'
webmcp.lua:313: in function <webmcp.lua:256>
[C]: in function 'xpcall'
webmcp.lua:255: in main chunk
[C]: in function 'pcall'
/opt/webmcp/cgi-bin/webmcp-wrapper.lua:7: in main chunk
[C]: ?

Configuration "myconfig"

Configuration "init"

REQUESTED ACTION: index/login
/main/_filter_action/10_transaction.lua

BEGIN;;
/main/_filter/20_session.lua

SELECT "session".* FROM "session" WHERE (ident = 'GQw2jq7lFZm7lE8Hb2J2EuXtoPA3wSjh') LIMIT 1;
INSERT INTO "session" ("additional_secret", "ident") VALUES ('byIIqN46IJDsNZpCG3Blqwahm9ZeiObd', 'bVUNtG76MkAtEN02n86IfEddfw5jAGjD') RETURNING ("ident");
UNEXPECTED ERROR

Finished after 51.2 ms (40.0 ms CPU)

I use Firefox 13.0.1 on Windows 7. How do I fix this?

Change History

comment:1 Changed 12 months ago by Democrazia Diretta <alex@…>

This issue is urgent. It happens on various other pages as well.

E.g. from http://democraziaweb.com:81/lf/index/index.html, if I click on "Select Language" and then select any language, I am redirected to: http://democraziaweb.com:81/lf/index/set_lang

with this error page:

Ooops, a system error occured

Most probably you found a software bug. Don't panic, you can now choose one of the following options:
Go to start page Retry request Create bug report
Leider ist ein Systemfehler aufgetreten

Du hast vermutlich gerade einen Fehler in der Software entdeckt. Das ist kein Grund zur Panik, dir bleiben die folgenden Optionen:
Weiter zur Startseite Anfrage wiederholen Fehlerbericht erstellen

If you write a bug report, please include the following output in your bug report.
Falls Du einen Fehlerbericht erstellst, füge bitte die folgenden Ausgaben mit ein.

../env/request/set_csrf_secret.lua:17: Cross-Site Request Forgery attempt detected

Stack trace follows:
[C]: in function 'error'
../env/request/set_csrf_secret.lua:17: in function 'set_csrf_secret'
...id_feedback_frontend/app/main/_filter/20_session.lua:12: in function 'func'
../env/execute/file_path.lua:24: in function 'file_path'
../env/execute/_add_filters_by_path.lua:17: in function 'wrapper_func'
../env/execute/wrapped.lua:21: in function <../env/execute/wrapped.lua:11>
(tail call): ?
../env/execute/multi_wrapped.lua:18: in function 'inner_func'
../env/execute/inner.lua:19: in function 'inner'
..._frontend/app/main/_filter_action/10_transaction.lua:3: in function 'func'
...
../env/execute/wrapped.lua:21: in function <../env/execute/wrapped.lua:11>
(tail call): ?
(tail call): ?
../env/execute/filtered_action.lua:32: in function 'filtered_action'
webmcp.lua:313: in function <webmcp.lua:256>
[C]: in function 'xpcall'
webmcp.lua:255: in main chunk
[C]: in function 'pcall'
/opt/webmcp/cgi-bin/webmcp-wrapper.lua:7: in main chunk
[C]: ?

Configuration "myconfig"

Configuration "init"

REQUESTED ACTION: index/set_lang
/main/_filter_action/10_transaction.lua

BEGIN;;
/main/_filter/20_session.lua

SELECT "session".* FROM "session" WHERE (ident = 'axLZgPbdDrES*mHtxrlK6m9') LIMIT 1;
INSERT INTO "session" ("additional_secret", "ident") VALUES ('UpKDm70X*tiS4EHlEfnqX4l4p', 'nHECtYRXY8*5hRlym4Q0') RETURNING ("ident");

UNEXPECTED ERROR

Finished after 45.8 ms (30.0 ms CPU)

comment:2 Changed 3 months ago by mva[PPRu]

Same here.
Currently, commenting out the "error" line in webmcp/framework/env/request/set_csrf_secret.lua did the trick to get it working, but AFAIU it is a security hole.
