Welcome to Geeklog Tuesday, July 16 2019 @ 08:27 pm EDT

Geeklog Forums

root Admin can't delete or add?


Jeremy

Anonymous
Hi,

Just did a plain install and noticed that the default Admin user cannot delete/add groups/users. I managed to register myself as another user and that worked ok. However the admin user could not change my permissions.

Looks like it's a specific admin rights problem that I am missing.

Oh, and when you delete or edit it looks like it worked. I mean there was no error; it just redirected back to the menu page.

Any Ideas?


Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Sounds like an issue with the CSRF protection. Are you using the Professional theme?

bye, Dirk

Jeremy

Anonymous

Yes just the standard professional theme.

I am using it on IIS with FastCGI if that makes a difference.


Dirk

Hmm, missing referrer headers perhaps? Do you have any entries in your error.log referring to those failed operations?

bye, Dirk

Jeremy

Anonymous
Hi,

I found this in the access.log file

User Admin tried to illegally delete topic Geeklog and failed CSRF checks.

Regards
Jeremy


Dirk

Quote by: Jeremy

User Admin tried to illegally delete topic Geeklog and failed CSRF checks.


As suspected. Since you're using the Professional theme, I suspect that your browser is not sending referrers or you're using a proxy or firewall that filters them out. Check that and try to enable referrers.

bye, Dirk

Jeremy

Anonymous
Did an echo on the ($tokendata['urlfor'] != $_SERVER['HTTP_REFERER'])

and the HTTP_REFERER included the query_string and thus did not match urlfor.

Did a little parsing of the REFERER to remove query string and it works now.

// Rebuild the referrer from scheme, host and path only, dropping the query string
$ref = parse_url($_SERVER['HTTP_REFERER']);
$newReferer = $ref['scheme'] . "://" . $ref['host'] . $ref['path'];

However, not sure if that is the correct solution :)

Jeremy


THEMike

Forum User
Moderator
Registered: 25/07/03
Posts: 141
Location:Sheffield, UK
What browser are you using?

I think the referrer sent is controlled by the browser, rather than the web server.

Need to get this happening for me to debug and make sure the fix works. Firefox and IE7 both send the querystring on the referer. The system logs the query string.

Can you check gl_tokens and see if the token created has the query string on it? Maybe IIS + FastCGI isn't setting $_SERVER['QUERY_STRING']?

Mike
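
A small diagnostic for the mismatch discussed in this thread, as an added example that is not part of any post and is not Geeklog's code: it reports which URL components differ between a stored `$tokendata['urlfor']` value and the referrer, so a query-string-only mismatch can be told apart from a different host, port or path. The function names and the sample URLs are constructed for illustration.

```php
<?php
// Added example, not Geeklog code. Function names are hypothetical.

/** Split a URL into the parts that matter for a referrer comparison. */
function refererParts(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null; // missing or malformed referrer: treat as a failed check
    }
    return [
        'scheme' => strtolower($p['scheme']),
        'host'   => strtolower($p['host']),
        'port'   => $p['port'] ?? null, // kept, so different ports never compare equal
        'path'   => $p['path'] ?? '/',
        'query'  => $p['query'] ?? '',
    ];
}

/** Names of the components that differ, or null if either URL is unusable. */
function refererDiff(string $urlfor, string $referer): ?array
{
    $a = refererParts($urlfor);
    $b = refererParts($referer);
    if ($a === null || $b === null) {
        return null;
    }
    return array_keys(array_diff_assoc($a, $b));
}

// Constructed sample values (not taken from the thread's logs).
$urlfor  = 'https://site.example/admin/item.php';
$referer = 'https://site.example/admin/item.php?mode=edit&id=1';

$diff = refererDiff($urlfor, $referer);
if ($diff === null) {
    echo "Referrer missing or malformed\n";
} elseif ($diff === []) {
    echo "Exact match\n";
} else {
    echo 'Mismatch in: ' . implode(', ', $diff) . "\n";
}
```

Logging the differing component names next to the failed-CSRF message shows whether the token was stored without the query string or the browser sent a different URL altogether.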
