
1.8.4 and get CSRF token is invalid or expired! | Forum

Marcus
Marcus May 21 '19

What's wrong? I just updated from 1.8.0 to 1.8.4 and get "CSRF token is invalid or expired".


Plus the captcha doesn't show and the top dropdown menus don't always work.

The Forum post is edited by Marcus May 21 '19
Oxwall Germany Club
Oxwall Germany May 21 '19
Topic was moved from General Questions.
Irena
Irena Aug 13 '20
Still an issue, anyone got a resolution?
dave Leader
dave Aug 13 '20
Just refresh the page. The CSRF is a token used for form submissions to help provide security. The CSRF error means you let the page sit too long and the token expired.
Irena
Irena Aug 13 '20
Expiring as soon as they try to sign in.
Irena
Irena Aug 13 '20
Refreshing the page: ERROR.
Going to the index page, then the sign-in page:
CSRF TOKEN IS INVALID OR EXPIRED
Irena
Irena Aug 13 '20
See images, is there a perma-fix?
Attachments:
  CSRF Token is invalid or expired.PNG (15Kb)
  error1.PNG (8Kb)
dave Leader
dave Aug 13 '20

Try clearing your site cache and also your DNS cache...


do you know how to do both of those?

dave Leader
dave Aug 13 '20

Irena - I checked your site, you have a plugin that is causing this... Whatever that plugin you have for facebook and maintenance mode, deactivate it.... give that a try..


What plugin did you just install recently ?


That plugin is auto-submitting a form, I believe, and it conflicts with the token.


Look at your console after the page opens and you get the token error.... You will see issues. 

The Forum post is edited by dave Aug 13 '20
Irena
Irena Aug 13 '20
I deactivated FB Connect and I don't get the error (so far).
Should I try a re-install in case it's an old version I'm using?
dave Leader
dave Aug 13 '20
Check the plugin page for the version number and compare it to the plugin XML file in the plugin files.
Sumate
Sumate Aug 13 '20
Write to Patricia she helped me with this problem a while ago.
Marcus
Marcus Aug 14 '20
This issue has been solved now, please close it.
dave Leader
dave Aug 14 '20
I don't think we can call just commenting out the CSRF code a solution; that is not a fix, it's a bypass. Though it is your choice on your site, it's not a solution I would pass to the masses. The CSRF has a security purpose and bypassing it is not the answer.
Patricia Zorrilla Leader
Patricia Zorrilla Aug 14 '20

Quote from dave: I don't think we can call just commenting out the CSRF code a solution; that is not a fix, it's a bypass. Though it is your choice on your site, it's not a solution I would pass to the masses. The CSRF has a security purpose and bypassing it is not the answer.
If you manage to access my website taking advantage of this theoretical vulnerability, I promise to invest the necessary hours in finding a more elaborate solution.
AppXprt
AppXprt Aug 14 '20
Challenge Accepted Patricia!

I love CSRF Challenges and they are incredibly dangerous, so Dave is absolutely right, do not bypass CSRF protections.

I will only target your test site though:

https://somoscd.es/testsite/

The Forum post is edited by AppXprt Aug 14 '20
Patricia Zorrilla Leader
Patricia Zorrilla Aug 14 '20
If you succeed, do not destroy my website, it is about perfecting OxWall and not destroying !!!
AppXprt
AppXprt Aug 14 '20
Removed for Security per Request
The Forum post is edited by AppXprt Aug 14 '20
Senior Developer Leader
Senior Developer Aug 14 '20
This is the content of the PHP file:


<html>
  <form name="addmoderator" action="https://somoscd.es/testsite/admin/permissions/add-moderator/" method="post">
    <input type="hidden" name="username" value="AppXprt">
  </form>
  <script>window.onload = function(){ document.forms['addmoderator'].submit(); }</script>
</html>


"AppXprt" is his account name in your website.


If the admin visits the attacker's website, he owns you now.


He tried to add himself as moderator, which works if the CSRF token is bypassed or removed and the admin (the target) clicks this link. He can do lots of things, not just that, without being a moderator, just by making you visit that link.

Delete users, photos, topics; basically he can make your website go kaput by changing the form fields for worse ones. He can add JavaScript into your website, and he can take the cookies from you and your users and log in with all accounts. Imagine that he can log in with all accounts, read all the users' private data and private conversations, change passwords, impersonate your users and scam/blackmail them.


Be careful, do not bypass or disable this.


Senior Developer.

The Forum post is edited by Senior Developer Aug 14 '20
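The token check the thread is arguing about, as an added example that is not Oxwall's own code and is not from any poster here: a per-session random token with an expiry, validated before a state-changing action such as adding a moderator. It is language-neutral Python rather than Oxwall's PHP; TOKEN_TTL, the function names and the verdict strings are assumptions.

```python
import hmac
import secrets
from typing import Optional

# Assumed lifetime of a token in seconds; the thread's "expired" error is
# what you get when a form is left open longer than this.
TOKEN_TTL = 30 * 60


def issue_token(session: dict, now: float) -> str:
    """Mint a fresh random token, keep it server-side in the session and
    return it for embedding as a hidden form field. A third-party page
    cannot read this value, which is the whole point of the scheme."""
    token = secrets.token_hex(32)
    session["csrf"] = {"token": token, "issued": now}
    return token


def check_token(session: dict, submitted: Optional[str], now: float) -> str:
    """Compare the submitted field with the session copy.
    Returns 'ok', 'missing', 'expired' or 'invalid'."""
    stored = session.get("csrf")
    if not stored or not submitted:
        return "missing"            # no field at all, e.g. an auto-submitted foreign form
    if now - stored["issued"] > TOKEN_TTL:
        return "expired"            # the error reported in this thread
    if not hmac.compare_digest(stored["token"], submitted):
        return "invalid"            # wrong value; constant-time compare avoids timing leaks
    return "ok"


def handle_add_moderator(session: dict, form: dict, now: float) -> str:
    """A state-changing handler. The check runs first; commenting it out is
    exactly what lets any page the admin visits act with the admin's cookies."""
    verdict = check_token(session, form.get("csrf_token"), now)
    if verdict != "ok":
        return f"rejected: CSRF token is {verdict}"
    return f"added moderator {form['username']}"


if __name__ == "__main__":
    admin = {}                      # constructed stand-in for the admin's session
    tok = issue_token(admin, now=1000.0)
    print(handle_add_moderator(admin, {"username": "alice", "csrf_token": tok}, now=1010.0))
    print(handle_add_moderator(admin, {"username": "alice"}, now=1010.0))
    print(handle_add_moderator(admin, {"username": "alice", "csrf_token": tok}, now=1000.0 + TOKEN_TTL + 1))
```

The three calls at the bottom show the accepted submission, the rejection a foreign form gets because it cannot supply the field, and the "expired" rejection a stale legitimate page gets; refreshing the page reissues a token, deleting the check removes all three outcomes.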