[SOLVED] A possible CSRF attempt was detected

Quote from: shamblett at Jun 15, 2009, 12:32 PM

There’s a column named ’validate_referer’ in your <prefix>_system_settings table(0.9.6.2 here), use phpMyAdmin or some such to see what this is set to in your database, if its ’1’ set it back to ’0’ and see if the problem persists.

Got my problem solved by your solution. (Thanks for sharing that )

But now I’m getting a warning in the manager:
The configuration setting Validate HTTP_REFERER headers? is Off. We recommend turning it On.

What should I do here?

Quote from: Sylvaticus at Nov 07, 2009, 03:14 PM

But now I’m getting a warning in the manager:
The configuration setting Validate HTTP_REFERER headers? is Off. We recommend turning it On.

What should I do here?

Your options are to get your server to set the HTTP_REFERER header properly so you can turn this feature On, or ignore the warning. Just make sure if you are logged into your manager that you don’t click any suspicious links on web pages that point back to your manager; someone could trick a manager user into deleting Resources or other malicious things using this technique if you are not using the validate_referrers option.

Thanks.

I’m having this issue, too. The fix with resetting both database and cache file works, but only for a short time. After having fixed the problem I log in, edit some text, klick safe, and get the error message "A possible CSRF attempt was detected. No referer was provided by the server."!

What causes the problem is that in the meantime the database has set the validate_referrer to "00" (instead of "0")...

This happens only when I work from home, the login from the office works as it should. Any ideas what causes the db to change the setting?

Does version 1.0.2 fix this issue? I’m working with 1.0.1 a the moment.

1.0.2 fixes other issues, and possibly that one too. It’s a very critical upgrade.

Just to note that I had the same problem as described here after just newly installing 1.0.2 (have not used previous versions).
Had to go through both steps of changing the validate_referer value to 0 through phpMyAdmin, and in the siteCache file. All working fine now though, thanks for the help!

Hello everybody,

I had the same issue and nothing helped me. When i delete cookies i can connect to manager connection window, but not to the administration page. Changing validate_referer in database didnt helped neither.

So i tried to open the index.php in manager folder of my site with notepad++(any other editor works too). I found there the code for CSRF issue (juste do ctrl+F and write CSRF in the window) and i juste put this part of code in comment. And now it works.

I suppose it is not the best solution. I dont even know what does CSRF mean, but apperently it’s related to hackers attempts to acces to your site. So this solution is good only when you work at home.

Heh, i didnt see that message about changing valid referer from siteCache.idx.php...

Now it works !

Hi there,

In my case the line "validate referer" was on line 73. Just in case it help someone.
Thanks for this post!

Sorry for my English.

This error is only in firefox?

If is it, go to "about:conig" and set value network.http.sendRefererHeader; to 2 (default)

it is possible that some addon change automatically this value to 0, look again after change.

Now for me it’s ok!