1 (edited by eirikrye 2013-04-03 18:47)

Topic: Migrated to new web server, CSRF problems

I have been running a punBB 1.3.2 forum for a very long time, and today the time came to migrate the forum to my new VPS. It is running nginx+PHP+mySQL.

I installed punBB 1.4 (latest), upgraded the imported DB to the latest DB revision, edited the config file to match my new system and everything seemed to work flawlessly.

However, the moment I try to log on, I get the CSRF error:

Unable to confirm security token. A likely cause for this is that some time passed between when you first entered the page and when you submitted a form or clicked a link. If that is the case and you would like to continue with your action, please click the Confirm button. Otherwise, you should click the Cancel button to return to where you were.

If I click "Confirm", I get redirected to an HTTPS version of my site, the following URL: ht tps://<base-url>:80/login/. However, my server isn't even running on HTTPS/SSL, so the request obviously fails. If I remove the https:// part of the URL, it works fine.

The function in question that determines this behaviour was found in functions.php and the function get_current_url():

```php
$protocol = (!isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) == 'off') ? 'http://' : 'https://';
```

It checks the PHP variable _SERVER['HTTPS'] to determine whether I am on an HTTPS connection. The current value in my phpinfo:

_SERVER["HTTPS"]    no value

Surely, it should be unset?

In any case, I modified the function to always point to a regular HTTP connection regardless of what the server says, and I can now log in fine. However, if I try making a post or a reply, I always get the CSRF error no matter how many times I press submit:

Unable to confirm security token. A likely cause for this is that some time passed between when you first entered the page and when you posted the form. Clicking "Submit" again should solve the problem.

Upon further investigation, I noticed that the CSRF token that is saved in the "online" table of the database never matches the CSRF token it is trying to compare. They are entirely different. I am under the suspicion that this is caused by the above HTTPS-issue but I have no idea where to begin. My web server does not (and should not) have HTTPS support.

Thank you very much for any replies.

EDIT: I had to add spaces in the  "URLs" above, because it wouldn't let me post.

EDIT2: I also tried migrating the 1.3.2 version of the forum. I am getting the exact same errors, so it's definitely not an issue with the version upgrade.

2 (edited by eirikrye 2013-04-03 19:38)

Re: Migrated to new web server, CSRF problems

OK, so I figured it out, sort of.

The tokens in the online table are created from get_current_url(), which returns a URL in the format:

ht tp://<base_url>:<port>/<request_uri>

This doesn't match the real URLs (which the tokens are compared to) that my site uses, though, which is:

ht tp://<base_url>/<request_uri>

(without the port)

I fixed this by hardcoding get_current_url() to output the URL without the port, and now the CSRF verifies properly. This whole issue seems to stem from the fact that $_SERVER['HTTPS'] is set to a null value and seems to be causing issues. Does anyone have any idea how to resolve this?

My current solution is very hackish.
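The behaviour described in posts 1 and 2 (an empty $_SERVER['HTTPS'] being treated as HTTPS, and the port then being appended because 80 is not the default port for https) can be reproduced and fixed in a few lines. The following is an added example, not punBB's own get_current_url() and not code posted by anyone in this thread. It assumes the URL-building logic works the way the thread observes (scheme from $_SERVER['HTTPS'], port appended when it is not the default for that scheme); the helper names is_https_original(), is_https_hardened() and build_current_url() are made up for this example, and the $server arrays are constructed to mimic the phpinfo() output quoted above. The hostname forum.example.com is a placeholder.

```php
<?php
// Added example (not punBB's own code): reproduces the URL-building logic the
// thread describes and shows why an empty $_SERVER['HTTPS'] breaks it.
// The $server arrays below are constructed to mimic phpinfo() output from a
// plain-HTTP nginx + PHP-FPM host; the field names are the standard CGI ones.

// The check quoted in post #1: "not set, or 'off'" means HTTP.
// Any other value, including the empty string, is treated as HTTPS.
function is_https_original(array $server): bool
{
    return !(!isset($server['HTTPS']) || strtolower($server['HTTPS']) == 'off');
}

// Hardened check: an empty string (what nginx's "fastcgi_param HTTPS $https;"
// sends on a non-TLS vhost, assumed to be the cause here) and '0' are treated
// as plain HTTP as well.
function is_https_hardened(array $server): bool
{
    if (!isset($server['HTTPS'])) {
        return false;
    }
    $v = strtolower(trim((string) $server['HTTPS']));
    return $v !== '' && $v !== 'off' && $v !== '0';
}

// Rebuild the current URL. The port is appended only when it is not the
// default for the chosen scheme and HTTP_HOST does not already carry one,
// which is why a wrong scheme decision surfaces as "https://host:80/...".
function build_current_url(array $server, callable $is_https): string
{
    $https    = $is_https($server);
    $protocol = $https ? 'https://' : 'http://';
    $default  = $https ? 443 : 80;
    $host     = $server['HTTP_HOST'];
    $port     = isset($server['SERVER_PORT']) ? (int) $server['SERVER_PORT'] : $default;

    $suffix = '';
    if ($port !== $default && strpos($host, ':') === false) {
        $suffix = ':' . $port;
    }
    return $protocol . $host . $suffix . $server['REQUEST_URI'];
}

// Constructed snapshot: HTTPS is present but empty, exactly as in the
// phpinfo() output quoted in post #1.
$server = [
    'HTTPS'       => '',
    'HTTP_HOST'   => 'forum.example.com',
    'SERVER_PORT' => '80',
    'REQUEST_URI' => '/login/',
];

echo build_current_url($server, 'is_https_original'), PHP_EOL;
echo build_current_url($server, 'is_https_hardened'), PHP_EOL;

// Sanity check on a constructed TLS vhost so the hardened check does not
// regress real HTTPS deployments.
$tls = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'forum.example.com',
    'SERVER_PORT' => '443',
    'REQUEST_URI' => '/',
];
echo build_current_url($tls, 'is_https_hardened'), PHP_EOL;
```

With the empty-HTTPS snapshot, the original check produces https://forum.example.com:80/login/ (the same shape as the redirect in post 1), while the hardened check produces http://forum.example.com/login/, which is what the browser actually requested and therefore what the CSRF token comparison needs. If the real cause on your host is an nginx location block containing `fastcgi_param HTTPS $https;` (an assumption; check your fastcgi_params include), the server-side fix that avoids patching punBB is `fastcgi_param HTTPS $https if_not_empty;`, which omits the parameter entirely on non-TLS vhosts (the if_not_empty flag exists in nginx 1.1.11 and later), so the unmodified isset() check works again.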

3

Re: Migrated to new web server, CSRF problems

I'm currently having the same issue with mine. The problem is I have no idea on how to resolve it. Dunno if you can be more detailed in what to do.

4

Re: Migrated to new web server, CSRF problems

I fixed this by hardcoding get_current_url() to output the url without the port, and now the CSRF verifies properly.

Can you please post the coding?