
Possible CSRF Attack On Product Option Add

 
  • thomas
  • Advanced Member
  • Members
  • Join Date: 19-Nov 12
  • 83 posts

Posted 10 August 2015 - 09:00 AM #1

Hello Guys,

I am having a huge problem on product option add.

I have added 60 variants on a single option, although there are 60 more to add. But I couldn't add any more because after I hit the "SAVE" button, it redirects to the dashboard and says "action denied : POSSIBLE CSRF ATTACKED".

I have enabled/disabled the anti_csrf variable (true/false), but in either case it is not working.


Please help me

Thank you
Cheers!
Thomas

 
  • cscartrocks
  • Member
  • Members
  • Join Date: 24-Jan 11
  • 1832 posts

Posted 10 August 2015 - 09:21 AM #2

You can submit this issue to the bug tracker.

One Step Checkout Addon - The ultimate checkout experience
Best CS-Cart SEO addon - CS-Cart SEO Ultimate Addon
PM for 365-day support and custom development service


 
  • Alt-team
  • CS-Cart Developer
  • Authorized Reseller
  • Join Date: 18-Jan 11
  • 2814 posts

Posted 10 August 2015 - 01:50 PM #3

Hello,

Maybe you have some restrictions on your server.

Please check post_max_size setting on your server and try to increase this to solve this issue.

Thank you.

ADD-ONS  Web development service  | CS-Cart dedicated developers

Buy MULTIVENDOR - USD 1250 (14% off)   Buy CS-CART LICENCE - USD 345 (13% off)

 Email - manager@alt-team.com | Skype - Altteam    


 
  • eComLabs
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 27-Jan 14
  • 21367 posts

Posted 11 August 2015 - 08:16 AM #4

Along with the value of the post_max_size setting, you should also increase the value of the max_input_vars one. It should solve the problem.
GET A FREE QUOTE | CS-Cart Add-ons | CS-Cart Licenses | CS-Cart Development | CS-Cart Design | Server Configuration | UniTheme and YOUPI
CS-Cart                USD 345     Multi-Vendor              USD 1250    Multi-Vendor PLUS           USD 3100 (2775)
CS-Cart Ultimate  USD 775     CS-Cart + YOUPI      USD 545      Multi-Vendor Ultimate       USD 7500 (6000)

 
  • thomas
  • Advanced Member
  • Members
  • Join Date: 19-Nov 12
  • 83 posts

Posted 12 August 2015 - 07:43 AM #5

Thank you. I will do that and let you know.
Cheers!
Thomas

 
  • thomas
  • Advanced Member
  • Members
  • Join Date: 19-Nov 12
  • 83 posts

Posted 12 August 2015 - 07:52 AM #6

Thank you very much guys, It worked.
Cheers!
Thomas

 
  • Party
  • Advanced Member
  • Members
  • Join Date: 01-Sep 12
  • 66 posts

Posted 25 September 2015 - 08:35 AM #7

It appears I have the same issue when adding 100 options. However, the steps outlined above do not help. Does anyone have any suggestions?

I changed them as follows in /usr/local/cpanel/3rdparty/etc/php.ini:

post_max_size = 256M
max_input_vars = 2000



 
  • eComLabs
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 27-Jan 14
  • 21367 posts

Posted 25 September 2015 - 09:30 AM #8

In fact, the number of input vars for 100 options can be greater than 2000.


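The two replies above (#4 and #8) point at max_input_vars without saying why a too-low value surfaces as a CSRF error rather than as a missing-data error. The following is an added example, not CS-Cart's code and not from any poster in this thread: it builds a constructed option form, emulates PHP's max_input_vars truncation, and shows that the field which falls off the end is the anti-CSRF token, so the server sees a request with no valid token and denies it. The field names, the token name `security_hash`, and the assumed 20 fields per variant are illustrative placeholders, not CS-Cart's real form schema; count the fields of your own form in the browser's Network tab before sizing the setting.

```python
"""Why a large product-option form trips a CSRF check (added example)."""
from urllib.parse import parse_qsl, urlencode

TOKEN_FIELD = "security_hash"   # assumed name of the hidden anti-CSRF field
FIELDS_PER_VARIANT = 20         # assumed; measure it on your own form


def build_option_form(n_variants, token, fields_per_variant=FIELDS_PER_VARIANT):
    """Constructed form body: a couple of header fields, then n_variants
    variants with fields_per_variant inputs each, then the token last,
    which is where a hidden token input placed at the end of the form lands."""
    pairs = [("option_id", "1"), ("option_name", "Size")]
    for i in range(n_variants):
        for f in range(fields_per_variant):
            pairs.append((f"option_data[variants][{i}][field_{f}]", f"v{i}_{f}"))
    pairs.append((TOKEN_FIELD, token))
    return urlencode(pairs)


def parse_post_like_php(body, max_input_vars=1000):
    """Emulates PHP's max_input_vars (default 1000): every leaf variable counts,
    variables past the limit are discarded with only a warning in the PHP log,
    and the request keeps running on the truncated $_POST.
    Returns (kept_fields_dict, number_of_dropped_variables)."""
    pairs = parse_qsl(body, keep_blank_values=True)
    kept = pairs[:max_input_vars]
    return dict(kept), len(pairs) - len(kept)


def csrf_check(post, session_token):
    """Typical server-side check: a missing or mismatching token is denied,
    which is reported as a possible CSRF attack, not as lost form data."""
    return post.get(TOKEN_FIELD) == session_token


def required_max_input_vars(n_variants, fields_per_variant=FIELDS_PER_VARIANT, header_fields=2):
    """Lower bound for max_input_vars so the form above arrives intact
    (header fields + variant fields + the token itself)."""
    return header_fields + n_variants * fields_per_variant + 1


if __name__ == "__main__":
    body = build_option_form(60, "tok")
    for limit in (1000, 2000):
        post, dropped = parse_post_like_php(body, limit)
        print(f"max_input_vars={limit}: dropped={dropped}, csrf_ok={csrf_check(post, 'tok')}")
    print("needed for 100 variants:", required_max_input_vars(100))
```

Under the assumed field count, 60 variants submit 1203 variables, so the default limit of 1000 drops the last 203 fields, token included, while 100 variants need 2003, which is the "greater than 2000" case from reply #8. The practical check is the same in either direction: if the PHP error log shows "Input variables exceeded" for the failing request, the CSRF message is a symptom of truncation, not of a forged request.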

 
  • Party
  • Advanced Member
  • Members
  • Join Date: 01-Sep 12
  • 66 posts

Posted 25 September 2015 - 01:55 PM #9

I have tried "max_input_vars = 10000" and higher, but still no luck.



 
  • Ralkan
  • Junior Member
  • Members
  • Join Date: 07-Mar 08
  • 87 posts

Posted 11 October 2015 - 04:34 PM #10

I have made the necessary settings changes as mentioned above, but I cannot add more than 70 options on any product without the CSRF attack error message...

 

Anyone have any other ideas?



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11934 posts

Posted 11 October 2015 - 07:58 PM #11

When you set the value, can you verify that it is set to the value you expect using ini_get('max_input_vars')?


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • Ralkan
  • Junior Member
  • Members
  • Join Date: 07-Mar 08
  • 87 posts

Posted 12 October 2015 - 11:31 AM #12

I have increased the sizes of the attributes mentioned to silly values like "max_input_vars = 100000" and post_max_size = 1024M and yes verified in phpinfo() that the settings have taken...

 

I once managed to get 73 random items added as variables to an option but ever since they have failed... I have deleted cache (that's when it worked for 73 variants) all to pretty much no avail.

 

Very frustrating. Anyone got any ideas? I'm kind of shooting in the dark here.

 

TIA



 
  • Ralkan
  • Junior Member
  • Members
  • Join Date: 07-Mar 08
  • 87 posts

Posted 12 October 2015 - 12:17 PM #13

OK, after some serious messing around it seems I have found it. For anyone who might experience this, check whether your server has the Suhosin hardened extension installed. I had to make some changes in there; I cannot say for sure which ones helped, but these are the changes I added to my php.ini:


; Filtering Options
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 50000
suhosin.cookie.max_vars = 100
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 64
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.get.max_vars = 10000
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 64
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 100000
suhosin.post.max_vars = 10000
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 64
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 65000
suhosin.request.max_vars = 2000
suhosin.request.max_varname_length = 128
suhosin.upload.remove_binary = Off
suhosin.session.max_id_length = 128

Hope this helps someone out

 

Mark
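Post #12 and #13 together show the failure mode a practitioner should check for first: max_input_vars was raised to a very large value and confirmed in phpinfo(), yet the form still lost fields, because Suhosin enforces its own variable-count ceilings in front of PHP's. The following is an added example, not CS-Cart's code and not from any poster: it parses a php.ini-style fragment and reports which directive actually binds the number of POST variables. The fragment is constructed here from the Suhosin values posted above plus an assumed max_input_vars line; note that suhosin.request.max_vars applies to GET, POST and COOKIE variables combined, so in the posted values it (2000) binds before suhosin.post.max_vars (10000) or max_input_vars does. Suhosin's own defaults for post.max_vars and request.max_vars (1000 each) are applied when the extension is present but a directive is absent.

```python
"""Which directive actually caps POST variables once Suhosin is loaded (added example)."""

PHP_DEFAULT_MAX_INPUT_VARS = 1000
# Suhosin defaults used when the extension is present but the directive is not set.
SUHOSIN_DEFAULTS = {"suhosin.post.max_vars": 1000, "suhosin.request.max_vars": 1000}


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, no sections needed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def post_var_limits(settings):
    """All directives that cap the number of POST variables, with values in force.
    Suhosin directives count only if some suhosin.* key shows the extension is loaded."""
    limits = {"max_input_vars": int(settings.get("max_input_vars", PHP_DEFAULT_MAX_INPUT_VARS))}
    if any(key.startswith("suhosin.") for key in settings):
        for key, default in SUHOSIN_DEFAULTS.items():
            limits[key] = int(settings.get(key, default))
    return limits


def binding_post_var_limit(settings):
    """Return (directive, value) of the smallest limit, i.e. the one that drops fields first."""
    limits = post_var_limits(settings)
    name = min(limits, key=limits.get)
    return name, limits[name]


def form_fits(settings, n_post_vars):
    """True if a form with n_post_vars leaf variables survives every limit in force."""
    _, limit = binding_post_var_limit(settings)
    return n_post_vars <= limit


# Constructed fragment: max_input_vars is assumed, the Suhosin lines are the posted values.
CONSTRUCTED_INI = """
; constructed php.ini fragment for the example
max_input_vars = 100000
suhosin.post.max_vars = 10000
suhosin.request.max_vars = 2000
"""

if __name__ == "__main__":
    settings = parse_ini(CONSTRUCTED_INI)
    print("binding limit:", binding_post_var_limit(settings))
    print("1203 vars fit:", form_fits(settings, 1203), "| 2003 vars fit:", form_fits(settings, 2003))
```

The check this replaces is the one done by hand in post #12: confirming max_input_vars in phpinfo() is not enough on a Suhosin host, since phpinfo() also lists the suhosin.* directives and the smallest of the three is what truncates the form. When the request.* limit binds, remember it also counts the cookies and query-string parameters sent with the same request, so leave headroom above the POST field count alone.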