Server config causing CSRF triggers
(This post was last modified: 08-22-2017, 03:53 AM by objecttothis.)

FreeBSD 11.0
Apache 2.4
MySQL 5.7
PHP 5.6.31

I've recently built, configured and security-hardened this server, and I installed opensourcepos, which is a project I am contributing to. With CSRF disabled I have no problems. When enabled I initially could not log in to the app. I found that the line

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

was causing CI CSRF protection to trigger. IMO it was not a good design decision for CI to use the cookie for the CSRF token, because it prevents server-wide hardening such as the above, which keeps JavaScript from reading the cookie. While that may not be a problem in CI code, one has to keep in mind that there are likely other apps on the server which do not check for this sort of thing. It would be better for CI to use a separate header for the CSRF token.

Alas, after commenting that line out I thought my problems were over because I could now log in; however, I found that I was getting an HTTP 403 response when submitting changes in a form. Like before, I believe it's CSRF triggering, because when it is turned off in config.php the form submits fine. I've attached a screenshot of the 403 response.

So far I've done the following to try to troubleshoot what was causing the problem:
- Set mod_security to DetectionOnly
- Set suhosin to SimulationMode in php.ini
- Commented out mod_evasive
- Commented out the following lines in my httpd.conf
#Security Directives
# ServerTokens Full
# ServerSignature Off
# FileETag None
# TraceEnable Off
# Header always append X-Frame-Options SAMEORIGIN
# Header set X-XSS-Protection "1; mode=block"
# Timeout 60
# MaxClients 64
# HostnameLookups Off
# RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=1000

#Require HTTP 1.1
# <IfModule mod_rewrite.c>
# RewriteCond %{THE_REQUEST} ^POST(.*)HTTP/(0\.9|1\.0)$ [NC]
# RewriteRule .* - [F,L]
# </IfModule>
- Commented out open_basedir, disable_functions in php.ini

But I'm getting the same behavior. I've turned on logs in config.php, and here is what it generates for the submit:

INFO - 2017-08-22 14:39:22 --> Config Class Initialized
INFO - 2017-08-22 14:39:22 --> Hooks Class Initialized
DEBUG - 2017-08-22 14:39:22 --> UTF-8 Support Enabled
INFO - 2017-08-22 14:39:22 --> Utf8 Class Initialized
INFO - 2017-08-22 14:39:22 --> URI Class Initialized
INFO - 2017-08-22 14:39:22 --> Router Class Initialized
INFO - 2017-08-22 14:39:22 --> Output Class Initialized
INFO - 2017-08-22 14:39:22 --> Security Class Initialized
DEBUG - 2017-08-22 14:39:22 --> Global POST, GET and COOKIE data sanitized
INFO - 2017-08-22 14:39:22 --> CSRF cookie sent

No errors are generated by PHP, Suhosin, MySQL or mod_security... presumably because the CI CSRF kicks in with a 403 before that can happen.
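The post above describes CodeIgniter tying its CSRF token to a cookie and suggests carrying the token in a header instead. The PHP below is an added illustration, not code from the post, from CodeIgniter or from opensourcepos: it contrasts a stateless double-submit-cookie check, which a browser script can only satisfy if it can read the cookie, with a session-backed synchronizer token that keeps working under an HttpOnly cookie policy, and it applies the `Header edit` rewrite quoted above to a sample Set-Cookie value. The cookie, field and header names are assumptions, and the requests are constructed as plain arrays rather than read from $_COOKIE, $_POST or the real headers.

```php
<?php
// Added illustration, not code from CodeIgniter or opensourcepos.
// Shows the two common CSRF token schemes, which one a server-wide
// HttpOnly cookie rewrite interferes with, and what the rewrite quoted
// in the post does to a Set-Cookie header. All names below are made up.
declare(strict_types=1);

const CSRF_COOKIE_NAME = 'csrf_cookie';  // hypothetical cookie name
const CSRF_FIELD_NAME  = 'csrf_token';   // hypothetical hidden-field / session key
const CSRF_HEADER_NAME = 'X-CSRF-Token'; // hypothetical request header

// Token as the client sent it back: hidden form field first, else custom header.
function sentToken(array $post, array $headers): string
{
    return $post[CSRF_FIELD_NAME] ?? ($headers[CSRF_HEADER_NAME] ?? '');
}

// Double-submit cookie scheme: the token is issued as a cookie and must be
// repeated in the request body or a header. The server keeps no state and only
// compares the two copies. A server-rendered page can embed the value in a
// hidden field; a script can only repeat it if document.cookie exposes it,
// which the HttpOnly attribute prevents.
function verifyDoubleSubmit(array $cookies, array $post, array $headers): bool
{
    $cookieToken = $cookies[CSRF_COOKIE_NAME] ?? '';
    $sent = sentToken($post, $headers);
    if ($cookieToken === '' || $sent === '') {
        return false; // a missing copy is a failed check (an HTTP 403 in practice)
    }
    return hash_equals($cookieToken, $sent); // constant-time comparison
}

// Synchronizer token scheme: the token lives in server-side session state and
// comes back in a hidden field or header. The session cookie itself can stay
// HttpOnly and Secure because nothing client-side ever needs to read it.
function verifySynchronizerToken(array $session, array $post, array $headers): bool
{
    $stored = $session[CSRF_FIELD_NAME] ?? '';
    $sent = sentToken($post, $headers);
    if ($stored === '' || $sent === '') {
        return false;
    }
    return hash_equals($stored, $sent);
}

// The same rewrite as the Apache directive quoted in the post,
//   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
// applied to one Set-Cookie value so its effect can be inspected.
function applyHeaderEdit(string $setCookie): string
{
    return preg_replace('/^(.*)$/', '$1;HttpOnly;Secure', $setCookie);
}

function report(string $case, bool $ok): void
{
    printf("%-42s %s\n", $case, $ok ? 'accepted' : 'rejected (would be HTTP 403)');
}

// Constructed requests, as arrays instead of $_COOKIE / $_POST / getallheaders().
$token   = bin2hex(random_bytes(16));
$cookies = [CSRF_COOKIE_NAME => $token];
$session = [CSRF_FIELD_NAME => $token];

// Server-rendered form: the hidden field repeats the cookie value.
report('double-submit, hidden field present',
    verifyDoubleSubmit($cookies, [CSRF_FIELD_NAME => $token], []));
// AJAX submit where the script was supposed to copy the cookie into a header
// but could not read an HttpOnly cookie, so no token travels with the request.
report('double-submit, script blocked by HttpOnly',
    verifyDoubleSubmit($cookies, [], []));
// Same AJAX request under the synchronizer scheme: the token came from the
// rendered page or the session, never from document.cookie.
report('synchronizer token via header',
    verifySynchronizerToken($session, [], [CSRF_HEADER_NAME => $token]));
// A request whose token does not match the cookie is refused either way.
report('double-submit, non-matching token',
    verifyDoubleSubmit($cookies, [CSRF_FIELD_NAME => 'does-not-match'], []));

// A cookie that already carries attributes gets them appended a second time.
echo applyHeaderEdit('csrf_cookie=' . $token . '; Path=/; HttpOnly'), PHP_EOL;
```

Run it with `php csrf_demo.php`. Two caveats follow from the cookie attributes themselves rather than from anything the post diagnoses: the rewrite appends `;HttpOnly;Secure` unconditionally, so a cookie the application already marked HttpOnly ends up with the attribute twice, and `Secure` means a browser never sends the cookie on a plain-HTTP request, in which case the server sees no CSRF cookie at all and a double-submit check fails for that reason too.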
