All In One Shipping, also have the same error "Security Alert: Poss


When I log in to the admin control panel and revise All In One Shipping, after I edit and save, the panel jumps to the Dashboard.

We turned on Enable Debugging and got the following information:

PHP:
[Warning] /home/lapidary/public_html/cart/classes/sanitize.class.php:113 - Invalid Security Token
[Notice] /home/lapidary/public_html/cart/admin/sources/dashboard.index.inc.php:36 - Undefined index: delete_setup
GET:
'Before Sanitise:' =>
'_g' => plugins
'type' => shipping
'module' => All_In_One_Shipping
'After Sanitise:' =>
SESSION:
'__client' =>
'ip_address' => 60.210.85.204
'useragent' => Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
'session_start' => 1427971218
'session_last' => 1427971247
'currency' => USD
'admin_id' => 1
'__system' =>
'token' => a8f312d2cbd996bd33029a1623cfff32
'__admin_data' =>
'admin_id' => 1
'name' => Lapidary
'username' => admin
'logins' => 5413
'super_user' => 1
'notes' => This user was setup during installation.
'failLevel' => 0
'blockTime' => 0
'lastTime' => 1427971094
'browser' => Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
'ip_address' => 60.210.85.204
'customer_id' => 0
'status' => 1
'verify' =>
'language' => en-US
'dashboard_notes' =>
'order_notify' => 1
'new_password' => 1
'tour_shown' => 1
'__admin' =>
'user_language' => en-US
'version-check' => 1
COOKIE:
'PHPSESSID' => a9ff02ce3e0d188110ec10a7ef2d3bed
MySQLi
Queries (30):
[1] SELECT SQL_CALC_FOUND_ROWS * FROM `CubeCart_sessions` WHERE CubeCart_sessions.session_id = 'a9ff02ce3e0d188110ec10a7ef2d3bed' LIMIT 1; -- (0.000308036804199 sec) [NOT CACHED]
[2] SELECT FOUND_ROWS() as Count; -- (0.000137090682983 sec) [NOT CACHED]
[3] SELECT * FROM `CubeCart_lang_strings` WHERE CubeCart_lang_strings.language = 'en-US' ; -- (0.000330924987793 sec) [NOT CACHED]
[4] SELECT * FROM `CubeCart_hooks` WHERE CubeCart_hooks.enabled = '1' ORDER BY priority ASC ; -- (0.00081205368042 sec) [NOT CACHED]
[5] SELECT `php_code`, `unique_id`, `description`, `hook_trigger` FROM `CubeCart_code_snippet` WHERE CubeCart_code_snippet.enabled = '1' ORDER BY `priority` ASC ; -- (0.000355005264282 sec) [NOT CACHED]
[6] SELECT `cat_id`, `cat_name`, `cat_parent_id` FROM `CubeCart_category` ORDER BY `cat_id` DESC ; -- (0.00172114372253 sec) [NOT CACHED]
[7] SELECT `cat_id`, `cat_name` FROM `CubeCart_category_language` WHERE CubeCart_category_language.language = 'en-US' ; -- (0.000146865844727 sec) [NOT CACHED]
[8] SELECT * FROM `CubeCart_permissions` WHERE CubeCart_permissions.admin_id = '1' ; -- (0.000155925750732 sec) [NOT CACHED]
[9] SELECT `version` FROM `CubeCart_history` ORDER BY `time` DESC LIMIT 1 -- (0.000455141067505 sec) [NOT CACHED]
[10] SELECT @@sql_mode; -- (0.000119924545288 sec) [NOT CACHED]
[11] SELECT SUM(`total`) as `total_sales` FROM `CubeCart_order_summary` WHERE `status` = 3; -- (0.00701117515564 sec) [NOT CACHED]
[12] SELECT * FROM `CubeCart_currency` WHERE CubeCart_currency.code = 'USD' ; -- (0.000306844711304 sec) [NOT CACHED]
[13] SELECT AVG(`total`) as `ave_order` FROM `CubeCart_order_summary` WHERE `status` = 3; -- (0.0357990264893 sec) [NOT CACHED]
[14] SELECT SUM(`total`) as `last_month` FROM `CubeCart_order_summary` WHERE `status` = 3 AND `order_date` > 1425168000 AND `order_date` < 1427846400; -- (0.000728130340576 sec) [NOT CACHED]
[15] SELECT SUM(`total`) as `this_month` FROM `CubeCart_order_summary` WHERE `status` = 3 AND `order_date` > 1427846400; -- (0.000293016433716 sec) [NOT CACHED]
[16] SELECT SQL_CALC_FOUND_ROWS `cart_order_id`, `first_name`, `last_name`, `name` FROM `CubeCart_order_summary` ORDER BY `order_date` DESC LIMIT 5; -- (0.0114529132843 sec) [NOT CACHED]
[17] SELECT FOUND_ROWS() as Count; -- (0.00472283363342 sec) [NOT CACHED]
[18] SELECT `order_date`, `total` FROM `CubeCart_order_summary` WHERE CubeCart_order_summary.order_date >= '0' AND `status` IN (3) AND CubeCart_order_summary.total > '0' ; -- (0.0330090522766 sec) [NOT CACHED]
[19] SELECT COUNT(cart_order_id) AS Count FROM `CubeCart_order_summary` WHERE `status` IN (1,2); -- (0.000633001327515 sec) [NOT CACHED]
[20] SELECT SQL_CALC_FOUND_ROWS `cart_order_id`, `name`, `first_name`, `last_name`, `order_date`, `customer_id`, `total`, `status` FROM `CubeCart_order_summary` WHERE status IN (1,2) OR `dashboard` = 1 ORDER BY `dashboard` DESC, `status` DESC,`order_date` ASC LIMIT 25 OFFSET 0; -- (0.00594210624695 sec) [NOT CACHED]
[21] SELECT FOUND_ROWS() as Count; -- (0.00029993057251 sec) [NOT CACHED]
[22] SELECT `type`, `customer_id` FROM `CubeCart_customer` WHERE customer_id IN (1132,1315,344,58,1108,92,1347,1348) ; -- (0.000483989715576 sec) [NOT CACHED]
[23] SELECT `cart_order_id`,`time`,`content` FROM `CubeCart_order_notes` WHERE `cart_order_id` IN ('140306-134956-6326','150201-001839-2143','140217-204619-5169','141011-190913-3292','150320-103218-6766','150330-180446-3609','150329-201512-2122','150329-201933-5365','150330-021613-7923') ; -- (0.000304937362671 sec) [NOT CACHED]
[24] SELECT SQL_CALC_FOUND_ROWS * FROM `CubeCart_reviews` WHERE CubeCart_reviews.approved = '0' LIMIT 25 OFFSET 0; -- (0.000226974487305 sec) [NOT CACHED]
[25] SELECT I.name ,I.stock_level AS I_stock_level, I.stock_warning AS I_stock_warning, I.product_id, M.stock_level AS M_stock_level, M.use_stock as M_use_stock, M.cached_name FROM `CubeCart_inventory` AS `I` LEFT JOIN `CubeCart_option_matrix` AS `M` on `I`.`product_id` = `M`.`product_id` WHERE use_stock_level = 1 AND (((I.stock_warning > 0 AND M.stock_level [NOT CACHED]
[26] SELECT SQL_CALC_FOUND_ROWS I.name ,I.stock_level AS I_stock_level, I.stock_warning AS I_stock_warning, I.product_id, M.stock_level AS M_stock_level, M.use_stock as M_use_stock, M.cached_name FROM `CubeCart_inventory` AS `I` LEFT JOIN `CubeCart_option_matrix` AS `M` on `I`.`product_id` = `M`.`product_id` WHERE use_stock_level = 1 AND (((I.stock_warning > 0 AND M.stock_level [NOT CACHED]
[27] SELECT FOUND_ROWS() as Count; -- (0.000154972076416 sec) [NOT CACHED]
[28] SELECT COUNT(product_id) AS Count FROM `CubeCart_inventory` ; -- (0.000211000442505 sec) [NOT CACHED]
[29] SELECT COUNT(cart_order_id) AS Count FROM `CubeCart_order_summary` ; -- (0.0001380443573 sec) [NOT CACHED]
[30] SELECT COUNT(customer_id) AS Count FROM `CubeCart_customer` ; -- (0.000124931335449 sec) [NOT CACHED]
Memory: Peak Usage / Max (%):
10.91MB / 128M (8.52%)
Cache (File): Always Disabled in ACP
Cache Used: 0.00 KB of 4.00 KB (0.00%) [Clear Cache]
Page Load Time:
0.039738 seconds

If you have a lot of zones (10, for example), and for each zone you have a lot of ranges (5-10 each, for example), the combined number of data points will exceed the typical number of POST variables allowed through the web server, and the web server will truncate everything after that limit.

One of the last variables in the POST is the security token. If that gets cut, CubeCart does nothing with what did get through in POST and sends back the Dashboard.

(In a future release of CubeCart, the debug will show what was happening during the processing of POST, as well as after the processing finished.)

I have modified the AIOS module's admin template to POST only the displayed tabs' contents, thus the number of data points that gets POSTed is significantly less than otherwise.

If you believe your situation is as I described it above, send me a private message with your email and I will send you the modified template to try.

You can also petition your hosting provider to make edits to the web server's configuration to allow a much higher limit on POST variables: from what seems to be a standard limit of 1000 to a higher limit of 6000. (There may also be a PHP limit, but we can deal with that later.)

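A model of the failure described in the reply above, as an added example that is not part of the original thread and is not CubeCart or AIOS code: a form whose last field is the security token is cut at a variable limit, so the token never arrives. The field names, the 10 x 10 x 12 layout and the `build_body()` and `receive()` helpers are assumptions made for illustration; the limits 1000 and 6000 are the figures from the reply.

```php
<?php
// Added example. Field names (zone[..][..][..], token) are constructed for
// illustration; they are not the AIOS module's real field names.

/** Build a urlencoded form body: zones x ranges x fields, security token LAST. */
function build_body(int $zones, int $ranges, int $fieldsPerRange): string
{
    $pairs = [];
    for ($z = 0; $z < $zones; $z++) {
        for ($r = 0; $r < $ranges; $r++) {
            for ($f = 0; $f < $fieldsPerRange; $f++) {
                $pairs[] = urlencode("zone[$z][$r][f$f]") . '=1';
            }
        }
    }
    $pairs[] = 'token=' . str_repeat('0', 32); // placeholder token value
    return implode('&', $pairs);
}

/** Model a server that keeps only the first $limit POST variables. */
function receive(string $body, int $limit): array
{
    $pairs = explode('&', $body);
    $kept  = array_slice($pairs, 0, $limit);
    // Decode just the field names of what survived the cut.
    $names = array_map(function ($pair) {
        return urldecode(explode('=', $pair, 2)[0]);
    }, $kept);
    return [
        'sent'          => count($pairs),
        'kept'          => count($kept),
        'truncated'     => count($pairs) > $limit,
        'token_present' => in_array('token', $names, true),
    ];
}

$full   = build_body(10, 10, 12); // every zone tab posted: 1201 variables
$oneTab = build_body(1, 10, 12);  // only the displayed tab posted: 121 variables

$cases = [['all tabs', $full, 1000], ['all tabs', $full, 6000], ['one tab', $oneTab, 1000]];
foreach ($cases as [$label, $body, $limit]) {
    $r = receive($body, $limit);
    printf("%-8s limit=%-4d sent=%-4d kept=%-4d truncated=%-3s token_present=%s\n",
        $label, $limit, $r['sent'], $r['kept'],
        $r['truncated'] ? 'yes' : 'no', $r['token_present'] ? 'yes' : 'NO');
}
```

PHP's own limit on request variables is the `max_input_vars` setting, which a script can read with `ini_get('max_input_vars')` to compare against the number of fields a form submits.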

I sent a private message.
