CSRF or Browser Back Button Used


James S

Hi, I have been having an issue with a CC6.1.5 site using PHP 5.6.

Getting "CSRF or Browser Back Button Used". It happens at various times but can be simulated by doing a product search in Admin: having found the product, pressing 'enter' drops the page back to the admin landing page with the error on the top banner.

The odd thing is it seems to happen every other time a product is searched for...?

I am using Firefox, only open once (back button not being used).

The shop staff get it during the day (different IP) and it stops them or slows them down adding products and completing orders.

It was happening before an upgrade, when using 6.1.11; we had hoped the upgrade would fix it!

Any thoughts or ideas gratefully received.

James

[Attachment: CSRF - Feb. 28 19.39.jpg]


Is this the fly-out box that you start entering in a product name or code?

If so, when (if) you get a predictive result, how do you select it? The fly-out box does not accept the Enter key.

For every form submission (the Save button), CubeCart compares the hidden Security Token submitted along with the form data, with what CubeCart expects that token to be. If it's a match, the form data is processed and a new token is generated.

You can have as many browser tabs open as you want, but when any of those pages gets a form submitted, CubeCart now has a new token but all of the other forms on the other browser tabs have the old token.

So, that's why it may be confusing when, for no apparent reason, the Save is discarded and this message comes up.

Another common reason is that, for some reason, the form security token does not make it back to CubeCart. The typical cause is that there is so much data being submitted by the form. The default for PHP is 1000 key/value pairs, but this can be changed by the hosting provider.

Hitting this limit can happen easily on two or three known admin pages, and with some effort on other admin pages, but I've never seen it happen when Add/Edit Product is being used.

In admin, PHP Info, scroll to the Core table and look for 'max_input_vars'. This value may be irrelevant if PHP is being run inside a security wrapper, like suPHP or Suhosin.

Edited by bsmither
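The token check and the two failure modes bsmither describes (a stale token after another tab submits, and a token that never arrives because PHP truncated the POST at max_input_vars) can be modelled in a few lines. This is an added illustration, not CubeCart's own code; the function names, the array standing in for $_SESSION and the field counts are all assumptions, and it needs PHP 7.1+ for random_bytes() and nullable type hints.

```php
<?php
// Added illustration, not CubeCart's own code. It models the token check
// described above: one token per session, compared on every submission and
// rotated after each accepted one, plus the max_input_vars failure mode.
// Assumes PHP 7.1+ for random_bytes() and nullable type hints.

declare(strict_types=1);

// A plain array stands in for $_SESSION so the script runs from the CLI.
$session = ['token' => null];

// Store a fresh random token server-side; the caller embeds it in the form.
function issueToken(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];
}

// Returns true and rotates the token when the submitted token matches the
// stored one; false is the "CSRF or Browser Back Button Used" outcome.
function verifyAndRotate(array &$session, array $post): bool
{
    $submitted = $post['token'] ?? '';
    if ($session['token'] === null || !is_string($submitted) || $submitted === '') {
        return false;               // the token never arrived with the form data
    }
    if (!hash_equals($session['token'], $submitted)) {
        return false;               // stale token: another tab already submitted
    }
    issueToken($session);           // accepted, so the old token is now dead
    return true;
}

// PHP stops parsing POST fields once max_input_vars is reached (default 1000),
// so a hidden token field past the cutoff is silently dropped. This estimates
// whether a form with $fieldCount inputs would lose fields on this server.
function postWouldBeTruncated(int $fieldCount, ?int $maxInputVars = null): bool
{
    $limit = $maxInputVars ?? (int) ini_get('max_input_vars');
    return $fieldCount > $limit;
}

// Two tabs rendered from the same session carry the same token.
$tabA = issueToken($session);
$tabB = $tabA;

// Tab A saves first: its token matches and the session token is rotated.
var_dump(verifyAndRotate($session, ['token' => $tabA]));

// Tab B saves afterwards with the token it was rendered with, which tab A's
// save has already replaced, so the submission is rejected.
var_dump(verifyAndRotate($session, ['token' => $tabB]));

// Constructed field counts: a 1200-field form against the PHP default limit,
// then against the raised 5000 limit mentioned later in this thread.
var_dump(postWouldBeTruncated(1200, 1000));
var_dump(postWouldBeTruncated(1200, 5000));
```

The rotation in verifyAndRotate() is what makes the message appear on the "other" tabs: nothing on those pages changed, but the token they carry no longer matches the one the server now expects. postWouldBeTruncated() is only an estimate; the real check is the "Input variables exceeded" warning PHP logs when the limit is hit.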

Yes, it is the fly-out box: type a few letters and select the 'predictive text'; as you say, no 'enter' is required. Sometimes it works, sometimes not.

I have installed the DB and files on a test domain with an alternative hosting company to test it off the live environment and can't get that to fall over with the same error. So it does seem to be hosting related.

We were forced to a new host a few weeks back (from Ariotek to Krystal).

The max_input_vars is 5000 for both fields (local and master).


Whilst trying to find out why we have CSRF warnings, I have copied the errors below from the System Error Log; could someone please explain what it means and what I need to do to stop it happening. Thank you in advance.

James
Today, 12:29

File: [catalogue.class.php] Line: [1817] "SELECT I.* FROM CubeCart_inventory AS I LEFT JOIN (SELECT product_id, MAX(price) as price, MAX(sale_price) as sale_price FROM CubeCart_pricing_group WHERE group_id = 0 GROUP BY product_id) as G ON G.product_id = I.product_id WHERE I.product_id IN (SELECT product_id FROM `CubeCart_category_index` as CI INNER JOIN CubeCart_category as C where CI.cat_id = C.cat_id AND C.status = 1) AND I.status = 1 AND (I.name RLIKE '[[:<:]]Bow[[:>:]]' OR I.description RLIKE '[[:<:]]Bow[[:>:]]' OR I.product_code RLIKE '[[:<:]]Bow[[:>:]]') ORDER BY Relevance DESC LIMIT 12 OFFSET 0 " - Unknown column 'Relevance' in 'order clause'
Today, 08:13

File: [catalogue.class.php] Line: [1817] "SELECT I.* FROM CubeCart_inventory AS I LEFT JOIN (SELECT product_id, MAX(price) as price, MAX(sale_price) as sale_price FROM CubeCart_pricing_group WHERE group_id = 0 GROUP BY product_id) as G ON G.product_id = I.product_id WHERE I.product_id IN (SELECT product_id FROM `CubeCart_category_index` as CI INNER JOIN CubeCart_category as C where CI.cat_id = C.cat_id AND C.status = 1) AND I.status = 1 AND (I.name RLIKE '[[:<:]]Plr[[:>:]].*[[:<:]]500[[:>:]]' OR I.description RLIKE '[[:<:]]Plr[[:>:]].*[[:<:]]500[[:>:]]' OR I.product_code RLIKE '[[:<:]]Plr[[:>:]].*[[:<:]]500[[:>:]]') ORDER BY Relevance DESC LIMIT 12 OFFSET 0 " - Unknown column 'Relevance' in 'order clause'
Yesterday, 21:40

File: [catalogue.class.php] Line: [1817] "SELECT I.* FROM CubeCart_inventory AS I LEFT JOIN (SELECT product_id, MAX(price) as price, MAX(sale_price) as sale_price FROM CubeCart_pricing_group WHERE group_id = 0 GROUP BY product_id) as G ON G.product_id = I.product_id WHERE I.product_id IN (SELECT product_id FROM `CubeCart_category_index` as CI INNER JOIN CubeCart_category as C where CI.cat_id = C.cat_id AND C.status = 1) AND I.status = 1 AND (I.name RLIKE '[[:<:]]bag[[:>:]]' OR I.description RLIKE '[[:<:]]bag[[:>:]]' OR I.product_code RLIKE '[[:<:]]bag[[:>:]]') ORDER BY Relevance DESC LIMIT 12 OFFSET 0 " - Unknown column 'Relevance' in 'order clause'

Yesterday, 15:17

File: [catalogue.class.php] Line: [1817] "SELECT I.* FROM CubeCart_inventory AS I LEFT JOIN (SELECT product_id, MAX(price) as price, MAX(sale_price) as sale_price FROM CubeCart_pricing_group WHERE group_id = 0 GROUP BY product_id) as G ON G.product_id = I.product_id WHERE I.product_id IN (SELECT product_id FROM `CubeCart_category_index` as CI INNER JOIN CubeCart_category as C where CI.cat_id = C.cat_id AND C.status = 1) AND I.status = 1 AND (I.name RLIKE '[[:<:]]711[[:>:]]' OR I.description RLIKE '[[:<:]]711[[:>:]]' OR I.product_code RLIKE '[[:<:]]711[[:>:]]') ORDER BY Relevance DESC LIMIT 12 OFFSET 0 " - Unknown column 'Relevance' in 'order clause'

This is a known issue and will not cause any damage to the store. The programmers are working on it.

CubeCart makes three attempts at searching for a product.

1. Using a complicated (as implemented by the database server) algorithm that searches the database using a 'relevance approach'. The results have a "relevance weighting factor". If nothing found,
2. Using an expression looking for whole words. If nothing found,
3. Looking for the characters entered which may appear anywhere.

The problem with the CubeCart code is that the Advanced Search page has a sort selector that defaults to a sort method (Relevance) that is only applicable to method #1. CubeCart is supposed to drop that sort method and default to another, legal sort criteria for #2 or #3, but doesn't.

Thus, the error message from the database server.

You shouldn't see this error if you choose to sort by something other than Relevance on the Advanced Search page.

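The three-stage search and the fix bsmither describes (drop the "Relevance" sort when the fallback stages run, because that alias only exists in the first query) look like this in code. This is an added illustration, not CubeCart's own code: the stage SELECT shapes (stage 1 written as a MySQL full-text MATCH ... AGAINST with an aliased score), the column names in the sort whitelist, the function names and the stand-in database closure are all assumptions; the stage-2 RLIKE pattern is taken from the logged queries above, and $term is assumed to be escaped by the caller.

```php
<?php
// Added illustration, not CubeCart's own code. It shows the three-stage search
// described above and the fix it implies: "Relevance" is only a column alias in
// the stage-1 query, so the fallback stages must be given another legal sort
// instead of inheriting the Advanced Search default. The SELECT fragments are
// assumed shapes, not the queries CubeCart actually runs, and $term is assumed
// to be escaped by the caller.

declare(strict_types=1);

const STAGE_RELEVANCE  = 1; // relevance-weighted search; result set has a Relevance column
const STAGE_WHOLE_WORD = 2; // RLIKE with word boundaries, as in the logged queries
const STAGE_SUBSTRING  = 3; // the characters may appear anywhere

// Sort keys the Advanced Search page may request, mapped to real columns
// (column names assumed). 'relevance' is deliberately absent: it is per stage.
const LEGAL_SORTS = [
    'name'  => 'I.name',
    'price' => 'G.price',
];

function orderByClause(int $stage, string $requestedSort, string $direction): string
{
    $direction = strtoupper($direction) === 'ASC' ? 'ASC' : 'DESC';
    if ($requestedSort === 'relevance') {
        if ($stage === STAGE_RELEVANCE) {
            return "ORDER BY Relevance $direction";
        }
        // Stages 2 and 3 have no Relevance column: substitute a legal default
        // rather than let the database reject the whole query.
        return 'ORDER BY I.name ASC';
    }
    // Whitelist the key so page input never reaches the SQL string directly.
    $column = LEGAL_SORTS[$requestedSort] ?? 'I.name';
    return "ORDER BY $column $direction";
}

function selectFor(int $stage, string $term): string
{
    switch ($stage) {
        case STAGE_RELEVANCE:
            return "SELECT I.*, MATCH (I.name, I.description, I.product_code) AGAINST ('{$term}') AS Relevance "
                 . "FROM CubeCart_inventory AS I WHERE I.status = 1 "
                 . "AND MATCH (I.name, I.description, I.product_code) AGAINST ('{$term}')";
        case STAGE_WHOLE_WORD:
            return "SELECT I.* FROM CubeCart_inventory AS I WHERE I.status = 1 AND ("
                 . "I.name RLIKE '[[:<:]]{$term}[[:>:]]' OR I.description RLIKE '[[:<:]]{$term}[[:>:]]' "
                 . "OR I.product_code RLIKE '[[:<:]]{$term}[[:>:]]')";
        default:
            return "SELECT I.* FROM CubeCart_inventory AS I WHERE I.status = 1 AND ("
                 . "I.name LIKE '%{$term}%' OR I.description LIKE '%{$term}%' OR I.product_code LIKE '%{$term}%')";
    }
}

// Try each stage in turn and return the first non-empty result. $runQuery
// stands in for the database layer: it receives the SQL and returns the rows.
function searchWithFallback(string $term, string $requestedSort, string $direction, callable $runQuery): array
{
    foreach ([STAGE_RELEVANCE, STAGE_WHOLE_WORD, STAGE_SUBSTRING] as $stage) {
        $sql  = selectFor($stage, $term) . ' ' . orderByClause($stage, $requestedSort, $direction) . ' LIMIT 12 OFFSET 0';
        $rows = $runQuery($sql);
        if ($rows !== []) {
            return $rows;
        }
    }
    return [];
}

// Constructed stand-in for the database: the relevance stage finds nothing for
// 'Bow', and any later stage that still says ORDER BY Relevance fails exactly
// like the logged queries, because no such column is in its result set.
$fakeDb = function (string $sql): array {
    if (strpos($sql, 'AS Relevance') === false && strpos($sql, 'ORDER BY Relevance') !== false) {
        throw new RuntimeException("Unknown column 'Relevance' in 'order clause'");
    }
    if (strpos($sql, 'MATCH') !== false) {
        return [];                                      // relevance stage: no hit
    }
    return [['product_id' => 1, 'name' => 'Bow tie']];  // constructed row
};

print_r(searchWithFallback('Bow', 'relevance', 'DESC', $fakeDb));
```

The only change from the behaviour in the thread is the branch in orderByClause() that swaps the sort for stages 2 and 3; without it the stand-in database throws the same "Unknown column 'Relevance'" error that appears in the System Error Log, which is why choosing a different sort on the Advanced Search page makes the error go away.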

"CSRF or Browser Back Button Used"

Just reporting back that this issue seems to be resolved without doing anything - Don't know why but the shop staff have reported that the problem seems to have gone away.  Can't say I believe it but....  Thanks for the help.

James


Al reported that he determined an "OTT caching" problem was the cause of someone's issue that could be very similar to yours.

It would be really freaky if you and this other user are with the same host, and the hosting techs were instructed to relax the caching for this other person, which affected you as well.

