Features / Usability


"Sea Surfing (CSRF) detected. Operation blocked."

posts: 102

Hi!

I am getting this message:

"Sea Surfing (CSRF) detected. Operation blocked."
"Click here to confirm your action"


Go back
Return to home page



I was trying to create this:

Treasures of the Internet



Table of Contents

  • [/multitiki/tiki-read_article.php?articleId=2| Introduction]
  • [/multitiki/tiki-read_article.php?articleId=3| One World]
  • [/multitiki/tiki-read_article.php?articleId=4| Our World Today]
  • [/multitiki/tiki-read_article.php?articleId=5| American Dream]
  • etc.



or anything with links. [Note: The extra square-bracket was added to reveal what was actually placed in each link.]

Taking the Introduction above as example, initially it was just:

  • [tiki-read_article.php?articleId=2| Introduction]

It does not work. I still get the message shown above. If I persist, I get a lot of error messages. Thus, I changed it to:

  • [/multitiki/tiki-read_article.php?articleId=2| Introduction]

but the message persists, then I changed it to:

  • [../multitiki/tiki-read_article.php?articleId=2| Introduction]


I thought the above worked. But, when I tried to modify the page

  • [/multitiki/tiki-read_article.php?articleId=4| Our World Today]


with a lot of links of news from BBC, I now have the message back. I wonder what is causing the problem.

I do not detect it when there is no link in the file I submitted.

Thanks.

cgc0202

posts: 4596 Japan

The CSRF message shouldn't have anything to do with how the links in your page are written, as far as I know. It's to guard against malicious cross-site scripting attacks, i.e., to make sure you are a human editor and not an evil script. Anyway, what happens if you just click "confirm" to save the page when it contains the links as you first wrote them? Is the page edit saved OK? I get these messages sometimes and just click to confirm and go on. I haven't really paid attention to whether the message occurrence is related to the page content.

-- Gary - zukakakina.com

posts: 102

> The CSRF message shouldn't have anything to do with how the links in your page are written, as far as I know. It's to guard against malicious cross-site scripting attacks, i.e., to make sure you are a human editor and not an evil script. Anyway, what happens if you just click "confirm" to save the page when it contains the links as you first wrote them? Is the page edit saved OK? I get these messages sometimes and just click to confirm and go on. I haven't really paid attention to whether the message occurrence is related to the page content.
>
> — Gary - zukakakina.com

Hi Gary,

I just experienced this the past few days, starting the day before I reported it here. It is on and off. When I confirm, most of the time it goes through. There were a few times I got the error messages. It seems to be specific for one of the tikiwiki sites I initiated recently. (see note below)

This may be how I checked the CSRF options. But, once it is checked, the appearance of the note is on or off. Note: I have not specified the group. Can this feature be checked, let's say for registered user, and not Admin's? What are the pros and cons for doing just that, i.e., specifying the group to which CSRF applies?

Thanks.

cgc0202

Note: [I have been installing several tikis because I do not know how to install the "multi-tiki" yet — the instructions of mose for Multitiki1.9.1 are very confusing to me. Several people here have asked for clarifications and the responders keep on pointing to mose's instructions. Also, the multitiki tutorial by mose seems to be for installation if you own the server. My websites are in a shared server environment.]


posts: 32

Hello Gary et al,

We are using Tiki 12.x and we have this problem as well.

This was not the case when we were using Tiki 10.x

Let me explain a case when this problem happens:
When we try to create a new user group.
We fill in some details (name, description, home page).
Then when we click on "Add" button.
We get a page where it asks for action confirmation (create).
When we confirm, after that, we get this error page:
"Sea Surfing (CSRF) detected. Operation blocked."

There is NO 'confirm' button (as in the original post here).
The only buttons are to "Go back" or "Go back to homepage".

So we are fairly stuck with inability to create further groups.
Please help.

Thanks in advance for advice & insights!


posts: 32

Hello again!

Some additional observation regarding the blockage:
As we could not create a new group from the Admin panel, we tried to modify an existing group and reuse it.
However, the same problem happens as above.

So really stuck at this point.
Any help in this regard would be appreciated.

Thanks in advance!

posts: 1542 Canada

Visit tiki-admin.php and search for "CSRF" and try different settings.

Best regards,

M ;-)

posts: 55 United States

Not working in 14.

posts: 32

Hi Marc,

Thanks for the tip.

Yes, I went to the Tiki admin panel and searched for CSRF. I found the following 2 options, inside the "Security" block:
Option 1: Require confirmation if possible CSRF detected
Option 2: Protect against CSRF with a ticket

I ticked the first option and unticked the second. Then save/change.

Things are better now.

Best!
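
An added illustration, not part of the thread and not Tiki's code: a simplified Python model of the two settings named in the last post, showing how a legitimate editor can trip a ticket check (an expired ticket, or the same form reopened in a second tab). The class and method names, the 15-minute lifetime, and the rule that confirmation takes precedence over blocking are all assumptions.

```python
import hmac
import secrets
import time

TICKET_TTL = 15 * 60  # seconds a ticket stays valid (assumed value)


class TicketGuard:
    """Simplified model of a ticket-based CSRF check (hypothetical, not Tiki's)."""

    def __init__(self, require_ticket, confirm_if_suspect):
        # Models "Protect against CSRF with a ticket"
        self.require_ticket = require_ticket
        # Models "Require confirmation if possible CSRF detected"
        self.confirm_if_suspect = confirm_if_suspect
        self._tickets = {}  # session_id -> (ticket, issued_at); one slot per session

    def issue(self, session_id, now=None):
        """Called when a form or confirmation page is rendered (hidden field)."""
        ticket = secrets.token_urlsafe(32)
        issued_at = time.time() if now is None else now
        self._tickets[session_id] = (ticket, issued_at)  # replaces any older ticket
        return ticket

    def _ticket_ok(self, session_id, submitted, now):
        stored = self._tickets.pop(session_id, None)  # single use
        if stored is None or submitted is None:
            return False
        ticket, issued_at = stored
        if now - issued_at > TICKET_TTL:
            return False  # form was left open too long
        # Constant-time comparison of the stored and submitted tickets
        return hmac.compare_digest(ticket.encode(), submitted.encode())

    def check(self, session_id, submitted, now=None):
        """Return 'accept', 'confirm' or 'block' for a state-changing request."""
        now = time.time() if now is None else now
        if self._ticket_ok(session_id, submitted, now):
            return "accept"
        if self.confirm_if_suspect:
            return "confirm"  # show a confirmation page carrying a fresh ticket
        if self.require_ticket:
            return "block"    # the "Operation blocked" outcome
        return "accept"       # no CSRF protection configured
```
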