ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0001224
Project: ClearOS
Category: clearos-framework
View Status: public
Date Submitted: 2013-07-11 10:31
Last Update: 2013-08-21 21:10
Reporter: bchambers
Assigned To: bchambers
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 6.4.0
Target Version: 6.5.0 Beta 1
Fixed in Version: 6.5.0 Beta 1
Summary: 0001224: CSRF fails if server time is off by more than -2 hours
Description: In some browsers (Chrome on Linux), the csrf cookie is not set if the server time is off. Specifically, if the server clock is off by more than the $config['csrf_expire'] value set in /usr/clearos/framework/applications/config/config.php, the cookie fails to be created on the client and forms do not pass the CSRF protection (including login).
Steps To Reproduce: Set your system clock to -2 hours or more before the current time and attempt webconfig login.
Tags: No tags attached.
Issue History
2013-07-11 10:31  bchambers  New Issue
2013-07-11 10:31  bchambers  Status: new => assigned
2013-07-11 10:31  bchambers  Assigned To: => bchambers
2013-07-11 11:18  bchambers  Note Added: 0000923
2013-07-11 11:21  bchambers  Note Added: 0000924
2013-07-11 11:31  bchambers  Note Added: 0000925
2013-07-17 11:45  bchambers  Checkin
2013-07-17 11:45  bchambers  Note Added: 0000935
2013-07-17 11:45  bchambers  Status: assigned => resolved
2013-07-17 11:45  bchambers  Resolution: open => fixed
2013-08-19 11:42  user2      Fixed in Version: => 6.5.0 Beta 1
2013-08-19 11:42  user2      Target Version: 6.4.0 Updates => 6.5.0 Beta 1
2013-08-21 21:10  user2      Status: resolved => closed

Notes
(0000923) bchambers 2013-07-11 11:18
On login, you will see:

An Error Was Encountered
The action you have requested is not allowed.
(0000924) bchambers 2013-07-11 11:21
Not sure how to get around this...

Since it will stop users at the login page, perhaps send the Unix timestamp of the server to compare in JavaScript with the desktop's timestamp and display a warning if the server is older by two hours or more.
(0000925) bchambers 2013-07-11 11:31
To solve this issue, correct the internal clock time on your server (or desktop). In ClearOS, run:

timesync

to connect to remote NTP servers and update the clock.
(0000935) bchambers 2013-07-17 11:45
Source Code Changelog
---------------------------------------------------
- Override security class to make CSRF token session based [fixed tracker 0001224]

File Changes
---------------------------------------------------
Details: http://code.clearfoundation.com/svn/revision.php?repname=ClearOS&rev=6226
U webconfig/framework/trunk/application/config/config.php
A webconfig/framework/trunk/application/core/MY_Security.php
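The failure in the description and the fix in note 0000935 can be modelled side by side. The following is an added example, not ClearOS or CodeIgniter code and not the contents of MY_Security.php: it simulates a browser that drops a Set-Cookie whose Expires attribute is already in the past by the client's own clock (RFC 6265 behaviour), then runs two CSRF schemes against a server whose clock is skewed. The cookie-based scheme (token in a cookie with Expires = server time + csrf_expire) breaks once the server is behind by csrf_expire or more; the session-based scheme (token stored server-side, client holds only a session cookie with no Expires) is unaffected. CSRF_EXPIRE = 7200 is an assumption taken from the "2 hours" in the report; all timestamps are constructed.

```python
"""Clock-skew model: cookie-based CSRF token vs session-based CSRF token (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed from the report's "-2 hours": mirrors $config['csrf_expire'] in seconds.
CSRF_EXPIRE = 7200


@dataclass
class Browser:
    """Minimal cookie jar driven by the client's clock.

    A cookie whose Expires is at or before the client's 'now' is treated as
    already expired and is not stored (RFC 6265 section 5.3).
    """
    clock: int                                   # client's Unix time (constructed)
    jar: dict = field(default_factory=dict)

    def set_cookie(self, name, value, expires=None):
        if expires is not None and expires <= self.clock:
            self.jar.pop(name, None)             # expired on arrival -> dropped
            return False
        self.jar[name] = value
        return True


def cookie_csrf_flow(server_clock, browser):
    """Original scheme: token lives in a cookie whose Expires is computed on the server."""
    token = secrets.token_hex(16)
    browser.set_cookie("csrf_cookie", token, expires=server_clock + CSRF_EXPIRE)
    form_token = token                           # same token rendered into the hidden form field
    # On POST the server compares the hidden field with the cookie echoed back by the browser.
    cookie_token = browser.jar.get("csrf_cookie")
    return cookie_token is not None and hmac.compare_digest(cookie_token, form_token)


def session_csrf_flow(browser, sessions):
    """Fixed scheme: token kept server-side in the session; client only holds a session cookie."""
    sid = secrets.token_hex(16)
    sessions[sid] = {"csrf_token": secrets.token_hex(16)}
    browser.set_cookie("sessid", sid)            # no Expires attribute, so client clock is irrelevant
    form_token = sessions[sid]["csrf_token"]     # rendered into the hidden form field
    stored = sessions.get(browser.jar.get("sessid"), {}).get("csrf_token")
    return stored is not None and hmac.compare_digest(stored, form_token)


def run(skew_seconds):
    """Run both schemes with the server clock offset from the client by skew_seconds.

    Negative skew means the server is behind the client (the case in the report).
    """
    client_now = 1_373_560_000                   # constructed fixed epoch for determinism
    server_now = client_now + skew_seconds
    return {
        "cookie_based": cookie_csrf_flow(server_now, Browser(clock=client_now)),
        "session_based": session_csrf_flow(Browser(clock=client_now), {}),
    }


if __name__ == "__main__":
    for skew in (0, -3600, -7200, -7201, 86400):
        print(f"server skew {skew:>6}s -> {run(skew)}")
```

The model reproduces the report: with the server two hours or more behind, the cookie-based check fails for every form (login included) while the session-based token still validates, because the only thing the client stores is a session cookie with no expiry for the skewed clock to invalidate.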