ClearOS Bug Tracker


ID: 0001224
Project: ClearOS
Category: clearos-framework
View Status: public
Date Submitted: 2013-07-11 10:31
Last Update: 2013-08-21 21:10
Reporter: bchambers
Assigned To: bchambers
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 6.4.0
Target Version: 6.5.0 Beta 1
Fixed in Version: 6.5.0 Beta 1
Summary: 0001224: CSRF fails if server time is off by more than -2 hours
Description: In some browsers (Chrome on Linux), the CSRF cookie is not set if the server time is off. Specifically, if the server clock is off by more than the value of the $config['csrf_expire'] setting in /usr/clearos/framework/applications/config/config.php, the cookie fails to be created on the client and forms do not pass the CSRF protection (including login).
Steps To Reproduce: Set your system clock to -2 hours or more before the current time and attempt webconfig login.
Tags: No tags attached.
Attached Files: none

-  Notes
(0000923)
bchambers (administrator)
2013-07-11 11:18

On login, you will see:

An Error Was Encountered
The action you have requested is not allowed.
(0000924)
bchambers (administrator)
2013-07-11 11:21

Not sure how to get around this...

Since it will stop users at the login page, perhaps send the Unix timestamp of the server to compare in JavaScript with the desktop's timestamp, and display a warning if the server is older by two hours or more.
(0000925)
bchambers (administrator)
2013-07-11 11:31

To solve this issue, correct the internal clock time on your server (or desktop). In ClearOS, run:

timesync

to connect to remote NTP servers and update the clock.
(0000935)
bchambers (administrator)
2013-07-17 11:45

Source Code Changelog
---------------------------------------------------
- Override security class to make CSRF token session based [fixed tracker 0001224]

File Changes
---------------------------------------------------
Details: http://code.clearfoundation.com/svn/revision.php?repname=ClearOS&rev=6226
U webconfig/framework/trunk/application/config/config.php
A webconfig/framework/trunk/application/core/MY_Security.php
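The failure described in the report and the fix recorded in the changelog above, as an added simulation that is not ClearOS or CodeIgniter code: the cookie-based token carries an Expires computed from the server clock that the browser judges against its own clock, while a session-based token lives server-side and has no client-evaluated expiry. The class and function names, the session id and the 7200-second value (the two hours named in the report) are constructed for the example.

```python
# Constructed simulation (not ClearOS or CodeIgniter code) of the clock-skew
# failure reported above and of the session-based fix in the changelog.
from datetime import datetime, timedelta, timezone
import secrets

CSRF_EXPIRE = 7200  # seconds; the 2-hour $config['csrf_expire'] cited in the report

class Server:
    def __init__(self, skew_seconds):
        self.skew = timedelta(seconds=skew_seconds)  # server clock minus real time
        self.sessions = {}  # session id -> CSRF token (session-based variant)

    def cookie_csrf(self, real_now):
        # Cookie-based token: Expires is computed from the SERVER clock,
        # but the browser judges it against its OWN clock.
        expires = real_now + self.skew + timedelta(seconds=CSRF_EXPIRE)
        return {"name": "csrf_cookie", "value": secrets.token_hex(16), "expires": expires}

    def session_csrf(self, session_id):
        # Session-based token: kept in server-side session state and emitted
        # as a hidden form field, so there is no client-evaluated expiry.
        return self.sessions.setdefault(session_id, secrets.token_hex(16))

class Browser:
    """Cookie jar applying the RFC 6265 rule: an Expires not in the future
    (by the client clock) makes the cookie expire immediately."""

    def __init__(self):
        self.jar = {}

    def accept(self, cookie, real_now):
        if cookie["expires"] <= real_now:
            return False  # silently discarded; the login form carries no token
        self.jar[cookie["name"]] = cookie["value"]
        return True

def cookie_login_works(skew_seconds, real_now=None):
    """True when the cookie-based CSRF token survives to the login POST."""
    real_now = real_now or datetime.now(timezone.utc)
    server, browser = Server(skew_seconds), Browser()
    cookie = server.cookie_csrf(real_now)
    return browser.accept(cookie, real_now) and browser.jar["csrf_cookie"] == cookie["value"]

def session_login_works(skew_seconds):
    """True when the session-based token verifies regardless of server skew."""
    server = Server(skew_seconds)
    token = server.session_csrf("sid-1")  # value the form sends back in its hidden field
    return server.sessions["sid-1"] == token
```

A server clock behind real time by at least CSRF_EXPIRE produces a cookie that is already expired on arrival, which is the "action you have requested is not allowed" login failure; a clock ahead of real time does not trigger it.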

- Issue History
Date Modified Username Field Change
2013-07-11 10:31 bchambers New Issue
2013-07-11 10:31 bchambers Status new => assigned
2013-07-11 10:31 bchambers Assigned To => bchambers
2013-07-11 11:18 bchambers Note Added: 0000923
2013-07-11 11:21 bchambers Note Added: 0000924
2013-07-11 11:31 bchambers Note Added: 0000925
2013-07-17 11:45 bchambers Checkin
2013-07-17 11:45 bchambers Note Added: 0000935
2013-07-17 11:45 bchambers Status assigned => resolved
2013-07-17 11:45 bchambers Resolution open => fixed
2013-08-19 11:42 user2 Fixed in Version => 6.5.0 Beta 1
2013-08-19 11:42 user2 Target Version 6.4.0 Updates => 6.5.0 Beta 1
2013-08-21 21:10 user2 Status resolved => closed