Problem with CSRF


Problem with CSRF

Andreas Meyer
Hello!

Today I logged into roundcube and found the folders are empty. I tried to
log out and get:

ANFORDERUNGSPRÜFUNG FEHLGESCHLAGEN
Zu Ihrer Sicherheit wird der Zugriff auf diese Ressource mit CSRF geschützt.
Wenn Sie dies sehen, haben Sie sich wahrscheinlich vor dem Verlassen der Webanwendung nicht abgemeldet.

Nun ist eine menschliche Interaktion erforderlich, um fortzusetzen.

Bitte kontaktieren Sie Ihren Server-Administrator.

This is the first time I saw this. Can't log out.

What's my problem?

Kind regards

  Andreas
--
PGP-Fingerprint: D392 5D21 0299 63D7 5BAE 4562 1E56 B2EA 81A2 59F1

_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users


Re: Problem with CSRF

Andreas Meyer
Reindl Harald <[hidden email]> wrote on 08.04.19 at 21:52:53:

> On 08.04.19 at 21:40, Andreas Meyer wrote:
> > Hello!
> >
> > Today I logged into roundcube and found the folders are empty. I
> > tried to log out and get:
> >
> > ANFORDERUNGSPRÜFUNG FEHLGESCHLAGEN Zu Ihrer Sicherheit wird der
> > Zugriff auf diese Ressource mit CSRF geschützt. Wenn Sie dies
> > sehen, haben Sie sich wahrscheinlich vor dem Verlassen der
> > Webanwendung nicht abgemeldet.
> >
> > Nun ist eine menschliche Interaktion erforderlich, um
> > fortzusetzen.
> >
> > Bitte kontaktieren Sie Ihren Server-Administrator.
> >
> > This is the first time I saw this. Can't logout.
> >
> > What's my problem?  
>
> roundcube and a dumb CSRF protection at the login/logout page, ignore it

I can't ignore it. The mail folders are empty and I can't log out. Don't know why
this happens. Nothing changed in the system for many months.

  Andreas

Re: Problem with CSRF

Andreas Meyer
Reindl Harald <[hidden email]> wrote on 08.04.19 at 22:43:39:

> >> roundcube and a dumb CSRF protection at the login/logout page,
> >> ignore it
> >
> > I can't ignore it. The mail folders are empty and I can't log out.
> > Don't know why this happens. Nothing changed in the system for many
> > months.
>
> nonsense, saw that over the years and either reload login page or just
> delete your cookies, done - learn to operate your browser

No, this does not solve the problem. I just installed a fresh Chromium browser
to test with instead of Firefox and have the same problem with Chromium.

  Andreas

Re: Problem with CSRF

Andreas Meyer
Andreas Meyer <[hidden email]> wrote on 08.04.19 at 22:53:22:

> Reindl Harald <[hidden email]> wrote on 08.04.19 at 22:43:39:
>
> > >> roundcube and a dumb CSRF protection at the login/logout page,
> > >> ignore it
> > >
> > > I can't ignore it. The mail folders are empty and I can't log out.
> > > Don't know why this happens. Nothing changed in the system for many
> > > months.
> >
> > nonsense, saw that over the years and either reload login page or just
> > delete your cookies, done - learn to operate your browser  
>
> No, this does not solve the problem. I just installed a fresh Chromium browser
> to test with instead of Firefox and have the same problem with Chromium.

What happened here, that all of a sudden I don't have a working Roundcube
anymore? Where does this CSRF problem come from? I just upgraded to version
1.3.9 and the problem remains.

  Andreas


Re: Problem with CSRF

Michael Orlitzky-2
On 4/8/19 6:50 PM, Andreas Meyer wrote:
>
> What happened here, that all of a sudden I don't have a working Roundcube
> anymore? Where does this CSRF problem come from? I just upgraded to version
> 1.3.9 and the problem remains.
>

This just happens every once in a while, and nobody has a good answer.
Our users certainly don't know what to do. They call us, we don't know
what to do. I started disabling the CSRF protection entirely:

  1. Open program/lib/Roundcube/rcube.php
  2. Search for "public function check_request"
  3. Have it always return true.

Re: Problem with CSRF

Andreas Meyer
Hello!

Michael Orlitzky <[hidden email]> wrote on 08.04.19 at 20:23:20:

> On 4/8/19 6:50 PM, Andreas Meyer wrote:
> >
> > What happened here, that all of a sudden I don't have a working Roundcube
> > anymore? Where does this CSRF problem come from? I just upgraded to version
> > 1.3.9 and the problem remains.
> >  
>
> This just happens every once in a while, and nobody has a good answer.
> Our users certainly don't know what to do. They call us, we don't know
> what to do. I started disabling the CSRF protection entirely:
>
>   1. Open program/lib/Roundcube/rcube.php
>   2. Search for "public function check_request"
>   3. Have it always return true.
I fear I don't know how to do that. I don't know much about PHP if at all.

    public function check_request($mode = rcube_utils::INPUT_POST)
    {
        // check secure token in URL if enabled
        if ($token = $this->get_secure_url_token()) {
            foreach (explode('/', preg_replace('/[?#&].*$/', '', $_SERVER['REQUEST_URI'])) as $tok) {
                if ($tok == $token) {
                    return true;
                }
            }

            $this->request_status = self::REQUEST_ERROR_URL;

            return false;
        }

        $sess_tok = $this->get_request_token();

        // ajax requests
        if (rcube_utils::request_header('X-Roundcube-Request') === $sess_tok) {
            return true;
        }

        // skip empty requests
        if (($mode == rcube_utils::INPUT_POST && empty($_POST))
            || ($mode == rcube_utils::INPUT_GET && empty($_GET))
        ) {
            return true;
        }

        // default method of securing requests
        $token   = rcube_utils::get_input_value('_token', $mode);
        $sess_id = $_COOKIE[ini_get('session.name')];

        if (empty($sess_id) || $token !== $sess_tok) {
            $this->request_status = self::REQUEST_ERROR_TOKEN;
            return false;
        }

        return true;
    }


What do I need to change here?

Kind regards

  Andreas
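
The check_request function quoted above accepts or rejects a request in a fixed order. As an added example that is not Roundcube's code and not from this thread, here is a Python model of that order so each branch can be exercised on constructed requests; the Request class, the token values and the cookie name roundcube_sessid are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

INPUT_GET, INPUT_POST = "get", "post"            # stand-ins for rcube_utils::INPUT_*
REQUEST_ERROR_URL, REQUEST_ERROR_TOKEN = "url", "token"


@dataclass
class Request:
    """Constructed stand-in for the PHP superglobals that check_request reads."""
    uri: str = "/"
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    get: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def check_request(req, sess_tok, mode=INPUT_POST, secure_url_token=None,
                  session_name="roundcube_sessid"):   # assumed cookie name (PHP reads ini_get('session.name'))
    """Model of rcube::check_request(); returns (ok, error_status)."""
    # 1. If a secure URL token is configured, any path segment equal to it
    #    passes; otherwise the request is rejected with REQUEST_ERROR_URL.
    if secure_url_token:
        path = re.sub(r"[?#&].*$", "", req.uri)
        if secure_url_token in path.split("/"):
            return True, None
        return False, REQUEST_ERROR_URL
    # 2. AJAX requests carry the session token in the X-Roundcube-Request header.
    if req.headers.get("X-Roundcube-Request") == sess_tok:
        return True, None
    # 3. A request with no parameters in the checked method is not checked.
    params = req.post if mode == INPUT_POST else req.get
    if not params:
        return True, None
    # 4. Default path: the session cookie must exist and the _token parameter
    #    must equal the session token; anything else is REQUEST_ERROR_TOKEN.
    if not req.cookies.get(session_name) or params.get("_token") != sess_tok:
        return False, REQUEST_ERROR_TOKEN
    return True, None
```

The branch a user lands on explains the symptoms: a missing session cookie or a stale _token fails in step 4 regardless of the browser, which is why clearing cookies alone does not always help.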

Re: Problem with CSRF

Andreas Meyer
Reindl Harald <[hidden email]> wrote on 09.04.19 at 11:16:20:

> >>> What happened here, that all of a sudden I don't have a working
> >>> Roundcube anymore? Where does this CSRF problem come from? I
> >>> just upgraded to version 1.3.9 and the problem remains.
> >>>  
> >>
> >> This just happens every once in a while, and nobody has a good
> >> answer. Our users certainly don't know what to do. They call us,
> >> we don't know what to do. I started disabling the CSRF protection
> >> entirely:
> >>
> >> 1. Open program/lib/Roundcube/rcube.php 2. Search for "public
> >> function check_request" 3. Have it always return true.  
> >
> > I fear I don't know how to do that. I don't know much about PHP if
> > at all.  
>
> just write "return true;" as first line after the function definition,
> it's that easy
public function check_request($mode = rcube_utils::INPUT_POST)
   {  return true; }

Like so, and comment out the rest of the function?
Must be wrong, I get a blank page.

  Andreas


Re: Problem with CSRF

handcrafted cusine

STOP SENDING THIS RUBBISH!!!!!!!!!!!!!!!!

---

Thank you,

Kind regards,


Handcrafted Cuisine

laky J

director/executive Chef

Website: www.handcraftedcuisine.com.au

Mobile:    +61468681891

Email:      [hidden email]

 



Re: Problem with CSRF

Andreas Meyer
oh my god!

Bye

handcrafted cusine <[hidden email]> wrote on 09.04.19 at 19:39:19:

> STOP SENDING THIS RUBBISH!!!!!!!!!!!!!!!!


Re: Problem with CSRF

Michael Orlitzky-2
On 4/9/19 5:32 AM, Andreas Meyer wrote:
>
> public function check_request($mode = rcube_utils::INPUT_POST)
>    {  return true; }
>
> like so and comment out the rest of the function?
> Must be wrong, get a blank page.
>

You probably have a typo, that's the way to do it.

Re: Problem with CSRF

Ralph Seichter-2
* Andreas Meyer:

> handcrafted cusine <[hidden email]> wrote on
> 09.04.19 at 19:39:19 [...]

Just add these guys to your mail killfile. Months ago, I explained to
them how to get off this mailing list (as my good deed for the day), but
it looks like they are still around. While they don't know much about
mailing lists, they are apparently into creating culinary masterpieces
from scratch, which is commendable. ;-)

-Ralph

Re: Problem with CSRF

Andreas Meyer
Michael Orlitzky <[hidden email]> wrote on 09.04.19 at 08:16:29:

> On 4/9/19 5:32 AM, Andreas Meyer wrote:
> >
> > public function check_request($mode = rcube_utils::INPUT_POST)
> >    {  return true; }
> >
> > like so and comment out the rest of the function?
> > Must be wrong, get a blank page.
> >  
>
> You probably have a typo, that's the way to do it.
Guys, I'm sorry but I don't get it. I made it like this

    public function check_request($mode = rcube_utils::INPUT_POST)
    { return true;
        // check secure token in URL if enabled
        if ($token = $this->get_secure_url_token()) {
            foreach (explode('/', preg_replace('/[?#&].*$/', '', $_SERVER['REQUEST_URI'])) as $tok) {
                if ($tok == $token) {
                    return true;
                }
            }

            $this->request_status = self::REQUEST_ERROR_URL;

            return false;
        }
....

and can log out now, but the problem with the empty mail folders and the
preferences that cannot be selected remains.

Kind regards

  Andreas


Re: Problem with CSRF

Andreas Meyer
Michael Orlitzky <[hidden email]> wrote on 09.04.19 at 08:16:29:

> On 4/9/19 5:32 AM, Andreas Meyer wrote:
> >
> > public function check_request($mode = rcube_utils::INPUT_POST)
> >    {  return true; }
> >
> > like so and comment out the rest of the function?
> > Must be wrong, get a blank page.
> >  
>
> You probably have a typo, that's the way to do it.
Finally found out what caused the problems with not being able to log out
and not showing menus anymore in Roundcube.

In httpd.conf I had set

Header set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "sameorigin"
Header set X-Content-Type-Options nosniff
Header set X-Permitted-Cross-Domain-Policies "none"
#Header always set Referrer-Policy "same-origin"
Header always set Referrer-Policy "no-referrer"

Commenting out Header set X-Content-Type-Options nosniff solved all the problems.

Thank you everybody!

  Andreas

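
The thread ends with X-Content-Type-Options: nosniff removed from httpd.conf. As an added example that is not part of the thread: the rule a browser applies under nosniff is fixed (a script response is discarded unless its Content-Type is a JavaScript MIME type, a stylesheet unless it is text/css), so an administrator can keep the header and instead find the responses it is discarding and fix their Content-Type. The paths and headers below are constructed placeholders, not captures from a Roundcube server, and the thread does not say which responses were affected.

```python
JAVASCRIPT_MIME_TYPES = {   # JavaScript MIME types as listed by the MIME Sniffing standard
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def nosniff_blocks(destination, headers):
    """True if a nosniff-honouring browser would discard this response (destination "script" or "style")."""
    if _header(headers, "X-Content-Type-Options").strip().lower() != "nosniff":
        return False
    essence = _header(headers, "Content-Type").split(";", 1)[0].strip().lower()
    # Only scripts and stylesheets are subject to the nosniff blocking rule.
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


def audit(responses):
    """Return the URLs of the (url, destination, headers) triples a browser would block."""
    return [url for url, dest, hdrs in responses if nosniff_blocks(dest, hdrs)]


# Constructed sample responses with placeholder paths (not captured from a real
# Roundcube install); the last two are served with a wrong Content-Type.
SAMPLE_RESPONSES = [
    ("/example/app.js", "script",
     {"Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff"}),
    ("/example/styles.css", "style",
     {"Content-Type": "text/css; charset=utf-8", "X-Content-Type-Options": "nosniff"}),
    ("/example/plugin.js", "script",
     {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}),
    ("/example/skin.css", "style",
     {"Content-Type": "application/octet-stream", "X-Content-Type-Options": "nosniff"}),
]
```

Feeding this function the response headers of a misbehaving page (from the browser's developer tools or a proxy log) shows which assets to fix; a corrected Content-Type keeps the hardening header in place.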