#1 2016-08-21 17:10:37

themhouse
Member
From: Bulgaria
Registered: 2010-05-12
Posts: 100
Website

Ionize CMS 1.0.8 Cross Site Request Forgery

Hey guys smile

It's been a while since my last post. Today I found this link, and it would be good if somebody from the dev team checked it.
Ionize CMS 1.0.8 Cross Site Request Forgery

I check the forum once a week, but there is no information about the latest version. I would be happy to read something about it.

Thanks,
Milen


Web and Graphic Design studio PONTODESIGN
Download Bulgarian Translation


#2 2016-08-23 15:22:07

otemu
Member
Registered: 2014-03-07
Posts: 183

Re: Ionize CMS 1.0.8 Cross Site Request Forgery

Hi,

It is recommended in the config to enable csrf_protection when accepting user data.

codeigniter wrote:

If you are accepting user data, it is strongly recommended CSRF protection be enabled


#3 2016-08-31 09:27:55

adaliszk
Ionize Friend
From: Hungary
Registered: 2010-09-20
Posts: 395
Website

Re: Ionize CMS 1.0.8 Cross Site Request Forgery

Hmm, if you use the CodeIgniter CSRF protection and use it in your Ionize forms, then this exploit should be gone, but you are right, Ionize should support CSRF out of the box; in fact it should be mandatory, because most Ionize users are not programmers who know about CodeIgniter features. smile

For now you can enable the CSRF protection in application/config.php and add this code to your forms:

<input type="hidden"
    name="<?php echo $this->security->get_csrf_token_name(); ?>"
    value="<?php echo $this->security->get_csrf_hash(); ?>" />

Webdeveloper, Programmer, Application developer, Ionize friend
@adamos42


#4 2016-09-08 18:31:18

themhouse
Member
From: Bulgaria
Registered: 2010-05-12
Posts: 100
Website

Re: Ionize CMS 1.0.8 Cross Site Request Forgery

Thanks @adamos42 smile

I have already protected my site. I just shared the info I found on the internet, and it is good if somebody who has a problem with this can find the right info here in the forum, with a little info on how to protect their site from the exploit.

Thanks again smile
Cheers,
Milen




#5 2016-11-16 21:47:56

ccmksy
Member
From: Hong Kong
Registered: 2013-11-30
Posts: 48

Re: Ionize CMS 1.0.8 Cross Site Request Forgery

adamos42 wrote:

Hmm, if you use the CodeIgniter CSRF protection and use it in your Ionize forms, then this exploit should be gone, but you are right, Ionize should support CSRF out of the box; in fact it should be mandatory, because most Ionize users are not programmers who know about CodeIgniter features. smile

For now you can enable the CSRF protection in application/config.php and add this code to your forms:

<input type="hidden"
    name="<?php echo $this->security->get_csrf_token_name(); ?>"
    value="<?php echo $this->security->get_csrf_hash(); ?>" />

I tried, but there is an error:

A PHP Error was encountered

Severity: Notice

Message: Undefined property: FTL_Parser::$security

Filename: ftl/parser.php(327) : eval()'d code

Line Number: 44

Last edited by ccmksy (2016-11-16 21:48:50)


#6 2016-11-27 23:06:19

lesha
Member
Registered: 2013-10-22
Posts: 11

Re: Ionize CMS 1.0.8 Cross Site Request Forgery

ccmksy, try this:

<input type="hidden"
    name="<?php $CI =& get_instance(); echo $CI->security->get_csrf_token_name(); ?>"
    value="<?php echo $CI->security->get_csrf_hash(); ?>" />

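To put the advice from posts #3 and #6 together in one place, here is an added example (not Ionize or CodeIgniter project code, and not posted by anyone in this thread) showing the CodeIgniter config keys that switch CSRF protection on and a form view that emits the token without touching `$this->security`, which is what fails inside the FTL parser. Assumptions: the install keeps the stock `application/config/config.php` layout, the four config keys below are the ones CodeIgniter 2.x and 3.x both read, and the form action `contact/send` and field names are placeholders.

```php
<?php
// Added example, not Ionize or CodeIgniter code.
//
// 1) application/config/config.php
//
// Weak (and the effective default): every POST is accepted no matter which
// site produced it, so a page the victim visits can submit forms on their behalf.
$config['csrf_protection'] = FALSE;

// Hardened: on every POST CodeIgniter compares the hidden form field with the
// csrf cookie and rejects a mismatch or a missing field with a 403 error.
// The attacking site cannot read the victim's cookie, so it cannot forge the field.
$config['csrf_protection'] = TRUE;
$config['csrf_token_name']  = 'csrf_token';   // name of the hidden form field
$config['csrf_cookie_name'] = 'csrf_cookie';  // name of the cookie it is checked against
$config['csrf_expire']      = 7200;           // seconds a token stays valid

// 2) A form view. In an Ionize FTL template $this is FTL_Parser, which has
//    no ->security property (the Notice in post #5), so fetch the CI super
//    object instead, as post #6 does.
$CI =& get_instance();
?>
<form method="post" action="<?php echo site_url('contact/send'); ?>">
  <input type="hidden"
         name="<?php echo $CI->security->get_csrf_token_name(); ?>"
         value="<?php echo $CI->security->get_csrf_hash(); ?>" />
  <input type="text" name="message" />
  <input type="submit" value="Send" />
</form>

<?php
// 3) Equivalent shortcut in a plain CodeIgniter view: with csrf_protection
//    enabled, the form helper's form_open() inserts the same hidden field
//    for you (load the helper first).
$CI->load->helper('form');
echo form_open('contact/send');
?>
  <input type="text" name="message" />
  <input type="submit" value="Send" />
</form>
```

Two things to check after turning this on. First, the check applies to every POST the framework handles, not only the forms you edit: any form or AJAX request that does not carry the field, including the back office's own forms if they have not been adapted, will start failing with a 403, so exercise the admin panel after enabling it. Second, the token must come from the same response that set the cookie; a cached or pre-rendered page with a stale value fails the comparison once `csrf_expire` passes.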
