Support ⇒ Troubleshootings ⇒ Security Error ⇒ Community Forums ⇒ CPG Dragonfly™ CMS

Security Error


Have the same 9.2.1 CVS running (reliably) at many sites for years.

On just 1 site I just installed newsletters and while changing templates - in turn - to see the one I wanted to use, I suddenly got:
Security Error Home > Security Error You tried to access this page through a bad link... [ Home ] [ Go Back ]

Nothing I can think to do will clear this error. I've tried:
  • Clearing browser cache
  • Logging out/in
  • Clearing server cache/
  • Switching to a sessions folder via config.php
  • Combinations of the above.

Now I can live with the inability to change templates in Newsletter, but today I find:

- I cannot create Admins!

Any attempt to create an admin, even if I do not change browser tab, gives me the same error.

Note that everything else that usually gives this error, such as Admin > CPG Main Menu, and Admin > Blocks, still all work fine! No problems whatsoever. It's just Admins > Admins that is giving the error (besides Newsletters > Templates).

Now I really need to edit my Admins, so any ideas, please? I'm not sure of how to even debug this.

Pro_News CM™ - Content Management for Dragonfly CMS™

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux / 1.3.39 - 2.4.9 / 5.5.42 - 5.6.16 / 5.4.37 - 5.5.11 / 9.4


  1. Open Firefox
  2. Open Firebug
  3. Open the "Net" tab
  4. Ctrl+F5 browser

Is there a 404 in the list?
If so, this might cause the error as index.php might be called on 404's and then the admin session is reset.

In v10 we might solve this issue by creating a hidden "form-uid" item in forms to prevent this from happening.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


No, all 200's.

I have determined that the 2 issues are not directly related.

The Newsletters issue seems to be a timing problem of some sort. The

    if ($CPG_SESS['admin']['page'] != $op) { cpg_error(_ERROR_BAD_LINK, _SEC_ERROR); }

test is coming back with userinfo, instead of Newsletters. But if you Reload WITHOUT going back first (!) it does come up with Newsletters and everything proceeds. Next template change works OK first time, then 2nd fails until you Reload. So some local error - will investigate later maybe. (Workaround is good enough.)

Echoing test values in Admins > Admins, it's the $_POST['form_id']!==$_SESSION['ADMIN_FROM_ID'] test that's failing, I think. But the values look the same; however, it still fails if the condition is changed to !=

Here's the code with echoes:

    echo 'can-ad='.can_admin()
        .' sess='.$CPG_SESS['admin']['page']
        .' pst-frm-id='.$_POST['form_id']
        .' sess-frm-id='.$_SESSION['ADMIN_FROM_ID']
        .' bool1='.!can_admin()
        .' bool2='.($CPG_SESS['admin']['page'] != 'admins')
        .' bool3='.($_POST['form_id']!==$_SESSION['ADMIN_FROM_ID'])
        .' bool='.(!can_admin() || $CPG_SESS['admin']['page'] != 'admins' || $_POST['form_id']!==$_SESSION['ADMIN_FROM_ID']);
    if (!can_admin() || $CPG_SESS['admin']['page'] != 'admins' || $_POST['form_id']!==$_SESSION['ADMIN_FROM_ID']) {

and here's the output:

    can-ad=1 sess=admins pst-frm-id=1355670218.4593 sess-frm-id=1355670218.4593 bool1= bool2= bool3=1 bool=1



And here's simplified echo with !== changed to !=

    echo 'pst-frm-id ='.$_POST['form_id'].'<br />sess-frm-id='.$_SESSION['ADMIN_FROM_ID'].' bool3='.($_POST['form_id']!=$_SESSION['ADMIN_FROM_ID']);

and output is

    pst-frm-id =1355670218.4593 sess-frm-id=1355670218.4593 bool3=1



I'm facing exactly the same problem (unable to add admins/"You tried to access this page through a bad link...")

Have tried all the same steps as layingback plus tried changing themes and uninstalling all blocks/modules but to no avail. Does anyone have any idea how I/we can debug this further?

Many thanks!

Note: WWW Private Listing - Staff Only

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
linux/Apache 2.4.27/MySQL 10.1.26-MariaDB/PHP 5.2.17/Dragonfly 9.2.1


ADMIN_FROM_ID or ADMIN_FORM_ID ?

And, is it still present in newer versions than yours?

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS


Thanks Nano.

Layingback, you're more familiar with the internals here than I am (I'm not even sure how you echoed those values above!), could you provide some input? Many thanks.



No, it is ADMIN_FROM_ID

But why that line is there in the code, I'm not sure. Looking in v9 9.14 (for 9.2.1), and all later v9 versions, have just:

    if (!can_admin() || $CPG_SESS['admin']['page'] != 'admins') { cpg_error(_ERROR_BAD_LINK, _SEC_ERROR); }

Resetting admins.php back to that line clears the problem.

The only place I can find this longer version is in 10.3 by DJMaze in response to the packetstormsecurity.org issue. How that got into my DF9 code I'm not sure. I couldn't have written it myself! I'm using a DF9.2.1 version from CVS so maybe I got it in a snapshot (it was about the right time), or maybe I added it myself due to a misunderstanding (although it is in every copy of 9.2.1 on my system).

Anyway, now fixed thanks!

But why that extra code does fail is beyond my coding level - as indicated by the diagnostic code above, both SESSION IDs are the same ...

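A possible cause of the comparison failing although both values print the same, as an added example that is not code from the thread or from Dragonfly CMS: if the token is a float, the copy sent through the form is a rounded string. It assumes the token comes from microtime(true), which the thread does not show; the digits after .4593, the function names and the ADMIN_FORM_TOKEN key are constructed, and the hardened part needs PHP 7 or later for random_bytes().

```php
<?php
// Added example: constructed values, not Dragonfly CMS code.
// Assumption: the token was made with microtime(true), i.e. it is a float.
ini_set('precision', '14'); // PHP's default number of digits when a float is printed

// Server side: float kept in the session. The digits after .4593 are constructed.
$session = array('ADMIN_FROM_ID' => 1355670218.459312);

// Writing the float into the hidden form field casts it to a string and
// rounds it to 14 significant digits; the browser posts that string back.
$post = array('form_id' => (string) $session['ADMIN_FROM_ID']);

// Same diagnostic as in the thread: echo rounds the session float the same
// way, so both values look identical on screen.
echo 'pst-frm-id=', $post['form_id'], ' sess-frm-id=', $session['ADMIN_FROM_ID'], "\n";

// !== compares types first: a string is never identical to a float.
var_dump($post['form_id'] !== $session['ADMIN_FROM_ID']);
// != converts the numeric string to a float, which then lacks the digits
// that the session value still carries.
var_dump($post['form_id'] != $session['ADMIN_FROM_ID']);

// Hardened form (hypothetical names): the token is a random string, so it
// survives the form round trip unchanged and cannot be guessed from the clock.
function new_form_token()
{
    return bin2hex(random_bytes(16));
}

function form_token_ok(array $post, array $session)
{
    return isset($post['form_id'], $session['ADMIN_FORM_TOKEN'])
        && is_string($post['form_id'])
        && hash_equals($session['ADMIN_FORM_TOKEN'], $post['form_id']);
}

$session['ADMIN_FORM_TOKEN'] = new_form_token();
var_dump(form_token_ok(array('form_id' => $session['ADMIN_FORM_TOKEN']), $session)); // matching token
var_dump(form_token_ok(array('form_id' => 'stale-value'), $session));                // wrong token
var_dump(form_token_ok(array(), $session));                                          // field missing
```

Storing and comparing the token as a string keeps the form check in place instead of deleting it.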


Just remember that cutting a line doesn't make a fix.
However we are talking about an old version, any issues with newer versions?



That may be true. But it's almost impossible to see the V9 changes any more. The line of code in the latest v9/history version in CVS is:

    if (!can_admin() || $CPG_SESS['admin']['page'] != 'admins') { cpg_error(_ERROR_BAD_LINK, _SEC_ERROR); }

There is a different line in http://code.google.com/p/dragonfly-cms/source/browse/admin/modules/admins.php

That I don't understand as CVS was going to be kept up-to-date for v9/history I thought.

What's really confusing is it looks as if the versions on code.google.com pre-date those on CVS ... Maybe I'm wrong, as I only have file dates to go on, as version numbers aren't present on code.google.com

Which are the releases in Downloads built from?



All these issues are just because you are looking at the "default" branch, neither the v10 nor the v9.

In fact the latest v9's admin/modules/admins.php does not have the code you are referring to: code.google.com/p/drag...hp?name=v9

I'm pretty sure you are mixing your 9.2.1 with v10 code ...

