
Security Code Incorrect


I tried installing a new version of Dragonfly via the package manager, but it failed miserably and left me with a broken site.
So I rsync'd my files back up normally and got the site back, but I'm getting a lot of Security Code Incorrect messages now when attempting to post.

Which file(s) are involved in this security code checking? I will manually upload those files.


Last edited by hybrid on Fri Nov 24, 2017 7:33 am; edited 1 time in total


I have deleted files and re-uploaded them from my local repository.
Hopefully that fixes it. I will try to avoid the package manager for now.



The system should not give you a Security Code Incorrect message as there are no security codes any more.
The system now uses a CSRF token.

If you can provide more details about the issue, this would be welcome.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


It seems to have settled down now, so I'm not sure what was going on there.
If it comes back, I will gather some more info.



hybrid wrote:
"I tried installing a new version of Dragonfly via the package manager, but it failed miserably and left me with a broken site."

I solved this issue.
It was a nasty bug: bitbucket.org/dragonfl...a421510dbe
fopen() used 'cb', which means the file is opened but not truncated.


Last edited by DJ Maze on Sun Dec 24, 2017 4:23 pm; edited 3 times in total
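
The 'cb' behaviour described in the post above, shown as an added example that is not from the original thread or the Dragonfly code base: a shorter file written over a longer one keeps the old file's tail, and a hash comparison after the write detects it. The helper names (write_cb, write_wb, write_cb_locked) and the file contents are constructed for illustration.

```php
<?php
// Added illustration, not Dragonfly CMS code. Helper names and contents are constructed.

// As in the post: 'cb' creates or opens the file, keeps the existing bytes
// and places the pointer at offset 0, so a shorter write leaves an old tail.
function write_cb(string $path, string $data): void
{
    $fp = fopen($path, 'cb');
    fwrite($fp, $data);
    fclose($fp);
}

// 'wb' truncates on open, so nothing of the previous file survives.
function write_wb(string $path, string $data): void
{
    $fp = fopen($path, 'wb');
    fwrite($fp, $data);
    fclose($fp);
}

// 'cb' used safely: take an exclusive lock first, then truncate explicitly.
function write_cb_locked(string $path, string $data): void
{
    $fp = fopen($path, 'cb');
    if ($fp === false || !flock($fp, LOCK_EX)) {
        throw new RuntimeException("cannot open or lock $path");
    }
    ftruncate($fp, 0);
    fwrite($fp, $data);
    fflush($fp);
    flock($fp, LOCK_UN);
    fclose($fp);
}

// Constructed sample: the old release's file is longer than the new one.
$old = "<?php\nfunction render() { return 'version 1 with a longer body'; }\n";
$new = "<?php\nfunction render() { return 'v2'; }\n";

foreach (['write_cb', 'write_wb', 'write_cb_locked'] as $writer) {
    $path = tempnam(sys_get_temp_dir(), 'upd');
    file_put_contents($path, $old);   // file left by the previous release
    $writer($path, $new);             // the "update"
    clearstatcache();
    // Integrity check: hash of what is on disk against what was meant to be written.
    $ok = hash_equals(hash('sha256', $new), hash_file('sha256', $path));
    printf("%-16s size=%3d expected=%3d %s\n", $writer, filesize($path), strlen($new),
        $ok ? 'intact' : 'CORRUPT: stale tail of the old file remains');
    unlink($path);
}
```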


Had this issue again today when I tried to post.

I'm pretty sure I remember a dev saying that Security Code isn't used any more.
But I'm still getting this message at times.

It's happening to me right now when I try to post.
I tried closing my browser and re-opening, but it didn't make any difference.

Edit: looks like a logout fixed it. I wonder what is causing it.



There is only 1 place where it happens, and that is in /modules/Forums/posting.php:

    switch ($mode) {
        case 'newtopic':
        case 'reply':
            if (!\Dragonfly\Output\Captcha::validate($_POST)) {
                $error = true;
                \Poodle\Notify::error(_SECURITYCODE.' incorrect');

You must have a PHP session or browser cookie conflict, or JavaScript disabled.
Check in your browser debugger.


Last edited by DJ Maze on Thu Feb 15, 2018 4:13 pm; edited 1 time in total


So this can happen even if captcha isn't used?



yes



I think it might be this:

[4996:12096:0219/072921.139:INFO:CONSOLE(0)] "Error parsing header X-XSS-Protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube: insecure reporting URL for secure page at character position 22. The default protections will be applied.", source: https://www.youtube.com/embed/oE_JQJ5rGLc?autoplay=0&origin=http://www.mustangtech.com.au (0)
[4996:12096:0219/072921.139:INFO:CONSOLE(163)] "Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://accounts.google.com') does not match the recipient window's origin ('http://www.mustangtech.com.au').", source: https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.en_GB.E0MnMKUgMVk.O/m=plusone/rt=j/sv=1/d=1/ed=1/am=IA/rs=AGLTcCOs6LwZ-qw468uETpiEuI6HOqoFpg/cb=gapi.loaded_0 (163)

So maybe having an embedded YouTube video can stop the entire post? That sounds a bit strange.
I also tried switching to https on my site, but it still showed the "origin" as www.mustangtech.com.au.



bugs.chromium.org/p/ch...?id=807304


Edit: confirmed it works OK in IE, so I think this is definitely a chromium bug.


Last edited by hybrid on Mon Feb 19, 2018 5:20 am; edited 1 time in total


Wow, good find!

