Wrong Token #377

Open
GrooveStomp opened this issue Oct 13, 2016 · 1 comment


@GrooveStomp

I've installed KrISS feed on my Raspberry Pi on Debian 8 Jessie with Apache2.
KrISS web directory:

/var/www/kriss/public_html# tree
.
├── data
└── index.php

1 directory, 1 file

Apache config:

/# cat /etc/apache2/sites-enabled/kriss.conf
Listen 9165
<VirtualHost *:9165>
  ServerAdmin <...>
  DocumentRoot /var/www/kriss/public_html
  ErrorLog ${APACHE_LOG_DIR}/error-kriss.log
  CustomLog ${APACHE_LOG_DIR}/access-kriss.log combined
</VirtualHost>

I can hit the page fine in my browser at http://<raspberry-pi-local-ip>:9165 and see: Login, Password, Install KrISS feed.
When I fill in a Login and Password and hit the install button, I get: "Wrong Token" with a button to try again.

Logs:

/# cat /var/log/apache2/error-kriss.log
/#

/# cat /var/log/apache2/access-kriss.log
192.168.1.112 - - [13/Oct/2016:20:04:59 +0000] "GET / HTTP/1.1" 200 1404 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.112 - - [13/Oct/2016:20:05:00 +0000] "GET /?file=favicon.ico HTTP/1.1" 304 325 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.112 - - [13/Oct/2016:20:05:04 +0000] "POST / HTTP/1.1" 200 1178 "http://192.168.1.3:9165/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.112 - - [13/Oct/2016:20:05:04 +0000] "GET /?file=style.css&version=8.5 HTTP/1.1" 304 325 "http://192.168.1.3:9165/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.112 - - [13/Oct/2016:20:05:04 +0000] "GET /?file=favicon.ico HTTP/1.1" 304 325 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"

If I just disable the XSS check, then I can get through this single page.

/var/www/kriss/public_html# diff index.php.orig index.php -C 8
*** index.php.orig      2016-10-13 20:44:51.250231187 +0000
--- index.php   2016-10-13 20:45:12.859668885 +0000
***************
*** 5034,5049 ****
--- 5034,5050 ----
      public static function isToken($token)
      {
          if (isset($_SESSION['tokens'][$token])) {
              unset($_SESSION['tokens'][$token]); // Token is used: destroy it.

              return true; // Token is ok.
          }

+         return true;
          return false; // Wrong token, or already used.
      }
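Review bot: the added `return true;` turns `isToken()` into an unconditional accept, which disables the token check entirely and leaves the original `return false; // Wrong token, or already used.` unreachable dead code. As a one-off diagnostic that is fine, but it should not remain in the deployed index.php. The check itself looks correct: the token is looked up in `$_SESSION['tokens']` and consumed on first use, so the only way a freshly issued token can be reported wrong on the very next POST is that `$_SESSION` is empty by then, i.e. the session is not persisting between the GET and the POST; the same loss would also explain being bounced back to the login page afterwards. Worth verifying that `session_start()` succeeds and that the session save path is writable by the Apache user before touching this function.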

But then login doesn't seem to work. (I just get returned to the login page with no error or warning message.)

@tontof
Owner

tontof commented Oct 14, 2016

It seems that your problem is linked to the PHP session.
You can try var_dump($_SESSION) in the isToken function to see if there are some values.
Do you have a similar problem with some other PHP code on your Raspberry?
Maybe a solution:
http://stackoverflow.com/questions/13078965/session-variables-not-working

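The suggestion above is to inspect $_SESSION from inside the token check. The script below is an added example, not KrISS feed's own code, that does that check in one place: it reports whether the session actually started, where PHP is trying to save it and whether that path is writable, and then exercises a single-use token stored under $_SESSION['tokens'] in the same shape as the isToken() function in the diff. The function names (tokenDiagnostics, newToken, checkToken) and the assumption of PHP 7 or later (random_bytes, the bool return of session_start) are mine.

```php
<?php
// Added diagnostic, not part of KrISS feed. Mirrors the one-time-token pattern
// of isToken() from the issue and prints the facts that decide whether a token
// written during the GET can still be found during the following POST.
// Assumes PHP >= 7.0. Function names are chosen for this example only.

declare(strict_types=1);

/** Start the session and collect the settings that govern its persistence. */
function tokenDiagnostics(): array
{
    $started = session_status() === PHP_SESSION_ACTIVE || session_start();
    // An empty save_path means PHP falls back to the system temp directory.
    $path = session_save_path() !== '' ? session_save_path() : sys_get_temp_dir();
    return [
        'session_started'    => $started,
        'session_id'         => session_id(),
        'save_path'          => $path,
        'save_path_writable' => is_writable($path),
        'cookie_params'      => session_get_cookie_params(),
        'tokens_in_session'  => isset($_SESSION['tokens']) ? count($_SESSION['tokens']) : 0,
    ];
}

/** Issue a fresh single-use token and record it in the session. */
function newToken(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['tokens'][$token] = time();
    return $token;
}

/** Verify and consume a token: false for unknown, already used, or non-string input. */
function checkToken($token): bool
{
    if (!is_string($token) || !isset($_SESSION['tokens'][$token])) {
        return false;                      // wrong token, or already used
    }
    unset($_SESSION['tokens'][$token]);    // token is used: destroy it
    return true;
}

// --- Report --------------------------------------------------------------
$diag = tokenDiagnostics();
foreach ($diag as $key => $value) {
    echo str_pad($key, 20), ': ',
         is_scalar($value) ? var_export($value, true) : json_encode($value), PHP_EOL;
}
if (!$diag['session_started'] || !$diag['save_path_writable']) {
    echo 'Session cannot be persisted here; every token will be reported as wrong.', PHP_EOL;
}

// --- Token round trip within this request --------------------------------
$t = newToken();
var_dump(checkToken($t));      // first use of a token that is in the session
var_dump(checkToken($t));      // replay of the same token after it was consumed
var_dump(checkToken('bogus')); // token that was never issued
```

Place the file in the same DocumentRoot and request it through the same VirtualHost on port 9165, rather than running it from the shell: the CLI uses a different php.ini, a different user, and a different save path than Apache's PHP, so only a request through Apache reproduces the conditions KrISS feed sees. Reload the page once; if `tokens_in_session` stays at 0 on the second request while the first one issued a token, the session is not being written or read back, which is the failure the diff papered over.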