search

tontof / kriss_feed

A simple and smart (or stupid) feed reader
281 stars 53 forks source link

Wrong Token #377

Open GrooveStomp opened 7 years ago

GrooveStomp commented 7 years ago

I've installed KrISS feed on my raspberry pi on Debian 8 Jessie with Apache2. KrISS web directory:

/var/www/kriss/public_html# tree
.
├── data
└── index.php

1 directory, 1 file

Apache config:

/# cat /etc/apache2/sites-enabled/kriss.conf
Listen 9165
<VirtualHost *:9165>
  ServerAdmin <...>
  DocumentRoot /var/www/kriss/public_html
  ErrorLog ${APACHE_LOG_DIR}/error-kriss.log
  CustomLog ${APACHE_LOG_DIR}/access-kriss.log combined
</VirtualHost>

I can hit the page fine in my browser at http://<raspberry-pi-local-ip>:9165 and see: Login, Password, Install KrISS feed. When I fill in a Login and Password and hit the install button, I get: "Wrong Token" with a button to try again.

Logs:

/# cat /var/log/apache2/error-kriss.log
/#

/# cat /var/log/apache2/access-kriss.log
192.168.1.112 - - [13/Oct/2016:20:04:59 +0000] "GET / HTTP/1.1" 200 1404 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.112 - - [13/Oct/2016:20:05:00 +0000] "GET /?file=favicon.ico HTTP/1.1" 304 325 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.112 - - [13/Oct/2016:20:05:04 +0000] "POST / HTTP/1.1" 200 1178 "http://192.168.1.3:9165/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.112 - - [13/Oct/2016:20:05:04 +0000] "GET /?file=style.css&version=8.5 HTTP/1.1" 304 325 "http://192.168.1.3:9165/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.112 - - [13/Oct/2016:20:05:04 +0000] "GET /?file=favicon.ico HTTP/1.1" 304 325 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"

If I just disable the XSS check, then I can get through this single page.

/var/www/kriss/public_html# diff index.php.orig index.php -C 8
*** index.php.orig      2016-10-13 20:44:51.250231187 +0000
--- index.php   2016-10-13 20:45:12.859668885 +0000
***************
*** 5034,5049 ****
--- 5034,5050 ----
      public static function isToken($token)
      {
          if (isset($_SESSION['tokens'][$token])) {
              unset($_SESSION['tokens'][$token]); // Token is used: destroy it.

              return true; // Token is ok.
          }

+         return true;
          return false; // Wrong token, or already used.
      }

But then login doesn't seem to work. (I just get returned to the login page with no error or warning message.)

tontof commented 7 years ago

It seems that your problem is linked with php session. You can try var_dump($_SESSION) in isToken function to see if there are some values. Do you have similar problem with some other code with php on your raspberry ? A solution maybe: http://stackoverflow.com/questions/13078965/session-variables-not-working