WebsiteBaker Community Forum, board: WebsiteBaker 2.x discussion (English)
Topic: Security offense!! Access denied! (Read 7434 times)
Argos (Moderator)
Posted on: January 26, 2011, 04:14:31 AM
It seems no longer possible to open and edit multiple pages by right-clicking and opening each of them in a separate browser tab. When saving you get the error "Security offense!! Access denied!"
This is very annoying, as I often edit many pages at once, especially in the creative stage. Now I have to do them one at a time, which is very time-consuming.
Why was this safety measure added (I use RC5 in this case)? What is the purpose of it? And can it be disabled?
Jurgen Nijhuis
Argos Media
Heiloo, The Netherlands
WB Showcase:
http://www.mywebsitebaker.com/pages/showcase.php?v&category_id=1242&count=30
----------------------------------------------------------------
Please don't request personal support, use the forums!
maverik
Reply #1 on: January 26, 2011, 05:01:53 AM
Same problem here.
I have already spoken to Dietmar, and he is looking for a solution, as he said.
Stefek (WebsiteBaker Org e.V.)
Reply #2 on: January 26, 2011, 05:43:16 AM
Quote from Argos (January 26, 2011, 04:14:31 AM): "And can it be disabled?"
I hope it can, because I am using different windows at once as well.
Regards,
Stefek
"In a time of universal deceit, telling the truth becomes a revolutionary act."
- George Orwell, Nineteen eighty-four (1984)
testör (Guest)
Reply #3 on: January 26, 2011, 07:36:11 AM
No, it cannot be disabled in 2.8.2 or 2.9.dev. Just look at all the revisions of the last weeks and you'll see that the SecureForm / FTAN is a new security measure in 2.8.2 and 2.9, linked very deep into the core classes.
Btw: most software has these CSRF-avoiding TANs.
If this could be disabled, it would be complete nonsense to include these security measures. Disabling safety would be no safety at all. You'll learn to handle this (I have to accept it too, and at first it's a bit uncomfortable), I am sure.
Luisehahne (Board Member, Development Team)
Reply #4 on: January 26, 2011, 07:37:59 AM
I talked with DarkViper. The only option is to work with different browsers. The secure token is set only once. If you open a second tab in the same window, a new token is created and saving in the first window fails.
So the security fix works correctly and fine.
Safety first!
Dietmar
P.S. I hope I could explain it understandably.
We are human beings - and nobody is perfect at all.
testör (Guest)
Reply #5 on: January 26, 2011, 07:41:33 AM
Quote from Luisehahne (January 26, 2011, 07:37:59 AM): "I talked with DarkViper. The only option is to work with different browsers."
Well, but who works with different browsers? Nearly nobody; most people won't (and shouldn't, by the way). You can edit only one window in the WB backend; that's a security feature and shouldn't be removed. Please don't make a good, and of course "hard", security very weak just because at first it seems different from before.
BlackBird (AddOn Development)
Reply #6 on: January 26, 2011, 11:14:33 AM
Tried this with sseq-lib (with a module of mine that uses the SEQ_FTOKEN() method provided there). Seems to work. As far as I know, sseq-lib checks only the browser signature (which can also be disabled) along with other data, so you can work with tabs without any problems. Maybe the lib you're using can be configured to be a bit less strict.
"Nach fest kommt ab!" (roughly: "after tight comes off")
All great changes begin small.
Argos (Moderator)
Reply #7 on: January 26, 2011, 12:18:37 PM
It's not clear to me why this measure improves "security" and "safety". Can anyone explain what is not safe about working in multiple tabs?
And I also would like to know how I "will learn to handle this"?
This "improvement" alone would be reason enough for me not to upgrade to WB 2.8.2 and 2.9.
BlackBird (AddOn Development)
Reply #8 on: January 26, 2011, 12:31:50 PM
I think it is part of the CSRF protection, but, as I said above: "Nach fest kommt ab" (roughly: "after tight comes off"). In this case it means: there can be too much protection. It simply makes WB more complicated to use, maybe even unusable. (There are some other threads going in the same direction, concerning other inventions.)
Ruud (WebsiteBaker Org e.V.)
Reply #9 on: January 26, 2011, 01:13:13 PM
Ok, let me try to explain a bit.
With the right techniques, if you are logged in (or have been logged in before in the same browser session) as admin of your website and you visit another website (or open an email message) with a specially crafted image/script, they could create a new admin user on the fly. Just by visiting a website or reading a mail.
To prevent this, any form (i.e. user creation/modification, or just page editing) should test whether the request to modify the page/user came from the authenticated user.
So now any request to open a form adds a random code (token) that is only valid until the form is saved or the next code is generated.
So by opening a second form in a new tab, the first token is no longer valid.
More importantly, if a third party creates the form data to post, there will be no valid token in the data, and the data is rejected.
This site has a good explanation.
Professional WebsiteBaker Solutions
maverik
Reply #10 on: January 26, 2011, 02:10:22 PM
Please give a German explanation of why it is necessary in the backend and what can happen to my site without this protection. My English is not good enough to understand the English explanation.
The only thing I know is that it is very irritating and uncomfortable to work with WB at the moment.
Argos (Moderator)
Reply #11 on: January 26, 2011, 02:30:06 PM
Thanks for the explanation, Ruud, I understand the need for such a protection now. However, I cannot believe that protection needs such a rude method. Isn't there a more elegant solution to prevent such attacks and still be able to open and use multiple instances of the admin to work in? Is it, for example, not possible to create multiple tokens that all refer to the rightful admin? Or use the same token for multiple browser windows?
I admit that I would prefer a slicker method to edit multiple pages at once, but for the moment opening multiple browser tabs/windows is the only way to do so. It is already a workaround for a shortcoming of WB, but now the workaround is gone. That's too sad.
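Editor's added example, not WebsiteBaker's code: Ruud's post above describes the cross-site request forgery the FTAN is meant to stop and the one-token-per-session rule that makes a second tab invalidate the first, and Argos asks whether several tokens could all refer to the same admin. The Python below models both designs. The classes (SingleTokenSession, MultiTokenSession), the scenario functions and the scenarios themselves are hypothetical and constructed for illustration; how FTAN itself is implemented is not shown on this page.

```python
"""CSRF form-token schemes, illustrating the behaviour debated in this thread.

Hypothetical classes written for this example (not WebsiteBaker's FTAN code):
  SingleTokenSession  - one valid token per session; issuing a new one
                        invalidates the previous one, so opening a second
                        tab breaks saving in the first (the reported failure).
  MultiTokenSession   - a bounded set of outstanding tokens, one per open
                        form, so several tabs can each save once while a
                        forged cross-site POST is still rejected.
"""
import hmac
import secrets

TOKEN_BYTES = 16  # 128 bits of randomness per token


class SingleTokenSession:
    """Server-side session state holding at most one valid form token."""

    def __init__(self):
        self.token = None

    def issue_form_token(self):
        """Called when a form is rendered; the token goes into a hidden field."""
        self.token = secrets.token_hex(TOKEN_BYTES)
        return self.token

    def check_and_consume(self, submitted):
        """Called on POST. Valid only if it matches the single outstanding token.
        A mismatch does not clear the token, so a forged request cannot be used
        to sabotage the legitimate form the admin still has open."""
        if self.token is None or submitted is None:
            return False
        if not hmac.compare_digest(self.token, submitted):
            return False
        self.token = None  # single use: a replay of the same token fails
        return True


class MultiTokenSession:
    """Session state holding up to max_open outstanding tokens (one per open form)."""

    def __init__(self, max_open=10):
        self.tokens = []  # oldest first
        self.max_open = max_open

    def issue_form_token(self):
        token = secrets.token_hex(TOKEN_BYTES)
        self.tokens.append(token)
        if len(self.tokens) > self.max_open:
            self.tokens.pop(0)  # bound memory: the oldest open form expires
        return token

    def check_and_consume(self, submitted):
        if submitted is None:
            return False
        for token in self.tokens:
            if hmac.compare_digest(token, submitted):
                self.tokens.remove(token)  # each token is accepted once
                return True
        return False


def two_tabs(session_cls):
    """Admin opens form A, then form B in a second tab, saves A, then saves B.
    Returns (save_a_ok, save_b_ok)."""
    session = session_cls()
    token_a = session.issue_form_token()
    token_b = session.issue_form_token()
    return (session.check_and_consume(token_a), session.check_and_consume(token_b))


def forged_post(session_cls):
    """An attacker's page makes the victim's browser POST with the session cookie
    but without knowing the token: once with no token field, once with a guess.
    Returns (no_token_ok, guessed_token_ok)."""
    session = session_cls()
    session.issue_form_token()  # the admin has a legitimate form open
    return (
        session.check_and_consume(None),
        session.check_and_consume(secrets.token_hex(TOKEN_BYTES)),
    )


def replay(session_cls):
    """The same token submitted twice. Returns (first_ok, second_ok)."""
    session = session_cls()
    token = session.issue_form_token()
    return (session.check_and_consume(token), session.check_and_consume(token))


def tab_limit():
    """Three forms opened with max_open=2: the oldest token has been dropped."""
    session = MultiTokenSession(max_open=2)
    a, b, c = (session.issue_form_token() for _ in range(3))
    return tuple(session.check_and_consume(t) for t in (a, b, c))


if __name__ == "__main__":
    for cls in (SingleTokenSession, MultiTokenSession):
        print(cls.__name__, "two tabs:", two_tabs(cls), "forged:", forged_post(cls))
```

In the single-token model the first tab's save fails exactly as reported in this thread, while in the multi-token model both saves succeed. Both models reject the forged POST, because the attacker's page cannot read the token out of the admin's form (the browser's same-origin policy keeps it from the other site), and both reject a replayed token. The bounded list is one answer to Argos's question: several tokens, all tied to the same authenticated session, each usable once.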
Ruud (WebsiteBaker Org e.V.)
Reply #12 on: January 26, 2011, 03:26:39 PM
This was mainly about explaining the problem, not discussing the solution.
The immediate solution for "old" websites (not just WB, but any site you can log in to) is to log out before doing other stuff. If there is no "trusted" connection with your website, there is no problem.
I have even seen recommendations in other CMS forums to use a separate browser for web development,
i.e. use IE to browse the web and FF for development and management.
I cannot promise any changes in how it is handled at this time; however, I can imagine this feature will evolve and become more transparent in the future.
NorHei (Forum administrator)
Reply #13 on: January 26, 2011, 03:46:05 PM
@maverik
To keep it short: if you are, or have been, logged in to WB and then go to another site that contains certain malicious code (just visiting it, doing nothing), that site's malicious code can take over your admin account (new password) or simply create a new one. After that the attacker can use your entire WB for his own purposes, or even install his own scripts via the file manager.
The whole thing also works with mails that carry the corresponding malicious code.
Countermeasures: ALWAYS log out before opening a mail or opening another tab with another site, or FTAN.
A possible workaround would be multiple browsers.
Last Edit: January 26, 2011, 03:56:23 PM by NorHei
It is easier to change the specification to fit the program than vice versa.
Argos (Moderator)
Reply #14 on: January 26, 2011, 03:53:19 PM
Logging out before visiting another site is an attack prevention for OLD versions, not for NEW versions. It of course does not allow you to edit multiple pages. There is nothing to edit anymore if you're logged out...
NorHei (Forum administrator)
Reply #15 on: January 26, 2011, 04:10:35 PM
Has someone tested whether it's possible to use Firefox and Firefox Portable at the same time?
Argos (Moderator)
Reply #16 on: January 26, 2011, 04:13:33 PM
Quote from NorHei (January 26, 2011, 04:10:35 PM): "Has someone tested whether it's possible to use Firefox and Firefox Portable at the same time?"
That's irrelevant. You can still only edit 1 page per browser...
Luisehahne (Board Member, Development Team)
Reply #17 on: January 26, 2011, 04:28:04 PM
If I want to copy/paste sections from one page into another, I first open the sections I want to copy from, because I don't need to save anything there. Then I open the sections I want to paste into and modify. This page gets the current token and I can save.
If I want to save something in the sections I copied from, I first refresh that page, make my changes and save.
Maybe that's the solution we are searching for.
First refresh the page you want to save, then modify and save. It's one click more, but for security I can accept it.
Dietmar
Last Edit: January 26, 2011, 05:06:17 PM by Argos
Argos (Moderator)
Reply #18 on: January 26, 2011, 05:10:24 PM
Copy/paste doesn't seem to be a big problem to me. What is more problematic is doing bulk editing to a large number of pages, for example modifying settings or user rights.
BlackBird (AddOn Development)
Reply #19 on: January 26, 2011, 05:52:36 PM
It seems that the lib you are using can't handle more than one valid session. (Where "session" means an open tab in this case.)
Stefek (WebsiteBaker Org e.V.)
Reply #20 on: January 26, 2011, 06:05:32 PM
I must say that I don't like the new "feature" if it changes the way of working with the CMS.
These are long-term habits.
Quote from Argos (January 26, 2011, 05:10:24 PM): "Copy/paste doesn't seem to be a big problem to me. What is more problematic is doing bulk editing to a large number of pages, for example modifying settings or user rights."
Exactly.
Another situation, for example:
You are working on a page but you want to quickly change something in settings/user access or somewhere else.
You open a new window with the "open link in new window" command (mouse, context menu etc.)
But you can't change anything... you have no access.
I hope there is another way to provide security.
Even though security comes first, don't forget about the usability thing.
Regards,
Stefek
Argos (Moderator)
Reply #21 on: January 26, 2011, 06:09:24 PM
Indeed, Stefek.
maverik
Reply #22 on: January 26, 2011, 06:48:41 PM
I am a hunter and gatherer, so there are not many CMSs, counters or groupware packages that I have not yet installed and tested.
But behaviour like WB now shows is something I have never encountered. And I work with the other systems in the same way.
Are all these systems insecure?
So for the last 5 years I had an "open house" with WB and nothing happened. Now I have so many doors and locks that I myself can no longer get from the east wing into the wine cellar and then into the fireplace room.
BlackBird (AddOn Development)
Reply #23 on: January 26, 2011, 07:00:08 PM
The most secure computer in the world is locked inside a safe, powered off. The only problem is that you can't use it for anything.
NorHei (Forum administrator)
Reply #24 on: January 26, 2011, 07:46:07 PM
Many are still insecure...
And many have a similar problem to WB.
How about some of us go and check how it's done in other CMSs? I am sure the devs would be happy to implement a better solution.