Перейти к содержанию

Access Denied Error: Possible CSRF Attack

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Access website email

Impact

In the CS-Cart im nost cases the issue with CSRF-attack appears because of the value max_input_vars PHP directive on your server are. In this case server truncates the request and if the security_hash parameter gets truncated, the error message appears.

Solution

This is very bad way, but you can disable tweak anti_csrf at the config.local.php file. It will look like on this screenshot

Accident risk

max_input_vars directive help to web application truncate the request. If the attacker, for example, will try to send significant requests to your web-application (CS-Cart) it can crash/error or take down your webserver (DoS attack).

By default, this directive is set to 10000 in PHP, which means that you cannot send more than ten thousand form fields in one request.

By design, a lot of CMS trim big queries to the smaller ones and make several synchronous requests for transferring the data. CS-Cart instead of this trying to make one big request. And this is the root cause of this error message.

Conclusion

As a conclusion, I want to say that increasing the max_input_vars directive is a dangerous modification. And if you do changes for this directive to 20000 or more, we recommend roll back them in the future.

Hint

If you have a problem, need assistance with tweaks or a free consultation, if you just want to discuss your project with experts and estimate the outcome, if you're looking for a solution that reinforces your online business, we will help. Let us know through MyCloud or email.