Upgrading from 3054p6 to p8

Discussion in 'ISPConfig 3 Priority Support' started by ledoktre, Jun 10, 2015.

  1. ledoktre

    ledoktre Member

    I started with the control panel server. Seemed to work fine. I did my first web server, then my dns server. When it did the DNS, now when I try to edit a dns zone, it reports "CSRF attempt blocked.". I have not pursued any further now, and am wondering how to get dns working again.

    Also, a general question in regards to upgrades - are there any articles on preserving customizations? For example, I like to keep my default TTL for dns records at 1800. Whenever I do an upgrade it changes to 86400 I believe. How many areas can we employ the "custom" file technique?

    Thanks,
     
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Hi,
    could you compare if all files were updated correctly? If not then it might be that something is missing from the latest update and causing this issue.

    Regarding customization, to explain it in short:
    1.) All files from /usr/local/ispconfig/server/conf and its subdirectories can be copied to the corresponding conf-custom location and altered there. If they exist, those files are used instead of those in conf.
    2.) All files from install/tpl in the install package of ISPConfig can be copied to /usr/local/ispconfig/server/conf-custom/install/ and altered there. Those files are taken instead of the install templates on upgrades.
     
  3. ledoktre

    ledoktre Member

    1. On the customization, great. Thanks. I'll check it out. :)
    2. About comparing the files, could you elaborate? I did a backup, so I could compare to that. Do you mean that or do you mean to the folder in /tmp that was extracted for install?
     
  4. ledoktre

    ledoktre Member

    Just used the diff command on the server and interface folder found within the tar.gz folder. Nothing reported as different or existing only in /tmp. ?
     
  5. ledoktre

    ledoktre Member

    To shed some light onto what Im finding (and calling it a night). I am using Nginx and PHP-FPM for my control panel. I may be incorrect but I suspect that $_POST is not getting set, and there for its not setting the csrf variables appropriately. I put an echo line within the function csrf_token_check() to try and output something. Its appearing like if(isset($_POST) && is_array($_POST)) {} is not even executing. I am confusing myself though too because on any other page where it has a form, it is posting just fine with present configuration.

    ??
     
  6. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Thank you for your checks. Thats quite odd. We will dig into that.
     
  7. ledoktre

    ledoktre Member

    Greets. Thanks for looking into that. I did also just figure out that its not just DNS - it is actually more things on the site. For example just tried to add a new client - blocked.
     
  8. ledoktre

    ledoktre Member

    This is interesting : http://php.net/manual/en/reserved.variables.post.php
    • Note that $_POST is NOT set for all HTTP POST operations, but only for specific types of POST operations. I have not been able to find documentation, but here's what I've found so far.
    • $_POST _is_ set for:
    • Content-Type: application/x-www-form-urlencoded
    • In other words, for standard web forms.
    • $_POST is NOT set for:
    • Content-Type:text/xml
    • A type used for a generic HTTP POST operation.
     
  9. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    That's quite strange. ISPConfig uses Ajax requests that surely set _POST because _POST is used to get the form data.
     
  10. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Are you using a custom theme? Maybe that one has not been adapted to the latest security changes in ISPConfig. Please try the default theme and check if the errors are gone.
     
    ledoktre likes this.
  11. ledoktre

    ledoktre Member

    I am using a custom theme yes. I will try that. If that is the case, what changed? I'll need to modify my theme to suit.
     
  12. ledoktre

    ledoktre Member

    I just visited the website for the theme (github) and there was a recent update to the theme for csrf specifically. Turns out there was two files that had a couple lines that needed to be added. Thanks for getting me going in the right direction!!!!!!!!

    :-D
     

Share This Page