khawk said:

bzt said:
If it's not possible to revert to the old platform, could you just please fix that supposed-to-be CSRF protection thing? It literally worth nothing, and it is very annoying that I have to hack http referer lines into the requests every time I log in. Thanks.

I'm not clear what you're asking. Are you wanting to bypass CSRF protection?

bzt said:
Also I got many times 502 Internal server error and/or Bad gateway since you switched to this platform. Could you check on these? Today (in the last hour) I had at least 5 times this issue, you can match the time with the logs.

These are being worked on. Apologies for the inconvenience everyone has had with 502s today.

Hi,

I'm trying to tell you, that the so called "CSRF protection" of this forum engine is NOT working at all. I don't want to, but I must bypass it every time I want to log in. I have a secure environment, which does not allow referer to be sent along with the http requests, as that would allow hidden tracking. Javascript is also disabled by default in my browser, and this engine can't even load the CSS without JS (seriously, why?).

For a proper CSRF protection, you should generate a token on the server side (let's say an sha512 hash of a random number), save it in the session and also put it in a hidden field on the form, then check it with the POST request. Regenerate the token for every page generation. That's the proper way, not foolishly checking the HTTP referer header which can be manipulated extremely easily.

Without JS, you won't get CSS either on this forum, which is just terrible and unreasonable. But not only that, it also reveals that the design of this site is not optimized at all, for example the default user icon (generic-user.png) is so F*NG HUGE that you simply can't read the site, because covers out half of the screen. Also, storing and sending a 560 x560 pixels picture to every single client when it's resized to 44 x 44 anyway is, well, how to put it politely, not entirely sane. It takes lots of unnecessary bandwidth, which may cause some of your server issues as well.

Please don't feel offended, I'm telling this to help you make this site better. It is often difficult to point out security issues in my experience, because admins don't like to admit if their site is vulnerable. I can definitely help you if you want my help.

Cheers,
bzt

(Just to be clear, it's not the generic-user.png alone that might cause your troubles, but the unoptimized design in general with lots of little things that adds up.)

This is how the new design looks like on my browser. Just for the records, it's not the generic-user icon that might cause your troubles, but the unoptimized design in general.

image

Is the 'image' part of the demonstration (i see no link, just the plain text "image") or is something wrong on my side with the display of images ?

I still can't edit. I pasted in an image in my previous post via the clipboard, it is not shown (yet ?) ...

Have a cookie :-)