Problem with Elxis on my shared hosting account

[ragbash]

Elxis version: 2009.02

Site URL: amicidivanadiel[dot]mud-hosting[dot]com

Extensions: Shoutbox
I installed Elxis on a friend's godaddy shared hosting account and have been working on configuration for a friend's gaming (FFXI) community site. Everything has been working just fine, until I tested the "Add Content" form from the front page. Whenever I attempt to save submitted content, I get the "Detected CSRF attack! Someone is forging your requests." message. I am guessing that this is due to the godaddy shared hosting domain setup. I'll elaborate:

With godaddy shared hosting, you point a domain/subdomain to a html document root folder of your choice, pointing the specified subdomain to the selected directory on the server.
Example:
Domain Name:                                     Folder:               
primary-domain[dot]com                       /html/
example-domain[dot]com                      /html/example-domain/
mud-portal[dot]com                              /html/eru/
amicidivanadiel[dot]mud-portal[dot]com /html/eru/amicidivanadiel/

I own the mud-portal domain thru enom. My friend's web hosting & design company owns the godaddy shared server. I set up DNS A records for mud-portal[dot]com and the amicidivanadiel subdomain that point to the IP of the shared server. I then added records in the Domains Manager on the shared server for the mud-portal domain and the amicidivanadiel subdomain that point to the /html/amicidivanadiel directory. This is the only way I've found to have the URL amicidivanadiel[dot]mud-portal[dot]com point to the /html/amicidivanadiel directory on the shared server. I assume godaddy uses the Domains Manager to add apache redirects to the appropriate directory, and that this is causing the CSRF errors.
So I'm thinking the URL resolution goes something like this:
Web Browser URL: amicidivanadiel[dot]mud-portal[dot]com ->
DNS Query: amicidivanadiel[dot]mud-portal[dot]com ->
Enom DNS returns: 72.167.232.231 (godaddy shared server) ->
Godaddy Domain Manager - Domain Lookup: mud-portal[dot]com -> /html/eru/ ->
Godaddy Domain Manager - Subdomain Lookup: amicidivanadiel -> ../amicidivanadiel/

Pointing the web browser to 72.167.232.231 which fetches the index document located in /html/eru/amicidivanadiel/ (Elxis CMS)

My question is: Is there a way to disable the CSRF attack check or a better way to configure my DNS records to avoid this problem? If I forgo the godaddy domain manager, it should prevent the CSRF attack message but then how would the godaddy server know what directory to fetch documents from or even which godaddy user account home directory it should be looking in? I'm not all that great with these shared hosting providers, as I can't look at their configuration files. I know how I would do this on my own server setup, but these providers boggle my mind =)

As for the security issues arising from disabling this protection, we aren't really worried about somebody trying to use CSRF attacks to trick the few people with Author+ privs into submitting their own content =) I'm looking for a quick workaround because I already put in more time setting up this site than I would have liked and I don't really want to buy a hosting account somewhere else for a pro bono job I'm doing for a friend's gaming group.

And before anybody asks why my friends are using a shared hosting site for their web hosting&design company, I should also mention that they do have a dedicated Red Hat Enterprise server they use for hosting their premium clients' sites and that this shared account is only used to offer a cheaper hosting solution for their non-profit clients without bogging down their dedicated server, etc.


Thanks a ton in advance!
-Ragbash

[speck]

about CSRF attack! read here
https://forum.elxis.org/index.php?topic=4023.0

[ragbash]

Sorry for the lengthy topic.. I found a workaround for my problem by grepping around the components directory. If anyone is interested in the **UNSECURE** workaround, here's what I did:

Locate the file ELXIS_INSTALL/components/com_content/content.php
Search the file for CSRF
Comment out the below block ("//" is line comment in PHP)

There are a few other files with the same CSRF protection, if they give you trouble you can use the above steps on the following files:

ELXIS_INSTALL/administrator/components/com_content/admin.content.php
ELXIS_INSTALL/administrator/components/com_config/admin.config.php
ELXIS_INSTALL/administrator/components/com_users/admin.users.php

Once again, this is NOT SECURE as it will open your site to CSRF attacks. The various modules obviously open up security holes related to the file names (disabling CSRF protection in content.php will allow attackers to add/edit content, disabling protection for admin.users.php will allow attackers to add/edit users)

I'm not sure if there is any rule against posting workarounds like this. If so, I apologize in advance but I wanted to share my efforts with any users having similar trouble that do not mind the potential security risk.

Thanks again,
-Ragbash

[datahell]

It's OK. Comment these lines and you are done. Just be cautious when you work in administration area.