Security offense!! Access denied! (cant create pages)[solved]

[mjefferson96]

I have done many WB installs and have never gotten this message before when trying to create a page "Security offense!! Access denied!"  
I have checked all my DB information and its correct. The only thing that I can imagine the problem is that the page is not yet public so I need to access it through the IP/~username  like that instead. Could that be causing the issue?

[kweitzel]

Hi, no that is not the issue. The issue lies within the secure forms. Normally it just disappears after 24h or you could try to change browser and switch the option for the secure form to "multitab"

cheers

Klaus

[mjefferson96]

Well as it turns out I can not change anything in the admin area, even trying to change something as simple as the time zone or secure forms to multi tab gives the same Security Offense! error.
Anyone have any other ideas what it could be if its not the path?

[mjefferson96]

I uninstalled the newest version of WB and installed the older version and now everything works fine. You guys need to look in to this problem with the new release.

[ruebenwurzel]

Hello,

this is discussed a lot of times here in the forum, and if you would have used the search you will have found all solutions you need.

As you didn't offer only a few informations i think you only tried to change the settings with FF. Using IE, Chrome, Safari you are able to change the settings to multitab and all works fine. There is no need to use the old version.

Matthias

[mjefferson96]

I DID use the search here and when through hours of the given "solutions" that did NOT work. But thank you for just assuming that I am too stupid to try that first. Very nice.

[kweitzel]

Please, let's try to be reasonable here guys ... could you please tell us what you tried? It might also help us if you tell us some details about the hosting environment you are using for this site.

cheers

Klaus

[avatar8]

I been having problems with getting the Security Offense message for months now, and none of the solutions on these forums are of any help.

Actually, it seems the problem only happens on the Website Baker installation I have on a Network Solutions server. But when I compare install files between this server and on one where it works, I see no red warnings and the phpinfo files seem almost identical.

I let one of the admins here have backend access to the troubled Baker installion, but never heard back from him.

Strangely, after following the instructions for disabling that error message by altering the SecureForm.php files, I am able to save pages and settings, but I still get the error when I try to delete a page and when I try to rename a file in the media folder.

[kweitzel]

We have released ServicePack 2 for Wb 2.8.2 in the meantime. Would you be willing to try it and report back? One issue found was a fault in the algorithms calculating the transaction numbers and that has been fixed.

cheers

Klaus

[avatar8]

Okay, I didn't know about the service pack, so I tried applying it to my WB installation.

The result: Saving settings and pages now seems to work, but deleting pages and renaming files in the media folder still gives me the Security Offense error 

The only way I can rename a file or delete a page is by trying and failing once, and then trying to do it again immediately. Waiting just 10 seconds will always bring back the Security Offense error when deleting pages and renaming media files.

[avatar8]

Sorry, I made a mistake in my earlier test and hadn't overwritten the older SecureForm Switcher code. I'm actually still getting the exact same errors as before.

To be sure, I just tried installing a brand new version of WebsiteBaker 2.8.2 [R1528] including ServicePack 2. Right away, I noticed the Security Offense error when I tried saving the Settings for the first time. All the same problems are there as before.

Conclusion: the new version of Website Baker (WebsiteBaker 2.8.2 [R1528] including ServicePack 2) is just as troublesome as the others since the SecureForm Switcher was added in.

If any of the developers here would like to log in to my new install and see the problems for yourself, let me know and I'll send you the login info.

As it is now, Website Baker is unusable with the SecureForm Switcher as part of the core. The company I set this up for won't bother trying to do updates anymore and have asked me to look into an alternative CMS such as Drupal.

[ruebenwurzel]

@avatar

Did you switch in the Admin-Tools the Secure-Form Switcher from "single-tab" to "multi-Tab"?
Are the permission of your pages-folder and media-folder in that way, that scripts can write there?
Are you shure that on your server there are only the files from WB 2.8.2 SP2 (no other and no older)?
Did you try to use WB (including the install procedure) with a cleaned browser cache and only one open Browser window?

Conclusion: the new version of Website Baker (WebsiteBaker 2.8.2 [R1528] including ServicePack 2) is just as troublesome as the others since the SecureForm Switcher was added in.

You are at the moment the only one who had this issues. WB 2.8.2 SP2 R1528 works on thousands of installs without problems very stable and secure. So it would be nice to have more informations about your server configuration.

Matthias

[Luisehahne]

Hi,

we want to inform the community, that we already have contact with him per PM. Maybe somebody has an idea with this message.

SessionStore: RangeError: arguments array passed to Function.prototype. apply is too large

Dietmar

[Ruud]

SessionStore: RangeError: arguments array passed to Function.prototype. apply is too large

Looks to me this is a javascript error.
https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/RangeError#Properties

[einteik]

Function.prototype is helping you to create a custom property to an object that is reflected on all instances of it. The JavaScript class has to be instanciated with "new" before.
That's just a small technical background. I think the array the apply method is recieving is corrupt. It would help to post here the related JavaScript methods.

[DarkViper]

ok, Problem solved.
It seems the hoster has inserted a kind of load-balancing, so that after some seconds without access the assigned IP address goes released. The next connection is opened with another IP then. (like the dynamic IP's on DSL connections)

Our class SecureForm (and Secureform for multitabs too) uses the servers IP to calculate a fingerprint. Now in this special case we run in trouble about changing IPs.
The first, manual hotfix for this is to comment out the line which includes $_SERVER['SERVER_ADDR'] in the function _generate_fingerpri nt() in file SecureForm.phpb (Line 90) and function _generate_serverdat a() in SecureForm.mtab.php (Line 179).
Attention: This is needed only for hostings with this special configuration!

A permanent fix will be available soon. We're working on a solution to calculate secure  Fingerprints also for special server configurations.