Remote Config Backup and CSRF
built on Fri Nov 12 18:33:07 UTC 2010
It appears that in recent snapshots, the instructions to remotely back up the config.xml outlined here:
no longer work. I suspect this is because of the newly added CSRF, but have not confirmed this.
wget does indeed store cookies during the login session as indicated by Jim here:
but does not appear to store the CSRF info. Here is the cookie file generated by wget:
    # HTTP cookie file.
    # Generated by Wget on 2010-11-15 06:21:10.
    # Edit at your own risk.

    192.168.168.112	FALSE	/	FALSE	0	PHPSESSID	c7c220f4a2e01e4fd36eb850c6f7e810
Moreover, the second wget command (to actually download the config.xml file) yields a 403:
    --2010-11-15 06:32:29--  http://192.168.168.112/diag_backup.php
    Connecting to 192.168.168.112:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    2010-11-15 06:32:29 ERROR 403: Forbidden.
sullrich last edited by
Fixed. Please try the next snapshot.
built on Wed Nov 17 00:46:28 UTC 2010
This still doesn't work for me. With the above snapshot, I no longer get a 403, but the resulting file that's downloaded is the /index.php file and not the actual config.xml file.
built on Sun Nov 21 18:22:57 UTC 2010
Just in case anyone is having this issue, it appears to now work with a minor modification to the original instructions.
In the first wget command, replace
and it should start working correctly.
I updated the instructions on the wiki with that change.