Register Members List Search Today's Posts Mark Forums Read

Reply
 
Article Options
Implementing CSRF Protection in modifications
Marco van Herwaarden
Join Date: Jul 2004
Posts: 26,122

by Marco van Herwaarden Marco van Herwaarden is offline 24 Apr 2008
Rating: (2 votes - 4.50 average)

With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP, there are no ways to ensure the exact origin of a request, its also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products, with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user, if its wrong an error message will be shown and execution with halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection, if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime is it available within the registry object, using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Views: 90108
Reply With Quote
Comments
  #2  
Old 24 Apr 2008, 09:20
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Real name: Hanson
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

__________________
View My Modifications
29 Releases and Counting... Latest Modification: dmActivityStream - vBookie Integration (4.x)

Please do not PM me to ask for support - please use the relevant thread or forum.
Reply With Quote
  #3  
Old 24 Apr 2008, 17:23
RedFoxy's Avatar
RedFoxy RedFoxy is offline
 
Join Date: Sep 2007
If you wanna search all template that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use that query in your MySQL database:

SELECT templateid , title , styleid FROM template WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%' AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%' ORDER BY title ASC, styleid ASC;
I used it to fix all mod that i've installed in my vBulletin board

--------------- Added 24 Apr 2008 at 18:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded it

Last edited by RedFoxy; 24 Apr 2008 at 18:00. Reason: Auto-Merged DoublePost
Reply With Quote
  #4  
Old 24 Apr 2008, 19:22
GoTTi GoTTi is offline
 
Join Date: Jun 2002
wow now THIS is a headache. i have security token errors all over my forum....

--------------- Added 24 Apr 2008 at 11:31 ---------------

so WHAT does this mean? that we have to redo ALL of our mods and templates with this CSRF or whatever code???

Last edited by GoTTi; 24 Apr 2008 at 19:55. Reason: Auto-Merged DoublePost
Reply With Quote
  #5  
Old 24 Apr 2008, 20:09
Wayne Luke's Avatar
Wayne Luke Wayne Luke is offline
 
Join Date: Jan 2002
Real name: Wayne
Originally Posted by GoTTi View Post
so WHAT does this mean? that we have to redo ALL of our mods and templates with this CSRF or whatever code???
It means you need to add the one line of HTML above to your templates and submission forms that are causing the errors.
__________________
Wayne Luke
Get started with your own social network. Purchase and download vBulletin today.
Take vBulletin to the next level - vBCodex. Find Tips, Tutorials, and Resources.
Reply With Quote
  #6  
Old 24 Apr 2008, 21:51
GoTTi GoTTi is offline
 
Join Date: Jun 2002
wow now this is retarded....
Reply With Quote
  #7  
Old 25 Apr 2008, 01:52
echo2kk5 echo2kk5 is offline
 
Join Date: Dec 2004
Originally Posted by Wayne Luke View Post
It means you need to add the one line of HTML above to your templates and submission forms that are causing the errors.
Can someone give an example on how to do that? I am not a coder and get lost with this easily...now for the trained eye it's no doubt a piece of cake. For instance I was using the Cyb PayPal Donate Mod and upgrading to 3.6.10 broke it with that security token update. I posted in that thread yesterday but I don't think the creator has been around.
Reply With Quote
  #8  
Old 25 Apr 2008, 02:14
Aclikyano Aclikyano is offline
 
Join Date: Apr 2006
OK...... wanna explain this for the SLOW?
which templates SPECIFICLY do we need to add WHAT SPECIFIC code? to make 3rd party mods (vb.com) to WORK correctly on our sites?

I think a few 100 people are STUCK on what to do even tho it was explained from "coders", leaving "non-coders" and only editors of codes or mods such as myself BAFFLED as to what Exactly and how Exactly to do the such above instructions...
Reply With Quote
  #9  
Old 25 Apr 2008, 02:34
King Kovifor's Avatar
King Kovifor King Kovifor is offline
 
Join Date: Nov 2004
Real name: Jeremy
Originally Posted by Aclikyano View Post
OK...... wanna explain this for the SLOW?
which templates SPECIFICLY do we need to add WHAT SPECIFIC code? to make 3rd party mods (vb.com) to WORK correctly on our sites?

I think a few 100 people are STUCK on what to do even tho it was explained from "coders", leaving "non-coders" and only editors of codes or mods such as myself BAFFLED as to what Exactly and how Exactly to do the such above instructions...
You must add this to any form on your site. I haven't tried the query above, but it should work and you can add them.
__________________
Do not request support through any other means except the forums.

Useful Post With Links on Learning How To Develop vBulletin Plugins

Latest Modification: Stop Forum Spam Integration
Reply With Quote
  #10  
Old 25 Apr 2008, 02:34
valdet's Avatar
valdet valdet is offline
 
Join Date: Feb 2007
Real name: Valdet
Originally Posted by RedFoxy View Post
If you wanna search all template that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use that query in your MySQL database:



I used it to fix all mod that i've installed in my vBulletin board

--------------- Added Thursday, 24 April 2008, 19 at 19:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded it
Does this MySQL query mean that it will insert the
Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

after each instances of the following code

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

This will affect only templates that need the security token embedded right?
Reply With Quote
  #11  
Old 25 Apr 2008, 02:39
DustyJoe DustyJoe is offline
 
Join Date: Dec 2007
=/ I dont get it, I have errors now too.. with RC 4
Reply With Quote
  #12  
Old 25 Apr 2008, 02:43
echo2kk5 echo2kk5 is offline
 
Join Date: Dec 2004
Originally Posted by King Kovifor View Post
You must add this to any form on your site. I haven't tried the query above, but it should work and you can add them.
What are the "forms"? and where do we edit them?
Reply With Quote
  #13  
Old 25 Apr 2008, 02:55
Aclikyano Aclikyano is offline
 
Join Date: Apr 2006
everyone has errors ^^ by FORMS i think he means TEMPLATES. (style settings, etc)
Reply With Quote
  #14  
Old 25 Apr 2008, 03:24
Wayne Luke's Avatar
Wayne Luke Wayne Luke is offline
 
Join Date: Jan 2002
Real name: Wayne
Originally Posted by Aclikyano View Post
everyone has errors ^^ by FORMS i think he means TEMPLATES. (style settings, etc)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.
__________________
Wayne Luke
Get started with your own social network. Purchase and download vBulletin today.
Take vBulletin to the next level - vBCodex. Find Tips, Tutorials, and Resources.

Last edited by Wayne Luke; 25 Apr 2008 at 19:52.
Reply With Quote
  #15  
Old 25 Apr 2008, 03:36
echo2kk5 echo2kk5 is offline
 
Join Date: Dec 2004
Thank you Wayne.
Reply With Quote
Reply

Similar Article
Article Author Type Replies Last Post
Show Thread Enhancements Stamps (CSRF protection added) misr.cc vBulletin 3.7 Add-ons 98 14 Oct 2012 14:54
Add-On Releases vBTube 1.2.9 (CSRF protection added) Playa82 vBulletin 3.7 Add-ons 434 22 Jan 2012 23:08
Mini Mods [ITECH] Inferno CSRF Auto Protection Inferno Tech vBulletin 3.6 Add-ons 15 02 Nov 2010 04:01



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Article Options

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


New To Site? Need Help?

All times are GMT. The time now is 05:45.

Layout Options | Width: Wide Color: