vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=177013

Implementing CSRF Protection in modifications
by Marco van Herwaarden
24 Apr 2008 07:32

With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP: there is no way to ensure the exact origin of a request, and it's also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products; with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.


[code block not shown on the original page: licensed members only]

With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user; if it's wrong an error message will be shown and execution will halt.

If this value is set to false then all CSRF protection is removed for the file; this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.


[code block not shown on the original page: licensed members only]

Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.


[code block not shown on the original page: licensed members only]

The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection; if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime, it is available within the registry object; using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.


[code block not shown on the original page: licensed members only]

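The following is an added illustration of the opt-in check described in the post above; it is not vBulletin's own code, and the function and parameter names are assumptions. It models the three behaviours the post states: only POST requests are checked, the submitted securitytoken is compared to the user's 40-character value, and a skip list of `do` actions is honoured (an empty list exempting only the default action).

```php
<?php
// Added illustration of the opt-in CSRF check described above. Not vBulletin's
// own implementation; names and signatures are assumptions.

/**
 * Decide whether a request must carry a valid securitytoken.
 *
 * @param string      $method   HTTP method ('GET', 'POST', ...)
 * @param string|null $do       value of the 'do' parameter, null when absent
 * @param string|null $skipList exemption list as the file would define it:
 *                              null = no list, '' = exempt the default action,
 *                              'a,b' = exempt actions a and b
 */
function csrf_check_required(string $method, ?string $do, ?string $skipList): bool
{
    if (strtoupper($method) !== 'POST') {
        return false;                      // only POST submissions are protected
    }
    if ($skipList === null) {
        return true;                       // no exemptions at all
    }
    if ($skipList === '') {
        return $do !== null && $do !== ''; // empty list exempts the default action only
    }
    $exempt = array_map('trim', explode(',', $skipList));
    return !in_array((string) $do, $exempt, true);
}

/**
 * Compare the submitted token with the one stored for the user.
 * hash_equals avoids leaking the match position through timing.
 */
function csrf_token_valid(?string $submitted, string $expected): bool
{
    if ($submitted === null || strlen($submitted) !== 40) {
        return false;                      // the token is a 40-character hash
    }
    return hash_equals($expected, $submitted);
}

/** Combined gate: true when the request may proceed, false when it must halt. */
function csrf_allow(string $method, array $post, ?string $do, ?string $skipList, string $userToken): bool
{
    if (!csrf_check_required($method, $do, $skipList)) {
        return true;
    }
    return csrf_token_valid($post['securitytoken'] ?? null, $userToken);
}

// Constructed sample run (the token value is made up for the demonstration).
$token = str_repeat('a', 40);
$skip  = 'action_one,action_two';

var_dump(csrf_allow('POST', ['securitytoken' => $token], 'action_one',   $skip, $token)); // true: exempt action
var_dump(csrf_allow('POST', [],                          'action_three', $skip, $token)); // false: token missing
var_dump(csrf_allow('POST', ['securitytoken' => 'x'],    'action_three', $skip, $token)); // false: wrong token
var_dump(csrf_allow('POST', ['securitytoken' => $token], 'action_three', $skip, $token)); // true: token matches
var_dump(csrf_allow('POST', [],                          null,           '',    $token)); // true: default action exempt
var_dump(csrf_allow('GET',  [],                          'action_three', null,  $token)); // true: GET is never checked
```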

Dismounted 24 Apr 2008 08:20

Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

[code block not shown on the original page: licensed members only]


RedFoxy 24 Apr 2008 16:23

If you want to search all templates that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use this query in your MySQL database:

Quote:

SELECT templateid , title , styleid FROM template WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%' AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%' ORDER BY title ASC, styleid ASC;
I used it to fix all mods that I've installed in my vBulletin board.

--------------- Added 24 Apr 2008 at 17:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded them.

GoTTi 24 Apr 2008 18:22

wow now THIS is a headache. I have security token errors all over my forum....

--------------- Added 24 Apr 2008 at 11:31 ---------------

so WHAT does this mean? that we have to redo ALL of our mods and templates with this CSRF or whatever code???

Wayne Luke 24 Apr 2008 19:09

Quote:

Originally Posted by GoTTi (Post 1498357)
so WHAT does this mean? that we have to redo ALL of our mods and templates with this CSRF or whatever code???

It means you need to add the one line of HTML above to your templates and submission forms that are causing the errors.

GoTTi 24 Apr 2008 20:51

wow now this is retarded....

echo2kk5 25 Apr 2008 00:52

Quote:

Originally Posted by Wayne Luke (Post 1498407)
It means you need to add the one line of HTML above to your templates and submission forms that are causing the errors.

Can someone give an example on how to do that? I am not a coder and get lost with this easily...now for the trained eye it's no doubt a piece of cake. For instance I was using the Cyb PayPal Donate Mod and upgrading to 3.6.10 broke it with that security token update. I posted in that thread yesterday but I don't think the creator has been around.

Aclikyano 25 Apr 2008 01:14

OK...... wanna explain this for the SLOW?
Which templates SPECIFICALLY do we need to add WHAT SPECIFIC code to, to make 3rd party mods (vb.com) WORK correctly on our sites?

I think a few 100 people are STUCK on what to do even though it was explained by "coders", leaving "non-coders" and only editors of codes or mods such as myself BAFFLED as to what Exactly and how Exactly to do the above instructions...

King Kovifor 25 Apr 2008 01:34

Quote:

Originally Posted by Aclikyano (Post 1498676)
OK...... wanna explain this for the SLOW?
Which templates SPECIFICALLY do we need to add WHAT SPECIFIC code to, to make 3rd party mods (vb.com) WORK correctly on our sites?

I think a few 100 people are STUCK on what to do even though it was explained by "coders", leaving "non-coders" and only editors of codes or mods such as myself BAFFLED as to what Exactly and how Exactly to do the above instructions...

You must add this to any form on your site. I haven't tried the query above, but it should work and you can add them.

valdet 25 Apr 2008 01:34

Quote:

Originally Posted by RedFoxy (Post 1498253)
If you want to search all templates that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use this query in your MySQL database:



I used it to fix all mods that I've installed in my vBulletin board.

--------------- Added 24 Apr 2008 at 17:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded them.

Does this MySQL query mean that it will insert the
[code block not shown on the original page: licensed members only]

after each instance of the following code

[code block not shown on the original page: licensed members only]

This will affect only templates that need the security token embedded right?

DustyJoe 25 Apr 2008 01:39

=/ I don't get it, I have errors now too.. with RC 4

echo2kk5 25 Apr 2008 01:43

Quote:

Originally Posted by King Kovifor (Post 1498686)
You must add this to any form on your site. I haven't tried the query above, but it should work and you can add them.

What are the "forms"? and where do we edit them?

Aclikyano 25 Apr 2008 01:55

everyone has errors ^^ by FORMS i think he means TEMPLATES. (style settings, etc)

Wayne Luke 25 Apr 2008 02:24

Quote:

Originally Posted by Aclikyano (Post 1498699)
everyone has errors ^^ by FORMS i think he means TEMPLATES. (style settings, etc)

Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

echo2kk5 25 Apr 2008 02:36

Thank you Wayne. :up:

RedFoxy 25 Apr 2008 09:43

Quote:

Originally Posted by valdet (Post 1498687)
Does this MySQL query mean that it will insert the
[code block not shown on the original page: licensed members only]

after each instance of the following code

[code block not shown on the original page: licensed members only]

This will affect only templates that need the security token embedded right?

yep

shahryar_neo 25 Apr 2008 13:24

Quote:

Originally Posted by RedFoxy (Post 1498864)
yep

I used your code but my AJAX problem is not solved!

2- Thanks Plugin doesn't work again and it doesn't work on this mod.

:(

I have a question for the vBulletin Core Dev Team: Sorry, did you think before releasing a version perfectly? :confused: Because about 98 percent of the forums, I think, use many mods, and with your advice nothing is gonna change, because nobody can modify all the forms!

Dismounted 25 Apr 2008 13:46

Have you even read the first reply to the thread regarding AJAX requests?

Opserty 25 Apr 2008 13:49

Quote:

I used your code but my AJAX problem is not solved!

2- Thanks Plugin doesn't work again and it doesn't work on this mod.
If you are experiencing problems with a modification post in the thread from which you downloaded it, this thread is intended to give advice to those with a small amount of knowledge of vBulletin, PHP and HTML. If you don't have this knowledge you must wait till the author releases a working version of the respective modification.

Quote:

Originally Posted by shahryar_neo (Post 1498970)
I have a question for the vBulletin Core Dev Team: Sorry, did you think before releasing a version perfectly? :confused: Because about 98 percent of the forums, I think, use many mods, and with your advice nothing is gonna change, because nobody can modify all the forms!

Either you have a partially working forum or one that is vulnerable to attacks, I know which one I'd choose.

baghdad4ever 25 Apr 2008 13:53

thanks

Wayne Luke 25 Apr 2008 15:51

Quote:

Originally Posted by shahryar_neo (Post 1498970)
I have a question for the vBulletin Core Dev Team: Sorry, did you think before releasing a version perfectly? :confused: Because about 98 percent of the forums, I think, use many mods, and with your advice nothing is gonna change, because nobody can modify all the forms!

I have 17 products installed comprised of 88 plugins and quite a few new templates. I had a problem with one product after upgrading to vBulletin 3.7.0 RC4 on my site. That was Princeton's Quick Reply in PMs. Adding the security token to the form took about 20 seconds and the site was fully operational again.

midwestce 25 Apr 2008 16:38

I did the find/replace fix and now on several pages I have an extra /> hanging around. Various mods are still not working. Any help is appreciated.

Golzarion 25 Apr 2008 18:47

Quote:

Originally Posted by Wayne Luke (Post 1498706)

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after it, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Thank you! :up: I did all the changes and now have no problems.

It was not too hard :) ... in fact it is easy. The other way is:

Quote:

Originally Posted by RedFoxy (Post 1498253)
If you want to search all templates that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use this query in your MySQL database:

[code block not shown on the original page: licensed members only]

after each instance of the following code

[code block not shown on the original page: licensed members only]



I used it to fix all mods that I've installed in my vBulletin board.

--------------- Added 24 Apr 2008 at 17:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded them.


shahryar_neo 26 Apr 2008 11:36

Quote:

Originally Posted by Dismounted (Post 1497947)
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

[code block not shown on the original page: licensed members only]

Sorry for my low information. Can you simplify this instruction for using AJAX requests using POST?

sv1cec 26 Apr 2008 12:57

Could some one PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.

Kaycee123 26 Apr 2008 16:15

Quote:

Originally Posted by RedFoxy (Post 1498253)
If you want to search all templates that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use this query in your MySQL database:



I used it to fix all mods that I've installed in my vBulletin board.

--------------- Added 24 Apr 2008 at 17:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded them.

I have tried this query under Maintenance - Run SQL query, and also on my PHPMyAdmin database query

Both come back with the same error:

An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'iwfu2_main.template' doesn't exist

Dilmah 26 Apr 2008 17:09

Quote:

Originally Posted by sv1cec (Post 1499719)
Could some one PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.

Upgrade.

powerful_rogue 26 Apr 2008 18:25

Quote:

Originally Posted by Dismounted (Post 1497947)
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

[code block not shown on the original page: licensed members only]

Hi,

I'm trying to get one of my important mods to work, but not having much luck. I've tried all the other advice, and the only thing I can think it could be is the Ajax.

This is the part of the mod:

Quote:

<script type="text/javascript">
var qstring = '';

function check_pager(qstring)
{
vbPage = new vB_AJAX_Handler(true);
vbPage.onreadystatechange(ShowPager);

if (qstring=='' || qstring==null)
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php?action=pager&do=readpager&', 'nocache=' + (5 * Math.random() * 1.33) );
}
else
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php', qstring);
}
}

function Close_Pager(qstring)
{
check_pager(qstring);
}

function ShowPager()
{
var refreshtime = {$vboptions['vbpager_ajax_refresh']};
if (refreshtime > 0)
refreshtime = refreshtime * 1000;

if (vbPage.handler.readyState == 4 && vbPage.handler.status == 200)
{

// Ignore result if its "Fatal Error"
resultText = vbPage.handler.responseText;
isError = resultText.indexOf("Fatal error");
if (isError >= 0 && isError < 25)
vbPage.handler.responseText = '';

if (vbPage.handler.responseText)
{
document.body.style.cursor = 'default';
pagerbox = fetch_object('PLAYER');
pagerbox.innerHTML = vbPage.handler.responseText;
displayPager();
if (vbPage.handler.responseText == '' || vbPage.handler.responseText == null)
{
pagerbox.innerHTML = '';
setTimeout('check_pager()', refreshtime);
}
}
else
{ if (refreshtime > 0)
setTimeout('check_pager()', refreshtime);
}
}
}
check_pager();
</script>
Quote:

<script type="text/javascript">
var qstring = '';

function new_pager(qstring)
{
vbPage = new vB_AJAX_Handler(true);
vbPage.onreadystatechange(ShowPager);

if (qstring=='' || qstring==null)
{
return false;
}
else
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php', qstring);
}
}

function Pager(tform)
{
var users = new Array();
var arrCount = 0;
for (i = 0; i < tform.elements.length; i++)
{
var element = tform.elements[i];
if ((element.name != "allbox") && (element.type == "checkbox") && (element.checked == true))
{
users[arrCount] = element.value;
arrCount++;
}
}
if (arrCount == 0)
{
alert("$vbphrase[pager_no_user_selected]");
return false;
}
else
{
var querystring = "";
for (i = 0; i < users.length; i++)
{
querystring += "&userid[]=" + users[i];
}
}
querystring = "action=pager&do=newpagertouser&" + querystring;
new_pager(querystring);
}

function PagertoUser(userid)
{
if (userid != null || userid != '')
{
querystring = "action=pager&do=newpagertouser&userid[]=" + userid;
exec_refresh(1);
new_pager(querystring);
}
}

function ShowPager()
{
if (vbPage.handler.readyState == 4 && vbPage.handler.status == 200)
{
if (vbPage.handler.responseText)
{
var refreshtime = 5000;
document.body.style.cursor = 'default';
pagerbox = fetch_object('PLAYER');
pagerbox.innerHTML = vbPage.handler.responseText;
displayPager();
if (vbPage.handler.responseText == '' || vbPage.handler.responseText == null)
{
pagerbox.innerHTML = '';
}
}
else
{
toggle_disabled(1, 'buddylist_option');
}
}
}
</script>
There's a few other mentions, but from looking at those, whereabouts would you suggest putting the security token?

I would ask in the mod thread, however this became unsupported a long time ago!

King Kovifor 26 Apr 2008 18:26

Quote:

Originally Posted by Kaycee123 (Post 1499846)
I have tried this query under Maintenance - Run SQL query, and also on my PHPMyAdmin database query

Both come back with the same error:

An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'iwfu2_main.template' doesn't exist

That is because you most likely have a table prefix inside of it. Try following this post instead:

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.


Boofo 26 Apr 2008 18:30

The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.

powerful_rogue 26 Apr 2008 18:36

Quote:

Originally Posted by Boofo (Post 1499947)
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.

That's the problem I was having with vbpager. I looked for every <form.... and every method=post and put the security token code underneath.

That's why I think it's now an ajax issue. I've tried to figure it out but to no avail. The odd thing is, it works fine in 3.6.10, but not in 3.7 RC4

--------------- Added 26 Apr 2008 at 20:35 ---------------

problem solved! I had a search around and tried the fix that was being used for a shoutbox.

I changed all 3 instances of "securitytoken=" to "&securitytoken=" in vbulletin_global.js and it did the trick!

rinkrat 26 Apr 2008 22:57

I can't save my vbulletin settings without this error.

What do I change to fix this? In a template?


I also can not import any hacks without an error.

Where do I fix this? In a template?

--------------- Added 26 Apr 2008 at 23:04 ---------------

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.


I am getting the error when I try to edit a template and save it so this will not work.

Lynne 26 Apr 2008 23:42

Quote:

Originally Posted by rinkrat (Post 1500145)
I am getting the error when I try to edit a template and save it so this will not work.

Note that what you quoted says to "add this line directly after the line containing the above", not directly after that code.

rinkrat 26 Apr 2008 23:53

I cannot do anything, including editing templates, turning the board on or loading templates without the security error.

Lynne 26 Apr 2008 23:55

You may want to run the upgrade script again so it makes the necessary changes or run the query listed back on the first page.

Thank you
by cmedic101
27 Apr 2008 00:08

I added this line to all my custom templates and followed the instructions as listed.

No errors
No problems with any mods
casino is still working:)

thank you:up:

cmedic

King Kovifor 27 Apr 2008 00:26

Quote:

Originally Posted by rinkrat (Post 1500185)
I cannot do anything, including editing templates, turning the board on or loading templates without the security error.

You should be able to work in the ACP as it is not affected. Maybe posting at vB.com or disabling your plugins by using this code in your config.php may solve your problem:

define('DISABLE_HOOKS', true);

Terrie 27 Apr 2008 07:20

Quote:

Originally Posted by Dismounted (Post 1497947)
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

[code block not shown on the original page: licensed members only]

What file do I need to place this into?
I've already added the 3 &'s before "securitytoken" in my clientscript/vbulletin_global.js
I have also updated ALL my templates per the security token instructions given and still
I'm having problems with every mod that uses java and ajax
I am running 3.7 RC4

Dismounted 27 Apr 2008 08:52

Quote:

Originally Posted by shahryar_neo (Post 1499668)
Sorry for my low information. Can you simplify this instruction for using AJAX requests using POST?

It is the simplest it can be. Add the security token into the request.
Quote:

Originally Posted by sv1cec (Post 1499719)
Could some one PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.

You can't unless you edit files directly as the fix is actually a very large one.
Quote:

Originally Posted by Terrie (Post 1500484)
What file do I need to place this into?
I've already added the 3 &'s before "securitytoken" in my clientscript/vbulletin_global.js
I have also updated ALL my templates per the security token instructions given and still
I'm having problems with every mod that uses java and ajax
I am running 3.7 RC4

You do not need to mess with any default vBulletin JS file.

Opserty 27 Apr 2008 09:20

Quote:

Originally Posted by Dismounted (Post 1500532)
You do not need to mess with any default vBulletin JS file.

There have been a few errors in RC4 that have caused problems for a couple of ajax modifications, hence why some have edited vbulletin_global.js. http://www.vbulletin.com/forum/proje...?issueid=25287

Wayne Luke 27 Apr 2008 13:22

Quote:

Originally Posted by rinkrat (Post 1500185)
I cannot do anything, including editing templates, turning the board on or loading templates without the security error.

Then you will need to open a thread on vBulletin.com. The security changes should have absolutely no effect on the Admin CP and these changes do not apply to the Admin CP in any way.

bertwrld 27 Apr 2008 15:05

Quote:

Originally Posted by cmedic101 (Post 1500195)
I added this line to all my custom templates and followed the instructions as listed.

No errors
No problems with any mods
casino is still working:)

thank you:up:

cmedic

What templates did you edit in the casino?

slmoney 28 Apr 2008 01:01

I hope I am not the only one scratching their head thinking..what?

I admit..I am not a coder..nor programmer. I've read the instructions over and over..and I still have no clue what goes where.

So far on my board the only item giving me a problem is the AJAX Latest Post Mod.

I'm probably asking too much if someone explains this so a 5th grader could understand it.

Thanks.

King Kovifor 28 Apr 2008 01:26

Quote:

Originally Posted by slmoney (Post 1501072)
I hope I am not the only one scratching their head thinking..what?

I admit..I am not a coder..nor programmer. I've read the instructions over and over..and I still have no clue what goes where.

So far on my board the only item giving me a problem is the AJAX Latest Post Mod.

I'm probably asking too much if someone explains this so a 5th grader could understand it.

Thanks.

It would be within the javascript. What needs to be added would be found in the second post. That is about as far as I can explain it as I haven't taught myself AJAX yet.

yaoren 28 Apr 2008 16:37

Ok I'm at a loss since I've manually gone in and did the search in templates and added the line of code to each template that was missing the security token and well, I'm still having the message pop up. I honestly don't know what mod is causing the issues since it pops up only in certain areas. Any other ideas?

Boofo 28 Apr 2008 17:08

Quote:

Originally Posted by yaoren (Post 1501565)
Ok I'm at a loss since I've manually gone in and did the search in templates and added the line of code to each template that was missing the security token and well, I'm still having the message pop up. I honestly don't know what mod is causing the issues since it pops up only in certain areas. Any other ideas?

Check Andreas' profile as he just released a hack that will send an email upon any token errors.

yaoren 28 Apr 2008 20:06

Oh man, thank you so much for this. Still having some problems but getting closer :)

ringleader 28 Apr 2008 23:35

Quick, random, and possibly letting everyone know the stupidity I try to keep hidden like a mental problem...

Does this token need to be placed in every form that passes a hidden value, or just the ones that use the sessionhash?

Boofo 28 Apr 2008 23:45

Every form that uses post.

ringleader 28 Apr 2008 23:52

Excellent. Thanks for responding! :)

Skavenger 30 Apr 2008 00:03

Quote:

Originally Posted by Boofo (Post 1499947)
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.

what about this? I have a mod that doesn't have what is in bold...

I mean, there is no <input type="hidden" line either

Can I just add the security token below the opening form tag "<form>"?

Dismounted 30 Apr 2008 10:47

Yes, you just add the line below the form tag.

ARB4HOSTING.COM 01 May 2008 03:48

Thank you

dealxa 01 May 2008 12:03

I didn't use color in posts after the upgrade :confused:
What is the problem?

rinkrat 01 May 2008 15:15

I find it hard to believe that, in the final release candidate, Jelsoft would throw a monkey wrench like this into the mix and create a nightmare for all of their current customers who aren't programmers.

Isn't there any kind of search and replace mod that one of you can cook up to repair the damage done by this security token B.S.? It looks like the terrorists have finally won!

Boosted Panda 01 May 2008 16:51

Quote:

Originally Posted by rinkrat (Post 1504585)
I find it hard to believe that, in the final release candidate, Jelsoft would throw a monkey wrench like this into the mix and create a nightmare for all of their current customers who aren't programmers.

Isn't there any kind of search and replace mod that one of you can cook up to repair the damage done by this security token B.S.? It looks like the terrorists have finally won!

I too am frustrated at this because I was thinking going gold meant ready to go. Now I have end users who are leaving my forums because of this. I spent 2 hours searching and replacing and now find out that anything with form needs it too :( Is there a hack or something out there that will do this automatically this is quite a drag.

Boofo 01 May 2008 17:10

Just do a template search for <form

Add the code to any form that uses POST. Simple.

The upgrade takes care of all that except for any add-on hacks.

spankaveli 04 May 2008 14:54

Quote:

Originally Posted by Boofo (Post 1499947)
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.

thank you for this advice!!!! this fixed my itrader issue. two or 3 of the itrader templates did not have "sessionhash."

Boofo 04 May 2008 15:04

Default vb templates don't always have the sessionhash in the forms. Glad I could help. ;)

Mancunian_Red 04 May 2008 17:20

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Thank you Wayne for putting this in English, I just followed your instructions and then the problem was solved

CSRF Issue.
by PaulSonny
05 May 2008 21:17

Can anyone help me with this problem,

Details of the reported exploit are as follows;

Multiple CSRF Vulnerabilities
=============================

Example
------------------
if ($_REQUEST['do'] == 'deletereply'){
------------------

Because the "delete" command can be executed via a GET request (ie. URL in a signature), if a user with permission clicks a link that is specifically crafted, it can delete something. CSRF.

This is in my HelpCenter modification. I thought I had covered all CSRF issues but it seems I may have missed something, but I don't know how to correct it as I've covered everything from this thread.

Thanks, Paul.

Milad 06 May 2008 10:34

Quote:

Originally Posted by PaulSonny (Post 1509706)
Can anyone help me with this problem?

Details of the reported exploit are as follows:

Multiple CSRF Vulnerabilities
=============================

Example
------------------
if ($_REQUEST['do'] == 'deletereply'){
------------------

Because the "delete" command can be executed via a GET request (i.e. a URL in a signature), if a user with permission clicks a link that is specifically crafted, it can delete something. CSRF.

This is in my HelpCenter modification. I thought I had covered all CSRF issues, but it seems I may have missed something, and I don't know how to correct it, as I've covered everything from this thread.

Thanks, Paul.

Make it a POST request and use the security token!
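As an added illustration, not Paul's HelpCenter code nor vBulletin's own check, here is a Python model of the reported dispatch beside the fix Milad describes: PHP's $_REQUEST is modelled by merging the GET and POST dicts, the action names are hypothetical, and the user's securitytoken is treated as an opaque string.

```python
import hmac

# Error text vBulletin shows when the check fails (quoted elsewhere in this thread).
SECURITY_TOKEN_ERROR = ('Your submission could not be processed because a security '
                        'token was missing or mismatched.')

# Hypothetical action names for the HelpCenter-style script being modelled.
STATE_CHANGING = {'deletereply', 'postreply'}


def dispatch_vulnerable(method, get, post, user_token):
    """The reported pattern: `if ($_REQUEST['do'] == 'deletereply')`.

    PHP's $_REQUEST merges the query string and the POST body, so a crafted
    link (a plain GET) reaches the delete branch and the token is never consulted.
    `method` and `user_token` are accepted only to mirror the fixed version.
    """
    request = {**get, **post}            # what $_REQUEST looks like to the script
    if request.get('do') == 'deletereply':
        return 'deleted'
    return 'shown'


def dispatch_protected(method, get, post, user_token):
    """Milad's advice applied: state changes only via POST, and only with the token.

    get/post are the query-string and body fields as dicts; user_token is the
    securitytoken value vBulletin holds for the logged-in user (opaque here).
    """
    # Read-only views may still be addressed by GET; anything that changes state
    # is taken from the POST body only, never from the merged $_REQUEST view.
    do = post.get('do') if method == 'POST' else get.get('do')
    if do not in STATE_CHANGING:
        return 'shown'
    if method != 'POST':
        return 'error: state-changing action requested via GET'
    # A missing field must fail exactly like a wrong one; compare in constant time.
    given = post.get('securitytoken', '')
    if not hmac.compare_digest(given.encode(), user_token.encode()):
        return 'error: ' + SECURITY_TOKEN_ERROR
    return 'deleted' if do == 'deletereply' else 'posted'
```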

dancue 06 May 2008 16:32

I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.

ikki29 07 May 2008 19:30

Quote:

Originally Posted by dancue (Post 1510585)
I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.



I agree completely with the companion. I use this modification and also have these problems; it is a product much used in the forum and I cannot allow myself the luxury of removing it. I ask them please to help us with this topic, thanks. PS: as always I apologise for my English, for which I use a Spanish-to-English translator, sie

scan-pa 07 May 2008 19:45

Yes, BIG thank you to everyone who got this needed info to us. This fixed all my mods that went down after the move to vB 3.7.0 Gold.


Now the mods I have been running for over 2.5 years are all back online...

dancue 08 May 2008 17:45

Quote:

Originally Posted by Dismounted (Post 1497947)
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Could someone please explain this further?

What did this look like before the edit? What are you editing? Is it a template, a plug-in?

juan71287 09 May 2008 00:37

Hi guys, I don't really understand this. What I want to do is make it so this does not show anymore.

https://www.vbulletin.org/forum/external/2008/11/48.jpg

Please help me take that off. Thanks.

Flep 09 May 2008 10:00

Wow! This is a precious thread!

thank you :)

dssart 09 May 2008 14:30

Greetings all,

Well, you guys are my last hope. I had a mod written for me last year; my forum members love it and at the moment it's running, but when I upgrade I don't expect it to survive, so I'm trying to get a handle on this so that I can do it myself. The coder has long since disappeared, so help is appreciated.

The beginning of this thread says that:

"To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT."

I have this line at the beginning of my mods .php file:

define('THIS_SCRIPT', 'dataawards_awards');

Do I add this:

define('CSRF_PROTECTION', true);

Directly below that line? Will that solve the entire security token issue, or do I need to hunt for form/posts? Talking about form/posts... is this one?:

$awarddisplay.= '<form action="' . htmlentities($_SERVER['PHP_SELF']) . '?addawards=' . $_REQUEST['addawards'] . '&amp;type=' . $type . '" method="POST">';

If I understand this correctly I need to find all form/posts (since you are posting and not requesting, thus the need for the security token):

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />


Thanks, I hope I can work through this on my own, but if anyone wants to make some money, I'd rather pay to have it done. PM if interested.

Behzad Varedi 10 May 2008 20:22

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Thanks a lot,

I did what you said and my problem is solved now... :)
Thanks again.

Ionsurge 11 May 2008 16:18

I've managed to rectify most of these errors myself, however, if I click the "Go Advanced" button on the quick reply part of viewing a thread, it shows the error? As far as I can tell, I've amended it all...

Any help? Have I missed a file?

ExTincTi0N 11 May 2008 17:31

Ok I am having trouble with my skins.
It's the security token thing.
Where do I add it and where in it?

steve1966 11 May 2008 22:45

Hi, I have added this <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> after value="$session[sessionhash]" to all my templates, and my members are getting this

Quote:

While performing a search in the Games forum, I received the following message:

"Your submission could not be processed because a security token was missing or mismatched."
Please can someone tell me what I should do now, as I am a little confused. Also, do I need to do anything with this code?

YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
success: this.handle_ajax_response,
failure: this.handle_ajax_error,
timeout: vB_Default_Timeout,
scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

thanks

setishock 12 May 2008 05:40

Only time I get one is when I am uploading a flv movie clip. I got the first one up and that was it. Static picture attachments and albums are ok as are text posting. I created an flv attachment and mimed it with content-type: video/flv. This is not using a hack or mod but an inhouse feature.
So what would you suggest to fix it? I do have the passivevid product installed but all was ok till I created the flv attachment.

unitedbreaks 12 May 2008 19:00

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Thank you for making it 'clear' on how to fix this issue. Much appreciation.

Fireproof 13 May 2008 13:40

I'm sorry, I'm still a bit lost.

I'm using the FORM HACK modification. Can someone tell me what I should be adding, and where? I don't know if I'm supposed to add the "define" tag or the "input securitytoken" tag, or both.

Bounce 14 May 2008 15:54

Quote:

Originally Posted by Fireproof (Post 1518224)
I'm sorry, I'm still a bit lost.

I'm using the FORM HACK modification. Can someone tell me what I should be adding, and where? I don't know if I'm supposed to add the "define" tag or the "input securitytoken" tag, or both.

If it's the same FORM hack as I'm thinking of, in the form template find


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Add after

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

I had the same problem.

JBMoney 14 May 2008 19:39

What if all the templates look fine, and include the code above, but it still happens?

On my site, it happens to users who haven't logged in for a while. They log in, see the forum briefly and then get the error while being redirected to profile.php?do=dst.

dancue 14 May 2008 20:03

Am I correct in assuming that this is where the change would take place?

What must be done?


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

I am using itsid's HIDE Hack.

Fireproof 14 May 2008 20:29

Quote:

Originally Posted by hIBEES (Post 1519414)
If it's the same FORM hack as I'm thinking of, in the form template find


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Add after

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

I had the same problem.


Genius! Thank you - worked perfectly!!

Aclikyano 17 May 2008 01:39

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

I did this to avoid editing some newer templates and noticed SOME templates I did before already have it... and I'm afraid they have the sec token value=bla bla TWICE instead of just ONCE...

Quote:

<input type="hidden" name="s" value="$session[sessionhash]"
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]"
/>
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
How would I make every template have this only ONCE, like it's supposed to be?

sids HIDE
by lms
17 May 2008 11:36

Quote:

Originally Posted by dancue (Post 1510585)
I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.

Change it for this other code:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

It works fine for me.

Cheers

HearthrobZ 21 May 2008 07:55

This is really a mess! I'm not a professional coder. Please, someone make a step-by-step instruction for doing this to avoid the security token missing error, as it'd help a lot of people.

Thanks

mikesz 21 May 2008 08:40

I have seen this one before but don't know exactly what triggers it, BUT for what it's worth,

Find in your footer template the following,



Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

It should be:


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

HTH, mikesz

blindmedia ltd 21 May 2008 16:34

It's OK for you all to say do this if people know the code, and I don't know.

Surely, as Jelsoft screwed up with this, they should issue a fix. I installed my 3.7 as a clean first-time full install and I still get this error.

scan-pa 21 May 2008 18:06

Quote:

Originally Posted by blindmedia ltd (Post 1526986)
It's OK for you all to say do this if people know the code, and I don't know.

Surely, as Jelsoft screwed up with this, they should issue a fix. I installed my 3.7 as a clean first-time full install and I still get this error.

It's not Jelsoft's problem. They fixed all of the templates that come with the basic software. But the current errors are from all of the various non-Jelsoft add-ons and modification programs. Since Jelsoft does not officially support these add-ons, you use them at your own risk.

But posted in the early posts are the exact steps you should take to search your templates and find the ones that need the line of code added to them.

dssart 21 May 2008 22:16

Quote:

Originally Posted by blindmedia ltd (Post 1526986)
It's OK for you all to say do this if people know the code, and I don't know.

Surely, as Jelsoft screwed up with this, they should issue a fix. I installed my 3.7 as a clean first-time full install and I still get this error.

Do yourself a favor: if you're having problems and the hacks you have installed are something you can live without, then uninstall them, revert your templates, upgrade, and you will be stress-free. Have you tried contacting the author of the hack? He probably has moved on to other things, which is why you are here. If that's the case, the hack is obviously unsupported now and it's just a matter of time anyway before it breaks under another update and you will have to go through this all over again.

blindmedia ltd 22 May 2008 22:57

Quote:

Originally Posted by dssart (Post 1527308)
Do yourself a favor: if you're having problems and the hacks you have installed are something you can live without, then uninstall them, revert your templates, upgrade, and you will be stress-free. Have you tried contacting the author of the hack? He probably has moved on to other things, which is why you are here. If that's the case, the hack is obviously unsupported now and it's just a matter of time anyway before it breaks under another update and you will have to go through this all over again.

That's what I said: it was a 100% clean install, brand new with no hacks installed, and it was giving this error.

Therefore it would be impossible for it to be anything other than vBulletin itself causing the problem.

It is 100% vBulletin 3.7.0 at fault; at the time it started there were NO other software, hacks or mods installed.

dssart 23 May 2008 01:55

I can't comment accurately on your situation, but I had serious reservations myself in upgrading from 3.6.9 to 3.7.0. I have a custom hack coded for my forum that I was almost positive was going to fail with this CSRF thing. I did the following and it was the smoothest upgrade I've ever had. Not even my custom hack cracked:

Back up the database, back up my /images folder, shut down the forum, do the upgrade. Upload my custom /images and overwrite the new, then perform the upgrade. After, go back and revert everything the upgrade reported as needing to be reverted. Sounds to me like some of the upgrade files were munged during the transfer. I'd re-upload the upgrade files and make sure all appropriate ASCII files are transferred as ASCII and all binary as binary. Something that simple can easily be overlooked. Also, make sure your config.php is correctly configured. Something is missing... you just have to.

Seeing as it was a brand new install, I'd say the problem is either with a corrupt file upload or misconfigured config.php. Something isn't seeing something the way it's supposed to. Many people have installed the 3.7.0 software as an upgrade (which is a helluva lot trickier than a virgin install) and are running with no problem.

tafreeh 23 May 2008 20:19

OK, here is the thing: I have checked almost all my templates for security token code and fixed all of them,
but still only super mods get the security token error whenever they try to reply to a post, whether in new reply or quick reply.

Can someone tell me which templates I have to fix?

WFZ 23 May 2008 21:35

Does someone wanna fix this on my forum for me? :$

blindmedia ltd 25 May 2008 07:39

Quote:

Originally Posted by WFZ (Post 1529372)
Does someone wanna fix this on my forum for me? :$

Anyone wanna do that on mine too?

J98680Bxxxxx 25 May 2008 12:39

As few people are actually using a security token on forums (boards), it will be good if the vBulletin Development team could give an option in the Admin CP (->vBulletin Options) to switch on/off this "CSRF_PROTECTION" depending on whether a customer uses a Security Token or not.

I am definitely one of those who is not using a Security Token on my board (and will not be using it). Thus, from all 56 ".php" files in the "vB 3.7/upload" directory, I have changed all those
define('CSRF_PROTECTION', true);
to ->
define('CSRF_PROTECTION', false);

All my mods and plug-ins are working fine again and the board is running smoothly. No need to start chasing the authors of those many mods I have installed for updates.

Andreas 25 May 2008 12:41

Please stop posting this Wikipedia article.
That is something totally different and actually only confuses people!

Paul M 25 May 2008 13:01

Link removed.

I would suggest that people completely ignore what you posted, as it is removing security from vB and thus re-opening the possibility of attack. What you do to make your own forum vulnerable is up to you, but we do not advise others to follow such a bad route.

mehrdad220 28 May 2008 13:53

I am having this problem with the Currentpoll module in vBadvanced, not sure which file I have to edit to get this fixed. Any ideas?

dodge-downunder 28 May 2008 14:24

Well, I'm by no means a coder and I am stuck with this BS.

I've searched the templates, fixed it, but it still happens.

I'm so over this... I really appreciate any assistance. I've read everything, done everything, but can't sort it.

We need a layman's terms walk-through please!

pooffck1 28 May 2008 20:09

Hi, I am a complete NEWB at this and the only thing that is not working for me is the custom skin I made; it does not support the SEARCH ENGINE on my header. It keeps giving me this message

Quote:

Your submission could not be processed because a security token was missing or mismatched.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.
I have absolutely no idea what is going on with that, and I don't understand what this post (first post) is about, because it doesn't have the right instructions on WHAT template/php file I need to change, WHAT I NEED TO REPLACE IT WITH, WHERE IS IT?

Someone please help me out on this

Thanks

cache 29 May 2008 05:16

I have followed the instructions, added the code after the <form, and fixed the problem when I do a search. So it is not as bad as before.

However when the admin tries to delete thread, this security token occurs. I don't think there is another <form in the template style, where can I find the problem?

J98680Bxxxxx 29 May 2008 16:16

Quote:

Originally Posted by pooffck1 (Post 1534357)
Hi, I am a complete NEWB at this and the only thing that is not working for me is the custom skin I made; it does not support the SEARCH ENGINE on my header. It keeps giving me this message



I have absolutely no idea what is going on with that, and I don't understand what this post (first post) is about, because it doesn't have the right instructions on WHAT template/php file I need to change, WHAT I NEED TO REPLACE IT WITH, WHERE IS IT?

Someone please help me out on this

Thanks

Hi Pooffck1,

I am afraid that you will not get a satisfactory answer here, as it seems that no one really knows what is happening with these random messages stating: "Your submission could not be processed because a security token ..."

This CSRF stuff seems to have been done in a big rush. Open a ticket at vB.com and ask their team to proceed with installation and debugging of your site.
:(

--------------- Added 29 May 2008 at 18:48 ---------------

Quote:

Originally Posted by Paul M (Post 1530878)
Link removed.

I would suggest that people completely ignore what you posted as it is removing security from vb and thus re-opening the possiblity of attack. What you do to make your own forum vunerable is up to you, but we do not advise others to follow such a bad route.


If it was such a bad route, it would not have been implemented in a boolean form (choice: true, false), but directly by whatever means in the code. Also it would not have been indicated in the opening post as you "should", not you "MUST":

Quote:

Originally Posted by Marco van Herwaarden (Post 1497908)
...

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user; if it's wrong, an error message will be shown and execution will halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.




Powered by vBulletin® Version 3.8.14
Copyright © 2021, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.