
#16
25 Apr 2008, 10:43
RedFoxy
Join Date: Sep 2007
Originally Posted by valdet:
Does this MySQL query mean that it will insert the

[code block hidden on the source page: visible to licensed members only]

after each instance of the following code

[code block hidden on the source page: visible to licensed members only]

This will affect only templates that need the security token embedded, right?
yep
#17
25 Apr 2008, 14:24
shahryar_neo
Join Date: Sep 2006
Originally Posted by RedFoxy:
yep
I used your code, but my AJAX problem is not solved!

2- The Thanks plugin doesn't work again, and it doesn't work on this mod.

I have a question for the vBulletin core dev team: Sorry, did you think before releasing a version perfectly? Because I think about 98 percent of forums use many mods, and with your advice nothing is going to change, because nobody can modify all the forms!
#18
25 Apr 2008, 14:46
Dismounted
Join Date: Jun 2005
Real name: Hanson
Have you even read the first reply to the thread regarding AJAX requests?
__________________
Former vBulletin.org Staff Member

View My Modifications
29 Releases and Counting... Latest Modification: dmActivityStream - vBookie Integration (4.x)

Please do not PM me to ask for support - please use the relevant thread or forum.
#19
25 Apr 2008, 14:49
Opserty
Join Date: Apr 2007
Originally Posted by shahryar_neo:
I used your code, but my AJAX problem is not solved!

2- The Thanks plugin doesn't work again, and it doesn't work on this mod.
If you are experiencing problems with a modification, post in the thread from which you downloaded it; this thread is intended to give advice to those with a small amount of knowledge of vBulletin, PHP and HTML. If you don't have this knowledge, you must wait till the author releases a working version of the respective modification.

Originally Posted by shahryar_neo:
I have a question for the vBulletin core dev team: Sorry, did you think before releasing a version perfectly? Because I think about 98 percent of forums use many mods, and with your advice nothing is going to change, because nobody can modify all the forms!
Either you have a partially working forum or one that is vulnerable to attacks; I know which one I'd choose.
#20
25 Apr 2008, 14:53
baghdad4ever
Join Date: May 2007
Real name: husam
thanks
#21
25 Apr 2008, 16:51
Wayne Luke
Join Date: Jan 2002
Real name: Wayne
Originally Posted by shahryar_neo:
I have a question for the vBulletin core dev team: Sorry, did you think before releasing a version perfectly? Because I think about 98 percent of forums use many mods, and with your advice nothing is going to change, because nobody can modify all the forms!
I have 17 products installed comprised of 88 plugins and quite a few new templates. I had a problem with one product after upgrading to vBulletin 3.7.0 RC4 on my site. That was Princeton's Quick Reply in PMs. Adding the security token to the form took about 20 seconds and the site was fully operational again.
__________________
Wayne Luke
Get started with your own social network. Purchase and download vBulletin today.
#22
25 Apr 2008, 17:38
midwestce
Join Date: Sep 2007
I did the find/replace fix and now on several pages I have an extra /> hanging around. Various mods are still not working. Any help is appreciated.
#23
25 Apr 2008, 19:47
Golzarion
Join Date: Jan 2008
Real name: Mohsen
Originally Posted by Wayne Luke:

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in, add this line directly after it, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.
Thank you! I did all the changes and now have no problem.

It was not too hard... in fact it is easy. The other way is:

Originally Posted by RedFoxy:
If you wanna search all templates that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use this query in your MySQL database:

[code block hidden on the source page: visible to licensed members only]

after each instance of the following code

[code block hidden on the source page: visible to licensed members only]

I used it to fix all mods that I've installed in my vBulletin board

--------------- Added 24 Apr 2008 at 18:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded them
#24
26 Apr 2008, 12:36
shahryar_neo
Join Date: Sep 2006
Originally Posted by Dismounted:
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

[code block hidden on the source page: visible to licensed members only]
Sorry for my low information. Can you simplify this instruction for using AJAX requests using POST?
#25
26 Apr 2008, 13:57
sv1cec
Join Date: May 2004
Real name: John
Could someone PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.
__________________

John
SV1CEC
#26
26 Apr 2008, 17:15
Kaycee123
Join Date: Jun 2007
Originally Posted by RedFoxy:
If you wanna search all templates that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use this query in your MySQL database:



I used it to fix all mods that I've installed in my vBulletin board

--------------- Added 24 Apr 2008 at 18:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded them
I have tried this query under Maintenance - Run SQL Query, and also in my phpMyAdmin database query.

Both come back with the same error:

An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'iwfu2_main.template' doesn't exist
__________________
#27
26 Apr 2008, 18:09
Dilmah
Join Date: May 2005
Originally Posted by sv1cec:
Could someone PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.
Upgrade.
#28
26 Apr 2008, 19:25
powerful_rogue
Join Date: Jan 2007
Real name: Dave
Originally Posted by Dismounted:
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

[code block hidden on the source page: visible to licensed members only]
Hi,

I'm trying to get one of my important mods to work, but not having much luck. I've tried all the other advice, and the only thing I can think it could be is the AJAX.

This is the part of the mod:

<script type="text/javascript">
var qstring = '';

function check_pager(qstring)
{
vbPage = new vB_AJAX_Handler(true);
vbPage.onreadystatechange(ShowPager);

if (qstring=='' || qstring==null)
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php?action=pager&do=readpager&', 'nocache=' + (5 * Math.random() * 1.33) );
}
else
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php', qstring);
}
}

function Close_Pager(qstring)
{
check_pager(qstring);
}

function ShowPager()
{
var refreshtime = {$vboptions['vbpager_ajax_refresh']};
if (refreshtime > 0)
refreshtime = refreshtime * 1000;

if (vbPage.handler.readyState == 4 && vbPage.handler.status == 200)
{

// Ignore result if its "Fatal Error"
resultText = vbPage.handler.responseText;
isError = resultText.indexOf("Fatal error");
if (isError >= 0 && isError < 25)
vbPage.handler.responseText = '';

if (vbPage.handler.responseText)
{
document.body.style.cursor = 'default';
pagerbox = fetch_object('PLAYER');
pagerbox.innerHTML = vbPage.handler.responseText;
displayPager();
if (vbPage.handler.responseText == '' || vbPage.handler.responseText == null)
{
pagerbox.innerHTML = '';
setTimeout('check_pager()', refreshtime);
}
}
else
{ if (refreshtime > 0)
setTimeout('check_pager()', refreshtime);
}
}
}
check_pager();
</script>
<script type="text/javascript">
var qstring = '';

function new_pager(qstring)
{
vbPage = new vB_AJAX_Handler(true);
vbPage.onreadystatechange(ShowPager);

if (qstring=='' || qstring==null)
{
return false;
}
else
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php', qstring);
}
}

function Pager(tform)
{
var users = new Array();
var arrCount = 0;
for (i = 0; i < tform.elements.length; i++)
{
var element = tform.elements[i];
if ((element.name != "allbox") && (element.type == "checkbox") && (element.checked == true))
{
users[arrCount] = element.value;
arrCount++;
}
}
if (arrCount == 0)
{
alert("$vbphrase[pager_no_user_selected]");
return false;
}
else
{
var querystring = "";
for (i = 0; i < users.length; i++)
{
querystring += "&userid[]=" + users[i];
}
}
querystring = "action=pager&do=newpagertouser&" + querystring;
new_pager(querystring);
}

function PagertoUser(userid)
{
if (userid != null && userid != '') // both conditions must hold; with || the check was always true
{
querystring = "action=pager&do=newpagertouser&userid[]=" + userid;
exec_refresh(1);
new_pager(querystring);
}
}

function ShowPager()
{
if (vbPage.handler.readyState == 4 && vbPage.handler.status == 200)
{
if (vbPage.handler.responseText)
{
var refreshtime = 5000;
document.body.style.cursor = 'default';
pagerbox = fetch_object('PLAYER');
pagerbox.innerHTML = vbPage.handler.responseText;
displayPager();
if (vbPage.handler.responseText == '' || vbPage.handler.responseText == null)
{
pagerbox.innerHTML = '';
}
}
else
{
toggle_disabled(1, 'buddylist_option');
}
}
}
</script>
There are a few other mentions, but from looking at those, whereabouts would you suggest putting the security token?

I would ask in the mod thread; however, this has been unsupported for a long time!
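Dismounted's advice above is to add the token to AJAX requests that POST, using the page variable SECURITYTOKEN, and powerful_rogue's question is where that goes in the vbPage.send(url, qstring) calls. The example below is added here and is not the mod's, vBulletin's or any poster's code: it shows the client side appending the token to whatever query string the mod already builds (the empty check_pager() case included), and a sketch of the check the receiving script must make, so that a request with no token, as from an unpatched mod, is refused. The SECURITYTOKEN value and the helper names withSecurityToken and checkPostBody are constructed for the example.

```javascript
// Added example (not vBulletin's or the mod's code). How a CSRF token travels in an
// AJAX POST body and how the receiving side checks it.
// Constructed stand-in for the page-level SECURITYTOKEN variable vBulletin defines.
const SECURITYTOKEN = 'constructed-token-1234';

// Client side: append securitytoken to the query string the mod builds, so a call
// such as vbPage.send(url, qstring) becomes vbPage.send(url, withSecurityToken(qstring, SECURITYTOKEN)).
// Handles the empty/null qstring of check_pager() as well as a populated one.
function withSecurityToken(qstring, token) {
  const params = new URLSearchParams(qstring || '');
  if (!params.has('securitytoken')) {
    params.set('securitytoken', token); // set, not append: never send two tokens
  }
  return params.toString(); // application/x-www-form-urlencoded, as a POST body
}

// Compare two strings without leaking where they first differ.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side sketch: a POST is accepted only if it carries a token equal to the
// one tied to the requesting user's session (expectedToken). Missing and wrong
// tokens are rejected with distinct reasons so the two failure modes are visible in logs.
function checkPostBody(body, expectedToken) {
  const params = new URLSearchParams(body);
  const submitted = params.get('securitytoken');
  if (submitted === null) return { ok: false, reason: 'missing securitytoken' };
  if (!constantTimeEqual(submitted, expectedToken)) return { ok: false, reason: 'token mismatch' };
  return { ok: true, reason: '' };
}

// Demo: an unpatched request is refused, the patched one is accepted.
const unpatched = 'action=pager&do=readpager';
const patched = withSecurityToken(unpatched, SECURITYTOKEN);
console.log(unpatched, '->', checkPostBody(unpatched, SECURITYTOKEN).reason);
console.log(patched, '->', checkPostBody(patched, SECURITYTOKEN).ok);
```

URLSearchParams percent-encodes the brackets in `userid[]`, which the server-side parser decodes back to the array key, so the mod's existing parameters are untouched; only the extra `securitytoken` pair is added.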
#29
26 Apr 2008, 19:26
King Kovifor
Join Date: Nov 2004
Real name: Jeremy
Originally Posted by Kaycee123:
I have tried this query under Maintenance - Run SQL Query, and also in my phpMyAdmin database query.

Both come back with the same error:

An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'iwfu2_main.template' doesn't exist
That is because you most likely have a table prefix inside of it. Try following this post instead:

Originally Posted by Wayne Luke:
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.
__________________
Former vBulletin.org Staff Member

Do not request support through any other means except the forums.

Useful Post With Links on Learning How To Develop vBulletin Plugins

Latest Modification: Stop Forum Spam Integration
#30
26 Apr 2008, 19:30
Boofo
Join Date: Mar 2002
Real name: Rob
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is an <input type="hidden" line.
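Wayne Luke's procedure quoted above (search templates for value="$session[sessionhash]" and add the securitytoken hidden input after it) and Boofo's caveat (some modification forms have no sessionhash input, so the token has to go right under the <form tag) can be turned into one audit. The function below is an added example, not vBulletin's code or any poster's: given template HTML, it lists the POST forms that lack the token and returns a patched copy with the token input placed after the sessionhash input where one exists and directly after the opening <form> tag otherwise. It assumes only POST forms need the token, since that is what vBulletin's check covers; the sample template is constructed for the example.

```javascript
// Added example (not vBulletin's code). Audit template HTML for POST forms that lack
// the CSRF hidden input and return a patched copy.
const TOKEN_INPUT = '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />';

function auditTemplate(html) {
  const formRe = /<form\b[^>]*>[\s\S]*?<\/form>/gi;
  const missing = [];   // opening tags of POST forms that had no token
  let patched = '';
  let last = 0;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const form = m[0];
    patched += html.slice(last, m.index);
    last = m.index + form.length;
    const openTag = form.match(/<form\b[^>]*>/i)[0];
    const isPost = /\bmethod\s*=\s*["']?post["']?/i.test(openTag);
    const hasToken = /name\s*=\s*["']?securitytoken["']?/i.test(form);
    if (!isPost || hasToken) { patched += form; continue; } // GET forms and already-fixed forms pass
    missing.push(openTag);
    // Preferred anchor: directly after the sessionhash hidden input.
    const sess = form.match(/<input\b[^>]*\$session\[sessionhash\][^>]*\/?>/i);
    if (sess) {
      const at = sess.index + sess[0].length;
      patched += form.slice(0, at) + '\n' + TOKEN_INPUT + form.slice(at);
    } else {
      // Boofo's case: no sessionhash input, so place the token right after the <form> tag.
      patched += openTag + '\n' + TOKEN_INPUT + form.slice(openTag.length);
    }
  }
  patched += html.slice(last);
  return { missing, patched };
}

// Constructed sample template: one POST form missing the token, one GET form,
// one POST form already fixed, one POST form with no sessionhash input at all.
const SAMPLE = [
  '<form action="newreply.php" method="post">',
  '<input type="hidden" name="s" value="$session[sessionhash]" />',
  '<input type="hidden" name="do" value="postreply" />',
  '</form>',
  '<form action="search.php" method="get"><input type="text" name="q" /></form>',
  '<form action="misc.php" method="post">',
  '<input type="hidden" name="s" value="$session[sessionhash]" />',
  '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />',
  '</form>',
  '<form action="thanks.php" method="post"><input type="hidden" name="do" value="thank" /></form>',
].join('\n');

const report = auditTemplate(SAMPLE);
console.log('forms missing the token:', report.missing);
console.log(report.patched);
```

Running the audit again over its own output reports nothing missing, which is the check to run after a bulk template edit: it catches forms the sessionhash search would never have found, and it does not touch forms that already carry the token.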