Implementing CSRF Protection in modifications


Marco van Herwaarden
04-23-2008, 10:00 PM
With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar (https://vborg.vbsupport.ru/member.php?u=96) took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP: there is no way to ensure the exact origin of a request, and it's also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products; with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

define('CSRF_PROTECTION', true);

With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user; if it's wrong an error message will be shown and execution will halt.

If this value is set to false then all CSRF protection is removed for the file; this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.

define('CSRF_SKIP_LIST', 'action_one,action_two');

The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection, if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime, it is available within the registry object; using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.

if (THIS_SCRIPT == 'example')
{
$vbulletin->csrf_skip_list[] = 'action_three';
}

Dismounted
04-24-2008, 07:20 AM
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.
YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
success: this.handle_ajax_response,
failure: this.handle_ajax_error,
timeout: vB_Default_Timeout,
scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);
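As an added example (not code from this thread or from vBulletin), the following builds the POST body for an AJAX request so that the securitytoken field is always present and the separators are right, and checks a body the way the server side does; the same body works for the YAHOO.util.Connect.asyncRequest call above and for the vB_AJAX_Handler.send(url, body) calls that appear later in this thread. The vBulletin globals SESSIONURL (either '' or 's=<hash>&') and SECURITYTOKEN are replaced by constructed sample values so it runs offline, and the helper names addSecurityToken/hasSecurityToken are this example's own.

```javascript
// Added example, not code from the thread or from vBulletin.
// Assumptions (constructed stand-ins, so the file runs offline):
//   SESSIONURL    - vBulletin's JS global, either '' (cookie session) or 's=<hash>&'
//   SECURITYTOKEN - vBulletin's JS global holding the 40-character $bbuserinfo[securitytoken]
// The helper names addSecurityToken/hasSecurityToken are this example's own.

function addSecurityToken(body, sessionurl, token) {
  // Normalise the separators ourselves so callers can pass 'do=x', '&do=x' or ''
  // and never end up with 'ssecuritytoken=' or '&&' (the missing-'&' problem
  // discussed in this thread).
  var parts = [];
  if (sessionurl) {
    parts.push(sessionurl.replace(/^&+|&+$/g, ''));
  }
  parts.push('securitytoken=' + encodeURIComponent(token));
  if (body) {
    var trimmed = body.replace(/^&+|&+$/g, '');
    if (trimmed) {
      parts.push(trimmed);
    }
  }
  return parts.join('&');
}

function hasSecurityToken(body, token) {
  // Parse application/x-www-form-urlencoded fields. The check mirrors what
  // CSRF_PROTECTION enforces on the PHP side: the field must be present and
  // must match the current user's token; a duplicated field is rejected too.
  var found = [];
  body.split('&').forEach(function (pair) {
    if (!pair) return;
    var eq = pair.indexOf('=');
    var key = eq < 0 ? pair : pair.slice(0, eq);
    var val = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1));
    if (key === 'securitytoken') found.push(val);
  });
  return found.length === 1 && found[0] === token;
}

// Constructed sample values standing in for the vBulletin globals.
var SAMPLE_SESSIONURL = 's=0123456789abcdef0123456789abcdef&';
var SAMPLE_TOKEN = '0123456789abcdef0123456789abcdef01234567';

// Body for a pager-style request; usable as the post-data argument of
// YAHOO.util.Connect.asyncRequest('POST', url, callbacks, body) or as the
// second argument of vB_AJAX_Handler's send(url, body).
function buildPagerBody() {
  return addSecurityToken('action=pager&do=readpager', SAMPLE_SESSIONURL, SAMPLE_TOKEN);
}

// Only sends when running inside a vBulletin page where the real globals exist.
if (typeof vB_AJAX_Handler !== 'undefined' &&
    typeof SESSIONURL !== 'undefined' && typeof SECURITYTOKEN !== 'undefined') {
  var vbPage = new vB_AJAX_Handler(true);
  vbPage.send('pager.php', addSecurityToken('action=pager&do=readpager', SESSIONURL, SECURITYTOKEN));
}
```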

RedFoxy
04-24-2008, 03:23 PM
If you wanna search all the templates that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use this query in your MySQL database:

SELECT templateid , title , styleid FROM template WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%' AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%' ORDER BY title ASC, styleid ASC;

I used it to fix all the mods that I've installed in my vBulletin board.

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded them.

GoTTi
04-24-2008, 05:22 PM
wow now THIS is a headache. i have security token errors all over my forum....

so WHAT does this mean? that we have to redo ALL of our mods and templates with this CSRF or whatever code???

Wayne Luke
04-24-2008, 06:09 PM
so WHAT does this mean? that we have to redo ALL of our mods and templates with this CSRF or whatever code???

It means you need to add the one line of HTML above to your templates and submission forms that are causing the errors.

GoTTi
04-24-2008, 07:51 PM
wow now this is retarded....

echo2kk5
04-24-2008, 11:52 PM
It means you need to add the one line of HTML above to your templates and submission forms that are causing the errors.
Can someone give an example on how to do that? I am not a coder and get lost with this easily...now for the trained eye it's no doubt a piece of cake. For instance I was using the Cyb PayPal Donate Mod (https://vborg.vbsupport.ru/showthread.php?t=122997) and upgrading to 3.6.10 broke it with that security token update. I posted in that thread yesterday but I don't think the creator has been around.

Aclikyano
04-25-2008, 12:14 AM
OK...... wanna explain this for the SLOW?
Which templates SPECIFICALLY do we need to add WHAT SPECIFIC code to, to make 3rd party mods (vb.com) WORK correctly on our sites?

I think a few 100 people are STUCK on what to do even though it was explained by "coders", leaving "non-coders" and only editors of codes or mods such as myself BAFFLED as to what exactly and how exactly to do the above instructions...

King Kovifor
04-25-2008, 12:34 AM
OK...... wanna explain this for the SLOW?
Which templates SPECIFICALLY do we need to add WHAT SPECIFIC code to, to make 3rd party mods (vb.com) WORK correctly on our sites?

I think a few 100 people are STUCK on what to do even though it was explained by "coders", leaving "non-coders" and only editors of codes or mods such as myself BAFFLED as to what exactly and how exactly to do the above instructions...

You must add this to any form on your site. I haven't tried the query above, but it should work and you can add them.

valdet
04-25-2008, 12:34 AM
If you wanna search all the templates that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use this query in your MySQL database:



I used it to fix all the mods that I've installed in my vBulletin board.

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded them.

Does this MySQL query mean that it will insert the <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> after each instance of the following code?
<input type="hidden" name="s" value="$session[sessionhash]" />

This will affect only templates that need the security token embedded right?

DustyJoe
04-25-2008, 12:39 AM
=/ I don't get it, I have errors now too.. with RC 4

echo2kk5
04-25-2008, 12:43 AM
You must add this to any form on your site. I haven't tried the query above, but it should work and you can add them.
What are the "forms"? and where do we edit them?

Aclikyano
04-25-2008, 12:55 AM
everyone has errors ^^ by FORMS i think he means TEMPLATES. (style settings, etc)

Wayne Luke
04-25-2008, 01:24 AM
everyone has errors ^^ by FORMS i think he means TEMPLATES. (style settings, etc)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

echo2kk5
04-25-2008, 01:36 AM
Thank you Wayne. :up:

RedFoxy
04-25-2008, 08:43 AM
Does this MySQL query mean that it will insert the <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> after each instance of the following code?
<input type="hidden" name="s" value="$session[sessionhash]" />

This will affect only templates that need the security token embedded right?

yep

shahryar_neo
04-25-2008, 12:24 PM
yep

I used your code but my ajax problem is not solved!

2- Thanks Plugin doesn't work again and it doesn't work on this mod.

:(

I have a question for the vBulletin Core Dev Team: Sorry, did you think before releasing a version, to make it perfect? :confused: Because about 98 percent of the forums, I think, use many mods, and with your advice nothing is gonna change! Because nobody can modify all the forms!

Dismounted
04-25-2008, 12:46 PM
Have you even read the first reply to the thread regarding AJAX requests?

Opserty
04-25-2008, 12:49 PM
I used your code but my ajax problem is not solved!

2- Thanks Plugin doesn't work again and it doesn't work on this mod.
If you are experiencing problems with a modification, post in the thread from which you downloaded it; this thread is intended to give advice to those with a small amount of knowledge of vBulletin, PHP and HTML. If you don't have this knowledge you must wait till the author releases a working version of the respective modification.

I have a question for the vBulletin Core Dev Team: Sorry, did you think before releasing a version, to make it perfect? :confused: Because about 98 percent of the forums, I think, use many mods, and with your advice nothing is gonna change! Because nobody can modify all the forms!
Either you have a partially working forum or one that is vulnerable to attacks, I know which one I'd choose.

baghdad4ever
04-25-2008, 12:53 PM
thanks

Wayne Luke
04-25-2008, 02:51 PM
I have a question for the vBulletin Core Dev Team: Sorry, did you think before releasing a version, to make it perfect? :confused: Because about 98 percent of the forums, I think, use many mods, and with your advice nothing is gonna change! Because nobody can modify all the forms!

I have 17 products installed comprised of 88 plugins and quite a few new templates. I had a problem with one product after upgrading to vBulletin 3.7.0 RC4 on my site. That was Princeton's Quick Reply in PMs. Adding the security token to the form took about 20 seconds and the site was fully operational again.

midwestce
04-25-2008, 03:38 PM
I did the find/replace fix and now on several pages I have an extra /> hanging around. Various mods are still not working. Any help is appreciated.

Golzarion
04-25-2008, 05:47 PM
In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after it, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Thank you! :up: I did all the changes and now have no problem.

It was not too hard :) ... in fact it is easy .. the other way is:

If you wanna search all the templates that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use this query in your MySQL database:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> after each instance of the following code
<input type="hidden" name="s" value="$session[sessionhash]" />



I used it to fix all the mods that I've installed in my vBulletin board.

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded them.

shahryar_neo
04-26-2008, 10:36 AM
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.
YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
success: this.handle_ajax_response,
failure: this.handle_ajax_error,
timeout: vB_Default_Timeout,
scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

Sorry for my low information. Can you simplify this instruction for using AJAX requests using POST?

sv1cec
04-26-2008, 11:57 AM
Could some one PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.

Kaycee123
04-26-2008, 03:15 PM
If you wanna search all the templates that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use this query in your MySQL database:



I used it to fix all the mods that I've installed in my vBulletin board.

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded them.

I have tried this query under Maintenance - Run SQL query, and also on my PHPMyAdmin database query

Both come back with the same error:

An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'iwfu2_main.template' doesn't exist

Dilmah
04-26-2008, 04:09 PM
Could some one PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.

Upgrade.

powerful_rogue
04-26-2008, 05:25 PM
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.
YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
success: this.handle_ajax_response,
failure: this.handle_ajax_error,
timeout: vB_Default_Timeout,
scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

Hi,

I'm trying to get one of my important mods to work, but not having much luck. I've tried all the other advice, and the only thing I can think it could be is the Ajax.

This is the part of the mod:

<script type="text/javascript">
var qstring = '';

function check_pager(qstring)
{
vbPage = new vB_AJAX_Handler(true);
vbPage.onreadystatechange(ShowPager);

if (qstring=='' || qstring==null)
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php?action=pager&do=readpager&', 'nocache=' + (5 * Math.random() * 1.33) );
}
else
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php', qstring);
}
}

function Close_Pager(qstring)
{
check_pager(qstring);
}

function ShowPager()
{
var refreshtime = {$vboptions['vbpager_ajax_refresh']};
if (refreshtime > 0)
refreshtime = refreshtime * 1000;

if (vbPage.handler.readyState == 4 && vbPage.handler.status == 200)
{

// Ignore result if its "Fatal Error"
resultText = vbPage.handler.responseText;
isError = resultText.indexOf("Fatal error");
if (isError >= 0 && isError < 25)
vbPage.handler.responseText = '';

if (vbPage.handler.responseText)
{
document.body.style.cursor = 'default';
pagerbox = fetch_object('PLAYER');
pagerbox.innerHTML = vbPage.handler.responseText;
displayPager();
if (vbPage.handler.responseText == '' || vbPage.handler.responseText == null)
{
pagerbox.innerHTML = '';
setTimeout('check_pager()', refreshtime);
}
}
else
{ if (refreshtime > 0)
setTimeout('check_pager()', refreshtime);
}
}
}
check_pager();
</script>

<script type="text/javascript">
var qstring = '';

function new_pager(qstring)
{
vbPage = new vB_AJAX_Handler(true);
vbPage.onreadystatechange(ShowPager);

if (qstring=='' || qstring==null)
{
return false;
}
else
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php', qstring);
}
}

function Pager(tform)
{
var users = new Array();
var arrCount = 0;
for (i = 0; i < tform.elements.length; i++)
{
var element = tform.elements[i];
if ((element.name != "allbox") && (element.type == "checkbox") && (element.checked == true))
{
users[arrCount] = element.value;
arrCount++;
}
}
if (arrCount == 0)
{
alert("$vbphrase[pager_no_user_selected]");
return false;
}
else
{
var querystring = "";
for (i = 0; i < users.length; i++)
{
querystring += "&userid[]=" + users[i];
}
}
querystring = "action=pager&do=newpagertouser&" + querystring;
new_pager(querystring);
}

function PagertoUser(userid)
{
if (userid != null || userid != '')
{
querystring = "action=pager&do=newpagertouser&userid[]=" + userid;
exec_refresh(1);
new_pager(querystring);
}
}

function ShowPager()
{
if (vbPage.handler.readyState == 4 && vbPage.handler.status == 200)
{
if (vbPage.handler.responseText)
{
var refreshtime = 5000;
document.body.style.cursor = 'default';
pagerbox = fetch_object('PLAYER');
pagerbox.innerHTML = vbPage.handler.responseText;
displayPager();
if (vbPage.handler.responseText == '' || vbPage.handler.responseText == null)
{
pagerbox.innerHTML = '';
}
}
else
{
toggle_disabled(1, 'buddylist_option');
}
}
}
</script>

There are a few other mentions, but from looking at those, whereabouts would you suggest putting the security token?

I would ask in the mod thread, however this has been unsupported a long time ago!

King Kovifor
04-26-2008, 05:26 PM
I have tried this query under Maintenance - Run SQL query, and also on my PHPMyAdmin database query

Both come back with the same error:

An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'iwfu2_main.template' doesn't exist

That is because you most likely have a table prefix inside of it. Try following this post instead:

Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Boofo
04-26-2008, 05:30 PM
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.

powerful_rogue
04-26-2008, 05:36 PM
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.

That's the problem I was having with vbpager. I looked for every <form.... and every method=post and put the security token code underneath.

That's why I think it's now an ajax issue. I've tried to figure it out but to no avail. The odd thing is, it works fine in 3.6.10, but not in 3.7 RC4.

problem solved! I had a search around and tried the fix that was being used for a shoutbox.

I changed all 3 instances of "securitytoken=" to "&securitytoken=" in vbulletin_global.js and it did the trick!

rinkrat
04-26-2008, 09:57 PM
I can't save my vbulletin settings without this error.

What do I change to fix this? In a template?


I also can not import any hacks without an error.

Where do I fix this? In a template?

Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.


I am getting the error when I try to edit a template and save it so this will not work.

Lynne
04-26-2008, 10:42 PM
I am getting the error when I try to edit a template and save it so this will not work.
Note that what you quoted says to "add this line directly after the line containing the above", not directly after that code.

rinkrat
04-26-2008, 10:53 PM
I cannot do anything, including editing templates, turning the board on or loading templates without the security error.

Lynne
04-26-2008, 10:55 PM
You may want to run the upgrade script again so it makes the necessary changes or run the query listed back on the first page.

cmedic101
04-26-2008, 11:08 PM
I added this line to all my custom templates and followed the instructions as listed.

No errors
No problems with any mods
casino is still working:)

thank you:up:

cmedic

King Kovifor
04-26-2008, 11:26 PM
I cannot do anything, including editing templates, turning the board on or loading templates without the security error.

You should be able to work in the ACP as it is not affected. Maybe posting at vB.com or disabling your plugins by using this code in your config.php may solve your problem:

define('DISABLE_HOOKS', true);

Terrie
04-27-2008, 06:20 AM
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.
YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
success: this.handle_ajax_response,
failure: this.handle_ajax_error,
timeout: vB_Default_Timeout,
scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

what file do i need to place this into?
I've already added the 3 &'s before "securitytoken" in my clientscript/vbulletin_global.js
I have also updated ALL my templates per the security token instructions given and still
I'm having problems with every mod that uses java and ajax
I am running 3.7 RC4

Dismounted
04-27-2008, 07:52 AM
Sorry for my low information. Can you simplify this instruction for using AJAX requests using POST?
It is the simplest it can be. Add the security token into the request.
Could some one PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.
You can't unless you edit files directly as the fix is actually a very large one.
what file do i need to place this into?
I've already added the 3 &'s before "securitytoken" in my clientscript/vbulletin_global.js
I have also updated ALL my templates per the security token instructions given and still
I'm having problems with every mod that uses java and ajax
I am running 3.7 RC4
You do not need to mess with any default vBulletin JS file.

Opserty
04-27-2008, 08:20 AM
You do not need to mess with any default vBulletin JS file.
There have been a few errors in RC4 that have caused problems for a couple of ajax modifications, hence why some have edited vbulletin_global.js. http://www.vbulletin.com/forum/project.php?issueid=25287

Wayne Luke
04-27-2008, 12:22 PM
I cannot do anything, including editing templates, turning the board on or loading templates without the security error.

Then you will need to open a thread on vBulletin.com. The security changes should have absolutely no effect on the Admin CP and these changes do not apply to the Admin CP in any way.

bertwrld
04-27-2008, 02:05 PM
I added this line to all my custom templates and followed the instructions as listed.

No errors
No problems with any mods
casino is still working:)

thank you:up:

cmedic

What templates did you edit in the casino?

slmoney
04-28-2008, 12:01 AM
I hope I am not the only one scratching their head thinking..what?

I admit..I am not a coder..nor programmer. I've read the instructions over and over..and I still have no clue what goes where.

So far on my board the only item giving me a problem is the AJAX Latest Post Mod.

I'm probably asking too much if someone explains this so a 5th grader could understand it.

Thanks.

King Kovifor
04-28-2008, 12:26 AM
I hope I am not the only one scratching their head thinking..what?

I admit..I am not a coder..nor programmer. I've read the instructions over and over..and I still have no clue what goes where.

So far on my board the only item giving me a problem is the AJAX Latest Post Mod.

I'm probably asking too much if someone explains this so a 5th grader could understand it.

Thanks.

It would be within the javascript. What needs added would be found in the second post. That is about as far as I can explain it as I haven't taught myself AJAX yet.

yaoren
04-28-2008, 03:37 PM
Ok I'm at a loss since I've manually gone in and did the search in templates and added the line of code to each template that was missing the security token and well, I'm still having the message pop up. I honestly don't know what mod is causing the issues since it pops up only in certain areas. Any other ideas?

Boofo
04-28-2008, 04:08 PM
Ok I'm at a loss since I've manually gone in and did the search in templates and added the line of code to each template that was missing the security token and well, I'm still having the message pop up. I honestly don't know what mod is causing the issues since it pops up only in certain areas. Any other ideas?

Check Andreas' profile as he just released a hack that will send an email upon any token errors.

yaoren
04-28-2008, 07:06 PM
Oh man, thank you so much for this. Still having some problems but getting closer :)

ringleader
04-28-2008, 10:35 PM
Quick, random, and possibly letting everyone know the stupidity I try to keep hidden like a mental problem...

Does this token need to be placed in every form that passes a hidden value, or just the ones that use the sessionhash?

Boofo
04-28-2008, 10:45 PM
Every form that uses post.

ringleader
04-28-2008, 10:52 PM
Excellent. Thanks for responding! :)

Skavenger
04-29-2008, 11:03 PM
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.

what about this? I have a mod that doesn't have what is in bold...

I mean, there is no <input type="hidden" line either.

Can I just add the security token below the opening form tag "<form>"?

Dismounted
04-30-2008, 09:47 AM
Yes, you just add the line below the form tag.

ARB4HOSTING.COM
05-01-2008, 02:48 AM
Thank you

dealxa
05-01-2008, 11:03 AM
I didn't use color in posts, after upgrade :confused:
what is problem?

rinkrat
05-01-2008, 02:15 PM
I find it hard to believe that, in the final release candidate, Jelsoft would throw a monkey wrench like this into the mix and create a nightmare for all of their current customers who aren't programmers.

Isn't there any kind of search and replace mod that one of you can cook up to repair the damage done by this security token B.S.? It looks like the terrorists have finally won!

Boosted Panda
05-01-2008, 03:51 PM
I find it hard to believe that, in the final release candidate, Jelsoft would throw a monkey wrench like this into the mix and create a nightmare for all of their current customers who aren't programmers.

Isn't there any kind of search and replace mod that one of you can cook up to repair the damage done by this security token B.S.? It looks like the terrorists have finally won!

I too am frustrated at this because I was thinking going gold meant ready to go. Now I have end users who are leaving my forums because of this. I spent 2 hours searching and replacing and now find out that anything with form needs it too :( Is there a hack or something out there that will do this automatically this is quite a drag.

Boofo
05-01-2008, 04:10 PM
Just do a template search for <form

Add the code to any form that uses POST. Simple.

The upgrade takes care of all that except for any add-on hacks.

spankaveli
05-04-2008, 01:54 PM
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.

Thank you for this advice!!!! This fixed my itrader issue. Two or 3 of the itrader templates did not have "sessionhash."

Boofo
05-04-2008, 02:04 PM
Default vb templates don't always have the sessionhash in the forms. Glad I could help. ;)

Mancunian_Red
05-04-2008, 04:20 PM
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

thank you wayne for putting this in english i just followed your instructions and then the problem was solved

PaulSonny
05-05-2008, 08:17 PM
Can anyone help me with this problem,

Details of the reported exploit are as follows:

Multiple CSRF Vulnerabilities
=============================

Example
------------------
if ($_REQUEST['do'] == 'deletereply'){
------------------

Because the "delete" command can be executed via a GET request (ie. URL in a signature), if a user with permission clicks a link that is specifically crafted, it can delete something. CSRF.

This is in my HelpCenter modification. I thought I had covered all CSRF issues but it seems I may have missed something, but I don't know how to correct it as I've covered everything from this thread.

Thanks, Paul.

Milad
05-06-2008, 09:34 AM
Can anyone help me with this problem,

Details of the reported exploit are as follows:

Multiple CSRF Vulnerabilities
=============================

Example
------------------
if ($_REQUEST['do'] == 'deletereply'){
------------------

Because the "delete" command can be executed via a GET request (ie. URL in a signature), if a user with permission clicks a link that is specifically crafted, it can delete something. CSRF.

This is in my HelpCenter modification. I thought I had covered all CSRF issues but it seems I may have missed something, but I don't know how to correct it as I've covered everything from this thread.

Thanks, Paul.
make it via post request and use the security token!

dancue
05-06-2008, 03:32 PM
I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?

<!--hide-addon-->
<if condition="$vboptions[disable_ajax] != 2">
<script type="text/javascript"><!--
var hpostid = 0;
var hmax = 0;
function findposts(obj,call){
ruf = call;
var laenge = obj.innerHTML.length;
if (hmax == '0'){
hmax = laenge;
} else if (hmax < laenge){
hmax = laenge;
Rufen(ruf);
}
}
var hide_aktiv = null;
var unhide = null;
var zahl = 0;
var old;
var postid
function Rufen(posting){
if (window.XMLHttpRequest) {
unhide = new XMLHttpRequest();
} else if (window.ActiveXObject) {
unhide = new ActiveXObject("Microsoft.XMLHTTP");
}
old = posting
var postids = posting.split(",");
if ( zahl < postids.length){
postid = postids[zahl];
unhide.open("POST", "showthread.php", true);
unhide.onreadystatechange = ausgeben;
unhide.setRequestHeader(
"Content-Type",
"application/x-www-form-urlencoded");
unhide.send("do=whatever&p="+postid+"&all="+old);
} else zahl = 0;
}

function ausgeben() {
if (unhide.readyState == 4) {
if (unhide.responseText != 'sid_hide_still_active'){
document.getElementById("post_message_"+postid).innerHTML =
unhide.responseText;
zahl++;
Rufen(old);
} else {
zahl++;
Rufen(old);
}
}
else setTimeout('ausgeben()', 200);
}
//-->
</script>
</if>

<if condition="$vboptions[disable_ajax] != 2 AND $vboptions[sid_hide_ajax_on] == 1">
<script type="text/javascript">
if (hide_aktiv) window.clearInterval(hide_aktiv);
var hide_aktiv = window.setInterval("findposts(fetch_object('posts'),'$hide_call')", 3000);
</script>
</if>
<div id="hide_fieldset"><fieldset>
<legend><span class="highlight">$vbphrase[sid_hide_post_hide]</span></legend>
$hide_img
</fieldset></div>

I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.

ikki29
05-07-2008, 06:30 PM
I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?

<!--hide-addon-->
<if condition="$vboptions[disable_ajax] != 2">
<script type="text/javascript"><!--
var hpostid = 0;
var hmax = 0;
function findposts(obj,call){
ruf = call;
var laenge = obj.innerHTML.length;
if (hmax == '0'){
hmax = laenge;
} else if (hmax < laenge){
hmax = laenge;
Rufen(ruf);
}
}
var hide_aktiv = null;
var unhide = null;
var zahl = 0;
var old;
var postid
function Rufen(posting){
if (window.XMLHttpRequest) {
unhide = new XMLHttpRequest();
} else if (window.ActiveXObject) {
unhide = new ActiveXObject("Microsoft.XMLHTTP");
}
old = posting
var postids = posting.split(",");
if ( zahl < postids.length){
postid = postids[zahl];
unhide.open("POST", "showthread.php", true);
unhide.onreadystatechange = ausgeben;
unhide.setRequestHeader(
"Content-Type",
"application/x-www-form-urlencoded");
unhide.send("do=whatever&p="+postid+"&all="+old);
} else zahl = 0;
}

function ausgeben() {
if (unhide.readyState == 4) {
if (unhide.responseText != 'sid_hide_still_active'){
document.getElementById("post_message_"+postid).innerHTML =
unhide.responseText;
zahl++;
Rufen(old);
} else {
zahl++;
Rufen(old);
}
}
else setTimeout('ausgeben()', 200);
}
//-->
</script>
</if>

<if condition="$vboptions[disable_ajax] != 2 AND $vboptions[sid_hide_ajax_on] == 1">
<script type="text/javascript">
if (hide_aktiv) window.clearInterval(hide_aktiv);
var hide_aktiv = window.setInterval("findposts(fetch_object('posts'),'$hide_call')", 3000);
</script>
</if>
<div id="hide_fieldset"><fieldset>
<legend><span class="highlight">$vbphrase[sid_hide_post_hide]</span></legend>
$hide_img
</fieldset></div>

I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.



I completely agree with my fellow member. I use this modification too and I have these problems; it is a product that is used a lot on the forum and I cannot afford the luxury of removing it. Please, could you help us with this topic? Thanks. PS: as always, I apologise for my English, since I use a Spanish-to-English translator.

scan-pa
05-07-2008, 06:45 PM
Yes, a BIG thank you to everyone who got this needed info to us. This fixed all my mods that went down after the move to vB 3.7.0 Gold.

Now the mods I have been running for over 2.5 years are all back online...

dancue
05-08-2008, 04:45 PM
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.
YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
success: this.handle_ajax_response,
failure: this.handle_ajax_error,
timeout: vB_Default_Timeout,
scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

Could someone please explain this further?

What did this look like before the edit? What are you editing? Is it a template, a plug-in?

juan71287
05-08-2008, 11:37 PM
Hi guys, I don't really understand this; what I want to do is make it so this does not show anymore.

https://vborg.vbsupport.ru/external/2008/11/48.jpg

Please help me take that off. Thanks.

Flep
05-09-2008, 09:00 AM
Wow! This is a precious thread!

thank you :)

dssart
05-09-2008, 01:30 PM
Greetings all,

Well, you guys are my last hope. I had a mod written for me last year; my forum members love it and at the moment it's running, but when I upgrade I don't expect it to survive, so I'm trying to get a handle on this so that I can do it myself. The coder has long since disappeared, so help is appreciated.

The beginning of this thread says that:

"To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT."

I have this line at the beginning of my mod's .php file:

define('THIS_SCRIPT', 'dataawards_awards');

Do I add this:

define('CSRF_PROTECTION', true);

Directly below that line? Will that solve the entire security token issue, or do I need to hunt for form posts? Talking about form posts, is this one?:

$awarddisplay.= '<form action="' . htmlentities($_SERVER['PHP_SELF']) . '?addawards=' . $_REQUEST['addawards'] . '&amp;type=' . $type . '" method="POST">';

If I understand this correctly I need to find all form/posts (since you are posting and not requesting, thus the need for the security token):

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />


Thanks, I hope I can work through this on my own, but if anyone wants to make some money, I'd rather pay to have it done. PM if interested.

Behzad Varedi
05-10-2008, 07:22 PM
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Thanks a lot,

I did what you said and my problem is solved now... :)
Thanks again

Ionsurge
05-11-2008, 03:18 PM
I've managed to rectify most of these errors myself; however, if I click the "Go Advanced" button on the quick reply part of viewing a thread, it shows the error. As far as I can tell, I've amended it all...

Any help? Have I missed a file?

ExTincTi0N
05-11-2008, 04:31 PM
OK, I am having trouble with my skins.
It's the security token thing.
Where do I add it, and where in it?

steve1966
05-11-2008, 09:45 PM
Hi, I have added this <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> after value="$session[sessionhash]" in all my templates and my members are getting this:

While performing a search in the Games forum, I received the following message:

"Your submission could not be processed because a security token was missing or mismatched."

Please can someone tell me what I should do now, as I am a little confused. Also, do I need to do anything with this code?

YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
success: this.handle_ajax_response,
failure: this.handle_ajax_error,
timeout: vB_Default_Timeout,
scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

thanks

setishock
05-12-2008, 04:40 AM
The only time I get one is when I am uploading an flv movie clip. I got the first one up and that was it. Static picture attachments and albums are OK, as are text postings. I created an flv attachment and mimed it with content-type: video/flv. This is not using a hack or mod but an in-house feature.
So what would you suggest to fix it? I do have the passivevid product installed but all was ok till I created the flv attachment.

unitedbreaks
05-12-2008, 06:00 PM
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Thank you for making it 'clear' on how to fix this issue. Much appreciation.

Fireproof
05-13-2008, 12:40 PM
I'm sorry, I'm still a bit lost.

I'm using the FORM HACK modification. Can someone tell me what I should be adding, and where? I don't know if I'm supposed to add the "define" tag or the "input securitytoken" tag, or both.

Bounce
05-14-2008, 02:54 PM
I'm sorry, I'm still a bit lost.

I'm using the FORM HACK modification. Can someone tell me what I should be adding, and where? I don't know if I'm supposed to add the "define" tag or the "input securitytoken" tag, or both.

If it's the same FORM hack as I'm thinking of, in the form template find

<input type="hidden" name="poststarttime" value="$poststarttime" />

Add after
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

I had the same problem.

JBMoney
05-14-2008, 06:39 PM
What if all the templates look fine, and include the code above, but it still happens?

On my site, it happens to users who haven't logged in for a while. They log in, see the forum briefly and then get the error while being redirected to profile.php?do=dst.

dancue
05-14-2008, 07:03 PM
Am I correct in assuming that this is where the change would take place?

What must be done?

if ( zahl < postids.length){
postid = postids[zahl];
unhide.open("POST", "showthread.php", true);
unhide.onreadystatechange = ausgeben;
unhide.setRequestHeader(
"Content-Type",
"application/x-www-form-urlencoded");
unhide.send("do=whatever&p="+postid+"&all="+old);
} else zahl = 0;
}

I am using itsid's HIDE Hack.

Fireproof
05-14-2008, 07:29 PM
If it's the same FORM hack as I'm thinking of, in the form template find

<input type="hidden" name="poststarttime" value="$poststarttime" />

Add after
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

I had the same problem.


Genius! Thank you - worked perfectly!!

Aclikyano
05-17-2008, 12:39 AM
Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.
I did this to avoid editing some newer templates and noticed SOME templates I did before already have it... and I'm afraid they have the security token line TWICE instead of just ONCE...

<input type="hidden" name="s" value="$session[sessionhash]"
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

How would I make every template have this only ONCE, like it's supposed to be?
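Added example (a helper written for this page, not a vBulletin tool): it carries out the "search for value="$session[sessionhash]" and add the line directly after it" procedure quoted earlier in the thread on a template string, leaves GET forms alone, and collapses duplicated securitytoken fields to exactly one, which is the situation asked about in this post. The sample template, the report array and the function name are constructed here; only the field name and the $bbuserinfo[securitytoken] value are vBulletin's.

```php
<?php
// Added example: a maintenance helper for this page, not part of vBulletin.
// Applies the thread's "add the hidden field after the sessionhash input" rule to
// every POST form in a template string, idempotently. The sample template below is
// constructed; only the field name and $bbuserinfo[securitytoken] are vBulletin's.

define('TOKEN_FIELD', '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />');

function add_security_tokens($template, array &$report = null)
{
    $report = array('added' => 0, 'deduped' => 0, 'unchanged' => 0, 'get_skipped' => 0);
    // One callback per <form ...>...</form>; the s flag lets the body span lines.
    return preg_replace_callback('#(<form\b[^>]*>)(.*?)(</form>)#is', function ($m) use (&$report) {
        list(, $open, $body, $close) = $m;
        if (!preg_match('/\bmethod\s*=\s*["\']?post\b/i', $open)) {
            $report['get_skipped']++;      // GET forms must not change state, so they get no token
            return $open . $body . $close;
        }
        $token_re = '/\s*<input\b[^>]*name=["\']securitytoken["\'][^>]*>/i';
        $count = preg_match_all($token_re, $body, $found);
        if ($count === 1) {
            $report['unchanged']++;        // already correct: leave hand edits alone
            return $open . $body . $close;
        }
        if ($count > 1) {
            $body = preg_replace($token_re, '', $body);   // strip every copy, re-add one below
            $report['deduped']++;
        } else {
            $report['added']++;
        }
        // Directly after the session hash field when the form has one, otherwise
        // as the first thing inside the form. '$b' is not a backreference, so the
        // literal $bbuserinfo[...] in TOKEN_FIELD survives preg_replace untouched.
        $session_re = '/(<input\b[^>]*name=["\']s["\'][^>]*>)/i';
        if (preg_match($session_re, $body)) {
            $body = preg_replace($session_re, '$1' . "\n" . TOKEN_FIELD, $body, 1);
        } else {
            $body = "\n" . TOKEN_FIELD . $body;
        }
        return $open . $body . $close;
    }, $template);
}

// Constructed template: a quick-search form without the field, a DST form with it
// twice (the case asked about above) and a GET form that must be left alone.
$template = <<<'TPL'
<form action="search.php" method="post">
<input type="hidden" name="do" value="process" />
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="text" name="query" />
</form>
<form action="profile.php?do=dst" method="post" name="dstform">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="dst" />
</form>
<form action="forumdisplay.php" method="get">
<input type="text" name="f" />
</form>
TPL;

$once  = add_security_tokens($template, $report1);
$twice = add_security_tokens($once, $report2);   // a second run must change nothing
echo $once, "\n";
print_r($report1);
print_r($report2);
var_dump($once === $twice);
```

The first pass adds the field to the search form, reduces the DST form to a single copy, and skips the GET form; the second pass reports every POST form as unchanged and returns the same string, which is what makes it safe to run over an exported style more than once. Feed it the template bodies exported from the Admin CP (or the XML of a style) rather than editing live templates, and revert to the original if a mod's form uses a custom field name instead of "s" for the session hash.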

lms
05-17-2008, 10:36 AM
I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?

<!--hide-addon-->
<if condition="$vboptions[disable_ajax] != 2">
<script type="text/javascript"><!--
var hpostid = 0;
var hmax = 0;
function findposts(obj,call){
ruf = call;
var laenge = obj.innerHTML.length;
if (hmax == '0'){
hmax = laenge;
} else if (hmax < laenge){
hmax = laenge;
Rufen(ruf);
}
}
var hide_aktiv = null;
var unhide = null;
var zahl = 0;
var old;
var postid
function Rufen(posting){
if (window.XMLHttpRequest) {
unhide = new XMLHttpRequest();
} else if (window.ActiveXObject) {
unhide = new ActiveXObject("Microsoft.XMLHTTP");
}
old = posting
var postids = posting.split(",");
if ( zahl < postids.length){
postid = postids[zahl];
unhide.open("POST", "showthread.php", true);
unhide.onreadystatechange = ausgeben;
unhide.setRequestHeader(
"Content-Type",
"application/x-www-form-urlencoded");
unhide.send("do=whatever&p="+postid+"&all="+old);
} else zahl = 0;
}

function ausgeben() {
if (unhide.readyState == 4) {
if (unhide.responseText != 'sid_hide_still_active'){
document.getElementById("post_message_"+postid).innerHTML =
unhide.responseText;
zahl++;
Rufen(old);
} else {
zahl++;
Rufen(old);
}
}
else setTimeout('ausgeben()', 200);
}
//-->
</script>
</if>

<if condition="$vboptions[disable_ajax] != 2 AND $vboptions[sid_hide_ajax_on] == 1">
<script type="text/javascript">
if (hide_aktiv) window.clearInterval(hide_aktiv);
var hide_aktiv = window.setInterval("findposts(fetch_object('posts'),'$hide_call')", 3000);
</script>
</if>
<div id="hide_fieldset"><fieldset>
<legend><span class="highlight">$vbphrase[sid_hide_post_hide]</span></legend>
$hide_img
</fieldset></div>

I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.

Replace it with this other code:
<!--hide-addon-->
<if condition="$vboptions[disable_ajax] != 2">
<script type="text/javascript"><!--
var hpostid = 0;
var hmax = 0;
function findposts(obj,call){
ruf = call;
var laenge = obj.innerHTML.length;
if (hmax == '0'){
hmax = laenge;
} else if (hmax < laenge){
hmax = laenge;
Rufen(ruf);
}
}
var hide_aktiv = null;
var unhide = null;
var zahl = 0;
var old;
var postid;
function Rufen(posting){
if (window.XMLHttpRequest) {
unhide = new XMLHttpRequest();
} else if (window.ActiveXObject) {
unhide = new ActiveXObject("Microsoft.XMLHTTP");
}
old = posting;
var postids = posting.split(",");
if ( zahl < postids.length){
postid = postids[zahl];
unhide.open("POST", "showthread.php", true);
unhide.onreadystatechange = ausgeben;
unhide.setRequestHeader(
"Content-Type",
"application/x-www-form-urlencoded");
// the security token has to travel in the POST body, the same way vBulletin's own AJAX calls send it
unhide.send(SESSIONURL + "securitytoken=" + SECURITYTOKEN + "&do=whatever&p="+postid+"&all="+old);
} else zahl = 0;
}

function ausgeben() {
if (unhide.readyState == 4) {
if (unhide.responseText != 'sid_hide_still_active'){
document.getElementById("post_message_"+postid).innerHTML =
unhide.responseText;
zahl++;
Rufen(old);
} else {
zahl++;
Rufen(old);
}
}
else setTimeout('ausgeben()', 200);
}
//-->
</script>
</if>

<if condition="$vboptions[disable_ajax] != 2 AND $vboptions[sid_hide_ajax_on] == 1">
<script type="text/javascript">
if (hide_aktiv) window.clearInterval(hide_aktiv);
var hide_aktiv = window.setInterval("findposts(fetch_object('posts'),'$hide_call')", 3000);
</script>
</if>
<div id="hide_fieldset"><fieldset>
<legend><span class="highlight">$vbphrase[sid_hide_post_hide]</span></legend>
$hide_img
</fieldset></div>
It works fine for me.

Regards

HearthrobZ
05-21-2008, 06:55 AM
This is really a mess! I'm not a professional coder. Please, can someone make step-by-step instructions for doing this to avoid the security token missing error, as it would help a lot of people.

Thanks

mikesz
05-21-2008, 07:40 AM
I have seen this one before but don't know exactly what triggers it BUT for what its worth,

Find in your footer template the following:

<if condition="$show['dst_correction']">
<!-- auto DST correction code -->
<form action="profile.php?do=dst" method="post" name="dstform">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="do" value="dst" />
</form>

It should be:

<if condition="$show['dst_correction']">
<!-- auto DST correction code -->
<form action="profile.php?do=dst" method="post" name="dstform">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="dst" />
</form>

HTH, mikesz

blindmedia ltd
05-21-2008, 03:34 PM
It's OK for you all to say do this if people know the code, and I don't know.

Surely, as Jelsoft screwed up with this, they should issue a fix. I installed my 3.7 as a clean first-time full install and I still get this error.

scan-pa
05-21-2008, 05:06 PM
It's OK for you all to say do this if people know the code, and I don't know.

Surely, as Jelsoft screwed up with this, they should issue a fix. I installed my 3.7 as a clean first-time full install and I still get this error.

It's not Jelsoft's problem. They fixed all of the templates that come with the basic software. But the current errors are from all of the various non-Jelsoft add-ons and modification programs. Since Jelsoft does not officially support these add-ons, you use them at your own risk.

But posted in the early posts are the exact steps you should take to search your templates and find the ones that need the line of code added to them.

dssart
05-21-2008, 09:16 PM
It's OK for you all to say do this if people know the code, and I don't know.

Surely, as Jelsoft screwed up with this, they should issue a fix. I installed my 3.7 as a clean first-time full install and I still get this error.

Do yourself a favor: if you're having problems and the hacks you have installed are something you can live without, then uninstall them, revert your templates, upgrade, and you will be stress-free. Have you tried contacting the author of the hack? He has probably moved on to other things, which is why you are here. If that's the case, the hack is obviously unsupported now and it's just a matter of time anyway before it breaks under another update and you will have to go through this all over again.

blindmedia ltd
05-22-2008, 09:57 PM
Do yourself a favor: if you're having problems and the hacks you have installed are something you can live without, then uninstall them, revert your templates, upgrade, and you will be stress-free. Have you tried contacting the author of the hack? He has probably moved on to other things, which is why you are here. If that's the case, the hack is obviously unsupported now and it's just a matter of time anyway before it breaks under another update and you will have to go through this all over again.

That's what I said: it was a 100% clean install, brand new with no hacks installed, and it was giving this error.

Therefore it would be impossible for it to be anything other than vBulletin itself causing the problem.

It is 100% vBulletin 3.7.0 at fault; at the time it started there was NO other software, hack or mod installed.

dssart
05-23-2008, 12:55 AM
I can't comment accurately on your situation, but I had serious reservations myself in upgrading from 3.6.9 to 3.7.0. I have a custom hack coded for my forum that I was almost positive was going to fail with this CSRF thing. I did the following and it was the smoothest upgrade I've ever had. Not even my custom hack cracked:

Back up the database, back up my /images folder, shut down the forum, do the upgrade. Upload my custom /images and overwrite the new, then perform the upgrade. After, go back and revert everything the upgrade reported as needing to be reverted. Sounds to me like some of the upgrade files were munged during the transfer. I'd re-upload the upgrade files and make sure all appropriate ASCII files are transferred as ASCII and all binary as binary. Something that simple can easily be overlooked. Also, make sure your config.php is correctly configured. Something is missing... you just have to.

Seeing as it was a brand new install, I'd say the problem is either with a corrupt file upload or misconfigured config.php. Something isn't seeing something the way it's supposed to. Many people have installed the 3.7.0 software as an upgrade (which is a helluva lot trickier than a virgin install) and are running with no problem.

tafreeh
05-23-2008, 07:19 PM
OK, here is the thing: I checked almost all my templates for the security token code and fixed all of them,
but still only super mods are getting the security token error whenever they try to reply to a post, whether in new reply or quick reply.

Can someone tell me which templates I have to fix?

WFZ
05-23-2008, 08:35 PM
Does someone want to fix this on my forum for me? :$

blindmedia ltd
05-25-2008, 06:39 AM
Does someone want to fix this on my forum for me? :$

Anyone want to do that on mine too?

J98680Bxxxxx
05-25-2008, 11:39 AM
As few people are actually using a security token on forums (boards), it will be good if the vBulletin Development team could give an option in the Admin CP (->vBulletin Options) to switch on/off this "CSRF_PROTECTION" depending on whether a customer uses a Security Token or not.

I am definitely one of those who is not using a Security Token on my board (and will not be using it). Thus, from all 56 ".php" files in the "vB 3.7/upload" directory, I have changed all those
define('CSRF_PROTECTION', true);
to ->
define('CSRF_PROTECTION', false);

All my mods and plug-ins are working fine again and the board is running smoothly. No need to start chasing the authors of the many mods I have installed for updates.

Andreas
05-25-2008, 11:41 AM
Please stop posting this Wikipedia article.
That is something totally different and actually only confuses people!

Paul M
05-25-2008, 12:01 PM
Link removed.

I would suggest that people completely ignore what you posted, as it is removing security from vB and thus re-opening the possibility of attack. What you do to make your own forum vulnerable is up to you, but we do not advise others to follow such a bad route.

mehrdad220
05-28-2008, 12:53 PM
I am having this problem with the Currentpoll module in vBadvanced; not sure which file I have to edit to get this fixed. Any ideas?

dodge-downunder
05-28-2008, 01:24 PM
Well, I'm by no means a coder and I am stuck with this BS.

I've searched the templates, fixed it, but it still happens.

I'm so over this... I really appreciate any assistance. I've read everything, done everything, but can't sort it.

We need a layman's terms walkthrough, please!

pooffck1
05-28-2008, 07:09 PM
Hi, I'm a complete NEWB at this and the only thing that is not working for me is the custom skin I made: it does not support the SEARCH ENGINE in my header. It keeps giving me this message:

Your submission could not be processed because a security token was missing or mismatched.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.

I have absolutely no idea what is going on with that, and I don't understand what this post (first post) is about, because it doesn't have the right instructions on WHAT template/php file I need to change, WHAT I NEED TO REPLACE IT WITH, WHERE IS IT?

Someone please help me out on this

Thanks

cache
05-29-2008, 04:16 AM
I have followed the instructions, added the code after the <form and fixed the problem when I do a search. So it is not as bad as before.

However, when the admin tries to delete a thread, this security token error occurs. I don't think there is another <form in the template style; where can I find the problem?

J98680Bxxxxx
05-29-2008, 03:16 PM
Hi, I'm a complete NEWB at this and the only thing that is not working for me is the custom skin I made: it does not support the SEARCH ENGINE in my header. It keeps giving me this message:



I have absolutely no idea what is going on with that, and I don't understand what this post (first post) is about, because it doesn't have the right instructions on WHAT template/php file I need to change, WHAT I NEED TO REPLACE IT WITH, WHERE IS IT?

Someone please help me out on this

Thanks

Hi Pooffck1,

I am afraid that you will not get a satisfactory answer here, as it seems that no one really knows what is happening with these random messages stating: "Your submission could not be processed because a security token ..."

This CSRF stuff seems to have been done in a big rush. Open a ticket at vB.com and ask their team to proceed with the installation and debugging of your site.
:(

--------------- Added 1212086935 at 1212086935 ---------------

Link removed.

I would suggest that people completely ignore what you posted, as it is removing security from vB and thus re-opening the possibility of attack. What you do to make your own forum vulnerable is up to you, but we do not advise others to follow such a bad route.


If it was such a bad route, it would not have been implemented in boolean form (choice: true, false), but directly by whatever means in the code. Also, it would not have been indicated in the opening post (you "should", not you "MUST"):


...
define('CSRF_PROTECTION', true);

With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user, if its wrong an error message will be shown and execution with halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Paul M
05-29-2008, 06:35 PM
If it was such a bad route, it would not have been implemented in boolean form (choice: true, false), but directly by whatever means in the code. Also, it would not have been indicated in the opening post (you "should", not you "MUST"):
Lots of things are done via options in vB; that still doesn't mean it's a good idea to turn them off. As for should/must: vB will still work without CSRF protection, but it will be insecure, therefore "should" is the correct term. Setting them to false, as you posted, is even worse than not setting the option at all, since that disables the old style protection as well.
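As an added illustration of the three states Paul M contrasts above (written for this page; not vBulletin's own init.php): a small model in which the constant is true, undefined, or false, run against forged cross-site POSTs and genuine ones, with and without a Referer header. The hosts, the token, the request arrays and the fail-closed handling of a missing Referer are choices made for this model, not facts about vBulletin's referrer check; the only things taken from the thread are what each of the three states checks.

```php
<?php
// Added example: a model written for this page, not vBulletin's init.php.
// It reproduces only what the opening post and the reply above state:
//   true      -> the POST must carry the user's securitytoken,
//   undefined -> the old style referrer check runs instead,
//   false     -> no check at all.
// Hosts, the token, the request arrays and the fail-closed handling of a
// missing Referer are choices made for this model, not facts about vBulletin.

function referrer_ok(array $server, $boardhost)
{
    if (empty($server['HTTP_REFERER'])) {
        return false;                    // model choice: fail closed when the header is absent
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $boardhost) === 0;
}

function token_ok(array $post, $usertoken)
{
    // plain === keeps the model short; a real check should compare in constant time
    return isset($post['securitytoken']) && $post['securitytoken'] === $usertoken;
}

// $mode: true (token check), null (constant never defined: referrer check), false (nothing)
function post_allowed($mode, array $server, array $post, $usertoken, $boardhost)
{
    if ($server['REQUEST_METHOD'] !== 'POST') {
        return true;                     // both checks cover POST only, as the opening post says
    }
    if ($mode === true) {
        return token_ok($post, $usertoken);
    }
    if ($mode === false) {
        return true;                     // define('CSRF_PROTECTION', false): nothing is checked
    }
    return referrer_ok($server, $boardhost);
}

$board = 'forum.example';
$token = 'c0ffee0123456789abcdef0123456789abcdef01';   // made-up per-user token

// Constructed requests. The attacker's page cannot read the victim's token, so its
// POSTs carry none; a proxy or privacy setting may also strip the Referer header.
$forged           = array('REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'http://attacker.example/auto-submit.html');
$forged_stripped  = array('REQUEST_METHOD' => 'POST');
$genuine          = array('REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'http://forum.example/showthread.php?t=1');
$genuine_stripped = array('REQUEST_METHOD' => 'POST');
$with_token       = array('securitytoken' => $token);

$modes = array('true (token)' => true, 'undefined (referrer)' => null, 'false (nothing)' => false);
foreach ($modes as $label => $mode) {
    printf("%-21s forged:%-7s forged,no-referer:%-7s genuine:%-7s genuine,no-referer:%s\n", $label,
        post_allowed($mode, $forged, array(), $token, $board) ? 'ALLOWED' : 'blocked',
        post_allowed($mode, $forged_stripped, array(), $token, $board) ? 'ALLOWED' : 'blocked',
        post_allowed($mode, $genuine, $with_token, $token, $board) ? 'allowed' : 'BLOCKED',
        post_allowed($mode, $genuine_stripped, $with_token, $token, $board) ? 'allowed' : 'BLOCKED');
}
```

Only the token line blocks both forged requests while allowing both genuine ones. The referrer line has to pick a side on a missing Referer: this model fails closed, which blocks the genuine user behind a referer-stripping proxy; a check that failed open instead would let the referer-less forgery through. The false line lets everything through, which is the gap between "undefined" and "false" that the reply above points at, and why a per-user token rather than a Referer comparison is the check to keep.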

mtlcore
05-30-2008, 03:00 PM
What do I have to edit? My users are getting these errors on the following page:

profile.php?do=dst

pooffck1
05-30-2008, 05:28 PM
I had made my own custom style, and the only problem on my board was that when I put a search engine in my header template, it gave my members a message saying something about a security token.

<td class="alt1" valign="top">
<form action="$vboptions/search.php" method="post">
<input type="hidden" name="do" value="process" />
<input type="hidden" name="showposts" value="0" />
<input type="hidden" name="quicksearch" value="1" />
<input type="hidden" name="s" value="" />
<input type="text" name="query" size="15" onfocus="this.value=''" value="Search..." />
<input type="image" valign="middle" src="$vboptions[bburl]/images/misc/go.gif" style="vertical-align: middle;"/>
</form>&nbsp;<a href="$vboptions[bburl]/search.php" accesskey="4" rel="nofollow">Options</a><br>


And this is how it looked, but when I looked at other templates I saw that they had the security token line in the search.

<td class="alt1" valign="top">
<form action="$vboptions[bburl]/search.php" method="post">
<input type="hidden" name="do" value="process" />
<input type="hidden" name="showposts" value="0" />
<input type="hidden" name="quicksearch" value="1" />
<input type="hidden" name="s" value="" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="text" name="query" size="15" onfocus="this.value=''" value="Search..." />
<input type="image" valign="middle" src="$vboptions[bburl]/images/misc/go.gif" style="vertical-align: middle;"/>
</form>&nbsp;<a href="$vboptions[bburl]/search.php" accesskey="4" rel="nofollow">Options</a><br>

The securitytoken line is the extra line I put in, and it started to work.

I hope this helps

xTerMn8R
06-01-2008, 02:55 AM
I had similar problems with the Search functions using CMPS on the front end, yes the infamous Security Issue... but it was easily fixed by adding the <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> to the adv_portal_search template right AFTER the <td class="$bgclass"> tag.

Although I understand these are NOT issues directly related to the vBulletin core software, I really think that the vB staff should take into consideration that the reason most of us use this software is because of the wide variety of add-ons available for it. That being said... perhaps a little more COMPATIBILITY with add-ons should be more carefully considered and tools to implement these fixes provided. Like, when you do the upgrade, a script that will prompt you if you want it to check and upgrade all adv_portal*.* templates that require it.

I am an avid vB lover and promote it to everyone I know. I've had my share of issues, but have ALWAYS found the vB staff to be very quick to respond to ANY and ALL issues I've had, so I hope we can stop the hostile bashing and try to find a happy ground with CONSTRUCTIVE suggestions. You get more bees with honey, folks....

Thank you staff, I appreciate the extra security, having just gone through a hijacked and very screwed up site not long ago. Hopefully these improvements will prevent that from happening in the future.

Be Patient,
Tom

PS: shouldn't it be vBulletin article REPOSITORY? LOL

Goomzee
06-03-2008, 06:03 AM
I don't understand which templates I have to edit to put the above code in.

sv1cec
06-03-2008, 07:07 AM
Well, I do not know what the big rush about the CSRF issue was. According to Jelsoft people, when I protested that a patch should be issued for those still running vB 3.0.xx, since this is a security issue:


Regarding the vulnerability of vBulletin 3.0.x and 3.5.x to the reported CSRF exploit, it is important to note that vBulletin 3 has had protection against the vast majority of CSRF attacks for quite some time, in the form of a referrer check to ensure that POST requests originate from the same domain as that on which vBulletin is installed. This fix was implemented in response to articles such as the one to which you refer on darkreading.com. This protection is sufficient to deflect almost all CSRF attempts. This most recent CSRF exploit is relatively minor in the scheme of software flaws; Secunia rates CSRF exploits' severity at only 2/5.

And this comes from James Limm, Jelsoft CEO:


In principle, I agree that we have an obligation to ensure that our products are free from significant security issues. Security is something that we take very seriously - issues such as XSS exploits are fixed extremely quickly for all currently supported versions (usually we release a patch within 24 hours).

In this particular case however, the relatively minor nature of the CSRF issue, coupled with the complex nature of the fix and the fact that version 3.0 is an extremely old version that has been superceded twice led us to make this decision.

Mind you, Jelsoft issued an End-of-Life statement for vB 3.0 the next day after I complained about the lack of fix for a security issue. Some customer care!!!

Skitty
06-06-2008, 04:30 PM
This fix worked for the "report pm" mod, we were getting the error message. Thank you!

Boofo
06-06-2008, 05:09 PM
I fixed mine a long time ago. You must be using another one then.

ViewMy.biz
06-08-2008, 10:55 PM
Forms

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

I have stand-alone search forms in the first post of some long threads . . . what to do?

Also how can I do a search from MY "Referrer Whitelist" website?

phmaster
06-11-2008, 10:24 AM
I had this problem with the search button; now it's running fine.
Thanks Wayne Luke much appreciated.

Sworm
06-14-2008, 07:40 PM
Hi all, for now I have this error only in the polls voted from the VBA homepage..... what is the template that I go to edit?

PoetJA-1975
06-29-2008, 04:48 AM
Wow - Thank GAWD for Google LOL - did a search and this is the very 1st thread I found.... After editing over 50 or more templates in the past hour or so - I thank you all who have helped - notably the very informative post here (https://vborg.vbsupport.ru/showpost.php?p=1498706&postcount=14) AND the query that made it so very easy here. (https://vborg.vbsupport.ru/showpost.php?p=1498253&postcount=3)

It's not very often I see a HELP ME JESUS! thread that actually has the solution on the 1st page :D

Thanx GUYZ!

Jacquii.

nhuhuu
07-07-2008, 02:04 AM
Hi dear all.
When I add new styles into my forum, it's OK.
Then I want to show 3 styles on my forumhome for my members to enjoy, but I can't save the display order. I got the note below:

Your submission could not be processed because a security token was missing or mismatched.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.

Please help me: why does my AdminCP get the error... I want to fix it, but I don't know how to fix it in the AdminCP. I had fixed the templates OK.

CEO254
07-09-2008, 12:51 AM
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

I have done this and I have also re-upped all my files and I'm still getting an error :(

xoutlawz00x
07-13-2008, 05:45 PM
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.
YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
    success: this.handle_ajax_response,
    failure: this.handle_ajax_error,
    timeout: vB_Default_Timeout,
    scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

Would you be kind and help me implement this into my template.. I don't understand

--------------- Added 1215989398 at 1215989398 ---------------

I upgraded the script and everything is fine now, thanks

denman75
07-18-2008, 01:35 PM
I have done this and I have also re-upped all my files and I'm still getting an error :(

Same here.
This is really frustrating.
I don't care where it's coming from, I know it has to be fixed.
Since I am not a coder,
if I purchase a board and it's running great and after an update it's not,
then there is not much I can do as a total non-coder.

gbox master
08-02-2008, 02:31 PM
Hi

Can someone explain this to me please?
I get the error also on my forum since some fool invented a new way of protection or something.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.


<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

I don't understand this very well.
I use a modified template not from vB but from phpBB.
On 3.6 all is OK and works fine.
Now on 3.7 the problems start.

PS: if someone can help me do this it would be appreciated via PayPal.

meissenation
08-06-2008, 02:32 PM
My users are getting the error when uploading attachments to their album or to a thread. Both templates have the <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> already, so what is the next course of action to fix this?

mokujin
08-06-2008, 09:08 PM
Would you be kind and help me implement this into my template.. I don't understand

--------------- Added 1215989398 at 1215989398 ---------------

I upgraded the script and everything is fine now, thanks
I don't understand either :( Where are the coders now?

Triky
08-11-2008, 05:00 PM
I am trying to reproduce my usercp.php file on my site root. I have also copied my profile.php file and all my /includes/ folder.. and when I'm sending data from it, I get this error:

Fatal error: Call to undefined function: verify_security_token() in c:\programs\server\www\install_test\includes\init.php on line 416

Why? I have this line of code in init.php at line 416:

if (!verify_security_token($vbulletin->GPC['securitytoken'], $vbulletin->userinfo['securitytoken_raw']))


Can please somebody help me?

mystic10
08-23-2008, 04:35 PM
Do I need to do this? I just upgraded to 3.7.2 PL2; it should be fixed in that, right.. as I am still having the problem, but only with the thanks hack. Any help will be appreciated.

sunnylikbeckham
09-02-2008, 11:31 AM
I'm having problems too.
Is it fixed in 3.7.3??

yotsume
09-04-2008, 08:18 AM
I am getting a token error when editing a Blog comment. I use the latest vB Blog. How can I fix the token error here? Also I get an error when I am inside the admin CP and I try to email a user their password.

I had a mod installed called "force users to read a thread"; when I uninstalled that mod I began to see the token errors.

I need these two errors fixed ASAP!

HELP PLEASE!

g00gl3r
09-07-2008, 07:35 PM
This is stupid. What the hell is this all about?

--------------- Added 1220819847 at 1220819847 ---------------

I'm having problems too.
Is it fixed in 3.7.3??

Nope.

--------------- Added 1220820450 at 1220820450 ---------------

I can't save my vbulletin settings without this error.

What do I change to fix this? In a template?


I also can not import any hacks without an error.

Where do I fix this? In a template?

--------------- Added 1209251058 at 1209251058 ---------------




I am getting the error when I try to edit a template and save it so this will not work.
O.M.F.G. There must be 400 templates showing when I search for that.

dirtyfeast
09-08-2008, 05:35 AM
I just installed the latest version of vBulletin, have no mods installed, made a test thread, and I can't delete it. I get this security token error. Contact admin, it says. Why does this happen on a newly installed forum with no hacks installed? Could it be the template I am using, which is Ambience?

mystic10
09-08-2008, 10:09 AM
I have the problem with the thank you hack.. any time someone clicks on thanks they get a security token warning....

I looked through the plugin; this is where I saw the word securitytoken... what changes do I need to make?

<template name="post_thanks_button" templatetype="template" date="1217138974" username="Abe" version="7.7"><![CDATA[<a href="post_thanks.php?$session[sessionurl]do=post_thanks_add&amp;p=$post[postid]&amp;&securitytoken=$bbuserinfo[securitytoken]" id="post_thanks_button_$post[postid]"<if condition="$vboptions[disable_ajax] != 2"> onclick="return post_thanks_give($post[postid], <if condition="$vboptions[post_groan_integrate]">true<else />false</if>);"</if> <if condition="$display_thanks_image == 'none'">style="display:none"</if> rel="nofollow"><img src="$stylevar[imgdir_button]/post_thanks.gif" alt="$vbphrase[post_thanks_thanks]" border="0" /></a>]]></template>
<template name="post_thanks_javascript" templatetype="template" date="1198126814" username="Abe" version="7.0"><![CDATA[<script type="text/javascript" src="clientscript/post_thanks.js"></script>]]></template>

scott_gersforum
09-09-2008, 12:41 PM
I have certain users getting this error when updating their albums.
Rest of the forum seems okay.
Can anyone fix this?

redskull
09-14-2008, 03:05 AM
OK so for my template to work without getting the token error, WHAT do I edit/fix?

mokujin
09-14-2008, 07:47 PM
Hi, I have this function, how can I add CSRF for this:

function tab(URL) {
    http.open("GET", "tabs.php?f="+URL+"&s="+Math.random(), true);
    http.onreadystatechange=function() {
        if(http.readyState == 4) {
            document.getElementById('forumbits').innerHTML = http.responseText;
        }
    }
    http.send(null);
}
Thanks for helping me
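
The GET-based tab() loader above, reworked as an added example (not code from this thread or from vBulletin) so that the request is a POST carrying the token. The check described at the top of this thread applies to POST requests, so a script that only renders content can stay on GET with no token; if tabs.php performs an action, it should opt in with define('CSRF_PROTECTION', true) and be called like this. Assumed: tabs.php reads f from POST, and SECURITYTOKEN / SESSIONURL are the page globals vBulletin sets, with SESSIONURL either empty or ending in '&' as the YUI snippet quoted earlier uses it.

```javascript
// Added example (not from this thread or from vBulletin): the tab() loader
// above, reworked to POST with the securitytoken. Assumptions: tabs.php reads
// its parameters from $_POST and is opted into CSRF_PROTECTION; SECURITYTOKEN
// and SESSIONURL are the page globals vBulletin sets (SESSIONURL is '' or
// 's=<hash>&', as the YUI snippet quoted earlier uses it).

// Build an application/x-www-form-urlencoded body with the token appended.
// Every value is encoded, so a tab name such as "a&do=x" cannot smuggle in
// extra fields, and a missing token fails loudly here instead of as the
// "security token was missing" error page on the server.
function vbPostBody(params, securitytoken, sessionurl) {
  if (typeof securitytoken !== 'string' || securitytoken.length === 0) {
    throw new Error('securitytoken is required for a POST to a CSRF_PROTECTION script');
  }
  const pairs = Object.keys(params).map(function (k) {
    return encodeURIComponent(k) + '=' + encodeURIComponent(String(params[k]));
  });
  pairs.push('securitytoken=' + encodeURIComponent(securitytoken));
  return (sessionurl || '') + pairs.join('&');
}

// POST to tabs.php and hand the returned HTML to onHtml (null on a non-200
// reply). createXhr is injectable so the function can be exercised outside a
// browser; in a vBulletin page call it as:
//   postTab(name, SECURITYTOKEN, SESSIONURL, function (html) { ... });
// The Math.random() cache-buster of the GET version is dropped: browsers do
// not serve POST responses from cache.
function postTab(tabName, securitytoken, sessionurl, onHtml, createXhr) {
  const xhr = createXhr ? createXhr() : new XMLHttpRequest();
  xhr.open('POST', 'tabs.php', true);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) {
      onHtml(xhr.status === 200 ? xhr.responseText : null);
    }
  };
  xhr.send(vbPostBody({ f: tabName }, securitytoken, sessionurl));
  return xhr;
}

// Minimal stand-in for XMLHttpRequest so the example runs outside a browser;
// it records what was sent and answers with a constructed HTML fragment.
function fakeXhrFactory(log) {
  return function () {
    return {
      readyState: 0, status: 0, responseText: '',
      open: function (method, url) { log.method = method; log.url = url; },
      setRequestHeader: function (name, value) { log[name] = value; },
      send: function (body) {
        log.body = body;
        this.readyState = 4; this.status = 200;
        this.responseText = '<div class="forumbit">constructed</div>';
        this.onreadystatechange();
      },
    };
  };
}

// Stand-alone demonstration with a constructed token value.
const demoLog = {};
postTab('news', 'a0b1c2d3' /* constructed token */, '', function (html) {
  console.log('sent:', demoLog.method, demoLog.url, demoLog.body);
  console.log('received:', html);
}, fakeXhrFactory(demoLog));
```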

SVTCobraLTD
10-02-2008, 03:09 PM
Below is the code for a product. There is no value="$session[sessionhash]", so I am not sure where to add <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />. Anyone have an idea??


$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
$headinclude
<title>$vboptions[bbtitle] - $vbphrase[onetouchspamban_title]</title>
</head>
<body>
$header
$navbar
<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="70%" align="center">
<tr>
<td class="tcat">$vbphrase[onetouchspamban_title]</td>
</tr>
<tr>
<td class="panelsurround" align="center">
<div class="panel">
<div align="$stylevar[left]">

<div style="margin: 10px">

<if condition="$_REQUEST['do'] == 'spamcleanconfirm'">
<form action="misc.php" method="post" name="spamconfirm" id="spamconfirm">
$message
<input type="hidden" name="do" value="dospamclean" />
<input type="hidden" name="userid" value="$banuserid" />
<center><input type="submit" class="button" value="$vbphrase[onetouchspamban_confirm_button]" /></center>
</form>
</if>

<if condition="$_POST['do'] == 'dospamclean'">
$message
</if>

</div>

</div>
</div>

</td>
</tr>
</table>

$footer
</body>
</html>

Outbackmark
10-08-2008, 11:38 AM
I had the same trouble; this took care of it -
Open the template "onetouchban" in Styles and Templates / edit templates -
Find
<form action="misc.php" method="post" name="spamconfirm" id="spamconfirm">

On the NEXT line insert -
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save and edit the same in other styles if you have more than one running.
No more errors - Remember to turn off the IP ban for your test run or you may ban your own IP!!

I also had a security token pop up in a style that has not been updated with the onset of daylight savings in some parts of the world.
The error occurs when the time tries to adjust to daylight savings on profile.php?do=dst.
This is incorporated into the footer template and the security token needs to go on the next line after -
<input type="hidden" name="s" value="$session[sessionhash]" />

Ohiosweetheart
10-12-2008, 06:20 PM
Has anyone gotten this security token error when you click on "Go Advanced" on the QuickReply editor?

If so, what template did you have to edit, (or what form in what template) to fix it??

EDIT - Never mind. I found it. I reverted the Showthread template and it's now fixed. :)

perfphysio
10-24-2008, 08:11 PM
Hi guys, I have a second site that uses a small bit of code at the top to search my forum. Basically, you type the search term on my site, hit search, and it feeds that info to the search page on my forum and opens a new window on the forum with the results.

It works fine when the user is not logged in to the forum when searching from the other site, but when the user is also logged in to the forum and is then also searching from the other site I get the error

"Your submission could not be processed because a security token was invalid."

I tried commenting out the lines
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

from my search_forums template, but this made no difference.

This is my code

<div class="span-8 push-4 last margin_bottom">
<form id="form" action="http://www.******.com/forum/search.php" method="post" name="search" target="_blank">

<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="process"/>
<input type="hidden" name="quicksearch" value="1"/>
<input type="hidden" name="showposts" value="1"/>

<label for="query">Search</label>
<input type="text" id="search_field" class="text" name="query" size="18" value="" />
<input type="image" src="/**********/templates/******/images/search.gif" />
</form>

</div>

Any ideas on how to work around on this?

skylerj
11-01-2008, 11:06 PM
Yeah, exactly the same here. This is crap and not good. I wish more help was around; I see people asking to explain it 5th grade style and they are ignored. GRRR, how many people does it take to scream before something's done???


I just installed the latest version of vBulletin, have no mods installed, made a test thread, and I can't delete it. I get this security token error. Contact admin, it says. Why does this happen on a newly installed forum with no hacks installed? Could it be the template I am using, which is Ambience?

PoetJA-1975
11-02-2008, 12:49 AM
Run the following query and you should see a list of possible templates that need editing - Then you have to edit each template for each installed style manually:

SELECT templateid, title, styleid
FROM template
WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%'
  AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%'
ORDER BY title ASC, styleid ASC;

Run the query in your AdminCP --> Maintenance --> Execute SQL Query

Hope this helps - but if you are in the position to hire someone - perhaps you might post a thread in the Paid Requests section or check out my design site (http://jacquiidesigns.com) ;)

Jacquii.


Why does this happen on a newly installed forum with no hacks installed? Could it be the template I am using, which is Ambience?

Yup - it most definitely is the style needs template(s) edited.

Kaas
12-02-2008, 09:44 PM
I have recently upgraded to the latest vB, and I am now having an issue with a "security token". I was redirected to this particular post by vB support.. I am using a "Form" created by Elricstorm called "Elricstorm's World of Warcraft Recruitment Form". I have modified the form to be up to date with the changes in the game; everything works fine, all the changes show up fine, however when attempting to "post" the form I get the security error. I am in no way a programmer, so my question is what do I fix and where...? If this has already been answered somewhere, pointing me there would be great; I searched but came up empty.

I will try and give you the code here.. If anyone can help, and you need more data, please let me know... Thanks a ton..


this is from the top of the form...

<?xml version="1.0" encoding="ISO-8859-1"?>

<product productid="wow_recruitment" active="1">
<title><![CDATA[Elricstorm's World of Warcraft Recruitment Form]]></title>
<description>Damnation guild recruitment form</description>
<version>2.0.0</version>
<url>https://vborg.vbsupport.ru/showthread.php?t=1274436</url>
<versioncheckurl><![CDATA[https://vborg.vbsupport.ru/misc.php?do=checkversion&t=1274436]]></versioncheckurl>
<dependencies>
<dependency dependencytype="vbulletin" minversion="3.7.4" maxversion="" />
</dependencies>
<codes>
</codes>
<templates>
<template name="wow_form" templatetype="template" date="0" username="" version="1.0.0"><![CDATA[$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
$headinclude
<title>$vboptions[bbtitle] - $formtitle</title>
</head>
<body>
$header
$navbar

<!-- main -->
<if condition="$preview">
<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
<tr>
<td class="tcat">
Preview
</td>
</tr>
<tr>
<td class="alt1">
$preview
</td>
</tr>
</table>
</if>

<br />
<form name="vbform" action="newthread.php" method="post"<if condition="!is_browser('webtv')"> onsubmit="return vB_Editor['$editorid'].prepare_submit(0, $vboptions[postminchars])"</if>>
<input type="hidden" value="$formname" name="do" />
<input type="hidden" value="submit" name="action" />

<input type="hidden" name="posthash" value="$posthash" />
<input type="hidden" name="poststarttime" value="$poststarttime" />

<style type="text/css">
<!--
.wowtinyc{
text-align: center;
text-align: -moz-center;
font-family: '$fontstyle', cursive;
font-size: 8pt;
font-weight: bold;
}
.wowtinyl{
text-align: center;
text-align: -moz-center;
font-family: '$fontstyle', cursive;
font-size: 8pt;
font-weight: bold;
}
.wowpc{
text-align: center;
text-align: -moz-center;
font-family: '$fontstyle', cursive;
font-size: 10pt;
font-weight: bold;
}
.wowpl{
text-align: left;
text-align: -moz-left;
font-family: '$fontstyle', cursive;
font-size: 10pt;
font-weight: bold;
}
.wowsl{
text-align: left;
text-align: -moz-left;
font-family: '$fontstyle', cursive;
font-size: 9pt;
font-weight: lighter;
}
.wowsc{
text-align: center;
text-align: -moz-center;
font-family: '$fontstyle', cursive;
font-size: 9pt;
font-weight: lighter;
}
-->
</style>

<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
<tr>
<td class="tcat" colspan="3">
$vboptions[bbtitle] - $formtitle
</td>
</tr>
<tr>
<td class="panelsurround" align="center" colspan="3">
<table class="panel" cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
<tr>
<td align="$stylevar[left]">
<fieldset class="fieldset" style="margin:0px">
<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0">
<tr>
<td>
$formpurpose
</td>
</tr>
</table>
</fieldset>
</td>
</tr>
</table>
</td>
</tr>
</table>

azurekite
12-09-2008, 10:43 PM
I'm not sure if this has been suggested yet and I don't care to search through all 10 pages of this to find out.

This is simply what I did to fix my Security Token issues for my custom theme for my board.

Go to your Administrator Control Panel, then choose:

Styles & Templates >> Search in Templates

Inside there you will use the "Find and Replace in Templates" function.

Where it says "Search in Style" you will choose the custom style that is giving you problems.

Where it says "Search for Text" put:

<input type="hidden" name="s" value="$session[sessionhash]" />

and where it says "Replace with Text" put:


<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />


Then choose "No" for the "Test Replacement Only" option.

And finally choose "Yes" for the "Case-Insensitive" option. (Just to be sure. =D)


Click Find and then keep hitting next till it updates the skins.

That's what I did and now it works like a charm. =D

C138 Kaysone
01-05-2009, 04:08 PM
Ummm, maybe someone should tell me exactly WHERE to put all this stuff... this is like reading Chinese when I can't even read symbols and make out what they mean.. the only thing I'm worrying about now is missing security tokens :( I think I screwed up big time and lost it all and now I may have to restart over...

But will this fix all token issues or only certain areas? I'm trying to figure out why I'm having this one in my flashchat...

flup
01-20-2009, 07:51 AM
I'm not sure if this has been suggested yet and I don't care to search through all 10 pages of this to find out.

This is simply what I did to fix my Security Token issues for my custom theme for my board.

Go to your Administrator Control Panel, then choose:

Styles & Templates >> Search in Templates

Inside there you will use the "Find and Replace in Templates" function.

Where it says "Search in Style" you will choose the custom style that is giving you problems.

Where it says "Search for Text" put:

<input type="hidden" name="s" value="$session[sessionhash]" />

and where it says "Replace with Text" put:


<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />


Then choose "No" for the "Test Replacement Only" option.

And finally choose "Yes" for the "Case-Insensitive" option. (Just to be sure. =D)


Click Find and then keep hitting next till it updates the skins.

That's what I did and now it works like a charm. =D

You'd better use the test run first to see which templates are missing the security token and add it manually later. I guess it'll give errors while checking if your page is valid to its DTD when you have double field names.

--------------- Added 1232445952 at 1232445952 ---------------

Here's a list with (default) templates missing the hidden field for the securitytoken. These were found in a 3.7.2 version which was updated from 3.5.4 to 3.7.2. The number in front of the template name is the number of fields to be added in total:

2x calenderjump
1x FAQ
2x FORUMDISPLAY
1x forumjump
1x JOINREQUESTS
1x moderation_filter
1x moderation_posts
1x moderation_threads
1x pm_messagelist
6x SHOWTHREAD
1x tag_cloud_page
1x threadadmin_easyspam_skipped_prune
1x WHOSONLINE

Open each of these templates, search for:
<input type="hidden" name="s" value="$session[sessionhash]" />

and replace with:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />
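
The search-and-replace procedure above, with the warning about adding the field twice, as an added example that is not code from this thread or from vBulletin: an audit/fix pass over template text that reports POST forms lacking the securitytoken field and inserts it only where it is missing. It assumes the template text is available as a string (for instance pulled from the template table with a query like the one posted earlier); templates with a vB <if> conditional inside the <form> tag itself are not handled and need a manual look.

```javascript
// Added example (not from this thread or from vBulletin): audit template text
// for POST forms that lack the securitytoken hidden field, and insert it
// without ever adding it twice. Assumption: the template text is available as
// a string (for example pulled from the template table).

const SESSION_INPUT = '<input type="hidden" name="s" value="$session[sessionhash]" />';
const TOKEN_INPUT = '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />';

// One <form ...> ... </form> block at a time. vB templates with an <if>
// conditional inside the <form> tag itself are not handled here.
const FORM_RE = /<form\b[^>]*>[\s\S]*?<\/form>/gi;
const OPEN_TAG_RE = /<form\b[^>]*>/i;

function isPostForm(formHtml) {
  return /\bmethod\s*=\s*["']?post["']?/i.test(formHtml.match(OPEN_TAG_RE)[0]);
}

function hasSecurityToken(formHtml) {
  return /<input\b[^>]*\bname\s*=\s*["']securitytoken["'][^>]*>/i.test(formHtml);
}

// Report each POST form: its action, whether the token is present, and whether
// the sessionhash input (the anchor used by the search-and-replace above) exists.
function auditTemplate(templateText) {
  const findings = [];
  for (const m of templateText.matchAll(FORM_RE)) {
    const form = m[0];
    if (!isPostForm(form)) continue;  // the token check applies to POST requests
    const action = form.match(/\baction\s*=\s*["']([^"']*)["']/i);
    findings.push({
      action: action ? action[1] : '(none)',
      hasToken: hasSecurityToken(form),
      hasSessionInput: form.includes(SESSION_INPUT),
    });
  }
  return findings;
}

// Insert the token line after the sessionhash input when there is one, else
// directly after the opening <form> tag (the onetouchban case above). Forms
// that already carry the token are left alone, so running this twice is safe.
function addSecurityToken(templateText) {
  return templateText.replace(FORM_RE, function (form) {
    if (!isPostForm(form) || hasSecurityToken(form)) return form;
    if (form.includes(SESSION_INPUT)) {
      return form.replace(SESSION_INPUT, function () { return SESSION_INPUT + '\n' + TOKEN_INPUT; });
    }
    return form.replace(OPEN_TAG_RE, function (open) { return open + '\n' + TOKEN_INPUT; });
  });
}

// Constructed sample modelled on templates quoted in this thread: a POST form
// without the sessionhash line, a POST form with it, a GET form, and a POST
// form that is already fixed.
const SAMPLE_TEMPLATE = [
  '<form action="misc.php" method="post" name="spamconfirm" id="spamconfirm">',
  '<input type="hidden" name="do" value="dospamclean" />',
  '</form>',
  '<form action="search.php" method="post">',
  SESSION_INPUT,
  '<input type="hidden" name="do" value="process" />',
  '</form>',
  '<form action="forumdisplay.php" method="get">',
  SESSION_INPUT,
  '</form>',
  '<form action="newreply.php" method="post">',
  SESSION_INPUT,
  TOKEN_INPUT,
  '</form>',
].join('\n');

console.log(auditTemplate(SAMPLE_TEMPLATE));
console.log(addSecurityToken(SAMPLE_TEMPLATE));
```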

ragtek
02-14-2009, 06:55 AM
Shouldn't this be posted in vb category (https://vborg.vbsupport.ru/forumdisplay.php?f=187) and not programming?
Because you can just use this with vB, it has nothing to do with normal "programming".

moon_spell
02-20-2009, 09:12 PM
OK. Now which template has to be edited? Would you please tell me? All templates?

--------------- Added 1235223321 at 1235223321 ---------------

I did everything but all the users get this message!!!

Your submission could not be processed because a security token was missing.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error


The latest release of vBulletin! Please help to solve this!

Mr. Baws
02-23-2009, 11:14 AM
I get this error only with Mozilla when users try to search forums.

tlwwolfseye
03-07-2009, 06:49 AM
Could you please tell me which of the templates I have to change so I don't get the "Securitytoken" error anymore when submitting the score for the IbProArcade? If someone already knows, it would save me a lot of work finding that.

Thanks

darkman
03-15-2009, 07:16 PM
Hi, I did the query posted earlier and when I check the Style IDs, one of the results is -1, as shown in the attachment. When I hover over my styles in the style manager none of them come up as -1. When I click on a style to go to the URL and change the style ID at the end of the URL to -1 it comes up as the Andromeda style, but in the style manager, Andromeda comes up as styleid 58. Any clues as to why this is like that? I fixed all the security token issues except for the 7 occurrences that happen in this -1 styleid.
Any help would be appreciated. :)

Lynne
03-15-2009, 08:30 PM
-1 means the Master Style which you can only see in debug mode.

darkman
03-15-2009, 08:41 PM
Thank you - how would I change those templates then?

Lynne
03-15-2009, 08:48 PM
Thank you - how would I change those templates then?
You would have to go into debug mode. However, it seems odd that those default templates do not have the security token unless you have done something to modify those templates in the Master Style. There are some forms that do not need the securitytoken and my guess is that those don't. (Mine don't have it in those forms (the couple I checked) and the site runs fine.)

darkman
03-15-2009, 09:49 PM
ThanQ Lynne - I appreciate your help. I guess I will ignore them for now.
On another note, I'm no longer getting a flood of emails for security tokens missing, but I have received two of these:
Missing or Invalid Security Token detected.

Script Call Backtrace
=====================
#0 /home/imforums/public_html/forums/includes/functions.php line 2688: eval()
#1 /home/imforums/public_html/forums/global.php line 379: fetch_error(security_token_missing,sendmessage.php)
#2 /home/imforums/public_html/forums/profile.php line 150: require_once(/home/imforums/public_html/forums/global.php)

POST Variables
==============
Array
(
[securitytoken] =>
[ajax] => 0
)

Request URI
===========
/forums/profile.php?do=dst

Any ideas?

Lynne
03-15-2009, 10:07 PM
Make sure the security token is present in the footer where the profile.php form is called.

darkman
03-16-2009, 03:43 AM
Thanks again Lynne. I have about 7 skins total and from what I can see all the footer templates have the security token. The SQL query only shows these results (https://vborg.vbsupport.ru/attachment.php?attachmentid=96562&d=1237147955). I have received 8 email notifications of missing security tokens, all with exactly the same information as what I posted above. Any other ideas?

Lynne
03-16-2009, 03:49 AM
That query will most likely not catch modification templates or plugins where they don't have the securitytoken nor will it catch if it is a javascript problem. You can try disabling your modifications and seeing if the error goes away.

Big-K
03-17-2009, 05:37 PM
Hello,

I'm trying to implement an add-on (ZP Poll) that shows vB polls in a non-vB page (Joomla). Everything works well until users try to vote, then they get the security token issue. This hack is not resident in vBulletin and the only line with a form is
<form action=\"" . $directory . "/poll.php?do=pollvote&amp;pollid=\"" . $pollid . "\" method=\"post\">"

Any ideas on what I can do please?

Lynne
03-17-2009, 05:49 PM
You should ask the author of that modification for help adding the securitytoken.

Big-K
03-17-2009, 07:03 PM
Hi Lynne,

I've been trying to get hold of the developer for days. I was hoping there is a generic way to add tokens to such non-vB pages. I'm attaching the script so you can advise on where I could add the token?

Lynne
03-17-2009, 07:11 PM
I'm no CSRF expert at all. I was able to just add the line to all my custom mods and everything worked perfectly. You can try adding the securitytoken right after the form line you posted above and see if that works.

ndL
05-09-2009, 01:06 PM
I have a problem with a theme header (I think so); the quick search (java one) doesn't work with this theme:

Where do I add the special lines to make it work? Here is the script

<!-- designed by hanafi@enthropia.com/napy8gen@yahoo.co.uk for forumtemplates.com -->

<a name="top"></a>
<table width="80%" border="0" align="center" cellpadding="0" cellspacing="0" class="wrapper" style="height:100%;">
<tr>
<td class="headerwrap"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td valign="top"><table width="100%" border="0" cellpadding="0" cellspacing="0" class="headerwrap2">
<tr>
<td><a href="$vboptions[forumhome].php$session[sessionurl_q]">&nbsp;&nbsp;&nbsp;<img src="images/lily/lily_logo.gif" alt="$vboptions[bbtitle]" width="285" height="140" border="0" id="lily_logo" /></a></td>
</tr>
<tr>
<td class="navwrap">

<!-- nav buttons bar -->
<table id="navstyle" cellpadding="$stylevar[cellpadding]" cellspacing="0" border="0" width="100%" align="center" style="border-top-width:0px">
<tr align="center">
<if condition="$show['member']">
<td><a href="usercp.php$session[sessionurl_q]">$vbphrase[user_cp]</a></td>
</if>
<if condition="$show['registerbutton']">
<td><a href="register.php$session[sessionurl_q]" rel="nofollow">$vbphrase[register]</a></td>
</if>
$template_hook[navbar_buttons_left]
<td><a href="faq.php$session[sessionurl_q]" accesskey="5">$vbphrase[faq]</a></td>
<td><a href="memberlist.php$session[sessionurl_q]">$vbphrase[members_list]</a></td>
<td><a href="calendar.php$session[sessionurl_q]">$vbphrase[calendar]</a></td>
<if condition="$show['popups']">
<if condition="$show['searchbuttons']">
<if condition="$show['member']">
<td><a href="search.php?$session[sessionurl]do=getnew" accesskey="2">$vbphrase[new_posts_nav]</a></td>
<else />
<td><a href="search.php?$session[sessionurl]do=getdaily" accesskey="2">$vbphrase[todays_posts]</a></td>
</if>
<td id="navbar_search" ><a href="search.php$session[sessionurl_q]" accesskey="4" rel="nofollow">$vbphrase[search]</a>

<if condition="$show['quicksearch']">

<script type="text/javascript"> vbmenu_register("navbar_search"); </script></if></td>
</if>
<if condition="$show['member']">
<td id="usercptools" ><a href="$show[nojs_link]#usercptools">$vbphrase[quick_links]</a> <script type="text/javascript"> vbmenu_register("usercptools"); </script></td>
</if>
<else />
<if condition="$show['searchbuttons']">
<td><a href="search.php$session[sessionurl_q]" accesskey="4">$vbphrase[search]</a></td>
<if condition="$show['member']">
<td><a href="search.php?$session[sessionurl]do=getnew" accesskey="2">$vbphrase[new_posts_nav]</a></td>
<else />
<td><a href="search.php?$session[sessionurl]do=getdaily" accesskey="2">$vbphrase[todays_posts]</a></td>
</if>
</if>
<td><a href="forumdisplay.php?$session[sessionurl]do=markread" rel="nofollow">$vbphrase[mark_forums_read]</a></td>
<if condition="$show['member']">
<td><a href="#" onclick="window.open('misc.php?$session[sessionurl]do=buddylist&amp;focus=1','buddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=250,height=300'); return false;">$vbphrase[open_buddy_list]</a></td>
</if>
</if>
$template_hook[navbar_buttons_right]
<if condition="$show['member']">
<td><a href="login.php?$session[sessionurl]do=logout&amp;logouthash=$bbuserinfo[logouthash]" onclick="return log_out('$vbphrase[sure_you_want_to_log_out]')">$vbphrase[log_out]</a></td>
</if>
</tr>
</table>

<!-- / nav buttons bar -->


</td>
</tr>
</table></td>
<td class="headerR">&nbsp;</td>
</tr>
</table></td>
</tr>

<tr>
<td valign="top" class="cwrap">
<!-- /end long header part -->

<!-- content table -->
$spacer_open
<br/>
<div align="center">@vbbanners@</div>
$_phpinclude_output

Lynne
05-09-2009, 02:58 PM
I have a problem with a theme header (I think so); the quick search (java one) doesn't work with this theme:

Where do I add the special lines to make it work? Here is the script

If you think it's a problem with a particular mod, go read the mod thread and see if anyone posted the fix in there. There was also a discussion in this thread about fixing javascript (not java, that is very different) problems. Did you read the thread at all?

mokujin
05-09-2009, 08:40 PM
Hi Lynne, do you know how to make the Default var?
Thank you

Lynne
05-10-2009, 02:43 AM
Hi Lynne, do you know how to make the Default var?
Thank you
I don't understand what you mean, sorry.

mokujin
05-10-2009, 04:37 PM
I don't understand what you mean, sorry.

Hi Lynne,
I mean how to make the AJAX call a script without clicking a button (or a link) when a user has just loaded the page.
For example: I have installed AJAX Advanced Forum Statistic.
I browse the index page, and that mod loads the statistics using AJAX by default.

I hope you understand what I mean.

Lynne
05-10-2009, 04:44 PM
Hi Lynne,
I mean, how do I make the AJAX call a script without clicking a button (or a link) when a user has just loaded the page?
For example: I have installed AJAX Advanced Forum Statistic.
I browse the index page, and that mod loads the statistics using AJAX by default.

I hope you understand what I mean.
How is that related to CSRF Protection?

I'm not an ajax expert at all, so I can't really answer questions regarding ajax.

Eclyps19
06-20-2009, 07:39 PM
God, I'm so confused.

If I do a search in templates for that line, it comes back with 100+ templates. Am I expected to go through every one and check for that securitytoken line?

The only thing that's not working for me is my search.

Lynne
06-20-2009, 08:43 PM
God, I'm so confused.

If I do a search in templates for that line, it comes back with 100+ templates. Am I expected to go through every one and check for that securitytoken line?

The only thing that's not working for me is my search.
Then try just adding the line in the templates that look like they are search related. If it's a specific page that isn't working, you can find the list of templates on the page by going into debug mode and looking at the bottom of the page. Or you can just do this: vBOptions > General Settings > Add Template Name in HTML Comments > set to Yes. Then go back to your page and view the source code, and you will see the name of the template called around your part of the code.

Eclyps19
06-21-2009, 02:42 AM
That line is in the templates related to the search portion. Are there any other suggestions?

yahya komeet
09-27-2009, 05:42 AM
It is useful information. Thank you.

whaase
11-01-2009, 11:12 PM
What do you do if only a few users have the issue and no one else?

gnagplank6
11-10-2009, 10:46 AM
Guys,

Lynne directed me to this thread and after over a week of no one responding to my cries for help my problem is solved.

THANK YOU LYNNE!!!!!:):D

Users were getting a Security Token message when they tried to use the search function and this thread helped rectify the issue within a short amount of time. As an FYI we are running VB 3.8+ over at our place.

pablete
12-27-2009, 03:31 PM
Hello, I have a problem with the security token in IBPROarcade. When I go to submit the score, it shows on this page of the forum. I have vB 4.

foro/index.php?act=Arcade&do=newscore

Which template do I have to modify to fix that?

Thanks

Lynne
12-27-2009, 05:28 PM
Hello, I have a problem with the security token in IBPROarcade. When I go to submit the score, it shows on this page of the forum. I have vB 4.

foro/index.php?act=Arcade&do=newscore

Which template do I have to modify to fix that?

Thanks
Questions/Problems regarding modifications need to be asked in the modification thread. That is where the support for modifications is - not out here in the main forums. Please note that if a modification is unsupported (or even if it says it is supported), you may be on your own if you choose to install it.

psypher
01-15-2010, 08:59 PM
I am creating an application form that posts info to my officer forums. It was very easy to make in SMF but I keep getting the security token error when doing it in VB4 gold.

<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################

define('THIS_SCRIPT', 'epeen_application.php');
define('CSRF_PROTECTION', true);

..... blah blah

// ###### YOUR CUSTOM CODE GOES HERE #####
$pagetitle = 'ePeen Application';
$application_form = '<div id="appForm">
<div id="innerGutsApp">
<form id="ePeenApp" class="appnitro" method="post" action="submit_app.php">
<div class="form_description">
<h2>ePeen Application</h2>
<p>Flex Your ePeen Here!</p>
</div>
...
... blah blah

<li class="buttons">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="form_id" value="111237" />
<input id="saveForm" class="button_text" type="submit" name="submit" value="Submit" />
</li>
</ul>
</form>
</div>
</div>';

// ###### NOW YOUR TEMPLATE IS BEING RENDERED ######
$templater = vB_Template::create('ePeen_application');
$templater->register_page_templates();
$templater->register('navbar', $navbar);
$templater->register('pagetitle', $pagetitle);
$templater->register('application_form', $application_form);
print_output($templater->render());

?>

I have what is required but I still get the security token error. Any idea how I can make this work? I have tried taking the form out of my php file and put it directly into the template with no change. I need to get this site done and this is one of my last road blocks.
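As an added example (not code from the post above, and not vBulletin's own code): in PHP a single-quoted string is never interpolated, so a form string written as '... value="$bbuserinfo[securitytoken]" ...' hands the literal text $bbuserinfo[securitytoken] to whatever renders it, and the browser then submits that literal instead of the real token. A heredoc keeps the same variable names but resolves them when the string is built, and it needs no escaping of the HTML's double quotes. The $session and $bbuserinfo arrays below are constructed stand-ins for vBulletin's globals, with placeholder values, so the script runs on its own.

```php
<?php
// Added example: build a vBulletin-style form string in PHP so that the
// hidden session and CSRF fields are actually filled in. Not vBulletin code.

// Constructed stand-ins for vBulletin's $session and $bbuserinfo globals.
$session    = array('sessionhash'   => 'SESSIONHASH-PLACEHOLDER');
$bbuserinfo = array('securitytoken' => 'SECURITYTOKEN-PLACEHOLDER');

// Single quotes: PHP does not interpolate, so the placeholder text survives
// verbatim and the rendered page carries "$bbuserinfo[securitytoken]".
$broken = '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />';

// Heredoc: interpolates like a double-quoted string ("$arr[key]" is valid
// simple syntax), while the HTML's own double quotes need no escaping.
$fixed = <<<HTML
<form id="ePeenApp" class="appnitro" method="post" action="submit_app.php">
    <input type="hidden" name="s" value="$session[sessionhash]" />
    <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
    <input id="saveForm" class="button_text" type="submit" name="submit" value="Submit" />
</form>
HTML;

/**
 * Self-check a mod author can run before registering the string with a
 * template: any surviving "$name[" means interpolation never happened.
 */
function has_unresolved_placeholder($html)
{
    return preg_match('/\$[A-Za-z_][A-Za-z0-9_]*\[/', $html) === 1;
}

echo 'single-quoted string unresolved: ';
var_dump(has_unresolved_placeholder($broken));
echo 'heredoc form unresolved: ';
var_dump(has_unresolved_placeholder($fixed));
echo $fixed, "\n";
```

Run it with the PHP CLI; the first check reports true (the placeholder is still there), the second reports false and the printed form carries the placeholder values from the two arrays. The same check applied to the final rendered page source is a quick way to tell a missing token apart from a wrong one.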

niteflyer32
02-11-2010, 04:25 AM
using vBulletin version 3.8.1.

We have some users using IE and Firefox who get this security token error when trying to upload images. Our footer has the code below in it.

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

Thank you for any help

Dylanblitz
02-14-2010, 07:13 PM
using vBulletin version 3.8.1.

We have some users using IE and Firefox who get this security token error when trying to upload images. Our footer has the code below in it.

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

Thank you for any help

Just putting that in the footer won't help. It has to be within the <form>...</form> properties of what you are doing. If it is outside of the form properties it will be disregarded for that form and considered to be part of something else.
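The point made in the reply above, shown as an added example that is not vBulletin's code: a browser only submits the controls that are descendants of the <form> element being submitted, so hidden fields pasted into a footer, after the form has closed, never arrive in $_POST and the token comparison fails. The two HTML fragments are constructed samples, the token and session values are placeholders, and csrf_check_passes() is a simplified stand-in for the server-side comparison, not vBulletin's implementation.

```php
<?php
// Added example, not vBulletin code: which fields does a browser actually
// POST for a given form, and does a simplified token check accept them?

// Constructed sample 1: hidden fields pasted into the page footer.
$token_in_footer = <<<'HTML'
<form id="upload" method="post" action="newattachment.php">
    <input type="file" name="attachment" />
    <input type="submit" name="upload" value="Upload" />
</form>
<div id="footer">
    <input type="hidden" name="securitytoken" value="TOKEN-PLACEHOLDER" />
    <input type="hidden" name="s" value="SESSION-PLACEHOLDER" />
</div>
HTML;

// Constructed sample 2: the same fields moved inside the form element.
$token_in_form = <<<'HTML'
<form id="upload" method="post" action="newattachment.php">
    <input type="hidden" name="securitytoken" value="TOKEN-PLACEHOLDER" />
    <input type="hidden" name="s" value="SESSION-PLACEHOLDER" />
    <input type="file" name="attachment" />
    <input type="submit" name="upload" value="Upload" />
</form>
<div id="footer"></div>
HTML;

/**
 * Fields a browser sends when the form with $form_id is submitted:
 * name => value for every <input> nested inside that form, nothing else.
 */
function submitted_fields($html, $form_id)
{
    libxml_use_internal_errors(true);   // the fragment has no <html>/<body>
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $fields = array();
    foreach ($doc->getElementsByTagName('form') as $form) {
        if ($form->getAttribute('id') !== $form_id) {
            continue;
        }
        foreach ($form->getElementsByTagName('input') as $input) {
            $fields[$input->getAttribute('name')] = $input->getAttribute('value');
        }
    }
    return $fields;
}

/**
 * Simplified stand-in for the server-side check: the POST must carry a
 * securitytoken equal to the one stored for the user. Constant-time compare.
 */
function csrf_check_passes(array $post, $expected_token)
{
    if (!isset($post['securitytoken']) || !is_string($post['securitytoken'])) {
        return false;
    }
    return hash_equals($expected_token, $post['securitytoken']);
}

$samples = array('token in footer' => $token_in_footer, 'token in form' => $token_in_form);
foreach ($samples as $label => $html) {
    $post = submitted_fields($html, 'upload');
    printf("%-15s POSTs [%s] -> token check %s\n",
        $label,
        implode(', ', array_keys($post)),
        csrf_check_passes($post, 'TOKEN-PLACEHOLDER') ? 'passes' : 'fails');
}
```

For the footer sample only attachment and upload are submitted and the check fails; for the in-form sample securitytoken and s are included and the check passes. Running the parser over a real page's source (with the form id of the upload form) is a quick way to confirm where the hidden fields ended up.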

niteflyer32
02-17-2010, 06:53 AM
So for a member uploading pics to a post, where in the template code would I add the new code?

Where is the form for uploading pics?

Thanks

AfterWorldForum
06-21-2010, 06:05 PM
For those wondering how to do this in vB4, if you have not done so already, in every form you have within your home-made mods, where before you would have placed:


<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />


Now use:


<input type="hidden" name="s" value="{vb:raw session[sessionhash]}" /><input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo[securitytoken]}" />


I just spent quite a bit of time trying to figure out what exactly was wrong, and figured this might save someone some time.

Cheers.

Peter

mathewka010
08-29-2010, 06:02 AM
For those wondering how to do this in vB4, if you have not done so already, in every form you have within your home-made mods, where before you would have placed:


<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />


Now use:


<input type="hidden" name="s" value="{vb:raw session[sessionhash]}" /><input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo[securitytoken]}" />


I just spent quite a bit of time trying to figure out what exactly was wrong, and figured this might save someone some time.

Cheers.

Peter

Hi there,

Thanks for that, so are you saying delete

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

and replace it with

<input type="hidden" name="s" value="{vb:raw session[sessionhash]}" /><input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo[securitytoken]}" />


Thanks Mat

keharris53
08-29-2010, 03:38 PM
Hi,
When attempting to upload a pdf file, I get the missing security token error message. When I tried a different file type (png), I didn't receive the error. I've checked the attachment related templates and the codes mentioned are there. Any ideas? Thank you!

Ken

Disregard this. The problem is that the pdf file is too large. Right now my server has an upload limit in the php.ini of 24MB. The file I was going to upload is about 32MB...

go2phil
07-19-2011, 02:57 AM
I realize this is an old issue, but how do you add CSRF support to pages that are not posted, but the page decides what to display based on a url parameter?

For example, this works 'thesecool.php?do=apples' (using 'do').

But, 'thesecool.php?s=apples' will do an auto-logout and force the user back to the login screen.

However, if I change it to 'thesecool.php?s=apples&do=apples' (trying to get the 'do' back) - that still doesn't work even though the 'do' parameter is there - and it does an auto-logout and forces the user back to the login screen.

So with a 'post' without a <form> to pass variables...but you're passing url parameters...how do you add the security token?

EDIT:
Apparently, using 's' as a parameter is a bad thing. I changed my 's' (just arbitrarily used it, could have been anything) to a 'do' and everything works. Not sure why 's' would be an issue. Very strange. I should mention that I've used 'b', 'd', 'y', 'm', etc. without problems on other pages; doesn't make sense to me.

Marco64Th
08-19-2011, 08:47 AM
EDIT:
Apparently, using 's' as a parameter is a bad thing. I changed my 's' (just arbitrarily used it, could have been anything) to a 'do' and everything works. Not sure why 's' would be an issue. Very strange. I should mention that I've used 'b', 'd', 'y', 'm', etc. without problems on other pages; doesn't make sense to me.

I hope you do realize that the answer to that question is on this very same page. 's' is the parameter name used by vBulletin for the session hash.

vB3:
<input type="hidden" name="s" value="$session[sessionhash]" />
vB4:
<input type="hidden" name="s" value="{vb:raw session[sessionhash]}" />

In general, when dealing with vBulletin you should avoid custom parameters using a single character, as vBulletin uses many of them as shorthand notations. For example: t for thread, p for post, f for forum, etc.

Silver_2000_)!
04-23-2012, 03:39 AM
I'm getting the security token errors on 3.8.7.
Running the query shows most templates all of a sudden need editing, BUT when I check them they all have the required code.

I'm lost.

The error I'm getting is

Script Call Backtrace
=====================
#0 /home/xxx/public_html/vbforum/includes/functions.php line 2704: eval()
#1 /home/xxx/public_html/vbforum/global.php line 379: fetch_error(security_token_missing,sendmessage.php )
#2 /home/xxx/public_html/vbforum/newattachment.php line 42: require_once(/home/xxx/public_html/vbforum/global.php)
#3 /home/xxx/public_html/vbforum/vbseo.php line 1397: require(/home/xxxxx/public_html/vbforum/newattachment.php)

POST Variables
==============
Array
(
[securitytoken] =>
[ajax] => 0
)

Request URI
===========
/vbforum/newattachment.php?do=manageattach&p=


any ideas are welcome

sweptwingnut
08-08-2013, 02:21 PM
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.


Thank You!

I was getting the Security Token error in the NavBar Search and Quicklinks/Mark Forums Read. I opened my Header Template, found the value="$session[sessionhash]" within the 'NavBar Popup Menus' section and added the security token code you quoted.

Search function fixed.

Quicklinks/Mark Forums read still generating a security token issue. Suggestions?
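The template procedure quoted in the post above (search for value="$session[sessionhash]", add the securitytoken line directly after it unless it is already there), written out as an added example script that is not vBulletin's code. It takes a template's source text and returns the patched text plus the number of lines inserted; it is idempotent, so a second run over the same template inserts nothing. The template fragments are constructed samples in the vB3 syntax the quoted post uses; for vB4 templates the two constants would hold the {vb:raw ...} forms instead.

```php
<?php
// Added example, not vBulletin code: mechanise the "add the securitytoken
// field after every $session[sessionhash] field" procedure for one template.

// Nowdoc/single quotes everywhere: the template text must keep the literal
// "$session[...]" and "$bbuserinfo[...]" placeholders for vBulletin to fill in.
define('SESSION_FIELD', 'value="$session[sessionhash]"');
define('TOKEN_FIELD',   '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />');

/**
 * Return array(patched_template, lines_inserted). A token line is inserted
 * after each line containing SESSION_FIELD unless that line or the following
 * one already names the securitytoken field.
 */
function add_security_token($template)
{
    $lines    = preg_split('/\r\n|\n|\r/', $template);
    $out      = array();
    $inserted = 0;
    $count    = count($lines);
    for ($i = 0; $i < $count; $i++) {
        $out[] = $lines[$i];
        if (strpos($lines[$i], SESSION_FIELD) === false) {
            continue;
        }
        $next = ($i + 1 < $count) ? $lines[$i + 1] : '';
        if (strpos($lines[$i], 'name="securitytoken"') !== false
            || strpos($next, 'name="securitytoken"') !== false) {
            continue;   // already protected, leave the template alone
        }
        preg_match('/^\s*/', $lines[$i], $indent);   // keep the line's indentation
        $out[] = $indent[0] . TOKEN_FIELD;
        $inserted++;
    }
    return array(implode("\n", $out), $inserted);
}

// Constructed sample: a navbar search form that lacks the token field.
$navbar_search = <<<'TPL'
<form action="search.php?do=process" method="post">
    <input type="hidden" name="do" value="process" />
    <input type="hidden" name="s" value="$session[sessionhash]" />
    <input type="text" class="bginput" name="query" size="25" />
    <input type="submit" class="button" value="$vbphrase[go]" />
</form>
TPL;

list($patched, $n) = add_security_token($navbar_search);
echo "first pass inserted $n line(s):\n$patched\n\n";

// Second pass over the patched text must be a no-op.
list($again, $m) = add_security_token($patched);
echo "second pass inserted $m line(s), text unchanged: ", ($again === $patched ? 'yes' : 'no'), "\n";
```

The first pass reports one inserted line, placed right under the session field with the same indentation; the second pass reports zero and leaves the text identical. Because templates live in the database, the practical use is to paste a template's source in, run the script, and paste the result back through the Admin CP editor rather than to write to the database directly.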