PDA

View Full Version : Post from non VB code - How to implement with Security Tokens?


wdwms
05-14-2008, 01:59 PM
Greetings,

We had a number of pages on our site that would allow people to post pre-formatted data to specific forums and threads. This was done so that uses using our model collection system could easily post a list of those models they have for sale to a forum. These systems worked great until 3.7 was introduced, now all of our custom code does not work thanks to security tokens.

So my question is this, what do I have to do to modify our NON VB code [these are stand-alone php files, these are NOT mods] in order to get the security token to work? In other words, what php code is needed so that I can have the proper security token value filled in when I create the HTML form to post back to vb?

Is there a way to set CSRF protection to "false" just for these specific php files? that would probably be the easiest..

Thanks!

Todd

--------------- Added 1210778820 at 1210778820 ---------------

Well i'm trying to find a solution and i'm close... i've got my custom code creating the token via this format which I found in the vbcode:

$user['securitytoken'] = sha1($user['userid'] . sha1($user['salt']) . sha1(COOKIE_SALT));

I've got the tokens matching now, just a matter of getting the html form stuff correct.

-t

MoT3rror
05-14-2008, 05:09 PM
<a href="https://vborg.vbsupport.ru/showthread.php?t=177013" target="_blank">Here is the article </a>about the new security token being put in if you need it.

gosborne
06-12-2008, 08:54 AM
Sorry to drag this one back up, but this is wht I need to do, though mine is from non php, perl-generated pages.

So, if I'm correct, each user has a unique userid which is made up of :

sha1($user['userid'] . sha1($user['salt']) . sha1(COOKIE_SALT))

Where do I find these values? are they stored in the mysql database or cookies or somewhere else?

thanks

Opserty
06-12-2008, 09:14 AM
Use the search feature: https://vborg.vbsupport.ru/showthread.php?t=181631&highlight=COOKIE_SALT ;)

userid and salt are stored in the user table of the database.

gosborne
06-12-2008, 09:53 AM
Use the search feature: https://vborg.vbsupport.ru/showthread.php?t=181631&highlight=COOKIE_SALT ;)

userid and salt are stored in the user table of the database.

Thank you for your quick reply

I should have made it clearer - I know how to get the userid and salt etc, but concatt hem all together doesn't make the security token. What I guess I need to know is what the sha1(x) thing is doing to those individual elements to make the componenent parts.

edit -- wikipedia to the rescue -- just need to see if some lovely person has written a perl modult

cheers all

--------------- Added 1213268247 at 1213268247 ---------------

Perl modules found for any one else wanting them http://search.cpan.org/search?query=sha1&mode=all

--------------- Added 1213272299 at 1213272299 ---------------

I'm going to have to give up on this.

Let me double check.


First I presume sha1 is hex judging by token I have

OKay So I sha1 the user's salt (which is a three character string, of various types, yes?) -lets say it comes out as AAAAA

then I sha1 the cookiesalt, which is the same as my vb license as show at the top of functions.php - lets say the result is BBBBB.

The userid, which is a variable length number - my admin one is '1', so i'll use that as an example

the resultant string is 1AAAAAABBBBBB, which i then sha1

is this corrent, or am i reading the whole thing wrong


thanks for any help

cheers