vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Programming Articles (https://vborg.vbsupport.ru/forumdisplay.php?f=188)
-   -   Implementing CSRF Protection in modifications (https://vborg.vbsupport.ru/showthread.php?t=177013)

WFZ 05-23-2008 08:35 PM

Does someone wanna fix this on my forum for me? :$

blindmedia ltd 05-25-2008 06:39 AM

Quote:

Originally Posted by WFZ (Post 1529372)
Does someone wanna fix this on my forum for me? :$

Anyone wanna do that on mine too?

J98680Bxxxxx 05-25-2008 11:39 AM

As few people are actually using a security token on forums (boards), it would be good if the vBulletin development team could give an option in the Admin CP (-> vBulletin Options) to switch this "CSRF_PROTECTION" on/off depending on whether a customer uses a security token or not.

I am definitely one of those who is not using a security token on my board (and will not be using it). Thus, in all 56 ".php" files in the "vB 3.7/upload" directory, I have changed every
define('CSRF_PROTECTION', true);
to ->
define('CSRF_PROTECTION', false);

All my mods and plug-ins are working fine again and the board is running smoothly. No need to start chasing the authors of the many mods I have installed for updates.

Andreas 05-25-2008 11:41 AM

Please stop posting this Wikipedia article.
That is something totally different and actually only confuses people!

Paul M 05-25-2008 12:01 PM

Link removed.

I would suggest that people completely ignore what you posted, as it is removing security from vB and thus re-opening the possibility of attack. What you do to make your own forum vulnerable is up to you, but we do not advise others to follow such a bad route.

mehrdad220 05-28-2008 12:53 PM

I am having this problem with the Currentpoll module in VBadvanced; not sure which file I have to edit to get this fixed. Any ideas?

dodge-downunder 05-28-2008 01:24 PM

Well, I'm by no means a coder and I am stuck with this BS.

I've searched the templates, fixed it, but it still happens.

I'm so over this... I really appreciate any assistance. I've read everything, done everything, but can't sort it.

We need a layman's terms walkthrough please!

pooffck1 05-28-2008 07:09 PM

Hi, I am a complete NEWB at this and the only thing that is not working for me is the custom skin I made; it does not support the SEARCH ENGINE in my header. It keeps giving me this message

Quote:

Your submission could not be processed because a security token was missing or mismatched.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.
I have absolutely no idea what is going on with that and I don't understand what this post (first post) is about because it doesn't have the right instructions on what template/php file I need to change, WHAT I NEED TO REPLACE IT WITH, WHERE IS IT?

Someone please help me out on this

Thanks

cache 05-29-2008 04:16 AM

I have followed the instructions, added the code after the <form, and fixed the problem when I do a search. So it is not as bad as before.

However, when the admin tries to delete a thread, this security token error occurs. I don't think there is another <form in the template style; where can I find the problem?

J98680Bxxxxx 05-29-2008 03:16 PM

Quote:

Originally Posted by pooffck1 (Post 1534357)
Hi, I am a complete NEWB at this and the only thing that is not working for me is the custom skin I made; it does not support the SEARCH ENGINE in my header. It keeps giving me this message

I have absolutely no idea what is going on with that and I don't understand what this post (first post) is about because it doesn't have the right instructions on what template/php file I need to change, WHAT I NEED TO REPLACE IT WITH, WHERE IS IT?

Someone please help me out on this

Thanks

Hi Pooffck1,

I am afraid that you will not get a satisfactory answer here, as it seems that no one really knows what is happening with these random messages stating: "Your submission could not be processed because a security token ..."

This CSRF stuff seems to have been done in a big rush. Open a ticket at vB.com and ask their team to proceed with installation and debugging of your site.
:(

--------------- Added 05-29-2008 at 06:48 PM ---------------

Quote:

Originally Posted by Paul M (Post 1530878)
Link removed.

I would suggest that people completely ignore what you posted, as it is removing security from vB and thus re-opening the possibility of attack. What you do to make your own forum vulnerable is up to you, but we do not advise others to follow such a bad route.


If it was such a bad route, it would not have been implemented in a boolean form (choice: true, false), but directly by whatever means in the code. Also it would not have been indicated in the opening post (you "should", not you "MUST"):

Quote:

Originally Posted by Marco van Herwaarden (Post 1497908)
...
PHP Code:

define('CSRF_PROTECTION', true);

With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user; if it is wrong an error message will be shown and execution will halt.

If this value is set to false then all CSRF protection is removed for the file; this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old-style referrer checking being performed.



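As an added illustration of the pattern the quoted post describes (this is example code, not vBulletin's own implementation and not from any post in this thread): a script that opts in with define('CSRF_PROTECTION', true), a form template that carries the securitytoken hidden field right after <form (the edit cache mentions above), and a check that rejects a POST whose token is missing or mismatched. The token derivation, the SECRET_KEY placeholder and the session handling are assumptions made for the example; hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example: the per-file opt-in the quoted post describes.
define('CSRF_PROTECTION', true);

// Assumption: a server-side secret and the logged-in user's id are available.
define('SECRET_KEY', 'replace-with-a-long-random-secret'); // placeholder value
session_start();
$userid = isset($_SESSION['userid']) ? (int)$_SESSION['userid'] : 0;

// Derive a per-user token (assumed scheme; a real board would store one per user).
function fetch_security_token($userid)
{
    return hash_hmac('sha256', 'securitytoken:' . $userid, SECRET_KEY);
}

// True only when the POSTed field is present and equals the user's token.
function verify_security_token($posted, $expected)
{
    if (!is_string($posted) || $posted === '') {
        return false; // missing token
    }
    return hash_equals($expected, $posted); // constant-time comparison
}

$token = fetch_security_token($userid);

// Only POST requests are checked; GET pages still render normally.
if (CSRF_PROTECTION && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $posted = isset($_POST['securitytoken']) ? $_POST['securitytoken'] : '';
    if (!verify_security_token($posted, $token)) {
        header('HTTP/1.1 403 Forbidden');
        exit('Your submission could not be processed because a security token '
           . 'was missing or mismatched.');
    }
    // ... handle the POST normally here ...
}

// Template side: the hidden field sits right after <form ...>. A custom skin
// whose form lacks this field is exactly what produces the error above.
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<input type="hidden" name="securitytoken"
       value="<?php echo htmlspecialchars($token); ?>" />
<input type="text" name="query" />
<input type="submit" value="Search" />
</form>
```

Every form that posts back to a protected script (the search box, the thread delete form the admin uses) needs the same hidden field, which is why fixing one template does not fix the others.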