vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Programming Articles (https://vborg.vbsupport.ru/forumdisplay.php?f=188)
-   -   Implementing CSRF Protection in modifications (https://vborg.vbsupport.ru/showthread.php?t=177013)

Outbackmark 10-08-2008 11:38 AM

I had the same trouble this took care of it -
Open the template "onetouchban" in Styles and Templates/edit templates -
Find
Code:

<form action="misc.php" method="post" name="spamconfirm" id="spamconfirm">
On the NEXT line insert -
Code:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Save and edit the same in other styles if you have more than one running.
No more errors - Remember to turn off the IP ban for your test run or you may ban your own IP!!

I also had a security token pop up in a style that has not been updated with the onset of daylight savings in some parts of the world.
The error occurs when the time tries to adjust to daylight savings on profile.php?do=dst.
This is incorporated into the footer template and the security token needs to go on the next line after -
Code:

<input type="hidden" name="s" value="$session[sessionhash]" />

Ohiosweetheart 10-12-2008 06:20 PM

Has anyone gotten this security token error when you click on "Go Advanced" on the QuickReply editor?

If so, what template did you have to edit, (or what form in what template) to fix it??

EDIT - Never mind. I found it. I reverted the Showthread template and it's now fixed. :)

perfphysio 10-24-2008 08:11 PM

Hi guys, I have a second site that uses a small bit of code at the top to search my forum. Basically you type the search term on my site, hit search and it feeds that info to the search page on my forum and opens a new window on the forum with the results.

It works fine with the user not logged in to the forum when searching from the other site, but when the user is also logged in to the forum and is then also searching from the other site I get the error

"Your submission could not be processed because a security token was invalid."

I tried commenting out the lines
Code:

<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

from my search_forums template but this made no difference

This is my code
Code:

<div class="span-8 push-4 last margin_bottom">
<form id="form" action="http://www.******.com/forum/search.php" method="post" name="search" target="_blank">

<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="process"/>
<input type="hidden" name="quicksearch" value="1"/>
<input type="hidden" name="showposts" value="1"/>

<label for="query">Search</label>
<input type="text" id="search_field" class="text" name="query" size="18" value="" />
<input type="image" src="/**********/templates/******/images/search.gif" />

</form>
</div>

Any ideas on how to work around on this?

skylerj 11-01-2008 11:06 PM

Yeah, exactly the same here. This is crap and not good. I wish more help was around; I see people asking to explain it 5th grade style and they are ignored. GRRR, how many people does it take to scream before something's done???


Quote:

Originally Posted by dirtyfeast (Post 1617131)
I just installed the latest version of vBulletin, have no mods installed, made a test thread, and I can't delete it. I get this security token error. Contact admin it says. Why does this happen on a newly installed forum with no hacks installed. Could it be the template I am using which is ambience.


PoetJA-1975 11-02-2008 12:49 AM

Run the following query and you should see a list of possible templates that need editing - Then you have to edit each template for each installed style manually:

Code:

SELECT templateid, title, styleid
FROM template
WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%'
  AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%'
ORDER BY title ASC, styleid ASC;
Run the query in your AdminCP --> Maintenance --> Execute SQL Query

Hope this helps - but if you are in the position to hire someone - perhaps you might post a thread in the Paid Requests section or check out my design site ;)

Jacquii.


Quote:

Why does this happen on a newly installed forum with no hacks installed. Could it be the template I am using which is ambience.
Yup - it most definitely is; the style needs its template(s) edited.

Kaas 12-02-2008 09:44 PM

I have recently upgraded to the latest vb, I am now having an issue with a "security token". I was redirected to this particular post by vb support.. I am using a "Form" created by Elricstorm called "Elricstorm's World of Warcraft Recruitment Form". I have modified the form to be up to date with the changes in the game; everything works fine, all the changes show up fine, however when attempting to "post" the form I get the security error. I am in no way a programmer, so my question is what do I fix and where...? If this has already been answered somewhere, pointing me there would be great; I searched but came up empty.

I will try and give you the code here.. If anyone can help, and you need more data, please let me know... Thanks a ton..


this is from the top of the form...

PHP Code:

<?xml version="1.0" encoding="ISO-8859-1"?>

<product productid="wow_recruitment" active="1">
    <title><![CDATA[Elricstorm's World of Warcraft Recruitment Form]]></title>
    <description>Damnation guild recruitment form</description>
    <version>2.0.0</version>
    <url>https://vborg.vbsupport.ru/showthread.php?t=1274436</url>
    <versioncheckurl><![CDATA[https://vborg.vbsupport.ru/misc.php?do=checkversion&t=1274436]]></versioncheckurl>
    <dependencies>
        <dependency dependencytype="vbulletin" minversion="3.7.4" maxversion="" />
    </dependencies>
    <codes>
    </codes>
    <templates>
        <template name="wow_form" templatetype="template" date="0" username="" version="1.0.0"><![CDATA[$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
$headinclude
<title>$vboptions[bbtitle] - $formtitle</title>
</head>
<body>
$header
$navbar

<!-- main -->
<if condition="$preview">
<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
    <tr>
        <td class="tcat">
            Preview
        </td>
    </tr>
    <tr>
        <td class="alt1">
            $preview
        </td>
    </tr>
</table>
</if>

<br />
<form name="vbform" action="newthread.php" method="post"<if condition="!is_browser('webtv')"> onsubmit="return vB_Editor['$editorid'].prepare_submit(0, $vboptions[postminchars])"</if>>
<input type="hidden" value="$formname" name="do" />
<input type="hidden" value="submit" name="action" />

<input type="hidden" name="posthash" value="$posthash" />
<input type="hidden" name="poststarttime" value="$poststarttime" />

<style type="text/css">
<!--
.wowtinyc{
    text-align: center;
    text-align: -moz-center;
    font-family: '$fontstyle', cursive;
    font-size: 8pt;
    font-weight: bold;
}
.wowtinyl{
    text-align: center;
    text-align: -moz-center;
    font-family: '$fontstyle', cursive;
    font-size: 8pt;
    font-weight: bold;
}
.wowpc{
    text-align: center;
    text-align: -moz-center;
    font-family: '$fontstyle', cursive;
    font-size: 10pt;
    font-weight: bold;
}
.wowpl{
    text-align: left;
    text-align: -moz-left;
    font-family: '$fontstyle', cursive;
    font-size: 10pt;
    font-weight: bold;
}
.wowsl{
    text-align: left;
    text-align: -moz-left;
    font-family: '$fontstyle', cursive;
    font-size: 9pt;
    font-weight: lighter;
}
.wowsc{
    text-align: center;
    text-align: -moz-center;
    font-family: '$fontstyle', cursive;
    font-size: 9pt;
    font-weight: lighter;
}
-->
</style>

<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
    <tr>
        <td class="tcat" colspan="3">
            $vboptions[bbtitle] - $formtitle
        </td>
    </tr>
    <tr>
        <td class="panelsurround" align="center" colspan="3">
            <table class="panel" cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
                <tr>
                <td align="$stylevar[left]">
                    <fieldset class="fieldset" style="margin:0px">
                        <table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0">
                        <tr>
                            <td>
                                $formpurpose
                            </td>
                        </tr>
                        </table>
                    </fieldset>
                </td>
                </tr>
            </table>
        </td>
    </tr>
</table>


azurekite 12-09-2008 10:43 PM

I'm not sure if this has been suggested yet and I don't care to search through all 10 pages of this to find out.

This is simply what I did to fix my Security Token issues for my custom theme for my board.

Go to your Administrator Control Panel, then choose:

Styles & Templates >> Search in Templates

Inside there you will use the "Find and Replace in Templates" function.

Where it says "Search in Style" you will choose the custom style that is giving you problems.

Where it says "Search for Text" put:

Code:

<input type="hidden" name="s" value="$session[sessionhash]" />
and where it says "Replace with Text" put:

Code:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

Then choose "No" for the "Test Replacement Only" option.

And finally choose "Yes" for the "Case-Insensitive" option. (Just to be sure. =D)


Click Find and then keep hitting next till it updates the skins.

That's what I did and now it works like a charm. =D

C138 Kaysone 01-05-2009 04:08 PM

Ummm, maybe someone should tell me exactly WHERE to put all this stuff... this is like reading Chinese when I can't even read symbols and make out what they mean.. only thing now I'm worrying about is missing security tokens :( think I screwed up big time and lost it all and now I may have to restart over...

but will this fix all token issues or certain areas? I'm trying to figure out why I'm having this one in my flashchat...

flup 01-20-2009 07:51 AM

Quote:

Originally Posted by azurekite (Post 1681983)
I'm not sure if this has been suggested yet and I don't care to search through all 10 pages of this to find out.

This is simply what I did to fix my Security Token issues for my custom theme for my board.

Go to your Administrator Control Panel, then choose:

Styles & Templates >> Search in Templates

Inside there you will use the "Find and Replace in Templates" function.

Where it says "Search in Style" you will choose the custom style that is giving you problems.

Where it says "Search for Text" put:

Code:

<input type="hidden" name="s" value="$session[sessionhash]" />
and where it says "Replace with Text" put:

Code:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

Then choose "No" for the "Test Replacement Only" option.

And finally choose "Yes" for the "Case-Insensitive" option. (Just to be sure. =D)


Click Find and then keep hitting next till it updates the skins.

That's what I did and now it works like a charm. =D

You'd better use the test run first to see which templates are missing the security token and add it manually later. I guess it'll give errors while checking if your page is valid to its DTD when you have double field names.

--------------- Added 01-20-2009 at 10:05 AM ---------------

Here's a list with (default) templates missing the hidden field for the securitytoken. These were found in a 3.7.2 version which was updated from 3.5.4 to 3.7.2. The number in front of the template name is the number of fields to be added in total:

2x calenderjump
1x FAQ
2x FORUMDISPLAY
1x forumjump
1x JOINREQUESTS
1x moderation_filter
1x moderation_posts
1x moderation_threads
1x pm_messagelist
6x SHOWTHREAD
1x tag_cloud_page
1x threadadmin_easyspam_skipped_prune
1x WHOSONLINE

Open each of these templates, search for:
HTML Code:

<input type="hidden" name="s" value="$session[sessionhash]" />
and replace with:
HTML Code:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

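The posts above describe the same check in several forms: Outbackmark's "insert on the next line" edit, PoetJA-1975's SQL query that lists templates containing the session-hash field but not the securitytoken field, azurekite's blanket find-and-replace, and flup's caveat that a blanket replace will double up the field in templates that already carry it. As an added example (not code from this thread, from vBulletin, or from any mod author), the Python script below does that audit over template source text: it reports, per template, how many POST forms lack the securitytoken field (in the same "Nx name" form as flup's list) and patches only those forms, inserting the token on the line after the session field. The template bodies are constructed samples written for this example; the two hidden-field strings are the ones quoted in the thread. Only forms with method="post" are examined, which is what every form quoted in this thread uses; forms that submit by GET are left alone.

```python
import re

# Constructed sample template sources (not vBulletin's real templates). Each
# models the situation in the thread: a form that carries the session-hash
# hidden field and may or may not carry the securitytoken field.
SAMPLE_TEMPLATES = {
    # POST form with the session field but no securitytoken: one field to add
    "onetouchban": (
        '<form action="misc.php" method="post" name="spamconfirm" id="spamconfirm">\n'
        '<input type="hidden" name="s" value="$session[sessionhash]" />\n'
        '<input type="submit" value="Ban" />\n'
        '</form>\n'
    ),
    # two POST forms: the first already fixed, the second not
    "SHOWTHREAD": (
        '<form action="showthread.php" method="post">\n'
        '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />\n'
        '<input type="hidden" name="s" value="$session[sessionhash]" />\n'
        '</form>\n'
        '<form action="postings.php" method="post">\n'
        '<input type="hidden" name="s" value="$session[sessionhash]" />\n'
        '</form>\n'
    ),
    # GET form: not a POST submission, so it is left alone
    "forumjump": (
        '<form action="forumdisplay.php" method="get">\n'
        '<input type="hidden" name="s" value="$session[sessionhash]" />\n'
        '</form>\n'
    ),
}

# The two hidden fields exactly as quoted in the thread.
SESSION_FIELD = '<input type="hidden" name="s" value="$session[sessionhash]" />'
TOKEN_FIELD = '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />'

FORM_RE = re.compile(r'<form\b[^>]*>.*?</form>', re.IGNORECASE | re.DOTALL)
OPEN_TAG_RE = re.compile(r'<form\b[^>]*>', re.IGNORECASE)
POST_RE = re.compile(r'method\s*=\s*["\']?post', re.IGNORECASE)


def needs_token(form):
    """True if this form submits by POST and carries no securitytoken field."""
    open_tag = OPEN_TAG_RE.match(form).group(0)
    return bool(POST_RE.search(open_tag)) and 'name="securitytoken"' not in form


def find_missing(templates):
    """Map template name -> number of POST forms lacking the securitytoken field.
    Templates with nothing to fix are omitted from the result."""
    report = {}
    for name, source in templates.items():
        count = sum(1 for form in FORM_RE.findall(source) if needs_token(form))
        if count:
            report[name] = count
    return report


def format_report(report):
    """Render the report in the 'Nx templatename' style used in the thread."""
    return ["%dx %s" % (count, name) for name, count in report.items()]


def add_token(source):
    """Insert TOKEN_FIELD into every POST form that lacks it, on the line after
    the session field when that field is present. Forms that already carry the
    token are untouched, so running this twice never produces a double field."""
    def patch(match):
        form = match.group(0)
        if not needs_token(form):
            return form
        if SESSION_FIELD in form:
            return form.replace(SESSION_FIELD, SESSION_FIELD + "\n" + TOKEN_FIELD, 1)
        # No session field to anchor on: put the token right after the opening tag.
        open_tag = OPEN_TAG_RE.match(form).group(0)
        return open_tag + "\n" + TOKEN_FIELD + form[len(open_tag):]
    return FORM_RE.sub(patch, source)


if __name__ == "__main__":
    for line in format_report(find_missing(SAMPLE_TEMPLATES)):
        print(line)
    fixed = {name: add_token(src) for name, src in SAMPLE_TEMPLATES.items()}
    print("after patching:", find_missing(fixed))
```

To use this against a real board, export the templates (or read the `template_un` column that PoetJA-1975's query inspects) into the dictionary in place of the samples, run `find_missing` first as the "test run" flup recommends, and only then apply `add_token` to the templates it names. Because the patch is per form rather than per occurrence of the session field, the SHOWTHREAD sample, which has one fixed and one unfixed form, ends up with exactly two token fields, not three.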

ragtek 02-14-2009 06:55 AM

Shouldn't this be posted in vb category and not programming?
Because you can just use this with vB, it has nothing to do with normal "programming".

