vb.org Archive

Implementing CSRF Protection in modifications (https://vborg.vbsupport.ru/showthread.php?t=177013)

niteflyer32 02-11-2010 04:25 AM

Using vBulletin version 3.8.1.

We have some users using IE and Firefox who get this security token error when trying to upload images. Our footer has the code below in it.

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

Thank you for any help

Dylanblitz 02-14-2010 07:13 PM

Quote:

Originally Posted by niteflyer32 (Post 1979732)
Using vBulletin version 3.8.1.

We have some users using IE and Firefox who get this security token error when trying to upload images. Our footer has the code below in it.

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

Thank you for any help

Just putting that in the footer won't help. It has to be within the <form>...</form> properties of what you are doing. If it is outside of the form properties it will be disregarded for that form and considered to be part of something else.

niteflyer32 02-17-2010 06:53 AM

So for a member uploading pics to a post, where in the template code would I add the new code?

Where is the form for uploading pics?

Thanks

AfterWorldForum 06-21-2010 06:05 PM

For those wondering how to do this in vB4, if you have not done so already, in every form you have within your home-made mods, where before you would have placed:

Code:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

Now use:

Code:

<input type="hidden" name="s" value="{vb:raw session[sessionhash]}" /><input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo[securitytoken]}" />

I just spent quite a bit of time trying to figure out what exactly was wrong, and figure this might save someone some time.

Cheers.

Peter

mathewka010 08-29-2010 06:02 AM

Quote:

Originally Posted by AfterWorldForum (Post 2057049)
For those wondering how to do this in vB4, if you have not done so already, in every form you have within your home-made mods, where before you would have placed:

Code:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

Now use:

Code:

<input type="hidden" name="s" value="{vb:raw session[sessionhash]}" /><input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo[securitytoken]}" />

I just spent quite a bit of time trying to figure out what exactly was wrong, and figure this might save someone some time.

Cheers.

Peter

Hi there,

Thanks for that, so are you saying delete

Code:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />

and replace it with

Code:

<input type="hidden" name="s" value="{vb:raw session[sessionhash]}" /><input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo[securitytoken]}" />

Thanks, Mat

keharris53 08-29-2010 03:38 PM

Hi,
When attempting to upload a pdf file, I get the missing security token error message. When I tried a different file type (png), I didn't receive the error. I've checked the attachment related templates and the codes mentioned are there. Any ideas? Thank you!

Ken

Disregard this. The problem is that the pdf file is too large. Right now my server has an upload limit in the php.ini of 24MB. The file I was going to upload is about 32MB...

go2phil 07-19-2011 02:57 AM

I realize this is an old issue, but how do you add CSRF support to pages that are not posted, but the page decides what to display based on a url parameter?

For example, this works 'thesecool.php?do=apples' (using 'do').

But, 'thesecool.php?s=apples' will do an auto-logout and force the user back to the login screen.

However, if I change it to 'thesecool.php?s=apples&do=apples' (trying to get the 'do' back) - that still doesn't work even though the 'do' parameter is there - and it does an auto-logout and forces the user back to the login screen.

So with a 'post' without a <form> to pass variables...but you're passing url parameters...how do you add the security token?

EDIT:
Apparently, using 's' as a parameter is a bad thing. I changed my 's' (just arbitrarily used it, could have been anything) to a 'do' and everything works. Not sure why 's' would be an issue. Very strange. I should mention that I've used 'b', 'd', 'y', 'm', etc. without problems on other pages; doesn't make sense to me.

Marco64Th 08-19-2011 08:47 AM

Quote:

Originally Posted by go2phil (Post 2222285)
EDIT:
Apparently, using 's' as a parameter is a bad thing. I changed my 's' (just arbitrarily used it, could have been anything) to a 'do' and everything works. Not sure why 's' would be an issue. Very strange. I should mention that I've used 'b', 'd', 'y', 'm', etc. without problems on other pages; doesn't make sense to me.

I hope you do realize that the answer to that question is on this very same page. 's' is the parameter name used by vBulletin for the session hash.

vB3:
PHP Code:

<input type="hidden" name="s" value="$session[sessionhash]" />

vB4:
PHP Code:

<input type="hidden" name="s" value="{vb:raw session[sessionhash]}" />

In general, when dealing with vBulletin you should avoid custom parameters using a single character, as vBulletin uses many of them as shorthand notations. For example: t for thread, p for post, f for forum, etc.

Silver_2000_)! 04-23-2012 03:39 AM

I'm getting the security token errors on 3.8.7.
Running the query shows most templates all of a sudden need editing, BUT when I check them they all have the required code.

I'm lost.

The error I'm getting is

Code:

  Script Call Backtrace
  =====================
  #0 /home/xxx/public_html/vbforum/includes/functions.php line 2704: eval()
  #1 /home/xxx/public_html/vbforum/global.php line 379: fetch_error(security_token_missing,sendmessage.php)
  #2 /home/xxx/public_html/vbforum/newattachment.php line 42: require_once(/home/xxx/public_html/vbforum/global.php)
  #3 /home/xxx/public_html/vbforum/vbseo.php line 1397: require(/home/xxxxx/public_html/vbforum/newattachment.php)
 
  POST Variables
  ==============
  Array
  (
      [securitytoken] =>
      [ajax] => 0
  )
 
  Request URI
  ===========
  /vbforum/newattachment.php?do=manageattach&p=

any ideas are welcome

sweptwingnut 08-08-2013 02:21 PM

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.


Thank You!

I was getting the Security Token error in the NavBar Search and Quicklinks/Mark Forums Read. I opened my Header Template, found value="$session[sessionhash]" within the 'NavBar Popup Menus' section and added the security token code you quoted.

Search function fixed.

Quicklinks/Mark Forums read still generating a security token issue. Suggestions?
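As an added audit script (not from this thread or from vBulletin), the following Python parses a template, tracks whether each <form> contains both hidden inputs in the vB3 or vB4 syntax quoted above, and reports inputs left outside any form, which the browser never submits with that form, the cause Dylanblitz identifies in the first reply and the thing Wayne Luke's template search is meant to catch. Field names and accepted values are taken from the thread; the sample template is constructed.

```python
# Added example, not vBulletin's own code: audit vB3/vB4 templates so that every <form>
# carries both hidden inputs, "s" (session hash) and "securitytoken", inside the form.
from html.parser import HTMLParser

# Accepted template values per field, in the vB3 and vB4 syntax quoted in the thread.
EXPECTED = {
    "s": {"$session[sessionhash]", "{vb:raw session[sessionhash]}"},
    "securitytoken": {"$bbuserinfo[securitytoken]", "{vb:raw bbuserinfo[securitytoken]}"},
}

class FormAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []       # one {"action": ..., "fields": set()} per <form>
        self.stray = []       # expected inputs found outside any form (browsers ignore them)
        self._cur = None      # form currently open, or None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "fields": set()}
            self.forms.append(self._cur)
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            name = a.get("name")
            if name in EXPECTED and a.get("value", "") in EXPECTED[name]:
                if self._cur is None:
                    self.stray.append(name)        # e.g. dropped into the footer template
                else:
                    self._cur["fields"].add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_template(html):
    """Return (actions of forms missing a field, names of stray inputs outside forms)."""
    p = FormAuditor()
    p.feed(html)
    missing = [f["action"] for f in p.forms if set(EXPECTED) - f["fields"]]
    return missing, p.stray

# Constructed sample: a complete vB4 form, a form missing the token, and the footer placement.
SAMPLE = """<form action="newattachment.php" method="post">
<input type="hidden" name="s" value="{vb:raw session[sessionhash]}" />
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo[securitytoken]}" />
</form>
<form action="search.php" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
</form>
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />"""
```

Running `audit_template(SAMPLE)` returns `(['search.php'], ['securitytoken'])`: the search form lacks the token, and the footer copy of the token is outside every form.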


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
