-   -   Administrative and Maintenance Tools - Security Token Notification (https://vborg.vbsupport.ru/showthread.php?t=177017)

Boofo 05-15-2008 11:56 AM

Quote:

Originally Posted by soulface (Post 1512690)
Code:

Missing or Invalid Security Token detected.
 
Script Call  Backtrace
=====================
#0  /home/doshomik/public_html/includes/functions.php line 2528: eval()
#1  /home/doshomik/public_html/includes/init.php line 417:  fetch_error(security_token_missing,ltr,sendmessage.php)
#2  /home/doshomik/public_html/admincp/global.php line 34:  require_once(/home/doshomik/public_html/includes/init.php)
#3  /home/doshomik/public_html/admincp/newsproxy.php line 25:  require_once(/home/doshomik/public_html/admincp/global.php)
 
POST  Variables
==============
Array
(
    [ajax] => 1
    [securitytoken] =>
)
 
Request  URI
===========
/admincp/newsproxy.php

OK, can anyone describe in normal language (:p) how I can identify which hack is causing the problem by seeing this msg?

thx

Look for this file maybe?

newsproxy.php

J98680Bxxxxx 05-24-2008 09:27 AM

Thanks Andreas for this Mod. At least it is pointing users to possible files that need to be debugged.

I have just installed (finalupgrade vB 3.7 CR3 ->) vB 3.7 Gold and the vBlog 1.0.5. Smooth installation completed and navigating through the site works fine, until one member tried to post a Blog entry. :( "Your submission could not be processed because a security token was missing or mismatched."

I have browsed through and read all threads at vB.com and vB.org regarding this issue and ended up here (via Boofo's referral in one of those many threads).

Here is what I got in my logs:

Code:

Missing or Invalid Security Token detected.

Script Call Backtrace
=====================
#0 /home/++++++++++/public_html/forum/includes/functions.php line 2528: eval()
#1 /home/++++++++++/public_html/forum/includes/init.php line 417: fetch_error(security_token_missing,ltr,sendmessage.php)
#2 /home/++++++++++/public_html/forum/global.php line 20: require_once(/home/++++++++++/public_html/forum/includes/init.php)
#3 /home/++++++++++/public_html/forum/blog_post.php line 111: require_once(/home/++++++++++/public_html/forum/global.php)

POST Variables
==============
Array
(
    [title] => Just testing
    [message] => Just testing<br>
    [wysiwyg] => 1
    [s] =>
    [do] => updateblog
    [b] =>
    [posthash] => 019bc6a36c2d9a5ea4c8fd568e55ccc1
    [poststarttime] => 1211619819
    [loggedinuser] => 1
    [sbutton] => Post Now
    [allowcomments] => 1
    [status] => publish_now
    [publish] => Array
        (
            [month] => 5
            [day] => 24
            [year] => 2008
            [hour] => 08
            [minute] => 25
        )

    [parseurl] => 1
    [emailupdate] => email
    [blogid] =>
    [securitytoken] =>
)

Request URI
===========
/forum/blog_post.php?do=updateblog

A similar issue has been reported at vB.com (here).

The files (functions.php, init.php, sendmessage.php, global.php, blog_post.php) listed above are brand new (i.e. directly obtained from the finalupgrade).

All templates & styles up-to-date. All those security tokens are already present in files containing forms. All Mods & Plug-ins disabled.

:confused: What's going on with this vB 3.7 Gold? Has anyone figured out a good medicine for this "CSRF Protection"?

In the meantime, I have just taken vB 3.7 Gold out of my forum and put back in place my vB 3.7 CR3 - working fine.

J98680Bxxxxx 05-25-2008 11:13 AM

Quote:

Originally Posted by Mike-D (Post 1498602)
Security Tokens are small Hardware Devices that owners carry to authorize access to a Network Service. That means: Security Tokens provide an extra level of assurance thru a method known as TFA (Two-Factor Authentication). In this case the user has a PIN (Personal Identification Number) which authorizes them as the owner of that particular device. So the device then shows a number which uniquely identifies the user to the service and allows them to log in. The identification number for each user is changed frequently, usually every 3 mins. See also Wikipedia :)

I am definitely one of those who is not using a Security Token. Thus, from all 56 ".php" files in the "vB 3.7/upload" directory, I have changed all those
define('CSRF_PROTECTION', true);
to ->
define('CSRF_PROTECTION', false);

All my mods and plug-ins are working fine again and the board is running smoothly.

It will be good if the vBulletin Development team could give an option in the Admin CP (->vBulletin Options) to switch on/off this "CSRF_PROTECTION" depending on whether a customer uses a Security Token or not. This, as few people are actually using a "security token".

Andreas 05-25-2008 11:35 AM

DO NOT REMOVE THIS CONSTANT FROM vBulletin SCRIPTS
Never!

The Wikipedia article Mike-D posted is about smth. else.

If you are using the default style, unmodified files and no plugins you should not have any problems.
If you do have problems, please make sure that all your plugins and templates are up to date.

As you can clearly see from the E-Mail, the token is missing!
Please check again if all your templates are up-to-date.
If they are please repeat this step until you have found the one that is not up-to-date.

J98680Bxxxxx 05-25-2008 11:42 AM

Quote:

Originally Posted by Andreas (Post 1530854)
DO NOT REMOVE THIS CONSTANT FROM vBulletin SCRIPTS
Never!

The Wikipedia article Mike-D posted is about smth. else.

If you are using the default style, unmodified files and no plugins you should not have any problems.
If you do have problems, please make sure that all your plugins and templates are up to date.

As you can clearly see from the E-Mail, the token is missing!
Please check again if all your templates are up-to-date.
If they are please repeat this step until you have found the one that is not up-to-date.


The constant is there, but set to false, until vBulletin Team comes out with a non retarded solution.

Andreas 05-25-2008 11:47 AM

Being false is even worse than not being there at all - as that will also disable the POST referrer whitelist check.

So with this setup your board is more insecure than 3.6.9/3.7.0 RC 3.

Fixing your issues is quite simple: Upload all original non-image files, revert all templates and disable the plugin system.
If there are still issues afterwards, open a support ticket @ vbulletin.com

If you do not want to go this route, you will have to fix the installed modifications/templates yourself - refer to the article about CSRF protection.
Detailed instructions have been posted there.

Paul M 05-25-2008 11:56 AM

Quote:

Originally Posted by J98680B2423E (Post 1530836)
I am definitely one of those who is not using a Security Token. Thus, from all 56 ".php" files in the "vB 3.7/upload" directory, I have changed all those
define('CSRF_PROTECTION', true);
to ->
define('CSRF_PROTECTION', false);

That's a bit like deciding to remove all the locks from the doors to your house in the hope that no one will try and break in. Not a very good idea.

stinger2 05-25-2008 09:32 PM

Quote:

#0 /home/xxxxxxxxxx/www/forums/includes/functions.php line 2529: eval()
#1 /home/xxxxxxxxxxx/www/forums/includes/init.php line 418: fetch_error(security_token_missing,ltr,sendmessage.php)
#2 /home/xxxxxxxxxx/www/forums/global.php line 21: require_once(/home/xxxxxxxxxxxxx/www/forums/includes/init.php)
#3 /home/xxxxxxxxxx/www/forums/reputation.php line 46: require_once(/home/xxxxxxxxxxxx/www/forums/global.php)
#4 /home/xxxxxxxxx/php-cgi/phphandler line 37: include(/home/xxxxxxxxxx/www/forums/reputation.php)

POST Variables
==============
Array
(
[ajax] => 1
[securitytoken] =>
)

Request URI
===========
/forums/reputation.php?p=296211

Quote:

Missing or Invalid Security Token detected.

Script Call Backtrace
=====================
#0 /home/xxxxxxxx/www/forums/includes/functions.php line 2529: eval()
#1 /home/xxxxxxxxxx/www/forums/includes/init.php line 418: fetch_error(security_token_missing,ltr,sendmessage.php)
#2 /home/xxxxxxxxx/www/forums/global.php line 21: require_once(/home/xxxxxxxxxxxx/www/forums/includes/init.php)
#3 /home/xxxxxxxxxx/www/forums/search.php line 53: require_once(/home/xxxxxxxxxx/www/forums/global.php)
#4 /home/xxxxxxxxxxxx/php-cgi/phphandler line 37: include(/home/xxxxxxxxxx/www/forums/search.php)

POST Variables
==============
Array
(
[s] =>
[do] => process
[sortby] => lastpost
[forumchoice] => 0
[query] => shottas
[securitytoken] =>
)

Request URI
===========
/forums/search.php


I keep getting different missing security token messages........and I don't know how to deal with them.............is this normal, should we do something about it?

I get a message or two from members saying they got the message....can anyone explain why these different messages? Every one from a different php.

Boofo 05-25-2008 09:38 PM

Andreas, is there a way to set this hack up to be a little more specific on where the error is coming from maybe? That might help narrowing it down a bit in some places. I have gotten only a couple but they are in weird places as far as I can tell. One was even from the editpost.php and I don't have any hacks touching that.

stinger2 05-27-2008 03:39 PM

Quote:

Originally Posted by Boofo (Post 1531313)
Andreas, is there a way to set this hack up to be a little more specific on where the error is coming from maybe? That might help narrowing it down a bit in some places. I have gotten only a couple but they are in weird places as far as I can tell. One was even from the editpost.php and I don't have any hacks touching that.


I second that.........in other words................exactly what i wanted
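
The notifications quoted in this thread all share one layout (backtrace, POST variables, request URI), so a batch of them can be grouped by the script that was requested and by the state of the `securitytoken` field. The Python below is an added example, not part of the mod or of any post in this thread; the sample text is constructed (backtrace omitted, since the request URI already names the script), and the labels `ajax`/`form` and `absent`/`empty`/`mismatch` are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

MARKER = "Missing or Invalid Security Token detected."
VAR = re.compile(r"^[ \t]*\[(\w+)\] =>[ \t]*(.*)$", re.M)  # "[key] => value"
URI = re.compile(r"Request\s+URI\s*\n=+\s*\n(\S+)")
# Constructed sample: two notifications in the layout quoted in this thread.
SAMPLE = """Missing or Invalid Security Token detected.
POST Variables
==============
Array
(
    [do] => updateblog
    [securitytoken] =>
)
Request URI
===========
/forum/blog_post.php?do=updateblog
Missing or Invalid Security Token detected.
POST Variables
==============
Array
(
    [ajax] => 1
    [securitytoken] =>
)
Request URI
===========
/forum/reputation.php?p=1
"""

def parse_report(block):
    """Return (requested script, request kind, token state) for one report."""
    post = {k: v.strip() for k, v in VAR.findall(block)}
    uri = URI.search(block)
    script = urlsplit(uri.group(1)).path if uri else "(unknown)"
    # absent: field never sent; empty: sent without a value; mismatch: value rejected
    tok = post.get("securitytoken")
    token = "absent" if tok is None else "mismatch" if tok else "empty"
    kind = "ajax" if post.get("ajax") == "1" else "form"
    return script, kind, token

def triage(text):
    """Count reports per (script, kind, token state) to show where to look first."""
    return Counter(parse_report(b) for b in text.split(MARKER) if b.strip())

if __name__ == "__main__":
    for key, n in triage(SAMPLE).most_common():
        print(n, *key)
```

Scripts that recur with an `empty` token are the first places to compare templates and plugins against the stock files.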


All times are GMT.