vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Programming Articles (https://vborg.vbsupport.ru/forumdisplay.php?f=188)
-   -   Implementing CSRF Protection in modifications (https://vborg.vbsupport.ru/showthread.php?t=177013)

PaulSonny 05-05-2008 08:17 PM

Can anyone help me with this problem?

Details of the reported exploit are as follows:

Multiple CSRF Vulnerabilities
=============================

Example
------------------
if ($_REQUEST['do'] == 'deletereply'){
------------------

Because the "delete" command can be executed via a GET request (i.e. a URL in a signature), if a user with permission clicks a specifically crafted link, it can delete something. CSRF.

This is in my HelpCenter modification. I thought I had covered all CSRF issues, but it seems I may have missed something, and I don't know how to correct it, as I've covered everything from this thread.

Thanks, Paul.

Milad 05-06-2008 09:34 AM

Quote:

Originally Posted by PaulSonny (Post 1509706)
Can anyone help me with this problem?

Details of the reported exploit are as follows:

Multiple CSRF Vulnerabilities
=============================

Example
------------------
if ($_REQUEST['do'] == 'deletereply'){
------------------

Because the "delete" command can be executed via a GET request (i.e. a URL in a signature), if a user with permission clicks a specifically crafted link, it can delete something. CSRF.

This is in my HelpCenter modification. I thought I had covered all CSRF issues, but it seems I may have missed something, and I don't know how to correct it, as I've covered everything from this thread.

Thanks, Paul.

Make it via a POST request and use the security token!

dancue 05-06-2008 03:32 PM

I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?

Code:

<!--hide-addon-->
<if condition="$vboptions[disable_ajax] != 2">
<script type="text/javascript"><!--
var hpostid = 0;
var hmax = 0;
var ruf = null;

// Called by the interval timer: when the post list has grown (a quick reply
// was just inserted), request the hidden content for the posts in "call".
function findposts(obj, call) {
    ruf = call;
    var laenge = obj.innerHTML.length;
    if (hmax == 0) {
        hmax = laenge;
    } else if (hmax < laenge) {
        hmax = laenge;
        Rufen(ruf);
    }
}

var hide_aktiv = null;
var unhide = null;
var zahl = 0;
var old;
var postid;

// Sends one POST to showthread.php per post id in the comma-separated list.
function Rufen(posting) {
    if (window.XMLHttpRequest) {
        unhide = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        unhide = new ActiveXObject("Microsoft.XMLHTTP");
    }
    old = posting;
    var postids = posting.split(",");
    if (zahl < postids.length) {
        postid = postids[zahl];
        unhide.open("POST", "showthread.php", true);
        unhide.onreadystatechange = ausgeben;
        unhide.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        // The body carries no securitytoken, so vBulletin's CSRF check rejects it.
        unhide.send("do=whatever&p=" + postid + "&all=" + old);
    } else {
        zahl = 0;
    }
}

// Response handler: replaces the post body with the unhidden content, then
// moves on to the next post id.
function ausgeben() {
    if (unhide.readyState == 4) {
        if (unhide.responseText != 'sid_hide_still_active') {
            document.getElementById("post_message_" + postid).innerHTML = unhide.responseText;
        }
        zahl++;
        Rufen(old);
    } else {
        setTimeout('ausgeben()', 200);
    }
}
//-->
</script>
</if>

Code:

<if condition="$vboptions[disable_ajax] != 2 AND $vboptions[sid_hide_ajax_on] == 1">
<script type="text/javascript">
if (hide_aktiv) window.clearInterval(hide_aktiv);
var hide_aktiv = window.setInterval("findposts(fetch_object('posts'),'$hide_call')", 3000);
</script>
</if>
<div id="hide_fieldset"><fieldset>
    <legend><span class="highlight">$vbphrase[sid_hide_post_hide]</span></legend>
    $hide_img
</fieldset></div>

I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.
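The send step of the addon's Rufen() with the security token included, as an added example that is not code from dancue's post or from the addon itself: the POST body gains a securitytoken field, the same way Dismounted's YUI snippet quoted later in this thread does. The token is taken from vBulletin's SECURITYTOKEN page global but is passed in as a parameter here, and fakeTransport is a constructed stand-in for XMLHttpRequest so the code can run outside a browser.

```javascript
// Builds the form-encoded body for the unhide request. "securitytoken" is the
// value of vBulletin's SECURITYTOKEN global (assumed to be set on the page).
function buildUnhideBody(postid, all, securitytoken) {
    if (typeof securitytoken !== 'string' || securitytoken === '') {
        // vBulletin rejects a token-less POST anyway; fail loudly instead of
        // sending a request that can only produce the security token error.
        throw new Error('SECURITYTOKEN is not available on this page');
    }
    return 'securitytoken=' + encodeURIComponent(securitytoken) +
        '&do=whatever' +
        '&p=' + encodeURIComponent(postid) +
        '&all=' + encodeURIComponent(all);
}

// Drop-in replacement for the open/setRequestHeader/send calls in Rufen().
// "transport" is any object with open(), setRequestHeader() and send(): an
// XMLHttpRequest in the browser, or the fake below offline. Returns the body.
function sendUnhide(transport, postid, all, securitytoken) {
    var body = buildUnhideBody(postid, all, securitytoken);
    transport.open('POST', 'showthread.php', true);
    transport.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    transport.send(body);
    return body;
}

// Constructed stand-in for XMLHttpRequest that only records what was sent.
function fakeTransport() {
    var rec = { method: null, url: null, headers: {}, body: null };
    rec.open = function (method, url) { rec.method = method; rec.url = url; };
    rec.setRequestHeader = function (name, value) { rec.headers[name] = value; };
    rec.send = function (body) { rec.body = body; };
    return rec;
}

// Inside the addon, Rufen() would call:
//   sendUnhide(unhide, postid, old, SECURITYTOKEN);
```

The "all" value is URL-encoded here (the comma becomes %2C), which the server decodes back before the addon's PHP sees it.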

ikki29 05-07-2008 06:30 PM

Quote:

Originally Posted by dancue (Post 1510585)
I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?

Code:

<!--hide-addon-->
<if condition="$vboptions[disable_ajax] != 2">
<script type="text/javascript"><!--
var hpostid = 0;
var hmax = 0;
var ruf = null;

// Called by the interval timer: when the post list has grown (a quick reply
// was just inserted), request the hidden content for the posts in "call".
function findposts(obj, call) {
    ruf = call;
    var laenge = obj.innerHTML.length;
    if (hmax == 0) {
        hmax = laenge;
    } else if (hmax < laenge) {
        hmax = laenge;
        Rufen(ruf);
    }
}

var hide_aktiv = null;
var unhide = null;
var zahl = 0;
var old;
var postid;

// Sends one POST to showthread.php per post id in the comma-separated list.
function Rufen(posting) {
    if (window.XMLHttpRequest) {
        unhide = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        unhide = new ActiveXObject("Microsoft.XMLHTTP");
    }
    old = posting;
    var postids = posting.split(",");
    if (zahl < postids.length) {
        postid = postids[zahl];
        unhide.open("POST", "showthread.php", true);
        unhide.onreadystatechange = ausgeben;
        unhide.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        // The body carries no securitytoken, so vBulletin's CSRF check rejects it.
        unhide.send("do=whatever&p=" + postid + "&all=" + old);
    } else {
        zahl = 0;
    }
}

// Response handler: replaces the post body with the unhidden content, then
// moves on to the next post id.
function ausgeben() {
    if (unhide.readyState == 4) {
        if (unhide.responseText != 'sid_hide_still_active') {
            document.getElementById("post_message_" + postid).innerHTML = unhide.responseText;
        }
        zahl++;
        Rufen(old);
    } else {
        setTimeout('ausgeben()', 200);
    }
}
//-->
</script>
</if>

Code:

<if condition="$vboptions[disable_ajax] != 2 AND $vboptions[sid_hide_ajax_on] == 1">
<script type="text/javascript">
if (hide_aktiv) window.clearInterval(hide_aktiv);
var hide_aktiv = window.setInterval("findposts(fetch_object('posts'),'$hide_call')", 3000);
</script>
</if>
<div id="hide_fieldset"><fieldset>
    <legend><span class="highlight">$vbphrase[sid_hide_post_hide]</span></legend>
    $hide_img
</fieldset></div>

I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.



I agree completely with my fellow member. I use this modification and I also have these problems. It is a product that is very widely used on the forum, and I cannot afford the luxury of removing it, so please help us with this topic. Thanks. PS: As always, I apologize for my English, since I use a Spanish-to-English translator.

scan-pa 05-07-2008 06:45 PM

Yes, a BIG thank you to everyone who got this needed info to us. This fixed all my mods that went down after the move to vB 3.7.0 Gold...

Now the mods I have been running for over 2.5 years are all back online...

dancue 05-08-2008 04:45 PM

Quote:

Originally Posted by Dismounted (Post 1497947)
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.
Code:

YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
        success: this.handle_ajax_response,
        failure: this.handle_ajax_error,
        timeout: vB_Default_Timeout,
        scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);


Could someone please explain this further?

What did this look like before the edit? What are you editing? Is it a template, a plug-in?

juan71287 05-08-2008 11:37 PM

Hi guys, I don't really understand this. What I want to do is make it so this does not show anymore.

https://vborg.vbsupport.ru/external/2008/11/48.jpg

Please help me take that off. Thanks.

Flep 05-09-2008 09:00 AM

Wow! This is a precious thread!

Thank you :)

dssart 05-09-2008 01:30 PM

Greetings all,

Well, you guys are my last hope. I had a mod written for me last year; my forum members love it, and at the moment it's running, but when I upgrade I don't expect it to survive, so I'm trying to get a handle on this so that I can do it myself. The coder has long since disappeared, so help is appreciated.

The beginning of this thread says that:

"To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT."

I have this line at the beginning of my mods .php file:

define('THIS_SCRIPT', 'dataawards_awards');

Do I add this:

define('CSRF_PROTECTION', true);

Directly below that line? Will that solve the entire security token issue, or do I need to hunt for form/posts? Talking about form/posts... is this one?:

$awarddisplay.= '<form action="' . htmlentities($_SERVER['PHP_SELF']) . '?addawards=' . $_REQUEST['addawards'] . '&amp;type=' . $type . '" method="POST">';

If I understand this correctly, I need to find all form/posts (since you are posting and not requesting, thus the need for the security token):

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />


Thanks. I hope I can work through this on my own, but if anyone wants to make some money, I'd rather pay to have it done. PM if interested.

Behzad Varedi 05-10-2008 07:22 PM

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Thanks a lot,

I did what you said and my problem is solved now... :)
Thanks again
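Wayne Luke's template search (find every value="$session[sessionhash]" input and add the securitytoken input directly after it) and dssart's question about which forms need the hidden field, done mechanically over template text, as an added example that is not code from the thread or from vBulletin. It takes a template as a string, skips forms that already carry a securitytoken input, and leaves the sessionhash variable alone where it appears in URLs rather than in a form; the sample template in the test is constructed.

```javascript
// The exact line Wayne Luke says to add after the sessionhash input.
var TOKEN_INPUT = '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />';

// Only <input ... value="$session[sessionhash]"> tags count; the same variable
// inside a link (?s=$session[sessionhash]) is not a form post and gets nothing.
var SESSION_INPUT_RE = /<input\b[^>]*value="\$session\[sessionhash\]"[^>]*>/g;

// Start and end offsets of the <form> ... </form> that surrounds position pos.
function formBounds(template, pos) {
    var start = template.lastIndexOf('<form', pos);
    var end = template.indexOf('</form>', pos);
    return [start < 0 ? 0 : start, end < 0 ? template.length : end];
}

// Returns the patched template text and how many token inputs were added.
// Running it twice is safe: a form that already has the token is skipped.
function addSecurityTokenInputs(template) {
    var out = '';
    var last = 0;
    var added = 0;
    var patchedForms = {};
    var m;
    SESSION_INPUT_RE.lastIndex = 0;
    while ((m = SESSION_INPUT_RE.exec(template)) !== null) {
        var end = m.index + m[0].length;
        var bounds = formBounds(template, m.index);
        var form = template.slice(bounds[0], bounds[1]);
        out += template.slice(last, end);
        if (form.indexOf('name="securitytoken"') === -1 && !patchedForms[bounds[0]]) {
            out += '\n' + TOKEN_INPUT;
            patchedForms[bounds[0]] = true;
            added++;
        }
        last = end;
    }
    out += template.slice(last);
    return { template: out, added: added };
}
```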

