-   -   Implementing CSRF Protection in modifications (https://vborg.vbsupport.ru/showthread.php?t=177013)

Aclikyano 05-17-2008 12:39 AM

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

I did this to avoid editing some of the newer templates, and noticed that SOME templates I had edited before already have it... I'm afraid those now contain the securitytoken hidden input TWICE instead of just ONCE...

Quote:

<input type="hidden" name="s" value="$session[sessionhash]"
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]"
/>
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
How would I only make every template have this ONCE like its supposed to be?

lms 05-17-2008 10:36 AM

Quote:

Originally Posted by dancue (Post 1510585)
I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?

Code:

                                <!--hide-addon-->
                <if condition="$vboptions[disable_ajax] != 2">
                        <script type="text/javascript"><!--
                        var hpostid = 0;
                        var hmax = 0;
                        function findposts(obj,call){
                                ruf = call;
                                var laenge = obj.innerHTML.length;
                                if (hmax == '0'){
                                        hmax = laenge;
                                } else if (hmax < laenge){
                                        hmax = laenge;
                                        Rufen(ruf);
                                }
                        }
                        var hide_aktiv = null;
                        var unhide = null;
                        var zahl = 0;
                        var old;
                        var postid
                        function Rufen(posting){
                                if (window.XMLHttpRequest) {
                                        unhide = new XMLHttpRequest();
                                } else if (window.ActiveXObject) {
                                        unhide = new ActiveXObject("Microsoft.XMLHTTP");
                                }
                                old = posting
                                var postids = posting.split(",");
                                if ( zahl < postids.length){
                                        postid = postids[zahl];
                                        unhide.open("POST", "showthread.php", true);
                                        unhide.onreadystatechange = ausgeben;
                                        unhide.setRequestHeader(
                                                "Content-Type",
                                                "application/x-www-form-urlencoded");
                                        unhide.send("do=whatever&p="+postid+"&all="+old);
                                } else zahl = 0;
                        }

                        function ausgeben() {
                                if (unhide.readyState == 4) {
                                        if (unhide.responseText != 'sid_hide_still_active'){
                                                document.getElementById("post_message_"+postid).innerHTML =
                                                        unhide.responseText;
                                                zahl++;
                                                Rufen(old);
                                        } else {
                                                zahl++;
                                                Rufen(old);
                                        }
                                }
                                else setTimeout('ausgeben()', 200);
                        }
                        //-->
                        </script>
                </if>

Code:

                <if condition="$vboptions[disable_ajax] != 2 AND $vboptions[sid_hide_ajax_on] == 1">
                <script type="text/javascript">
                        if (hide_aktiv) window.clearInterval(hide_aktiv);
                        var hide_aktiv = window.setInterval("findposts(fetch_object('posts'),'$hide_call')", 3000);
                </script>
                </if>
                <div id="hide_fieldset"><fieldset>
                        <legend><span class="highlight">$vbphrase[sid_hide_post_hide]</span></legend>
                        $hide_img
                </fieldset></div>

I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.

Cámbialo por este otro código (change it to this other code):
Code:

                                <!--hide-addon-->
                <if condition="$vboptions[disable_ajax] != 2">
                        <script type="text/javascript"><!--
                        var hpostid = 0;
                        var hmax = 0;
                        function findposts(obj,call){
                                ruf = call;
                                var laenge = obj.innerHTML.length;
                                if (hmax == '0'){
                                        hmax = laenge;
                                        SESSIONURL + 'securitytoken=' + SECURITYTOKEN;
                                } else if (hmax < laenge){
                                        hmax = laenge;
                                        SESSIONURL + 'securitytoken=' + SECURITYTOKEN;
                                        Rufen(ruf);
                                }
                        }
                        var hide_aktiv = null;
                        var unhide = null;
                        var zahl = 0;
                        var old;
                        var postid
                        function Rufen(posting){
                                if (window.XMLHttpRequest) {
                                        unhide = new XMLHttpRequest() + SESSIONURL + 'securitytoken=' + SECURITYTOKEN;
                                } else if (window.ActiveXObject) {
                                        unhide = new ActiveXObject("Microsoft.XMLHTTP") + SESSIONURL + 'securitytoken=' + SECURITYTOKEN;
                                }
                                old = posting
                                var postids = posting.split(",");
                                if ( zahl < postids.length){
                                        postid = postids[zahl];
                                        unhide.open("POST", "showthread.php", true);
                                        unhide.onreadystatechange = ausgeben;
                                        unhide.setRequestHeader(
                                                "Content-Type",
                                                "application/x-www-form-urlencoded");
                                        unhide.send("do=whatever&p="+postid+"&all="+old) + SESSIONURL + 'securitytoken=' + SECURITYTOKEN;
                                } else zahl = 0;
                        }

                        function ausgeben() {
                                if (unhide.readyState == 4) {
                                        if (unhide.responseText != 'sid_hide_still_active'){
                                                document.getElementById("post_message_"+postid).innerHTML =
                                                        unhide.responseText;
                                                zahl++;
                                                Rufen(old);
                                        } else {
                                                zahl++;
                                                Rufen(old);
                                        }
                                }
                                else setTimeout('ausgeben()', 200);
                        }
                        //-->
                        </script>
                </if>

Code:

                <if condition="$vboptions[disable_ajax] != 2 AND $vboptions[sid_hide_ajax_on] == 1">
                <script type="text/javascript">
                        if (hide_aktiv) window.clearInterval(hide_aktiv);
                        var hide_aktiv = window.setInterval("findposts(fetch_object('posts'),'$hide_call')", 3000) + SESSIONURL + 'securitytoken=' + SECURITYTOKEN;
                </script>
                </if>
                <div id="hide_fieldset"><fieldset>
                        <legend><span class="highlight">$vbphrase[sid_hide_post_hide]</span></legend>
                        $hide_img
                </fieldset></div>

A mí me funciona bien (It works fine for me).

Salud2

HearthrobZ 05-21-2008 06:55 AM

This is really a mess! I'm not a professional coder. Could someone please write step-by-step instructions for fixing the "security token missing" error? It would help a lot of people.

Thanks

mikesz 05-21-2008 07:40 AM

I have seen this one before but don't know exactly what triggers it BUT for what its worth,

Find in your footer template the following,


Code:


<if condition="$show['dst_correction']">
<!-- auto DST correction code -->
<form action="profile.php?do=dst" method="post" name="dstform">
        <input type="hidden" name="s" value="$session[sessionhash]" />
        <input type="hidden" name="do" value="dst" />
</form>

It should be:

Code:


<if condition="$show['dst_correction']">
<!-- auto DST correction code -->
<form action="profile.php?do=dst" method="post" name="dstform">
        <input type="hidden" name="s" value="$session[sessionhash]" />
        <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

        <input type="hidden" name="do" value="dst" />
</form>

HTH, mikesz

blindmedia ltd 05-21-2008 03:34 PM

its ok for you all to say do this if people know the code and i dont know

surely as jelsoft screwed up with this they should issue a fix,i installed my 3.7 as a clean 1st time full install and i still get this error

scan-pa 05-21-2008 05:06 PM

Quote:

Originally Posted by blindmedia ltd (Post 1526986)
its ok for you all to say do this if people know the code and i dont know

surely as jelsoft screwed up with this they should issue a fix,i installed my 3.7 as a clean 1st time full install and i still get this error

It's not Jelsoft's problem: they fixed all of the templates that come with the basic software. The current errors come from the various non-Jelsoft add-ons and modifications. Since Jelsoft does not officially support these add-ons, you use them at your own risk.

But posted in the early posts is the exact steps you should take to search your templates and find the ones that need the line of code added to it.

dssart 05-21-2008 09:16 PM

Quote:

Originally Posted by blindmedia ltd (Post 1526986)
its ok for you all to say do this if people know the code and i dont know

surely as jelsoft screwed up with this they should issue a fix,i installed my 3.7 as a clean 1st time full install and i still get this error

Do yourself a favor: if you're having problems and the hacks you have installed are something you can live without, then uninstall them, revert your templates, upgrade, and you will be stress-free. Have you tried contacting the author of the hack? He has probably moved on to other things, which is why you are here. If that's the case, the hack is obviously unsupported now, and it's just a matter of time anyway before it breaks under another update and you have to go through this all over again.

blindmedia ltd 05-22-2008 09:57 PM

Quote:

Originally Posted by dssart (Post 1527308)
Do yourself a favor: if you're having problems and the hacks you have installed are something you can live without, then uninstall them, revert your templates, upgrade, and you will be stress-free. Have you tried contacting the author of the hack? He has probably moved on to other things, which is why you are here. If that's the case, the hack is obviously unsupported now, and it's just a matter of time anyway before it breaks under another update and you have to go through this all over again.

thats what i said it was a 100% clean install brand new with no hacks installed and it was giving this error

therefore it would be impossible for it to be anything other than vbulletin itself causing the problem

it is 100% vbulletin 3.7.0 at fault there was at the time it started NO other software hack or mods installed

dssart 05-23-2008 12:55 AM

I can't comment accurately on your situation, but I had serious reservations myself in upgrading from 3.6.9 to 3.7.0. I have a custom hack coded for my forum that I was almost positive was going to fail with this CSRF thing. I did the following and it was the smoothest upgrade I've ever had. Not even my custom hack cracked:

Backup database, backup my /images folder, shut down forum, do upgrade. Upload my custom /images and overwrite the new, then perform upgrade. After, go back and revert everything the upgrade reported as needing to be reverted. Sounds to me like some of the upgrade files were munged during the transfer. I'd re-upload the upgrade files and make sure all appropriate ASCII files are transferred as ASCII and all binary files as binary. Something that simple can easily be overlooked. Also, make sure your config.php is correctly configured. Something is missing; you just have to find it.

Seeing as it was a brand new install, I'd say the problem is either with a corrupt file upload or misconfigured config.php. Something isn't seeing something the way it's supposed to. Many people have installed the 3.7.0 software as an upgrade (which is a helluva lot trickier than a virgin install) and are running with no problem.

tafreeh 05-23-2008 07:19 PM

OK, here is the thing: I checked almost all my templates for the security token code and fixed all of them,
but still only super moderators get the security token error whenever they try to reply to a post, whether via New Reply or Quick Reply.

Can someone tell me which templates I still have to fix?

