I guess I will be against everyone and help you find the solution without upgrading.
All the code I am getting is from 3.7.0 files.
The security token is defined on line 1334 of class_core.php with this code.
PHP Code:
$user['securitytoken'] = sha1($user['userid'] . sha1($user['salt']) . sha1(COOKIE_SALT));
Then it is checked in init.php at lines 398-460 with this code.
PHP Code:
// CSRF Protection for POST requests
if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST')
{
    if ($vbulletin->userinfo['userid'] > 0 AND defined('CSRF_PROTECTION') AND CSRF_PROTECTION === true)
    {
        $vbulletin->input->clean_array_gpc('p', array(
            'securitytoken' => TYPE_STR,
        ));

        if (!in_array($_POST['do'], $vbulletin->csrf_skip_list))
        {
            if ($vbulletin->GPC['securitytoken'] !== $vbulletin->userinfo['securitytoken'])
            {
                $vbphrase = init_language();
                $_tmp = NULL;
                $stylevar = fetch_stylevars($_tmp, $vbulletin->userinfo);
                exec_headers();
                die(fetch_error('security_token_missing', $stylevar['textdirection'], $vbulletin->options['contactuslink']));
            }
        }
    }
    else if (!defined('CSRF_PROTECTION') AND !defined('SKIP_REFERRER_CHECK'))
    {
        if ($_SERVER['HTTP_HOST'] OR $_ENV['HTTP_HOST'])
        {
            $http_host = ($_SERVER['HTTP_HOST'] ? $_SERVER['HTTP_HOST'] : $_ENV['HTTP_HOST']);
        }
        else if ($_SERVER['SERVER_NAME'] OR $_ENV['SERVER_NAME'])
        {
            $http_host = ($_SERVER['SERVER_NAME'] ? $_SERVER['SERVER_NAME'] : $_ENV['SERVER_NAME']);
        }

        if ($http_host AND $_SERVER['HTTP_REFERER'])
        {
            $http_host = preg_replace('#:80$#', '', trim($http_host));
            $referrer_parts = @parse_url($_SERVER['HTTP_REFERER']);
            $ref_port = intval($referrer_parts['port']);
            $ref_host = $referrer_parts['host'] . ((!empty($ref_port) AND $ref_port != '80') ? ":$ref_port" : '');

            $allowed = preg_split('#\s+#', $vbulletin->options['allowedreferrers'], -1, PREG_SPLIT_NO_EMPTY);
            $allowed[] = preg_replace('#^www\.#i', '', $http_host);
            $allowed[] = '.paypal.com';

            $pass_ref_check = false;
            foreach ($allowed AS $host)
            {
                if (preg_match('#' . preg_quote($host, '#') . '$#siU', $ref_host))
                {
                    $pass_ref_check = true;
                    break;
                }
            }
            unset($allowed);

            if ($pass_ref_check == false)
            {
                die('In order to accept POST request originating from this domain, the admin must add this domain to the whitelist.');
            }
        }
    }
}
This code replaces the following code from 3.7 R3, before the CSRF patch was released.
PHP Code:
if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST' AND !defined('SKIP_REFERRER_CHECK'))
{
    if ($_SERVER['HTTP_HOST'] OR $_ENV['HTTP_HOST'])
    {
        $http_host = ($_SERVER['HTTP_HOST'] ? $_SERVER['HTTP_HOST'] : $_ENV['HTTP_HOST']);
    }
    else if ($_SERVER['SERVER_NAME'] OR $_ENV['SERVER_NAME'])
    {
        $http_host = ($_SERVER['SERVER_NAME'] ? $_SERVER['SERVER_NAME'] : $_ENV['SERVER_NAME']);
    }

    if ($http_host AND $_SERVER['HTTP_REFERER'])
    {
        $http_host = preg_replace('#:80$#', '', trim($http_host));
        $referrer_parts = @parse_url($_SERVER['HTTP_REFERER']);
        $ref_port = intval($referrer_parts['port']);
        $ref_host = $referrer_parts['host'] . ((!empty($ref_port) AND $ref_port != '80') ? ":$ref_port" : '');

        $allowed = preg_split('#\s+#', $vbulletin->options['allowedreferrers'], -1, PREG_SPLIT_NO_EMPTY);
        $allowed[] = preg_replace('#^www\.#i', '', $http_host);
        $allowed[] = '.paypal.com';

        $pass_ref_check = false;
        foreach ($allowed AS $host)
        {
            if (preg_match('#' . preg_quote($host, '#') . '$#siU', $ref_host))
            {
                $pass_ref_check = true;
                break;
            }
        }
        unset($allowed);

        if ($pass_ref_check == false)
        {
            die('In order to accept POST request originating from this domain, the admin must add this domain to the whitelist.');
        }
    }
}
You just need to do something similar or come up with another way of doing it.
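For anyone implementing "something similar" in their own script, the following is an added stand-alone example (not vBulletin's code and not from the poster) that reproduces the two mechanisms shown above outside the forum framework: the token derivation from class_core.php and the POST-time token check and referrer whitelist from init.php. It assumes PHP 7 or later; COOKIE_SALT, the CSRF_SKIP_LIST constant, the function names and all user, host and referrer values are constructed for the demonstration. Two deliberate departures from the quoted code are marked in the comments: the token is compared with hash_equals() rather than !==, and the referrer check fails closed when no Referer header is present and only accepts an exact or dot-bounded host match, since the quoted suffix regex accepts any referrer host that merely ends with an allowed string.

```php
<?php
// Added example, not vBulletin's own code. Reproduces the 3.7 security-token
// and referrer checks from the post as plain functions so they can be run
// on their own. Names and values below are hypothetical/constructed.

const COOKIE_SALT    = 'constructed-cookie-salt';   // in vB this comes from config.php
const CSRF_SKIP_LIST = array('login', 'logout');     // hypothetical 'do' actions exempt from the token check

/** Same derivation as class_core.php: sha1(userid . sha1(salt) . sha1(COOKIE_SALT)). */
function fetch_security_token($userid, $salt)
{
    return sha1($userid . sha1($salt) . sha1(COOKIE_SALT));
}

/**
 * Token check in the shape of init.php: only for logged-in users on POST,
 * skipped for actions on the skip list. Departure: hash_equals() instead of
 * !== so the comparison time does not depend on how many leading bytes match.
 */
function check_security_token(array $user, array $post)
{
    if ((int) $user['userid'] <= 0) {
        return true;                                    // guests fall through to the referrer check
    }
    $action = isset($post['do']) ? $post['do'] : '';
    if (in_array($action, CSRF_SKIP_LIST, true)) {
        return true;
    }
    $expected  = fetch_security_token($user['userid'], $user['salt']);
    $submitted = isset($post['securitytoken']) ? (string) $post['securitytoken'] : '';
    return hash_equals($expected, $submitted);
}

/**
 * Referrer whitelist check. Departures from the quoted code: a missing or
 * unparsable Referer is rejected instead of skipping the check, and an allowed
 * entry matches only the identical host or a subdomain of it, so an allowed
 * "example.com" does not match "notexample.com".
 */
function check_referrer($referer, $http_host, $allowedreferrers)
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $ref_port = isset($parts['port']) ? (int) $parts['port'] : 0;
    $ref_host = strtolower($parts['host']) . (($ref_port && $ref_port != 80) ? ":$ref_port" : '');

    $http_host = preg_replace('#:80$#', '', trim(strtolower($http_host)));
    $allowed   = preg_split('#\s+#', $allowedreferrers, -1, PREG_SPLIT_NO_EMPTY);
    $allowed[] = preg_replace('#^www\.#i', '', $http_host);

    foreach ($allowed as $host) {
        $host   = strtolower(ltrim($host, '.'));
        $suffix = '.' . $host;
        if ($ref_host === $host
            || (strlen($ref_host) > strlen($suffix) && substr($ref_host, -strlen($suffix)) === $suffix)) {
            return true;
        }
    }
    return false;
}

// --- Demonstration with constructed values ---
$user  = array('userid' => 42, 'salt' => 'abc');       // constructed user record
$token = fetch_security_token($user['userid'], $user['salt']);

// 1. The token travels to the browser in a hidden form field, as vB does.
echo '<input type="hidden" name="securitytoken" value="' . htmlspecialchars($token) . '" />', PHP_EOL;

// 2. Simulated POST bodies run through the token check.
$posts = array(
    'valid token'        => array('do' => 'editpost', 'securitytoken' => $token),
    'forged token'       => array('do' => 'editpost', 'securitytoken' => 'forged'),
    'token missing'      => array('do' => 'editpost'),
    'skip-listed action' => array('do' => 'login'),
);
foreach ($posts as $label => $post) {
    printf("token check, %-20s %s\n", $label . ':', check_security_token($user, $post) ? 'accept' : 'reject');
}

// 3. Simulated Referer headers run through the whitelist check.
$refs = array(
    'same host'          => array('http://www.example.com/forum/newreply.php', ''),
    'subdomain'          => array('http://img.example.com/upload', ''),
    'look-alike host'    => array('http://notexample.com/x', ''),
    'no Referer header'  => array(null, ''),
    'whitelisted domain' => array('https://www.paypal.com/ipn', 'paypal.com'),
);
foreach ($refs as $label => $case) {
    printf("referrer check, %-19s %s\n", $label . ':', check_referrer($case[0], 'www.example.com', $case[1]) ? 'accept' : 'reject');
}
```

The token derivation is kept identical to class_core.php so a script using this alongside 3.7 would accept the same securitytoken value vB already places in its forms; note that, as in 3.7, the token is fixed for the life of the user's salt and cookie salt, so it should only ever be sent in POST bodies over the site's own pages, never in URLs.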