  #107  
Old 06-03-2008, 07:07 AM
sv1cec
Join Date: May 2004
Location: Athens, Greece
Posts: 2,091
Thanked: 0 times
Thanked 0 times in 0 posts

Well, I do not know what the big rush about the CSRF issue was. According to Jelsoft people, when I protested that a patch should be issued for those still running vB 3.0.xx since this is a security issue:

Quote:
Regarding the vulnerability of vBulletin 3.0.x and 3.5.x to the reported CSRF exploit, it is important to note that vBulletin 3 has had protection against the vast majority of CSRF attacks for quite some time, in the form of a referrer check to ensure that POST requests originate from the same domain as that on which vBulletin is installed. This fix was implemented in response to articles such as the one to which you refer on darkreading.com. This protection is sufficient to deflect almost all CSRF attempts. This most recent CSRF exploit is relatively minor in the scheme of software flaws; Secunia rates CSRF exploits' severity at only 2/5.
And this comes from James Limm, Jelsoft CEO:

Quote:
In principle, I agree that we have an obligation to ensure that our products are free from significant security issues. Security is something that we take very seriously - issues such as XSS exploits are fixed extremely quickly for all currently supported versions (usually we release a patch within 24 hours).

In this particular case, however, the relatively minor nature of the CSRF issue, coupled with the complex nature of the fix and the fact that version 3.0 is an extremely old version that has been superseded twice, led us to make this decision.
Mind you, Jelsoft issued an End-of-Life statement for vB 3.0 the day after I complained about the lack of a fix for a security issue. Some customer care!!!
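The Jelsoft reply above describes vBulletin 3's CSRF defence as a referrer check: POST requests must carry a Referer from the domain the forum is installed on. The following is an added illustration of that kind of check and of the edge cases that make it "almost all" rather than all; it is not vBulletin's code, and the host name, the request dictionaries and the allow_missing switch are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed host standing in for the domain on which the forum is installed.
SITE_HOST = "forum.example.org"


def referer_check(method, headers, site_host=SITE_HOST, allow_missing=False):
    """Same-domain Referer check for state-changing requests (illustrative).

    Returns True when the request may proceed.  Only POST requests are checked,
    mirroring the description that the check covers POST requests.  The Referer
    is parsed as a URL and its host compared exactly with the forum host, so
    look-alike hosts such as forum.example.org.evil.test are rejected, as is a
    Referer whose path merely contains the forum name.

    The weak spot is a request with no Referer at all: some proxies and privacy
    settings strip it.  `allow_missing` is the policy switch for that case.
    Allowing it keeps those users working but means a request that manages to
    arrive without a Referer is not distinguished from a same-site one, which
    is one reason a header check alone is not a complete CSRF defence.
    """
    if method.upper() != "POST":
        return True
    referer = headers.get("Referer")
    if not referer:
        return allow_missing
    host = urlsplit(referer).hostname  # None for malformed or scheme-less values
    return host is not None and host == site_host.lower()


def evaluate(requests, **policy):
    """Run the check over a batch of (label, method, headers) tuples."""
    return {label: referer_check(m, h, **policy) for label, m, h in requests}


# Constructed sample requests: one same-site post, one look-alike host, one
# with the forum name only in the path, one without any Referer, one GET.
SAMPLE_REQUESTS = [
    ("same_site", "POST", {"Referer": "http://forum.example.org/newreply.php?t=1"}),
    ("lookalike", "POST", {"Referer": "http://forum.example.org.evil.test/page"}),
    ("name_in_path", "POST", {"Referer": "http://evil.test/forum.example.org/"}),
    ("no_referer", "POST", {}),
    ("plain_get", "GET", {}),
]

if __name__ == "__main__":
    for label, allowed in evaluate(SAMPLE_REQUESTS).items():
        print(f"{label:12s} -> {'allowed' if allowed else 'rejected'}")
```

With the default strict policy only same_site and plain_get pass; with allow_missing=True the no_referer request passes too, which is the trade-off the check forces on the operator.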