The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
Implementing CSRF Protection in modifications
With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications. Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org: Changes for CSRF protection with third party modifications Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP, there are no ways to ensure the exact origin of a request, its also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products, with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token. The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility. Adding Protection to your own files To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT. PHP Code:
If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests. You should always add this to your file, even if you don't think the script is ever going to receive POST requests. An absence of this defined constant within your files will result in the old style referrer checking being performed. Template Changes The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user. Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> Exempting Certain Actions It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file. PHP Code:
If the skip list needs to be changed at runtime is it available within the registry object, using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'. PHP Code:
|
#112
|
|||
|
|||
Hi all, for now, i have this error only in the polls voted from VBA homepage..... what is the template that i go to edit?
|
#113
|
||||
|
||||
Wow - Thank GAWD for Google LOL - did a search and this is the very 1st thread I found.... After editing over 50 or more templates in the past hour or so - I thank you all who have helped - notably the very informative post here AND the query that made it so very easy here.
It's not very often I see a HELP ME JESUS! thread that actually has the solution on the 1st page Thanx GUYZ! Jacquii. |
#114
|
||||
|
||||
hi dear all.
when i add new styles into my forum. it ok. then i want to show 3 styles on my forumhome for my member enjoy it. but i can't save display oder. i got note below : Quote:
|
#115
|
|||
|
|||
Quote:
|
#116
|
|||
|
|||
Quote:
--------------- Added [DATE]1215989398[/DATE] at [TIME]1215989398[/TIME] --------------- i upgraded the script and everything is fine now thanksss |
#117
|
|||
|
|||
Quote:
this is really frustrating i don't care where its coming from ,i know it has to be fixed since i am not a coder if i purchace a board and its running great and after a update its not than there is not much i cant do a as a total non coder |
#118
|
|||
|
|||
hi
can some one explain this to me please i get the error also on my forum since some fool invented a new way of protection or something Template Changes The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user. Quote:
i use a modified template not from vB but from phpbb on 3.6 all is ok en works fine now on 3.7 the problems start ps if someone can help me do this it would be apriciated by paypal |
#119
|
|||
|
|||
My users are getting the error when uploading attachments to their album or to a thread. Both templates have the <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> already, so what is the next course of action to fix this?
|
#120
|
||||
|
||||
I dont understand too Where are coders now?
|
#121
|
||||
|
||||
I am trying to reproduce my usercp.php file on my site root, I have copyed also my profile.php file and all my /includes/ folder.. and when I'm sending data from it, I got this error:
Code:
Fatal error: Call to undefined function: verify_security_token() in c:\programs\server\www\install_test\includes\init.php on line 416
PHP Code:
|
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|