Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > Programming Articles
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Implementing CSRF Protection in modifications
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

 

Show Printable Version Email this Page Subscription
Marco van Herwaarden Marco van Herwaarden is offline 04-23-2008, 10:00 PM

With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP, there are no ways to ensure the exact origin of a request, its also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products, with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

PHP Code:
define('CSRF_PROTECTION'true); 
With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user, if its wrong an error message will be shown and execution with halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.

PHP Code:
define('CSRF_SKIP_LIST''action_one,action_two'); 
The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection, if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime is it available within the registry object, using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.

PHP Code:
if (THIS_SCRIPT == 'example')
{
        
$vbulletin->csrf_skip_list[] = 'action_three';

Reply With Quote
  #122  
Old 08-23-2008, 04:35 PM
mystic10 mystic10 is offline
 
Join Date: Sep 2007
Posts: 298
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

do i need to do this i just ugraded to 3.7.2 pl2 it should be fixed in that right..as i am still having the problem but only with the thanks hack any help will be appreciated
Reply With Quote
  #123  
Old 09-02-2008, 11:31 AM
sunnylikbeckham's Avatar
sunnylikbeckham sunnylikbeckham is offline
 
Join Date: Feb 2008
Location: India
Posts: 165
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

i m having probs to
does it fixed in 3.7.3??
Reply With Quote
  #124  
Old 09-04-2008, 08:18 AM
yotsume's Avatar
yotsume yotsume is offline
 
Join Date: Dec 2006
Posts: 844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I am getting a token error when editing a Blog comment. I use the latest VB Blog. How can I fix the token error here? Also I get a error when I am inside the admin CP and I try and email a user their password?

I had a mod installed called "force useres to read a thread" when I uninstalled that mod I began to see the token errors.

I need these two erros fixed ASAP!

HELP PLEASE!
Reply With Quote
  #125  
Old 09-07-2008, 07:35 PM
g00gl3r g00gl3r is offline
 
Join Date: Sep 2005
Posts: 174
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This is stupid. What the hell is this all about?

--------------- Added [DATE]1220819847[/DATE] at [TIME]1220819847[/TIME] ---------------

Quote:
Originally Posted by sunnylikbeckham View Post
i m having probs to
does it fixed in 3.7.3??
Nope.

--------------- Added [DATE]1220820450[/DATE] at [TIME]1220820450[/TIME] ---------------

Quote:
Originally Posted by rinkrat View Post
I can't save my vbulletin settings without this error.

What do I change to fix this? In a template?


I also can not import any hacks without an error.

Where do I fix this? In a template?

--------------- Added [DATE]1209251058[/DATE] at [TIME]1209251058[/TIME] ---------------




I am getting the error when I try to edit a template and save it so this will not work.
O.M.F.G. There must be 400 templates showing when I search for that.
Reply With Quote
  #126  
Old 09-08-2008, 05:35 AM
dirtyfeast dirtyfeast is offline
 
Join Date: May 2008
Posts: 26
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I just installed the latest version of vBulletin, have no mods installed, made a test thread, and I cant delete it. I get this security token error. Contact admin it says. Why does this happen on a newly installed forum with no hacks installed. Could it be the template I am using which is ambience.
Reply With Quote
  #127  
Old 09-08-2008, 10:09 AM
mystic10 mystic10 is offline
 
Join Date: Sep 2007
Posts: 298
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

i have the problem with thank you hack..any time someone clicks on thanks they get a security token warning....

i looked throudh the plugin this is where i saw the word securitytoken...what changes do i need to make

<template name="post_thanks_button" templatetype="template" date="1217138974" username="Abe" version="7.7"><![CDATA[<a href="post_thanks.php?$session[sessionurl]do=post_thanks_add&amp;p=$post[postid]&amp;&securitytoken=$bbuserinfo[securitytoken]" id="post_thanks_button_$post[postid]"<if condition="$vboptions[disable_ajax] != 2"> onclick="return post_thanks_give($post[postid], <if condition="$vboptions[post_groan_integrate]">true<else />false</if>);"</if> <if condition="$display_thanks_image == 'none'">style="display:none"</if> rel="nofollow"><img src="$stylevar[imgdir_button]/post_thanks.gif" alt="$vbphrase[post_thanks_thanks]" border="0" /></a>]]></template>
<template name="post_thanks_javascript" templatetype="template" date="1198126814" username="Abe" version="7.0"><![CDATA[<script type="text/javascript" src="clientscript/post_thanks.js"></script>]]></template>
Reply With Quote
  #128  
Old 09-09-2008, 12:41 PM
scott_gersforum scott_gersforum is offline
 
Join Date: Jan 2007
Posts: 18
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I have certain users getting this error when updating their albums.
Rest of the forum seems okay.
Can anyone fix this?
Reply With Quote
  #129  
Old 09-14-2008, 03:05 AM
redskull redskull is offline
 
Join Date: Jun 2007
Posts: 2
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

ok so for my template to work without getthing the token error WHAT do i edit/fix
Reply With Quote
  #130  
Old 09-14-2008, 07:47 PM
mokujin's Avatar
mokujin mokujin is offline
 
Join Date: Oct 2005
Location: Czech
Posts: 345
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi, I have this function, how can I add CSRF for this:

Code:
function tab(URL) {
  http.open("GET", "tabs.php?f="+URL+"&s="+Math.random(), true);
  http.onreadystatechange=function() {
    if(http.readyState == 4) {
      document.getElementById('forumbits').innerHTML = http.responseText;
	}
  }
  http.send(null);
}
Thanks for helping me
Reply With Quote
  #131  
Old 10-02-2008, 03:09 PM
SVTCobraLTD SVTCobraLTD is offline
 
Join Date: Jul 2007
Location: PA
Posts: 841
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Below is a code for a product, there is no value="$session[sessionhash]" so I am not sure where to add <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />. Anyone have an idea??


Code:
$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
	<head>
		$headinclude
		<title>$vboptions[bbtitle] - $vbphrase[onetouchspamban_title]</title>
	</head>
	$header
	$navbar
<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="70%" align="center">
<tr>
	<td class="tcat">$vbphrase[onetouchspamban_title]</td>
</tr>
<tr>
	<td class="panelsurround" align="center">
	<div class="panel">
		<div align="$stylevar[left]">
	
			<div style="margin: 10px">

	<if condition="$_REQUEST['do'] == 'spamcleanconfirm'">
		<form action="misc.php" method="post" name="spamconfirm" id="spamconfirm">
			$message
			<input type="hidden" name="do" value="dospamclean" />
			<input type="hidden" name="userid" value="$banuserid" />
			<center><input type="submit" class="button" value="$vbphrase[onetouchspamban_confirm_button]" /></center>
		</form>
	</if>

	<if condition="$_POST['do'] == 'dospamclean'">
		$message
	</if>

</div>
			
	</div>
	</div>

	</td>
</tr>
</table>

	$footer
</body>
</html>
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:28 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07046 seconds
  • Memory Usage 2,343KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (3)bbcode_code
  • (3)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (1)pagenav_pagelinkrel
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete