Implementing CSRF Protection in modifications
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415
04-23-2008, 10:00 PM

With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) takes advantage of the stateless nature of HTTP: there is no way to ensure the exact origin of a request, and it is also not possible to tell what was actually initiated by a user from what was forced by a third-party script. A token has been added to the latest version of each of the vBulletin products; with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability of a remote page to force a user to submit an action. At the moment this protection only applies to vBulletin files; third-party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection, add the following to the top of the file, under the define for THIS_SCRIPT.

PHP Code:
define('CSRF_PROTECTION', true);
With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user; if it is wrong, an error message is shown and execution halts.

If this value is set to false, all CSRF protection is removed for the file; this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

If this constant is absent from your file, the old-style referrer checking will be performed instead.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. It will automatically be filled in with a 40-character hash that is unique to the user.

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Again, it is worthwhile adding this to your templates even if the file is not currently using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection; in this case you can add the following to the file.

PHP Code:
define('CSRF_SKIP_LIST', 'action_one,action_two');
The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection. If the CSRF_SKIP_LIST constant is defined with no value, it will exempt the default action.

If the skip list needs to be changed at runtime, it is available within the registry object; using the init_startup hook, the following code would exempt example.php?do=action_three.

PHP Code:
if (THIS_SCRIPT == 'example')
{
    $vbulletin->csrf_skip_list[] = 'action_three';
}
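To make the mechanism above concrete, here is a self-contained PHP sketch of the checks the article describes, added to this page as an example. It is not vBulletin's own code: the function names (csrf_token, csrf_hidden_field, csrf_parse_skip_list, csrf_verify_request), the HMAC-based token derivation, the secret and all sample values are assumptions made for the example. It produces a 40-character per-user token, renders the hidden field, and applies the skip-list rules as stated above, including the "defined with no value" case that exempts the default action and a runtime addition to the list.

```php
<?php
// Added example, not vBulletin's implementation: a minimal model of the
// per-user security token check described in the article. All function
// names, the secret and the sample values below are assumptions.

// 40-character token unique to a user and session (HMAC-SHA1 is 40 hex chars).
function csrf_token(int $userid, string $sessionhash, string $secret): string
{
    return hash_hmac('sha1', $userid . ':' . $sessionhash, $secret);
}

// The hidden field that every POST form must carry.
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="securitytoken" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Parse a CSRF_SKIP_LIST-style constant. null means the constant is not
// defined (nothing exempted); an empty string yields [''], which exempts
// the default (empty) action, as the article describes.
function csrf_parse_skip_list(?string $constant): array
{
    if ($constant === null) {
        return [];
    }
    return array_map('trim', explode(',', $constant));
}

// Decide whether a request may proceed. Only POST requests are checked;
// $protection mirrors CSRF_PROTECTION, and false disables the check.
function csrf_verify_request(
    string $method,
    string $do,
    array $post,
    string $expected,
    array $skipList,
    bool $protection = true
): bool {
    if (!$protection || strtoupper($method) !== 'POST') {
        return true;
    }
    if (in_array($do, $skipList, true)) {
        return true; // exempted action
    }
    $supplied = isset($post['securitytoken']) ? (string) $post['securitytoken'] : '';
    // Constant-time comparison so the check does not leak the token via timing.
    return $supplied !== '' && hash_equals($expected, $supplied);
}

// --- Walk-through with constructed values -----------------------------
$secret = 'example-site-secret';                   // constructed
$token  = csrf_token(42, 'constructed-session-hash', $secret);
echo csrf_hidden_field($token), "\n";

$skipList   = csrf_parse_skip_list('action_one,action_two');
$skipList[] = 'action_three';                      // runtime addition, as via init_startup

$cases = [
    'valid token on a protected action'   => ['POST', 'process', ['securitytoken' => $token]],
    'missing token on a protected action' => ['POST', 'process', []],
    'forged token on a protected action'  => ['POST', 'process', ['securitytoken' => str_repeat('a', 40)]],
    'exempted action without a token'     => ['POST', 'action_three', []],
    'GET request, not subject to the check' => ['GET', 'process', []],
];
foreach ($cases as $label => [$method, $do, $post]) {
    printf("%-40s %s\n", $label,
        csrf_verify_request($method, $do, $post, $token, $skipList) ? 'accepted' : 'rejected');
}

// Constant defined with no value: only the default (empty) action is exempted.
$defaultOnly = csrf_parse_skip_list('');
printf("%-40s %s\n", 'default action, empty skip list',
    csrf_verify_request('POST', '', [], $token, $defaultOnly) ? 'accepted' : 'rejected');
```

The point the walk-through makes is that the check is purely a comparison of the submitted hidden field against a value the server can recompute for the user; a remote page cannot read that value, so it cannot construct a POST that passes. The skip list is the escape hatch, and every entry on it is an action that a third party can once again submit on the user's behalf, which is why the article advises keeping it short.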

#132
10-08-2008, 11:38 AM
Outbackmark
Join Date: Jun 2007
Posts: 125

I had the same trouble; this took care of it:
Open the template "onetouchban" in Styles and Templates/edit templates -
Find
Code:
<form action="misc.php" method="post" name="spamconfirm" id="spamconfirm">
On the NEXT line insert -
Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Save and edit the same in other styles if you have more than one running.
No more errors. Remember to turn off the IP ban for your test run or you may ban your own IP!!

I also had a security token pop up in a style that has not been updated with the onset of daylight savings in some parts of the world.
The error occurs when the time tries to adjust to daylight savings on profile.php?do=dst.
This is incorporated into the footer template and the security token needs to go on the next line after:
Code:
<input type="hidden" name="s" value="$session[sessionhash]" />
#133
10-12-2008, 06:20 PM
Ohiosweetheart
Join Date: Dec 2005
Location: N.E. Ohio
Posts: 2,291

Has anyone gotten this security token error when you click on "Go Advanced" on the QuickReply editor?

If so, what template did you have to edit, (or what form in what template) to fix it??

EDIT - Never mind. I found it. I reverted the Showthread template and it's now fixed.
#134
10-24-2008, 08:11 PM
perfphysio
Join Date: Sep 2006
Location: London, UK
Posts: 212

Hi guys, I have a second site that uses a small bit of code at the top to search my forum. Basically you type the search term on my site, hit search, and it feeds that info to the search page on my forum and opens a new window on the forum with the results.

It works fine with the user not logged in to the forum when searching from the other site, but when the user is also logged in to the forum and is then also searching from the other site I get the error

"Your submission could not be processed because a security token was invalid."

I tried commenting out the lines
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

from my search_forums template but this made no difference

This is my code

<div class="span-8 push-4 last margin_bottom">
<form id="form" action="http://www.******.com/forum/search.php" method="post" name="search" target="_blank">

<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="process"/>
<input type="hidden" name="quicksearch" value="1"/>
<input type="hidden" name="showposts" value="1"/>

<label for="query">Search</label>
<input type="text" id="search_field" class="text" name="query" size="18" value="" />
<input type="image" src="/**********/templates/******/images/search.gif" />

</form>
</div>

Any ideas on how to work around on this?
#135
11-01-2008, 11:06 PM
skylerj
Join Date: Sep 2008
Posts: 1

Yeah, exactly the same here. This is crap and not good. I wish more help was around; I see people asking to explain it 5th grade style and they are ignored. GRRR, how many people does it take to scream before something's done???


Quote:
Originally Posted by dirtyfeast View Post
I just installed the latest version of vBulletin, have no mods installed, made a test thread, and I can't delete it. I get this security token error. Contact admin, it says. Why does this happen on a newly installed forum with no hacks installed? Could it be the template I am using, which is ambience?
#136
11-02-2008, 12:49 AM
PoetJA-1975
Join Date: Sep 2006
Location: Meh...
Posts: 1,218

Run the following query and you should see a list of possible templates that need editing - Then you have to edit each template for each installed style manually:

Code:
SELECT templateid , title , styleid FROM template WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%' AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%' ORDER BY title ASC, styleid ASC;
Run the query in your AdminCP --> Maintenance --> Execute SQL Query

Hope this helps - but if you are in the position to hire someone - perhaps you might post a thread in the Paid Requests section or check out my design site

Jacquii.


Quote:
Why does this happen on a newly installed forum with no hacks installed. Could it be the template I am using which is ambience.
Yup, it most definitely is: the style needs template(s) edited.
#137
12-02-2008, 09:44 PM
Kaas
Join Date: Jun 2006
Posts: 9

I have recently upgraded to the latest vB, and I am now having an issue with a "security token". I was redirected to this particular post by vB support. I am using a "Form" created by Elricstorm called "Elricstorm's World of Warcraft Recruitment Form". I have modified the form to be up to date with the changes in the game; everything works fine, all the changes show up fine, however when attempting to "post" the form I get the security error. I am in no way a programmer, so my question is what do I fix and where...? If this has already been answered somewhere, pointing me there would be great; I searched but came up empty.

I will try and give you the code here.. If anyone can help, and you need more data, please let me know... Thanks a ton..


this is from the top of the form...

PHP Code:
<?xml version="1.0" encoding="ISO-8859-1"?>

<product productid="wow_recruitment" active="1">
    <title><![CDATA[Elricstorm's World of Warcraft Recruitment Form]]></title>
    <description>Damnation guild recruitment form</description>
    <version>2.0.0</version>
    <url>https://vborg.vbsupport.ru/showthread.php?t=1274436</url>
    <versioncheckurl><![CDATA[https://vborg.vbsupport.ru/misc.php?do=checkversion&t=1274436]]></versioncheckurl>
    <dependencies>
        <dependency dependencytype="vbulletin" minversion="3.7.4" maxversion="" />
    </dependencies>
    <codes>
    </codes>
    <templates>
        <template name="wow_form" templatetype="template" date="0" username="" version="1.0.0"><![CDATA[$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
$headinclude
<title>$vboptions[bbtitle] - $formtitle</title>
</head>
<body>
$header
$navbar

<!-- main -->
<if condition="$preview">
<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
    <tr>
        <td class="tcat">
            Preview
        </td>
    </tr>
    <tr>
        <td class="alt1">
            $preview
        </td>
    </tr>
</table>
</if>

<br />
<form name="vbform" action="newthread.php" method="post"<if condition="!is_browser('webtv')"> onsubmit="return vB_Editor['$editorid'].prepare_submit(0, $vboptions[postminchars])"</if>>
<input type="hidden" value="$formname" name="do" />
<input type="hidden" value="submit" name="action" />

<input type="hidden" name="posthash" value="$posthash" />
<input type="hidden" name="poststarttime" value="$poststarttime" />

<style type="text/css">
<!--
.wowtinyc{
    text-align: center;
    text-align: -moz-center;
    font-family: '$fontstyle', cursive;
    font-size: 8pt;
    font-weight: bold;
}
.wowtinyl{
    text-align: center;
    text-align: -moz-center;
    font-family: '$fontstyle', cursive;
    font-size: 8pt;
    font-weight: bold;
}
.wowpc{
    text-align: center;
    text-align: -moz-center;
    font-family: '$fontstyle', cursive;
    font-size: 10pt;
    font-weight: bold;
}
.wowpl{
    text-align: left;
    text-align: -moz-left;
    font-family: '$fontstyle', cursive;
    font-size: 10pt;
    font-weight: bold;
}
.wowsl{
    text-align: left;
    text-align: -moz-left;
    font-family: '$fontstyle', cursive;
    font-size: 9pt;
    font-weight: lighter;
}
.wowsc{
    text-align: center;
    text-align: -moz-center;
    font-family: '$fontstyle', cursive;
    font-size: 9pt;
    font-weight: lighter;
}
-->
</style>

<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
    <tr>
        <td class="tcat" colspan="3">
            $vboptions[bbtitle] - $formtitle
        </td>
    </tr>
    <tr>
        <td class="panelsurround" align="center" colspan="3">
            <table class="panel" cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
                <tr>
                <td align="$stylevar[left]">
                    <fieldset class="fieldset" style="margin:0px">
                        <table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0">
                        <tr>
                            <td>
                                $formpurpose
                            </td>
                        </tr>
                        </table>
                    </fieldset>
                </td>
                </tr>
            </table>
        </td>
    </tr>
</table>
#138
12-09-2008, 10:43 PM
azurekite
Join Date: Jun 2007
Posts: 1

I'm not sure if this has been suggested yet and I don't care to search through all 10 pages of this to find out.

This is simply what I did to fix my Security Token issues for my custom theme for my board.

Go to your Administrator Control Panel, then choose:

Styles & Templates >> Search in Templates

Inside there you will use the "Find and Replace in Templates" function.

Where it says "Search in Style" you will choose the custom style that is giving you problems.

Where it says "Search for Text" put:

Code:
<input type="hidden" name="s" value="$session[sessionhash]" />
and where it says "Replace with Text" put:

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />
Then choose "No" for the "Test Replacement Only" option.

And finally choose "Yes" for the "Case-Insensitive" option. (Just to be sure. =D)


Click Find and then keep hitting next till it updates the skins.

That's what I did and now it works like a charm. =D
#139
01-05-2009, 04:08 PM
C138 Kaysone
Join Date: Jun 2008
Location: NC
Posts: 134

Ummm, maybe someone should tell me exactly WHERE to put all this stuff... this is like reading Chinese when I can't even read symbols and make out what they mean.. The only thing I'm worrying about now is missing security tokens; I think I screwed up big time and lost it all and now I may have to restart over...

But will this fix all token issues or certain areas? I'm trying to figure out why I'm having this one in my flashchat...
#140
01-20-2009, 07:51 AM
flup
Join Date: Jan 2002
Location: Maastricht, NL
Posts: 872

Quote:
Originally Posted by azurekite View Post
I'm not sure if this has been suggested yet and I don't care to search through all 10 pages of this to find out.

This is simply what I did to fix my Security Token issues for my custom theme for my board.

Go to your Administrator Control Panel, then choose:

Styles & Templates >> Search in Templates

Inside there you will use the "Find and Replace in Templates" function.

Where it says "Search in Style" you will choose the custom style that is giving you problems.

Where it says "Search for Text" put:

Code:
<input type="hidden" name="s" value="$session[sessionhash]" />
and where it says "Replace with Text" put:

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />
Then choose "No" for the "Test Replacement Only" option.

And finally choose "Yes" for the "Case-Insensitive" option. (Just to be sure. =D)


Click Find and then keep hitting next till it updates the skins.

That's what I did and now it works like a charm. =D
You'd better use the test run first to see which templates are missing the security token and add it manually later. I guess it'll give errors while checking if your page is valid to its DTD when you have double field names.

--------------- Added 01-20-2009 at 10:05 AM (GMT) ---------------

Here's a list of (default) templates missing the hidden field for the securitytoken. These were found in a 3.7.2 version which was updated from 3.5.4 to 3.7.2. The number in front of the template name is the number of fields to be added in total:

2x calenderjump
1x FAQ
2x FORUMDISPLAY
1x forumjump
1x JOINREQUESTS
1x moderation_filter
1x moderation_posts
1x moderation_threads
1x pm_messagelist
6x SHOWTHREAD
1x tag_cloud_page
1x threadadmin_easyspam_skipped_prune
1x WHOSONLINE

Open each of these templates, search for:
HTML Code:
<input type="hidden" name="s" value="$session[sessionhash]" />
and replace with:
HTML Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />
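The replies above describe the same fix three ways: a query that finds templates carrying the session hash field but no securitytoken field, a find-and-replace that adds the field, and flup's caution that a blind replacement duplicates the field in forms that already have it. The PHP below is added here as an example (it is not vBulletin's code nor any poster's) and applies that fix idempotently to a template's uncompiled text: it counts the forms that still lack the field and inserts it only in those, once per form, so a second pass changes nothing. The function names and the sample template are constructed for the example; reading and writing the real template_un column is assumed to happen elsewhere and is not shown.

```php
<?php
// Added example, not vBulletin's or any poster's code: idempotent insertion
// of the securitytoken field into template text. Function names and the
// sample template are constructed for this example.

const SESSION_FIELD = '<input type="hidden" name="s" value="$session[sessionhash]" />';
const TOKEN_FIELD   = '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />';

// A form needs the field when it carries the session hash field but no
// securitytoken field. Matching is case-insensitive, like the AdminCP
// "Case-Insensitive" option mentioned in the replies above.
function form_needs_token(string $form): bool
{
    return stripos($form, SESSION_FIELD) !== false
        && stripos($form, TOKEN_FIELD) === false;
}

// Split template text into its <form>...</form> blocks.
function template_forms(string $template): array
{
    preg_match_all('#<form\b.*?</form>#is', $template, $m);
    return $m[0];
}

// Number of forms in the template that still lack the field (the "Nx"
// figure in flup's list above).
function count_unprotected_forms(string $template): int
{
    return count(array_filter(template_forms($template), 'form_needs_token'));
}

// Insert the token field immediately before the session field, but only in
// forms that lack it, so re-running on an already patched template changes
// nothing and never produces duplicate field names.
function add_security_token_field(string $template): string
{
    return preg_replace_callback(
        '#<form\b.*?</form>#is',
        function (array $m): string {
            $form = $m[0];
            if (!form_needs_token($form)) {
                return $form;
            }
            $pos = stripos($form, SESSION_FIELD);
            return substr($form, 0, $pos) . TOKEN_FIELD . "\n" . substr($form, $pos);
        },
        $template
    );
}

// Constructed sample: the first form is already protected, the second is not.
$sample = <<<'TPL'
<form action="search.php" method="post" name="search">
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="do" value="process" />
</form>
<form action="misc.php" method="post" name="spamconfirm" id="spamconfirm">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="do" value="spamconfirm" />
</form>
TPL;

printf("forms lacking the field before: %d\n", count_unprotected_forms($sample));
$patched = add_security_token_field($sample);
printf("forms lacking the field after:  %d\n", count_unprotected_forms($patched));
// Idempotence check: a second pass should leave the template unchanged.
var_dump(add_security_token_field($patched) === $patched);
echo $patched;
```

Working per form rather than per template matters for templates like SHOWTHREAD that contain several forms: a template-level "already contains the token field" test would skip the whole template as soon as one of its forms had been fixed, leaving the others unprotected.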
#141
02-14-2009, 06:55 AM
ragtek
Join Date: Mar 2006
Location: austria, croatia
Posts: 1,630

Shouldn't this be posted in vb category and not programming?
Because you can just use this with vB, it has nothing to do with normal "programming".