Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > Programming Articles
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Implementing CSRF Protection in modifications
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

 

Show Printable Version Email this Page Subscription
Marco van Herwaarden Marco van Herwaarden is offline 04-23-2008, 10:00 PM

With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP, there are no ways to ensure the exact origin of a request, its also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products, with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

PHP Code:
define('CSRF_PROTECTION'true); 
With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user, if its wrong an error message will be shown and execution with halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.

PHP Code:
define('CSRF_SKIP_LIST''action_one,action_two'); 
The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection, if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime is it available within the registry object, using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.

PHP Code:
if (THIS_SCRIPT == 'example')
{
        
$vbulletin->csrf_skip_list[] = 'action_three';

Reply With Quote
  #142  
Old 02-20-2009, 09:12 PM
moon_spell moon_spell is offline
 
Join Date: Oct 2007
Posts: 52
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

ok . now witch template have to be edited ? would you please tell me ? all templates ?

--------------- Added [DATE]1235223321[/DATE] at [TIME]1235223321[/TIME] ---------------

i did everything but all the users get this message !!!

Your submission could not be processed because a security token was missing.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error


the latest release of vbulletin ! please help to slove this !
Reply With Quote
  #143  
Old 02-23-2009, 11:14 AM
Mr. Baws Mr. Baws is offline
 
Join Date: Sep 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

i get this error only with mozilla when users try to search forums
Reply With Quote
  #144  
Old 03-07-2009, 06:49 AM
tlwwolfseye's Avatar
tlwwolfseye tlwwolfseye is offline
 
Join Date: Dec 2008
Location: Germany
Posts: 320
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Could you please tell me which of the Templates I have to change so I don´t get the "Securitytoken" error anymore when submitting the Score for the IbProArcade ? If someone would already know, it would save me a lot of work finding that.

Thanks
Reply With Quote
  #145  
Old 03-15-2009, 07:16 PM
darkman's Avatar
darkman darkman is offline
 
Join Date: Mar 2002
Location: USA
Posts: 27
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi, I did the query posted earlier and when I check the Style ID's, one of the results is -1, as shown in the attachment. When I hover over my styles in style manager none of them come up as -1. When I click on a style to go to the url and change the style id at the end of the url to -1 it comes up as the andromeda style, but in style manager, andromeda comes up as styleid 58. Any clues as to why this is like that? I fixed all the security token issues except for the 7 occurences that happen in this -1 styleid.
Any help would be appreciated.
Attached Images
File Type: png 3-15-2009 3-09-56 PM.png (29.8 KB, 0 views)
Reply With Quote
  #146  
Old 03-15-2009, 08:30 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

-1 means the Master Style which you can only see in debug mode.
Reply With Quote
  #147  
Old 03-15-2009, 08:41 PM
darkman's Avatar
darkman darkman is offline
 
Join Date: Mar 2002
Location: USA
Posts: 27
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thank you - how would I change those templates then?
Reply With Quote
  #148  
Old 03-15-2009, 08:48 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by darkman View Post
Thank you - how would I change those templates then?
You would have to go into debug mode. However, it seems odd that those default templates do not have the security token unless you have done something to modify those templates in the Master Style. There are some forms that do not need the securitytoken and my guess is that those don't. (Mine don't have it in those forms (the couple I checked) and the site runs fine.)
Reply With Quote
  #149  
Old 03-15-2009, 09:49 PM
darkman's Avatar
darkman darkman is offline
 
Join Date: Mar 2002
Location: USA
Posts: 27
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

ThanQ Lynne - I appreciate your help. I guess I will ignore them for now.
On another note, I'm no longer getting a flood of emails for security tokens missing, but I have received two of these:
HTML Code:
Missing or Invalid Security Token detected.
 
Script Call Backtrace
=====================
#0 /home/imforums/public_html/forums/includes/functions.php line 2688: eval()
#1 /home/imforums/public_html/forums/global.php line 379: fetch_error(security_token_missing,sendmessage.php)
#2 /home/imforums/public_html/forums/profile.php line 150: require_once(/home/imforums/public_html/forums/global.php)
 
POST Variables
==============
Array
(
    [securitytoken] => 
    [ajax] => 0
)
 
Request URI
===========
/forums/profile.php?do=dst
Any ideas?
Reply With Quote
  #150  
Old 03-15-2009, 10:07 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Make sure the security token is present in the footer where the profile.php form is called.
Reply With Quote
  #151  
Old 03-16-2009, 03:43 AM
darkman's Avatar
darkman darkman is offline
 
Join Date: Mar 2002
Location: USA
Posts: 27
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks again Lynne, I have about 7 skins total and from what I can see all the footer templates have the security token. The sql query only shows these results. I have received 8 email notificactions of missing security tokens, all with exactly the same information as what I posted above. Any other ideas?
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:31 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04769 seconds
  • Memory Usage 2,343KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)bbcode_code
  • (1)bbcode_html
  • (3)bbcode_php
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (1)pagenav_pagelinkrel
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (1)postbit_attachment
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • postbit_attachment
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete