Help in securing vB 3.0.xx for the CSRF vulnerability

[sv1cec]

OK friends, here is the problem.

I have been using vB 3.0.xx in my site, for two simple reasons, (a) that I had no good reason to upgrade, 3.0.xx was covering my needs and (b) because my site is heavily hacked/improved with lots of modifications, some of them downloaded from here and some of them done by myself. When vB released 3.5, with the new coding conventions, I decided that the hassle was too much, and the benefits too little, so I stayed with 3.0.xx and have never regretted it.

All these years, I have been paying my vB license fees, for the simple reason that I was hoping that Jelsoft will have the decency to provide me with security updates/fixes. Remember that I am using the same major release as the current one, so I was under the impression that Jelsoft would at least make sure that my version is secure.

Enter the latest vulnerability announcement and Jelsoft position, that they do not offer any security fix for older releases. I find this absurd, but that's not the point here. The point is that I am forced to either upgrade to 3.7 and loose all my special code in my site, or to stay with a vulnerable version of vB.

I have been in touch with vB people and they do not recognize this problem, their position is that this vulnerability is not very serious and that they can't support previous releases (we are still at the same major release, mind you) and this is a security issue. I understand that they can't provide a patch for 3.0.xx, but what I was looking for, was at least some concise, concrete instructions on how to plug this hole in their software. Instead, they have send me a couple of files, which were supposed to help me patch my version (one is an explanation of how to patch 3.6.xx and the other is a diff file showing all differences between 3.6.9 and 3.6.10), unfortunately the code is in vB 3.6 not in vB 3.0. As a result these files are next to useless for me. For example, the code does not use md5 for the token, but sha1 or something, which I am not even sure it can be used in the php release I am using.

Implementing the fix on the end-user side is relatively easy, all one has to do, is to add the following line in the php files he wants to protect:

Code:

define('CSRF_PROTECTION', true);

and add this line in the templates which use POST to submit a form:

Code:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

My problem is how this "securitytoken" is generated and added in the $bbuserinfo array, and of course, where is the token checked, when submitted by a form which uses POST.

Can someone help on this? Can someone help me figure out the code which has to be added (in 3.0.xx coding standards) and where, in order to generate the token and check it?

As I explained upgrading will be a huge problem, due to all the different code I have implemented in my site (my users will go crazy, I am not even sure if the site can be upgraded with all the different columns I've added to tables etc), and keep using a vulnerable release is of course plain stupid, so all help on this will be appreciated.