The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
Implementing CSRF Protection in modifications
With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might affect the code of modifications. Scott MacVicar took the time to compile a short explanation of this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) takes advantage of the stateless nature of HTTP: there is no way to ensure the exact origin of a request, and it is also not possible to tell which requests were actually initiated by the user and which were forced by a third party script. A token was added to the latest version of each of the vBulletin products; with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token. Requiring a security token for each POST request removes the ability of a remote page to force a user to submit an action.

At the moment this protection only applies to vBulletin files; third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection, the following should be added to the top of the file under the define for THIS_SCRIPT.

PHP Code:

If this value is set to false then all CSRF protection is removed for the file; this is appropriate for something that intentionally accepts remote POST requests. You should always add this to your file, even if you don't think the script is ever going to receive POST requests. If this constant is absent from your file, the old style referrer checking is performed instead.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. It will automatically be filled out with a 40 character hash that is unique to the user.

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection; in this case you can add the following to the file.

PHP Code:

If the skip list needs to be changed at runtime, it is available within the registry object; using the init_startup hook, the following code would be used to exempt 'example.php?do=action_three'.

PHP Code:
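As an added example (not code from the original post or from vBulletin itself), here is what a third-party script and its form template look like once they are opted in as described above. THIS_SCRIPT, CSRF_PROTECTION, the securitytoken hidden field and the init_startup hook come from the post; the file name example_mod.php, the template name, the action names and the CSRF_SKIP_LIST constant name are assumptions (the last is how I recall the vBulletin 3.7 init code naming it, which the page does not show).

```php
<?php
// example_mod.php - constructed illustration of a third-party vBulletin 3.7
// script opted into the new CSRF protection. Not vBulletin's own code.
error_reporting(E_ALL & ~E_NOTICE);

// 1. Name the script, then opt the whole file into token checking right under
//    it. With CSRF_PROTECTION === true, init.php (pulled in by global.php)
//    rejects any POST that lacks a valid 'securitytoken' before this file's
//    own code runs. Omitting the define falls back to the old referrer check;
//    'false' switches the check off for scripts that knowingly take remote POSTs.
define('THIS_SCRIPT', 'example_mod');
define('CSRF_PROTECTION', true);

// 2. Optional: actions that legitimately arrive without a token. The constant
//    name is assumed from the vBulletin 3.7 init code; a plugin on the
//    init_startup hook can extend the same list at runtime (see the post above).
define('CSRF_SKIP_LIST', 'ping');

$phrasegroups     = array();
$specialtemplates = array();
$globaltemplates  = array('example_mod_form');   // assumed template name

require_once('./global.php');

$vbulletin->input->clean_array_gpc('r', array('do' => TYPE_STR));

switch ($vbulletin->GPC['do'])
{
	case 'save':
		// Only POSTs carrying the current user's token reach this branch, so a
		// page on another site cannot drive this action inside the user's session.
		$vbulletin->input->clean_array_gpc('p', array('note' => TYPE_NOHTML));
		$note = $vbulletin->GPC['note'];
		// ... persist $note for $vbulletin->userinfo['userid'] here ...
		$vbulletin->url = 'example_mod.php';
		eval(print_standard_redirect('redirect_updatethanks'));
		break;

	case 'ping':
		// Exempted above: no token is checked, so this action must not change
		// anything on behalf of the logged-in user.
		echo 'pong';
		break;

	default:
		eval('print_output("' . fetch_template('example_mod_form') . '");');
}

/* Template 'example_mod_form' (assumed name), saved in the style editor. Every
   form that POSTs to this script needs the hidden securitytoken field, which
   vBulletin fills with the 40 character per-user hash:
<form action="example_mod.php?do=save" method="post">
	<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
	<input type="text" name="note" /> <input type="submit" value="Save" />
</form> */
```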
#92
does someone wanna' fix this on my forum for meh. :$
#93
anyone wanna do that on mine too?
#94
As few people are actually using a security token on forums (boards), it would be good if the vBulletin Development team could give an option in the Admin CP (->vBulletin Options) to switch this "CSRF_PROTECTION" on/off depending on whether a customer uses a Security Token or not.
I am definitely one of those who is not using a Security Token on my board (and will not be using it). Thus, in all 56 ".php" files in the "vB 3.7/upload" directory, I have changed all those define('CSRF_PROTECTION', true); to -> define('CSRF_PROTECTION', false); All my mods and plug-ins are working fine again and the board is running smoothly. No need to start chasing the authors of those many mods I have installed for updates.
#95
Please stop posting this Wikipedia article.
That is something totally different and actually only confuses people!
#96
Link removed.
I would suggest that people completely ignore what you posted, as it is removing security from vB and thus re-opening the possibility of attack. What you do to make your own forum vulnerable is up to you, but we do not advise others to follow such a bad route.
#97
I am having this problem with the Currentpoll module in vBadvanced; not sure which file I have to edit to get this fixed. Any ideas?
#98
Well, I'm by no means a coder and I am stuck with this BS.
I've searched the templates, fixed it, but it still happens. I'm so over this... I really appreciate any assistance. I've read everything, done everything, but can't sort it. We need a layman's terms walk-through please!
#99
Hi, I am a complete NEWB at this and the only thing that is not working for me is the custom skin I made; it does not support the SEARCH ENGINE on my header. It keeps giving me this message
Quote:
Someone please help me out on this. Thanks
#100
I have followed the instructions, added the code after the <form, and fixed the problem when I do a search. So it is not as bad as before.
However, when the admin tries to delete a thread, this security token error occurs. I don't think there is another <form in the template style; where can I find the problem?
#101
Quote:
I am afraid that you will not get a satisfactory answer here, as it seems that no one really knows what is happening with these random messages stating: "Your submission could not be processed because a security token ..." This CSRF stuff seems to have been done in a big rush. Open a ticket at vB.com and ask their team to proceed with installation and debugging of your site.

--------------- Added 29 May 2008 ---------------

Quote:
If it was such a bad route, it would not have been implemented in a boolean form (Choice: True, False), but directly by whatever means in the code. Also it would not have been indicated in the opening post (you "should", not you "MUST"):
Quote: