Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > Programming Articles

Reply
 
Thread Tools
Implementing CSRF Protection in modifications
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

 

Show Printable Version Email this Page Subscription
Marco van Herwaarden Marco van Herwaarden is offline 04-23-2008, 10:00 PM

With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP, there are no ways to ensure the exact origin of a request, its also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products, with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

PHP Code:
define('CSRF_PROTECTION'true); 
With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user, if its wrong an error message will be shown and execution with halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.

PHP Code:
define('CSRF_SKIP_LIST''action_one,action_two'); 
The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection, if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime is it available within the registry object, using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.

PHP Code:
if (THIS_SCRIPT == 'example')
{
        
$vbulletin->csrf_skip_list[] = 'action_three';

Reply With Quote
  #102  
Old 05-29-2008, 06:35 PM
Paul M's Avatar
Paul M Paul M is offline
 
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by J98680B2423E View Post
If it was such a bad route, it would not has been implemented in a boolean form (Choice: True, False), but directly by whatever means in the code. Also it would not has been indicated in the opening post (you "should" not you "MUST"):
Lots of things are done via options in vb, that still doesnt mean its a good idea to turn them off. As for should/must - vb will still work without CSRF protection, but it will be insecure, therefore "should" is the correct term. Setting them to false, as you posted, is even worse than not setting the option at all, since that disables the old style protection as well.
Reply With Quote
  #103  
Old 05-30-2008, 03:00 PM
mtlcore mtlcore is offline
 
Join Date: Jul 2005
Posts: 265
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

what do i have to edit, my users are getting these errors on the following page:

profile.php?do=dst
Reply With Quote
  #104  
Old 05-30-2008, 05:28 PM
pooffck1 pooffck1 is offline
 
Join Date: Apr 2008
Posts: 77
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

i had made my own custom style and the only problem on my board was that when i put a search engine on my header template, it gave my members a message saying something about security token

Code:
             <td class="alt1" valign="top">
<form action="$vboptions[bburl]/search.php" method="post">
                <input type="hidden" name="do" value="process" />
                <input type="hidden" name="showposts" value="0" />
                <input type="hidden" name="quicksearch" value="1" />
                <input type="hidden" name="s" value="" />
                <input type="text" name="query" size="15" onfocus="this.value=''" value="Search..." />
                <input  type="image" valign="middle" src="$vboptions[bburl]/images/misc/go.gif" style="vertical-align: middle;"/>
              </form>&nbsp;<a href="$vboptions[bburl]/search.php" accesskey="4" rel="nofollow">Options</a><br>
and this is how it looked
but when i looked at other templates i saw that they had the security token line in the search.

Code:
            <td class="alt1" valign="top">
<form action="$vboptions[bburl]/search.php" method="post">
                <input type="hidden" name="do" value="process" />
                <input type="hidden" name="showposts" value="0" />
                <input type="hidden" name="quicksearch" value="1" />
                <input type="hidden" name="s" value="" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
                <input type="text" name="query" size="15" onfocus="this.value=''" value="Search..." />
                <input  type="image" valign="middle" src="$vboptions[bburl]/images/misc/go.gif" style="vertical-align: middle;"/>
              </form>&nbsp;<a href="$vboptions[bburl]/search.php" accesskey="4" rel="nofollow">Options</a><br>
the bolded line is the extra line i put and it started to work

I hope this helps
Reply With Quote
  #105  
Old 06-01-2008, 02:55 AM
xTerMn8R xTerMn8R is offline
 
Join Date: Mar 2004
Posts: 116
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I had similar problems with the Search functions using CMPS on the front end, yes the infamous Security Issue... but was easily fixed by adding the <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> to the adv_portal_search template right AFTER the <td class="$bgclass"> tag.

Although I understand these are NOT issues directly related to vbulletin core software, I really think that the vb staff should take into consideration that the reason most of us use this software is because of the wide varity of addon's available for it. That being said... perhapts a little more COMPATABILITY with add ons should be more carefully considered and tools to implement these fixes provided. Like when ya do the upgrade a script that will prompt you if you want it to check and upgrade all adv_portal*.* Templates that require it at.

I am an avid vb lover and Promote it to everyone I know, I've had my share of issues, but have ALWAYS found the vb staff to be very quick to respond to ANY and ALL issues I've had, so I hope we can stop the Hostile bashing and try to find a happy ground with CONSTRUCTIVE suggestions, Ya get more bees' with Honey folks....

Thank you staff, I appreciate the extra security having just gone through a Hijacked and very screwed up site not long ago. Hopefully these improvements will prevent that from happening in the future.

Be Patient,
Tom

PS: shouldn't it be Vbulletin article REPOSITORY? LOL
Reply With Quote
  #106  
Old 06-03-2008, 06:03 AM
Goomzee Goomzee is offline
 
Join Date: Apr 2008
Location: Philippines
Posts: 588
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

i don;t understand which templates i have to edit and put above coding
Reply With Quote
  #107  
Old 06-03-2008, 07:07 AM
sv1cec sv1cec is offline
 
Join Date: May 2004
Location: Athens, Greece
Posts: 2,091
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well, I do not know what was the big rush about the CSRF issue. According to Jelsoft people, when I protested that a patch should be issued for those still running vB 3.0.xx since this is a security issue :

Quote:
Regarding the vulnerability of vBulletin 3.0.x and 3.5.x to the reported CSRF exploit, it is important to note that vBulletin 3 has had protection against the vast majority of CSRF attacks for quite some time, in the form of a referrer check to ensure that POST requests originate from the same domain as that on which vBulletin is installed. This fix was implemented in response to articles such as the one to which you refer on darkreading.com. This protection is sufficient to deflect almost all CSRF attempts. This most recent CSRF exploit is relatively minor in the scheme of software flaws; Secunia rates CSRF exploits' severity at only 2/5.
And this comes from James Limm, Jelsoft CEO:

Quote:
In principle, I agree that we have an obligation to ensure that our products are free from significant security issues. Security is something that we take very seriously - issues such as XSS exploits are fixed extremely quickly for all currently supported versions (usually we release a patch within 24 hours).

In this particular case however, the relatively minor nature of the CSRF issue, coupled with the complex nature of the fix and the fact that version 3.0 is an extremely old version that has been superceded twice led us to make this decision.
Mind you, Jelsoft issued an End-of-Life statement for vB 3.0 the next day after I complained about the lack of fix for a security issue. Some customer care!!!
Reply With Quote
  #108  
Old 06-06-2008, 04:30 PM
Skitty Skitty is offline
 
Join Date: May 2007
Posts: 44
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This fix worked for the "report pm" mod, we were getting the error message. Thank you !
Reply With Quote
  #109  
Old 06-06-2008, 05:09 PM
Boofo's Avatar
Boofo Boofo is offline
 
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I fixed mine a long time ago. You must be using another one then.
Reply With Quote
  #110  
Old 06-08-2008, 10:55 PM
ViewMy.biz ViewMy.biz is offline
 
Join Date: May 2002
Posts: 39
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Wayne Luke View Post
Forms A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.
I have stand alone search forms in the first post of some long threads . . . what to do?

Also how can I do a search from MY "Referrer Whitelist" website?
Reply With Quote
  #111  
Old 06-11-2008, 10:24 AM
phmaster phmaster is offline
 
Join Date: May 2008
Posts: 7
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I had this problem with the search button, now its running fine.
Thanks Wayne Luke much appreciated.
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:32 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05162 seconds
  • Memory Usage 2,324KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (3)bbcode_code
  • (3)bbcode_php
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete