Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > Programming Articles

Reply
 
Thread Tools
Implementing CSRF Protection in modifications
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

 

Show Printable Version Email this Page Subscription
Marco van Herwaarden Marco van Herwaarden is offline 04-23-2008, 10:00 PM

With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP, there are no ways to ensure the exact origin of a request, its also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products, with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

PHP Code:
define('CSRF_PROTECTION'true); 
With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user, if its wrong an error message will be shown and execution with halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.

PHP Code:
define('CSRF_SKIP_LIST''action_one,action_two'); 
The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection, if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime is it available within the registry object, using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.

PHP Code:
if (THIS_SCRIPT == 'example')
{
        
$vbulletin->csrf_skip_list[] = 'action_three';

Reply With Quote
  #112  
Old 06-14-2008, 07:40 PM
Sworm Sworm is offline
 
Join Date: Feb 2008
Posts: 422
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi all, for now, i have this error only in the polls voted from VBA homepage..... what is the template that i go to edit?
Reply With Quote
  #113  
Old 06-29-2008, 04:48 AM
PoetJA-1975's Avatar
PoetJA-1975 PoetJA-1975 is offline
 
Join Date: Sep 2006
Location: Meh...
Posts: 1,218
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Wow - Thank GAWD for Google LOL - did a search and this is the very 1st thread I found.... After editing over 50 or more templates in the past hour or so - I thank you all who have helped - notably the very informative post here AND the query that made it so very easy here.

It's not very often I see a HELP ME JESUS! thread that actually has the solution on the 1st page

Thanx GUYZ!

Jacquii.
Reply With Quote
  #114  
Old 07-07-2008, 02:04 AM
nhuhuu's Avatar
nhuhuu nhuhuu is offline
 
Join Date: Sep 2004
Posts: 45
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

hi dear all.
when i add new styles into my forum. it ok.
then i want to show 3 styles on my forumhome for my member enjoy it. but i can't save display oder. i got note below :

Quote:
Your submission could not be processed because a security token was missing or mismatched.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.
please help me why my Admincp got Error... i want to fix it, but i don't know to fix in Admincp. i had been fixed at templates ok
Reply With Quote
  #115  
Old 07-09-2008, 12:51 AM
CEO254 CEO254 is offline
 
Join Date: Feb 2008
Posts: 112
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Wayne Luke View Post
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.
I have done this and I have also Re upped all my files and im still getting an error
Reply With Quote
  #116  
Old 07-13-2008, 05:45 PM
xoutlawz00x xoutlawz00x is offline
 
Join Date: May 2008
Posts: 56
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Dismounted View Post
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.
Code:
YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
	success: this.handle_ajax_response,
	failure: this.handle_ajax_error,
	timeout: vB_Default_Timeout,
	scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);
would you be kind and help me implement this into my templete.. i dont understand

--------------- Added [DATE]1215989398[/DATE] at [TIME]1215989398[/TIME] ---------------

i upgraded the script and everything is fine now thanksss
Reply With Quote
  #117  
Old 07-18-2008, 01:35 PM
denman75 denman75 is offline
 
Join Date: Aug 2006
Location: Netherlands
Posts: 228
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by CEO254 View Post
I have done this and I have also Re upped all my files and im still getting an error
same here
this is really frustrating
i don't care where its coming from ,i know it has to be fixed
since i am not a coder
if i purchace a board and its running great and after a update its not
than there is not much i cant do a as a total non coder
Reply With Quote
  #118  
Old 08-02-2008, 02:31 PM
gbox master gbox master is offline
 
Join Date: Dec 2007
Posts: 108
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

hi

can some one explain this to me please
i get the error also on my forum since some fool invented a new way of protection or something

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.


Quote:
Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.
i dont understand this very well
i use a modified template not from vB but from phpbb
on 3.6 all is ok en works fine
now on 3.7 the problems start

ps if someone can help me do this it would be apriciated by paypal
Reply With Quote
  #119  
Old 08-06-2008, 02:32 PM
meissenation meissenation is offline
 
Join Date: Apr 2005
Posts: 476
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

My users are getting the error when uploading attachments to their album or to a thread. Both templates have the <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> already, so what is the next course of action to fix this?
Reply With Quote
  #120  
Old 08-06-2008, 09:08 PM
mokujin's Avatar
mokujin mokujin is offline
 
Join Date: Oct 2005
Location: Czech
Posts: 345
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by xoutlawz00x View Post
would you be kind and help me implement this into my templete.. i dont understand

--------------- Added [DATE]1215989398[/DATE] at [TIME]1215989398[/TIME] ---------------

i upgraded the script and everything is fine now thanksss
I dont understand too Where are coders now?
Reply With Quote
  #121  
Old 08-11-2008, 05:00 PM
Triky's Avatar
Triky Triky is offline
 
Join Date: Mar 2007
Location: [Italy]
Posts: 728
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I am trying to reproduce my usercp.php file on my site root, I have copyed also my profile.php file and all my /includes/ folder.. and when I'm sending data from it, I got this error:

Code:
 Fatal error:  Call to undefined function:  verify_security_token() in c:\programs\server\www\install_test\includes\init.php on line 416
Why? I have this line of code on init.php at line 416:

PHP Code:
            if (!verify_security_token($vbulletin->GPC['securitytoken'], $vbulletin->userinfo['securitytoken_raw'])) 
Can please somebody help me?
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:39 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06860 seconds
  • Memory Usage 2,339KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (3)bbcode_code
  • (4)bbcode_php
  • (6)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (1)pagenav_pagelinkrel
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete