Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > Programming Articles

Reply
 
Thread Tools
Implementing CSRF Protection in modifications
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

 

Show Printable Version Email this Page Subscription
Marco van Herwaarden Marco van Herwaarden is offline 04-23-2008, 10:00 PM

With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP, there are no ways to ensure the exact origin of a request, its also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products, with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

PHP Code:
define('CSRF_PROTECTION'true); 
With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user, if its wrong an error message will be shown and execution with halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.

PHP Code:
define('CSRF_SKIP_LIST''action_one,action_two'); 
The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection, if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime is it available within the registry object, using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.

PHP Code:
if (THIS_SCRIPT == 'example')
{
        
$vbulletin->csrf_skip_list[] = 'action_three';

Reply With Quote
  #162  
Old 05-10-2009, 04:44 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by mokujin View Post
Hi Lynne,
I mean how to make the AJAX call a script without click a button (or a link) when a user just loaded the page.
For example: I have Installed AJAX Advanced Forum Statistic.
I browse the index page, that Mod loads the Statistics using AJAX for the default.

I hope you understand what I mean.
How is that related to CSRF Protection?

I'm not an ajax expert at all, so I can't really answer questions regarding ajax.
Reply With Quote
  #163  
Old 06-20-2009, 07:39 PM
Eclyps19 Eclyps19 is offline
 
Join Date: May 2007
Posts: 57
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

god i'm so confused

if I do a search in templates for that line, but it comes back with 100+ templates. Am I expected to go through every one and check for that securitytoken line?

The only thing that's not working for me is my search
Reply With Quote
  #164  
Old 06-20-2009, 08:43 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Eclyps19 View Post
god i'm so confused

if I do a search in templates for that line, but it comes back with 100+ templates. Am I expected to go through every one and check for that securitytoken line?

The only thing that's not working for me is my search
Then try just adding the line in the templates that look like they are search related. If it's a specific page that isn't working, you can find the list of templates on the page by going into debug mode and looking at the bottom of the page. Or, you can just do this - - vboptions > General Settings > Add Template Name in HTML Comments > set to Yes . Then go back to your page and view the source code and you will see the name of the template called around your part of the code.
Reply With Quote
  #165  
Old 06-21-2009, 02:42 AM
Eclyps19 Eclyps19 is offline
 
Join Date: May 2007
Posts: 57
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

that line is in the templates related to the search portion. Are there any other suggestions?
Reply With Quote
  #166  
Old 09-27-2009, 05:42 AM
yahya komeet's Avatar
yahya komeet yahya komeet is offline
 
Join Date: Sep 2009
Location: k.s.a
Posts: 2
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

<font color="DarkGreen">it is Useful information Thank you</font>
Reply With Quote
  #167  
Old 11-01-2009, 11:12 PM
whaase whaase is offline
 
Join Date: May 2006
Posts: 17
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What do you do if only a few users have the issue and no one else?
Reply With Quote
  #168  
Old 11-10-2009, 10:46 AM
gnagplank6 gnagplank6 is offline
 
Join Date: Jun 2009
Posts: 33
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Guys,

Lynne directed me to this thread and after over a week of no one responding to my cries for help my problem is solved.

THANK YOU LYNNE!!!!!

Users were getting a Security Token message when they tried to use the search function and this thread helped rectify the issue within a short amount of time. As an FYI we are running VB 3.8+ over at our place.
Reply With Quote
  #169  
Old 12-27-2009, 03:31 PM
pablete pablete is offline
 
Join Date: Feb 2009
Posts: 99
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

hello, i have a problem with security token in IBPROarcade whem i go submit the score, it show in this page of forum. i have vb 4

foro/index.php?act=Arcade&do=newscore

where template or i have to modify to fix that?

Thank's
Reply With Quote
  #170  
Old 12-27-2009, 05:28 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by pablete View Post
hello, i have a problem with security token in IBPROarcade whem i go submit the score, it show in this page of forum. i have vb 4

foro/index.php?act=Arcade&do=newscore

where template or i have to modify to fix that?

Thank's
Questions/Problems regarding modifications need to be asked in the modification thread. That is where the support for modifications is - not out here in the main forums. Please note that if a modification is unsupported (or even if it says it is supported), you may be on your own if you chose to install it.
Reply With Quote
  #171  
Old 01-15-2010, 08:59 PM
psypher psypher is offline
 
Join Date: Dec 2009
Posts: 17
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I am creating an application form that posts info to my officer forums. It was very easy to make in SMF but I keep getting the security token error when doing it in VB4 gold.

<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################

define('THIS_SCRIPT', 'epeen_application.php');
define('CSRF_PROTECTION', true);

..... blah blah

// ###### YOUR CUSTOM CODE GOES HERE #####
$pagetitle = 'ePeen Application';
$application_form = '<div id="appForm">
<div id="innerGutsApp">
<form id="ePeenApp" class="appnitro" method="post" action="submit_app.php">
<div class="form_description">
<h2>ePeen Application</h2>
<p>Flex Your ePeen Here!</p>
</div>
...
... blah blah

<li class="buttons">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="form_id" value="111237" />
<input id="saveForm" class="button_text" type="submit" name="submit" value="Submit" />
</li>
</ul>
</form>
</div>
</div>';

// ###### NOW YOUR TEMPLATE IS BEING RENDERED ######
$templater = vB_Template::create('ePeen_application');
$templater->register_page_templates();
$templater->register('navbar', $navbar);
$templater->register('pagetitle', $pagetitle);
$templater->register('application_form', $application_form);
print_output($templater->render());

?>

I have what is required but I still get the security token error. Any idea how I can make this work? I have tried taking the form out of my php file and put it directly into the template with no change. I need to get this site done and this is one of my last road blocks.
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:48 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06856 seconds
  • Memory Usage 2,331KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)bbcode_code
  • (3)bbcode_php
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (1)pagenav_pagelinkrel
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete