The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
Comments
#52
Quote:
newsproxy.php
#53
Thanks Andreas for this Mod. At least it is pointing users to possible files that need to be debugged.
I have just installed (finalupgrade vB 3.7 CR3 ->) vB 3.7 Gold and the vBlog 1.0.5. Smooth installation completed and navigating through the site works fine, until one member tried to post a Blog entry. "Your submission could not be processed because a security token was missing or mismatched." I have browsed through and read all threads at vB.com and vB.org regarding this issue and ended up here (via Boofo's referral in one of those many threads). Here is what I got in my logs:
Code:
Missing or Invalid Security Token detected.

Script Call Backtrace
=====================
#0 /home/++++++++++/public_html/forum/includes/functions.php line 2528: eval()
#1 /home/++++++++++/public_html/forum/includes/init.php line 417: fetch_error(security_token_missing,ltr,sendmessage.php)
#2 /home/++++++++++/public_html/forum/global.php line 20: require_once(/home/++++++++++/public_html/forum/includes/init.php)
#3 /home/++++++++++/public_html/forum/blog_post.php line 111: require_once(/home/++++++++++/public_html/forum/global.php)

POST Variables
==============
Array
(
    [title] => Just testing
    [message] => Just testing<br>
    [wysiwyg] => 1
    [s] =>
    [do] => updateblog
    [b] =>
    [posthash] => 019bc6a36c2d9a5ea4c8fd568e55ccc1
    [poststarttime] => 1211619819
    [loggedinuser] => 1
    [sbutton] => Post Now
    [allowcomments] => 1
    [status] => publish_now
    [publish] => Array
        (
            [month] => 5
            [day] => 24
            [year] => 2008
            [hour] => 08
            [minute] => 25
        )
    [parseurl] => 1
    [emailupdate] => email
    [blogid] =>
    [securitytoken] =>
)

Request URI
===========
/forum/blog_post.php?do=updateblog

The files (functions.php, init.php, sendmessage.php, global.php, blog_post.php) listed above are brand new (i.e. directly obtained from the finalupgrade). All templates & styles up-to-date. All those security tokens are already present in files containing forms. All Mods & Plug-ins disabled. What's going on with this vB 3.7 Gold? Has anyone figured out a good medicine for this "CSRF Protection"? In the meantime, I have just taken vB 3.7 Gold out of my forum and put back in place my vB 3.7 CR3 - working fine.
#54
Quote:
define('CSRF_PROTECTION', true); to -> define('CSRF_PROTECTION', false); All my mods and plug-ins are working fine again and the board is running smoothly. It will be good if the vBulletin Development team could give an option in the Admin CP (->vBulletin Options) to switch on/off this "CSRF_PROTECTION" depending on whether a customer uses a Security Token or not. This, as few people are actually using a "security token".
#55
|
||||
|
||||
DO NOT REMOVE THIS CONSTANT FROM vBulletin SCRIPTS
Never! The Wikipedia article Mike-D posted is about something else. If you are using the default style, unmodified files and no plugins you should not have any problems. If you do have problems, please make sure that all your plugins and templates are up to date. As you can clearly see from the E-Mail, the token is missing! Please check again if all your templates are up-to-date. If they are, please repeat this step until you have found the one that is not up-to-date.
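Added example, not part of the original thread and not vBulletin code: a small Python audit that flags POST forms in template markup that carry no `securitytoken` input, which is the condition visible in the log in post #53 (`[securitytoken] =>` empty). The template names and markup in `SAMPLES` are constructed for illustration, and `audit_templates` is a hypothetical helper name.

```python
from html.parser import HTMLParser

TOKEN_FIELD = "securitytoken"  # field name taken from the logged POST variables

class FormTokenAuditor(HTMLParser):
    """Collects POST forms that contain no input named TOKEN_FIELD."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, action) for each unprotected POST form
        self._form = None   # state of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._close_form()  # tolerate a missing </form> before a new form
            self._form = {"line": self.getpos()[0], "action": attrs.get("action") or "",
                          "post": (attrs.get("method") or "get").strip().lower() == "post",
                          "token": False}
        elif tag == "input" and self._form and attrs.get("name") == TOKEN_FIELD:
            self._form["token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._close_form()

    def _close_form(self):
        form, self._form = self._form, None
        if form and form["post"] and not form["token"]:
            self.findings.append((form["line"], form["action"]))

def audit_templates(templates):
    """Return (template, line, action) for every POST form lacking the token field."""
    report = []
    for name, source in sorted(templates.items()):
        auditor = FormTokenAuditor()
        auditor.feed(source)
        auditor.close()
        auditor._close_form()  # flush a form still open at the end of the template
        report.extend((name, line, action) for line, action in auditor.findings)
    return report

# Constructed sample templates (names and markup are illustrative, not vBulletin's own).
SAMPLES = {
    "blog_entry_editor": '<form action="blog_post.php?do=updateblog" method="post">\n'
                         '<input type="hidden" name="do" value="updateblog" />\n</form>',
    "contact_form": '<form action="sendmessage.php" method="post">\n'
                    '<input type="hidden" name="securitytoken" value="PLACEHOLDER" />\n</form>',
    "search_box": '<form action="search.php" method="get"><input name="query" /></form>',
}

if __name__ == "__main__":
    for finding in audit_templates(SAMPLES):
        print("POST form without %s: %s line %d -> %s" % ((TOKEN_FIELD,) + finding))
```

GET forms are skipped because the thread only concerns POST submissions; requests built by JavaScript or plugins are not visible to a markup scan and have to be checked separately.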
#56
|
|||
|
|||
Quote:
The constant is there, but set to false, until vBulletin Team comes out with a non retarded solution.
#57
|
||||
|
||||
Being false is even worse than not being there at all - as that will also disable the POST referrer whitelist check.
So with this setup your board is more insecure than 3.6.9/3.7.0 RC 3. Fixing your issues is quite simple: Upload all original non-image files, revert all templates and disable the plugin system. If there are still issues afterwards, open a support ticket @ vbulletin.com. If you do not want to go this route, you will have to fix the installed modifications/templates yourself - refer to the article about CSRF protection. Detailed instructions have been posted there.
#58
|
||||
|
||||
That's a bit like deciding to remove all the locks from the doors to your house in the hope that no one will try and break in. Not a very good idea.
#59
|
||||
|
||||
Quote:
Quote:
I keep getting different missing security token messages... and I don't know how to deal with them... Is this normal, should we do something about it? I get a message or two from members saying they got the message... Can anyone explain why these different messages? Every one from a different php.
#60
|
||||
|
||||
Andreas, is there a way to set this hack up to be a little more specific on where the error is coming from maybe? That might help narrowing it down a bit in some places. I have gotten only a couple but they are in weird places as far as I can tell. One was even from the editpost.php and I don't have any hacks touching that.
#61
|
||||
|
||||
Quote:
I second that... in other words... exactly what I wanted