Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > Programming Articles

Reply
 
Thread Tools
Implementing CSRF Protection in modifications
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

 

Show Printable Version Email this Page Subscription
Marco van Herwaarden Marco van Herwaarden is offline 04-23-2008, 10:00 PM

With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP, there are no ways to ensure the exact origin of a request, its also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products, with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

PHP Code:
define('CSRF_PROTECTION'true); 
With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user, if its wrong an error message will be shown and execution with halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.

PHP Code:
define('CSRF_SKIP_LIST''action_one,action_two'); 
The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection, if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime is it available within the registry object, using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.

PHP Code:
if (THIS_SCRIPT == 'example')
{
        
$vbulletin->csrf_skip_list[] = 'action_three';

Reply With Quote
  #72  
Old 05-11-2008, 03:18 PM
Ionsurge's Avatar
Ionsurge Ionsurge is offline
 
Join Date: Jan 2003
Location: United Kingdom
Posts: 7
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I've managed to rectify most of these errors myself, however, if I click the "Go Advanced" button on the quick reply part of viewing a thread, it shows the error? As far as I can tell, I've amended it all...

Any help? Have I missed a file?
Reply With Quote
  #73  
Old 05-11-2008, 04:31 PM
ExTincTi0N ExTincTi0N is offline
 
Join Date: Mar 2008
Location: Texas
Posts: 332
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Ok I am having trouble with my skins.
Its the security token thing.
Where do I add it and where in it?
Reply With Quote
  #74  
Old 05-11-2008, 09:45 PM
steve1966 steve1966 is offline
 
Join Date: Dec 2007
Posts: 504
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi i have added the this <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> after value="$session[sessionhash to all my templates and my members are getting this

Quote:
While performing a search in the Games forum, I received the following message:

"Your submission could not be processed because a security token was missing or mismatched."
please can someone tell me what i should do now as i am a little confused also do i need to do anything with this code

YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
success: this.handle_ajax_response,
failure: this.handle_ajax_error,
timeout: vB_Default_Timeout,
scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

thanks
Reply With Quote
  #75  
Old 05-12-2008, 04:40 AM
setishock setishock is offline
 
Join Date: Feb 2008
Location: Houma, La.
Posts: 1,177
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Only time I get one is when I am uploading a flv movie clip. I got the first one up and that was it. Static picture attachments and albums are ok as are text posting. I created an flv attachment and mimed it with content-type: video/flv. This is not using a hack or mod but an inhouse feature.
So what would you suggest to fix it? I do have the passivevid product installed but all was ok till I created the flv attachment.
Reply With Quote
  #76  
Old 05-12-2008, 06:00 PM
unitedbreaks's Avatar
unitedbreaks unitedbreaks is offline
 
Join Date: Aug 2006
Posts: 24
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Wayne Luke View Post
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.
Thank you for making it 'clear' on how to fix this issue. Much appreciation.
Reply With Quote
  #77  
Old 05-13-2008, 12:40 PM
Fireproof Fireproof is offline
 
Join Date: Apr 2007
Posts: 155
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I'm sorry, I'm still a bit lost.

I'm using the FORM HACK modification. Can someone tell me what I should be adding, and where? I don't know if I'm supposed to add the "define" tag or the "Input securitytoken" tag" or both.
Reply With Quote
  #78  
Old 05-14-2008, 02:54 PM
Bounce's Avatar
Bounce Bounce is offline
 
Join Date: Mar 2004
Location: Edinburgh,Scotland
Posts: 919
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Fireproof View Post
I'm sorry, I'm still a bit lost.

I'm using the FORM HACK modification. Can someone tell me what I should be adding, and where? I don't know if I'm supposed to add the "define" tag or the "Input securitytoken" tag" or both.
If its the same FORM hack as i'm thinking of in the form template find

HTML Code:
<input type="hidden" name="poststarttime" value="$poststarttime" />
Add after
HTML Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
I had same problem
Reply With Quote
  #79  
Old 05-14-2008, 06:39 PM
JBMoney JBMoney is offline
 
Join Date: Feb 2002
Posts: 109
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What if all the templates look fine, and include the code above, but it still happens?

On my site, it happens to users who haven't logged in for a while. They log in, see the forum briefly and then get the error while being redirected to profile.php?do=dst.
Reply With Quote
  #80  
Old 05-14-2008, 07:03 PM
dancue dancue is offline
 
Join Date: Feb 2008
Posts: 569
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Am I correct in assuming that this is where the change would take place?

What must be done?

Code:
				if ( zahl < postids.length){
					postid = postids[zahl];
					unhide.open("POST", "showthread.php", true);
					unhide.onreadystatechange = ausgeben;
					unhide.setRequestHeader(
						"Content-Type",
						"application/x-www-form-urlencoded");
					unhide.send("do=whatever&p="+postid+"&all="+old);
				} else zahl = 0;
			}
I am using itsid's HIDE Hack.
Reply With Quote
  #81  
Old 05-14-2008, 07:29 PM
Fireproof Fireproof is offline
 
Join Date: Apr 2007
Posts: 155
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by hIBEES View Post
If its the same FORM hack as i'm thinking of in the form template find

HTML Code:
<input type="hidden" name="poststarttime" value="$poststarttime" />
Add after
HTML Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
I had same problem

Genius! Thank you - worked perfectly!!
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 03:39 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04879 seconds
  • Memory Usage 2,333KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (2)bbcode_code
  • (4)bbcode_html
  • (3)bbcode_php
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete