Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
Reload this Page Help in securing vB 3.0.xx for the CSRF vulnerability
FAQ Community Calendar Today's Posts Search

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #7  
Old 05-06-2008, 07:31 PM
MoT3rror MoT3rror is offline
 
Join Date: Mar 2007
Posts: 423
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I guess I will be against everyone and help you find the solution without upgrading.

All the code I am getting is from 3.7.0 files.

The security token is defined on line 1334 of class_core.php with this code.
PHP Code:
$user['securitytoken'] = sha1($user['userid'] . sha1($user['salt']) . sha1(COOKIE_SALT)); 
Then this code is checked in init.php at line 398 - 460 with this code.
PHP Code:
// CSRF Protection for POST requests
if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST')
{

    if ($vbulletin->userinfo['userid'] > AND defined('CSRF_PROTECTION') AND CSRF_PROTECTION === true)
    {
        $vbulletin->input->clean_array_gpc('p', array(
            'securitytoken' => TYPE_STR,
        ));

        if (!in_array($_POST['do'], $vbulletin->csrf_skip_list))
        {
            if ($vbulletin->GPC['securitytoken'] !== $vbulletin->userinfo['securitytoken'])
            {
                $vbphrase init_language();
                $_tmp NULL;
                $stylevar fetch_stylevars($_tmp$vbulletin->userinfo);
                exec_headers();

                die(fetch_error('security_token_missing'$stylevar['textdirection'], $vbulletin->options['contactuslink']));
            }
        }
    }
    else if (!defined('CSRF_PROTECTION') AND !defined('SKIP_REFERRER_CHECK'))
    {
        if ($_SERVER['HTTP_HOST'] OR $_ENV['HTTP_HOST'])
        {
            $http_host = ($_SERVER['HTTP_HOST'] ? $_SERVER['HTTP_HOST'] : $_ENV['HTTP_HOST']);
        }
        else if ($_SERVER['SERVER_NAME'] OR $_ENV['SERVER_NAME'])
        {
            $http_host = ($_SERVER['SERVER_NAME'] ? $_SERVER['SERVER_NAME'] : $_ENV['SERVER_NAME']);
        }

        if ($http_host AND $_SERVER['HTTP_REFERER'])
        {
            $http_host preg_replace('#:80$#'''trim($http_host));
            $referrer_parts = @parse_url($_SERVER['HTTP_REFERER']);
            $ref_port intval($referrer_parts['port']);
            $ref_host $referrer_parts['host'] . ((!empty($ref_port) AND $ref_port != '80') ? ":$ref_port'');

            $allowed preg_split('#\s+#'$vbulletin->options['allowedreferrers'], -1PREG_SPLIT_NO_EMPTY);
            $allowed[] = preg_replace('#^www\.#i'''$http_host);
            $allowed[] = '.paypal.com';

            $pass_ref_check false;
            foreach ($allowed AS $host)
            {
                if (preg_match('#' preg_quote($host'#') . '$#siU'$ref_host))
                {
                    $pass_ref_check true;
                    break;
                }
            }
            unset($allowed);

            if ($pass_ref_check == false)
            {
                die('In order to accept POST request originating from this domain, the admin must add this domain to the whitelist.');
            }
        }
    }
This code replace the following code in 3.7 R3 before the CSRF patch was released.
PHP Code:
if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST' AND !defined('SKIP_REFERRER_CHECK'))
{
    if ($_SERVER['HTTP_HOST'] OR $_ENV['HTTP_HOST'])
    {
        $http_host = ($_SERVER['HTTP_HOST'] ? $_SERVER['HTTP_HOST'] : $_ENV['HTTP_HOST']);
    }
    else if ($_SERVER['SERVER_NAME'] OR $_ENV['SERVER_NAME'])
    {
        $http_host = ($_SERVER['SERVER_NAME'] ? $_SERVER['SERVER_NAME'] : $_ENV['SERVER_NAME']);
    }

    if ($http_host AND $_SERVER['HTTP_REFERER'])
    {
        $http_host preg_replace('#:80$#'''trim($http_host));
        $referrer_parts = @parse_url($_SERVER['HTTP_REFERER']);
        $ref_port intval($referrer_parts['port']);
        $ref_host $referrer_parts['host'] . ((!empty($ref_port) AND $ref_port != '80') ? ":$ref_port'');

        $allowed preg_split('#\s+#'$vbulletin->options['allowedreferrers'], -1PREG_SPLIT_NO_EMPTY);
        $allowed[] = preg_replace('#^www\.#i'''$http_host);
        $allowed[] = '.paypal.com';

        $pass_ref_check false;
        foreach ($allowed AS $host)
        {
            if (preg_match('#' preg_quote($host'#') . '$#siU'$ref_host))
            {
                $pass_ref_check true;
                break;
            }
        }
        unset($allowed);

        if ($pass_ref_check == false)
        {
            die('In order to accept POST request originating from this domain, the admin must add this domain to the whitelist.');
        }
    }
You just need to do something similar or come up with another way of doing it.
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 10:47 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.03949 seconds
  • Memory Usage 2,609KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (2)bbcode_code
  • (3)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)showthread_list
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_threadedmode.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids_threaded
  • showthread_threaded_construct_link
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete