The Arcive of Official vBulletin Modifications Site.

Paul M · #**102** 05-29-2008, 06:35 PM

Quote:

Originally Posted by J98680B2423E

If it was such a bad route, it would not has been implemented in a boolean form (Choice: True, False), but directly by whatever means in the code. Also it would not has been indicated in the opening post (you "should" not you "MUST"):

Lots of things are done via options in vb, that still doesnt mean its a good idea to turn them off. As for should/must - vb will still work without CSRF protection, but it will be insecure, therefore "should" is the correct term. Setting them to false, as you posted, is even worse than not setting the option at all, since that disables the old style protection as well.

mtlcore · #**103** 05-30-2008, 03:00 PM

what do i have to edit, my users are getting these errors on the following page:

profile.php?do=dst

pooffck1 · #**104** 05-30-2008, 05:28 PM

i had made my own custom style and the only problem on my board was that when i put a search engine on my header template, it gave my members a message saying something about security token

Code:

             <td class="alt1" valign="top">
<form action="$vboptions[bburl]/search.php" method="post">
                <input type="hidden" name="do" value="process" />
                <input type="hidden" name="showposts" value="0" />
                <input type="hidden" name="quicksearch" value="1" />
                <input type="hidden" name="s" value="" />
                <input type="text" name="query" size="15" onfocus="this.value=''" value="Search..." />
                <input  type="image" valign="middle" src="$vboptions[bburl]/images/misc/go.gif" style="vertical-align: middle;"/>
              </form>&nbsp;<a href="$vboptions[bburl]/search.php" accesskey="4" rel="nofollow">Options</a><br>

and this is how it looked
but when i looked at other templates i saw that they had the security token line in the search.

Code:

            <td class="alt1" valign="top">
<form action="$vboptions[bburl]/search.php" method="post">
                <input type="hidden" name="do" value="process" />
                <input type="hidden" name="showposts" value="0" />
                <input type="hidden" name="quicksearch" value="1" />
                <input type="hidden" name="s" value="" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
                <input type="text" name="query" size="15" onfocus="this.value=''" value="Search..." />
                <input  type="image" valign="middle" src="$vboptions[bburl]/images/misc/go.gif" style="vertical-align: middle;"/>
              </form>&nbsp;<a href="$vboptions[bburl]/search.php" accesskey="4" rel="nofollow">Options</a><br>

the bolded line is the extra line i put and it started to work

I hope this helps

xTerMn8R · #**105** 06-01-2008, 02:55 AM

I had similar problems with the Search functions using CMPS on the front end, yes the infamous Security Issue... but was easily fixed by adding the <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> to the adv_portal_search template right AFTER the <td class="$bgclass"> tag.

Although I understand these are NOT issues directly related to vbulletin core software, I really think that the vb staff should take into consideration that the reason most of us use this software is because of the wide varity of addon's available for it. That being said... perhapts a little more COMPATABILITY with add ons should be more carefully considered and tools to implement these fixes provided. Like when ya do the upgrade a script that will prompt you if you want it to check and upgrade all adv_portal*.* Templates that require it at.

I am an avid vb lover and Promote it to everyone I know, I've had my share of issues, but have ALWAYS found the vb staff to be very quick to respond to ANY and ALL issues I've had, so I hope we can stop the Hostile bashing and try to find a happy ground with CONSTRUCTIVE suggestions, Ya get more bees' with Honey folks....

Thank you staff, I appreciate the extra security having just gone through a Hijacked and very screwed up site not long ago. Hopefully these improvements will prevent that from happening in the future.

Be Patient,
Tom

PS: shouldn't it be Vbulletin article REPOSITORY? LOL

Goomzee · #**106** 06-03-2008, 06:03 AM

i don;t understand which templates i have to edit and put above coding

sv1cec · #**107** 06-03-2008, 07:07 AM

Well, I do not know what was the big rush about the CSRF issue. According to Jelsoft people, when I protested that a patch should be issued for those still running vB 3.0.xx since this is a security issue :

Quote:

Regarding the vulnerability of vBulletin 3.0.x and 3.5.x to the reported CSRF exploit, it is important to note that vBulletin 3 has had protection against the vast majority of CSRF attacks for quite some time, in the form of a referrer check to ensure that POST requests originate from the same domain as that on which vBulletin is installed. This fix was implemented in response to articles such as the one to which you refer on darkreading.com. This protection is sufficient to deflect almost all CSRF attempts. This most recent CSRF exploit is relatively minor in the scheme of software flaws; Secunia rates CSRF exploits' severity at only 2/5.

And this comes from James Limm, Jelsoft CEO:

Quote:

In principle, I agree that we have an obligation to ensure that our products are free from significant security issues. Security is something that we take very seriously - issues such as XSS exploits are fixed extremely quickly for all currently supported versions (usually we release a patch within 24 hours).

In this particular case however, the relatively minor nature of the CSRF issue, coupled with the complex nature of the fix and the fact that version 3.0 is an extremely old version that has been superceded twice led us to make this decision.

Mind you, Jelsoft issued an End-of-Life statement for vB 3.0 the next day after I complained about the lack of fix for a security issue. Some customer care!!!

Skitty · #**108** 06-06-2008, 04:30 PM

This fix worked for the "report pm" mod, we were getting the error message. Thank you !

Boofo · #**109** 06-06-2008, 05:09 PM

I fixed mine a long time ago. You must be using another one then.

ViewMy.biz · #**110** 06-08-2008, 10:55 PM

Quote:

Originally Posted by Wayne Luke

Forms A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

I have stand alone search forms in the first post of some long threads . . . what to do?

Also how can I do a search from MY "Referrer Whitelist" website?

phmaster · #**111** 06-11-2008, 10:24 AM

I had this problem with the search button, now its running fine.
Thanks Wayne Luke much appreciated.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.05490 seconds Memory Usage 2,340KB Queries Executed 26 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (3)bbcode_code (3)bbcode_php (4)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)modsystem_article (1)navbar (4)navbar_link (120)option (1)pagenav (1)pagenav_curpage (4)pagenav_pagelink (11)post_thanks_box (1)post_thanks_box_bit (11)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit (11)post_thanks_postbit_info (10)postbit (11)postbit_onlinestatus (11)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!