The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
Implementing CSRF Protection in modifications
With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications. Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org: Changes for CSRF protection with third party modifications Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP, there are no ways to ensure the exact origin of a request, its also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products, with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token. The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility. Adding Protection to your own files To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT. PHP Code:
If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests. You should always add this to your file, even if you don't think the script is ever going to receive POST requests. An absence of this defined constant within your files will result in the old style referrer checking being performed. Template Changes The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user. Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> Exempting Certain Actions It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file. PHP Code:
If the skip list needs to be changed at runtime is it available within the registry object, using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'. PHP Code:
|
#142
|
|||
|
|||
ok . now witch template have to be edited ? would you please tell me ? all templates ?
--------------- Added [DATE]1235223321[/DATE] at [TIME]1235223321[/TIME] --------------- i did everything but all the users get this message !!! Your submission could not be processed because a security token was missing. If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error the latest release of vbulletin ! please help to slove this ! |
#143
|
|||
|
|||
i get this error only with mozilla when users try to search forums
|
#144
|
||||
|
||||
Could you please tell me which of the Templates I have to change so I don´t get the "Securitytoken" error anymore when submitting the Score for the IbProArcade ? If someone would already know, it would save me a lot of work finding that.
Thanks |
#145
|
||||
|
||||
Hi, I did the query posted earlier and when I check the Style ID's, one of the results is -1, as shown in the attachment. When I hover over my styles in style manager none of them come up as -1. When I click on a style to go to the url and change the style id at the end of the url to -1 it comes up as the andromeda style, but in style manager, andromeda comes up as styleid 58. Any clues as to why this is like that? I fixed all the security token issues except for the 7 occurences that happen in this -1 styleid.
Any help would be appreciated. |
#146
|
||||
|
||||
-1 means the Master Style which you can only see in debug mode.
|
#147
|
||||
|
||||
Thank you - how would I change those templates then?
|
#148
|
||||
|
||||
You would have to go into debug mode. However, it seems odd that those default templates do not have the security token unless you have done something to modify those templates in the Master Style. There are some forms that do not need the securitytoken and my guess is that those don't. (Mine don't have it in those forms (the couple I checked) and the site runs fine.)
|
#149
|
||||
|
||||
ThanQ Lynne - I appreciate your help. I guess I will ignore them for now.
On another note, I'm no longer getting a flood of emails for security tokens missing, but I have received two of these: HTML Code:
Missing or Invalid Security Token detected. Script Call Backtrace ===================== #0 /home/imforums/public_html/forums/includes/functions.php line 2688: eval() #1 /home/imforums/public_html/forums/global.php line 379: fetch_error(security_token_missing,sendmessage.php) #2 /home/imforums/public_html/forums/profile.php line 150: require_once(/home/imforums/public_html/forums/global.php) POST Variables ============== Array ( [securitytoken] => [ajax] => 0 ) Request URI =========== /forums/profile.php?do=dst |
#150
|
||||
|
||||
Make sure the security token is present in the footer where the profile.php form is called.
|
#151
|
||||
|
||||
Thanks again Lynne, I have about 7 skins total and from what I can see all the footer templates have the security token. The sql query only shows these results. I have received 8 email notificactions of missing security tokens, all with exactly the same information as what I posted above. Any other ideas?
|
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|