Security Token Notification
Version: 1.0.1, by Andreas

Category: Administrative and Maintenance Tools - Version: 3.6.9
Released: 04-23-2008 Last Update: 05-26-2008 Installs: 75
Uses Plugins
 
No support by the author.

This simple mod logs security token errors to the vBulletin PHP error log and optionally sends an e-mail to the webmaster.

Example Log Entry
Code:
Missing or Invalid Security Token detected.

Script Call Backtrace
=====================
#0 C:\Programme\XAMPP Lite\htdocs\vb310\includes\functions.php line 2420: eval()
#1 C:\Programme\XAMPP Lite\htdocs\vb310\includes\init.php line 417: fetch_error(security_token_missing,ltr,sendmessage.php)
#2 C:\Programme\XAMPP Lite\htdocs\vb310\global.php line 20: require_once(C:\Programme\XAMPP Lite\htdocs\vb310\includes\init.php)
#3 C:\Programme\XAMPP Lite\htdocs\vb310\newthread.php line 49: require_once(C:\Programme\XAMPP Lite\htdocs\vb310\global.php)

POST Variables
===============
Array
(
    [do] => foo
    [f] => 3
    [forumid] => 3
    [securitytoken] => 
)

Request URI
===========
/vb368pl1/newthread.php?do=foo

Datum: 24.04.2008 11:36:08
Benutzername: Kirby
IP-Adresse: 127.0.0.1
If you do not know what this is about, you most likely won't need it.
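A small log triage script, added here as an example and not part of the mod or of any post in this thread: it parses entries in the format shown above, names the entry-point script and `do` action of each, and separates an empty securitytoken (the form never sent one, typically an outdated template or plugin) from a non-empty one (a stale or mismatched token). The sample entry, its paths and its values are constructed.

```python
import re
from collections import Counter

# Constructed sample entry in the format the mod writes; paths and values are made up.
SAMPLE_LOG = """Missing or Invalid Security Token detected.
Script Call Backtrace
=====================
#0 /srv/www/forum/includes/functions.php line 2528: eval()
#1 /srv/www/forum/includes/init.php line 417: fetch_error(security_token_missing,ltr,sendmessage.php)
#2 /srv/www/forum/global.php line 20: require_once(/srv/www/forum/includes/init.php)
#3 /srv/www/forum/blog_post.php line 111: require_once(/srv/www/forum/global.php)
POST Variables
==============
Array
(
    [do] => updateblog
    [securitytoken] => 
)
Request URI
===========
/forum/blog_post.php?do=updateblog
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(\S.*?)\s+line\s+(\d+):\s+(.*)$")
POST_RE = re.compile(r"^\s*\[(\w+)\]\s+=>\s*(.*)$")

def parse_entry(text):
    """Extract the backtrace frames, POST fields and request URI of one entry."""
    frames, post, uri = [], {}, None
    for line in text.splitlines():
        if m := FRAME_RE.match(line):
            frames.append({"file": m.group(2), "call": m.group(4)})
        elif m := POST_RE.match(line):
            post[m.group(1)] = m.group(2).strip()
        elif uri is None and line.startswith("/"):
            uri = line.strip()
    # The frame that pulled in global.php is the entry-point script, i.e. the
    # target of the form whose template or plugin is not sending the token.
    entry = next((f["file"] for f in frames
                  if f["call"].startswith("require_once(") and "global.php)" in f["call"]),
                 frames[-1]["file"] if frames else "")
    # Empty token = the form never sent one; non-empty = stale/mismatched token.
    kind = "missing" if not post.get("securitytoken") else "mismatched"
    return {"script": re.split(r"[\\/]", entry)[-1], "do": post.get("do", ""),
            "kind": kind, "ajax": post.get("ajax") == "1", "uri": uri}

def triage(entries):
    """Count entries by (script, do, kind) so the offending form stands out."""
    return Counter((e["script"], e["do"], e["kind"]) for e in map(parse_entry, entries))
```

Feed `triage()` the entries split out of the PHP error log; the (script, do) pairs with the most "missing" hits point at the template or plugin form to check first.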

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #52  
05-15-2008, 11:56 AM
Boofo
 
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776

Quote:
Originally Posted by soulface View Post
Code:
Missing or Invalid Security Token detected.
 
Script Call Backtrace
=====================
#0 /home/doshomik/public_html/includes/functions.php line 2528: eval()
#1 /home/doshomik/public_html/includes/init.php line 417: fetch_error(security_token_missing,ltr,sendmessage.php)
#2 /home/doshomik/public_html/admincp/global.php line 34: require_once(/home/doshomik/public_html/includes/init.php)
#3 /home/doshomik/public_html/admincp/newsproxy.php line 25: require_once(/home/doshomik/public_html/admincp/global.php)

POST Variables
==============
Array
(
    [ajax] => 1
    [securitytoken] => 
)

Request URI
===========
/admincp/newsproxy.php
OK, can anyone describe in normal language how I can identify which hack is causing the problem by looking at this message?

thx
Look for this file maybe?

newsproxy.php
  #53  
05-24-2008, 09:27 AM
J98680Bxxxxx
 
Join Date: Jan 2008
Location: Bridge - Enterprise
Posts: 325

Thanks Andreas for this Mod. At least it is pointing users to possible files that need to be debugged.

I have just installed (finalupgrade vB 3.7 CR3 ->) vB 3.7 Gold and the vBlog 1.0.5. Smooth installation completed and navigating through the site works fine, until one member tried to post a Blog entry. "Your submission could not be processed because a security token was missing or mismatched."

I have browsed through and read all threads at vB.com and vB.org regarding this issue and ended up here (via Boofo's referral in one of those many threads).

Here is what I got in my logs:

Code:
Missing or Invalid Security Token detected.

Script Call Backtrace
=====================
#0 /home/++++++++++/public_html/forum/includes/functions.php line 2528: eval()
#1 /home/++++++++++/public_html/forum/includes/init.php line 417: fetch_error(security_token_missing,ltr,sendmessage.php)
#2 /home/++++++++++/public_html/forum/global.php line 20: require_once(/home/++++++++++/public_html/forum/includes/init.php)
#3 /home/++++++++++/public_html/forum/blog_post.php line 111: require_once(/home/++++++++++/public_html/forum/global.php)

POST Variables
==============
Array
(
    [title] => Just testing
    [message] => Just testing<br>
    [wysiwyg] => 1
    [s] => 
    [do] => updateblog
    [b] => 
    [posthash] => 019bc6a36c2d9a5ea4c8fd568e55ccc1
    [poststarttime] => 1211619819
    [loggedinuser] => 1
    [sbutton] => Post Now
    [allowcomments] => 1
    [status] => publish_now
    [publish] => Array
        (
            [month] => 5
            [day] => 24
            [year] => 2008
            [hour] => 08
            [minute] => 25
        )

    [parseurl] => 1
    [emailupdate] => email
    [blogid] => 
    [securitytoken] => 
)

Request URI
===========
/forum/blog_post.php?do=updateblog
A similar issue has been reported at vB.com (here).

The files (functions.php, init.php, sendmessage.php, global.php, blog_post.php) listed above are brand new (i.e. directly obtained from the finalupgrade).

All templates & styles up-to-date. All those security tokens are already present in files containing forms. All Mods & Plug-ins disabled.

What's going on with this vB 3.7 Gold? Has anyone figured out a good medicine for this "CSRF Protection"?

In the meantime, I have just taken vB 3.7 Gold out of my forum and put back in place my vB 3.7 CR3 - working fine.
  #54  
05-25-2008, 11:13 AM
J98680Bxxxxx
 
Join Date: Jan 2008
Location: Bridge - Enterprise
Posts: 325

Quote:
Originally Posted by Mike-D View Post
Security Tokens are small Hardware Devices that owners carry to authorize access to a Network Service. That means: Security Tokens provide an extra level of assurance through a method known as TFA (Two-Factor Authentication). In this case the user has a PIN (Personal Identification Number) which authorizes them as the owner of that particular device. So the device then shows a number which uniquely identifies the user to the service and allows them to log in. The identification number for each user is changed frequently, usually every 3 minutes. See also Wikipedia
I am definitely one of those who is not using a Security Token. Thus, from all 56 ".php" files in the "vB 3.7/upload" directory, I have changed all those
define('CSRF_PROTECTION', true);
to ->
define('CSRF_PROTECTION', false);

All my mods and plug-ins are working fine again and the board is running smoothly.

It will be good if the vBulletin Development team could give an option in the Admin CP (->vBulletin Options) to switch on/off this "CSRF_PROTECTION" depending on whether a customer uses a Security Token or not. This, as few people are actually using a "security token".
  #55  
05-25-2008, 11:35 AM
Andreas
 
Join Date: Jan 2004
Location: Germany
Posts: 6,863

DO NOT REMOVE THIS CONSTANT FROM vBulletin SCRIPTS
Never!

The Wikipedia article Mike-D posted is about something else.

If you are using the default style, unmodified files and no plugins you should not have any problems.
If you do have problems, please make sure that all your plugins and templates are up to date.

As you can clearly see from the E-Mail, the token is missing!
Please check again if all your templates are up-to-date.
If they are please repeat this step until you have found the one that is not up-to-date.
  #56  
05-25-2008, 11:42 AM
J98680Bxxxxx
 
Join Date: Jan 2008
Location: Bridge - Enterprise
Posts: 325

Quote:
Originally Posted by Andreas View Post
DO NOT REMOVE THIS CONSTANT FROM vBulletin SCRIPTS
Never!

The Wikipedia article Mike-D posted is about something else.

If you are using the default style, unmodified files and no plugins you should not have any problems.
If you do have problems, please make sure that all your plugins and templates are up to date.

As you can clearly see from the E-Mail, the token is missing!
Please check again if all your templates are up-to-date.
If they are please repeat this step until you have found the one that is not up-to-date.

The constant is there, but set to false, until vBulletin Team comes out with a non retarded solution.
  #57  
05-25-2008, 11:47 AM
Andreas
 
Join Date: Jan 2004
Location: Germany
Posts: 6,863

Being false is even worse than not being there at all - as that will also disable the POST referrer whitelist check.

So with this setup your board is less secure than 3.6.9/3.7.0 RC 3.

Fixing your issues is quite simple: Upload all original non-image files, revert all templates and disable the plugin system.
If there are still issues afterwards, open a support ticket @ vbulletin.com

If you do not want to go this route, you will have to fix the installed modifications/templates yourself - refer to the article about CSRF protection.
Detailed instructions have been posted there.
  #58  
05-25-2008, 11:56 AM
Paul M
 
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748

Quote:
Originally Posted by J98680B2423E View Post
I am definitely one of those who is not using a Security Token. Thus, from all 56 ".php" files in the "vB 3.7/upload" directory, I have changed all those
define('CSRF_PROTECTION', true);
to ->
define('CSRF_PROTECTION', false);
That's a bit like deciding to remove all the locks from the doors to your house in the hope that no one will try and break in. Not a very good idea.
  #59  
05-25-2008, 09:32 PM
stinger2
 
Join Date: Jul 2005
Posts: 274

Quote:
#0 /home/xxxxxxxxxx/www/forums/includes/functions.php line 2529: eval()
#1 /home/xxxxxxxxxxx/www/forums/includes/init.php line 418: fetch_error(security_token_missing,ltr,sendmessage.php)
#2 /home/xxxxxxxxxx/www/forums/global.php line 21: require_once(/home/xxxxxxxxxxxxx/www/forums/includes/init.php)
#3 /home/xxxxxxxxxx/www/forums/reputation.php line 46: require_once(/home/xxxxxxxxxxxx/www/forums/global.php)
#4 /home/xxxxxxxxx/php-cgi/phphandler line 37: include(/home/xxxxxxxxxx/www/forums/reputation.php)

POST Variables
==============
Array
(
[ajax] => 1
[securitytoken] =>
)

Request URI
===========
/forums/reputation.php?p=296211

Quote:
Missing or Invalid Security Token detected.

Script Call Backtrace
=====================
#0 /home/xxxxxxxx/www/forums/includes/functions.php line 2529: eval()
#1 /home/xxxxxxxxxx/www/forums/includes/init.php line 418: fetch_error(security_token_missing,ltr,sendmessage.php)
#2 /home/xxxxxxxxx/www/forums/global.php line 21: require_once(/home/xxxxxxxxxxxx/www/forums/includes/init.php)
#3 /home/xxxxxxxxxx/www/forums/search.php line 53: require_once(/home/xxxxxxxxxx/www/forums/global.php)
#4 /home/xxxxxxxxxxxx/php-cgi/phphandler line 37: include(/home/xxxxxxxxxx/www/forums/search.php)

POST Variables
==============
Array
(
[s] =>
[do] => process
[sortby] => lastpost
[forumchoice] => 0
[query] => shottas
[securitytoken] =>
)

Request URI
===========
/forums/search.php


I keep getting different missing security token messages... and I don't know how to deal with them... Is this normal, should we do something about it?

I get a message or two from members saying they got the message... Can anyone explain why these different messages? Every one is from a different php.
  #60  
05-25-2008, 09:38 PM
Boofo
 
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776

Andreas, is there a way to set this hack up to be a little more specific on where the error is coming from maybe? That might help narrowing it down a bit in some places. I have gotten only a couple but they are in weird places as far as I can tell. One was even from the editpost.php and I don't have any hacks touching that.
  #61  
05-27-2008, 03:39 PM
stinger2
 
Join Date: Jul 2005
Posts: 274

Quote:
Originally Posted by Boofo View Post
Andreas, is there a way to set this hack up to be a little more specific on where the error is coming from maybe? That might help narrowing it down a bit in some places. I have gotten only a couple but they are in weird places as far as I can tell. One was even from the editpost.php and I don't have any hacks touching that.

I second that... in other words... exactly what I wanted.