vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=177013

Implementing CSRF Protection in modifications
by Marco van Herwaarden
24 Apr 2008 07:32

With the new version released today for vBulletin 3.6.10 and 3.7.0 RC4, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Scott MacVicar took the time to compile a short explanation on this new protection for the coders on vBulletin.org:

Changes for CSRF protection with third party modifications

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP, there are no ways to ensure the exact origin of a request, its also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products, with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user, if its wrong an error message will be shown and execution with halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions

It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection, if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime is it available within the registry object, using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


Dismounted 24 Apr 2008 08:20

Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


RedFoxy 24 Apr 2008 16:23

If you wanna search all template that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use that query in your MySQL database:

Quote:

SELECT templateid , title , styleid FROM template WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%' AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%' ORDER BY title ASC, styleid ASC;
I used it to fix all mod that i've installed in my vBulletin board

--------------- Added 24 Apr 2008 at 17:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded it

GoTTi 24 Apr 2008 18:22

wow now THIS is a headache. i have security token errors all over my forum....

--------------- Added 24 Apr 2008 at 11:31 ---------------

so WHAT does this mean? that we have to redo ALL of our mods and templates with this CSRF or whatever code???

Wayne Luke 24 Apr 2008 19:09

Quote:

Originally Posted by GoTTi (Post 1498357)
so WHAT does this mean? that we have to redo ALL of our mods and templates with this CSRF or whatever code???

It means you need to add the one line of HTML above to your templates and submission forms that are causing the errors.

GoTTi 24 Apr 2008 20:51

wow now this is retarded....

echo2kk5 25 Apr 2008 00:52

Quote:

Originally Posted by Wayne Luke (Post 1498407)
It means you need to add the one line of HTML above to your templates and submission forms that are causing the errors.

Can someone give an example on how to do that? I am not a coder and get lost with this easily...now for the trained eye it's no doubt a piece of cake. For instance I was using the Cyb PayPal Donate Mod and upgrading to 3.6.10 broke it with that security token update. I posted in that thread yesterday but I don't think the creator has been around.

Aclikyano 25 Apr 2008 01:14

OK...... wanna explain this for the SLOW?
which templates SPECIFICLY do we need to add WHAT SPECIFIC code? to make 3rd party mods (vb.com) to WORK correctly on our sites?

I think a few 100 people are STUCK on what to do even tho it was explained from "coders", leaving "non-coders" and only editors of codes or mods such as myself BAFFLED as to what Exactly and how Exactly to do the such above instructions...

King Kovifor 25 Apr 2008 01:34

Quote:

Originally Posted by Aclikyano (Post 1498676)
OK...... wanna explain this for the SLOW?
which templates SPECIFICLY do we need to add WHAT SPECIFIC code? to make 3rd party mods (vb.com) to WORK correctly on our sites?

I think a few 100 people are STUCK on what to do even tho it was explained from "coders", leaving "non-coders" and only editors of codes or mods such as myself BAFFLED as to what Exactly and how Exactly to do the such above instructions...

You must add this to any form on your site. I haven't tried the query above, but it should work and you can add them.

valdet 25 Apr 2008 01:34

Quote:

Originally Posted by RedFoxy (Post 1498253)
If you wanna search all template that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use that query in your MySQL database:



I used it to fix all mod that i've installed in my vBulletin board

--------------- Added Thursday, 24 April 2008, 19 at 19:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded it

Does this MySQL query mean that it will insert the
Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

after each instances of the following code

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

This will affect only templates that need the security token embedded right?

DustyJoe 25 Apr 2008 01:39

=/ I dont get it, I have errors now too.. with RC 4

echo2kk5 25 Apr 2008 01:43

Quote:

Originally Posted by King Kovifor (Post 1498686)
You must add this to any form on your site. I haven't tried the query above, but it should work and you can add them.

What are the "forms"? and where do we edit them?

Aclikyano 25 Apr 2008 01:55

everyone has errors ^^ by FORMS i think he means TEMPLATES. (style settings, etc)

Wayne Luke 25 Apr 2008 02:24

Quote:

Originally Posted by Aclikyano (Post 1498699)
everyone has errors ^^ by FORMS i think he means TEMPLATES. (style settings, etc)

Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

echo2kk5 25 Apr 2008 02:36

Thank you Wayne. :up:


All times are GMT. The time now is 02:24.

Powered by vBulletin® Version 3.8.12
Copyright © 2019, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.