  #91  
Old 23 May 2008, 21:35
WFZ WFZ is offline
 
Join Date: Oct 2007
Real name: Chris
does someone wanna' fix this on my forum for meh. :$
  #92  
Old 25 May 2008, 07:39
blindmedia ltd blindmedia ltd is offline
 
Join Date: May 2008
Real name: shaun
Originally Posted by WFZ View Post
does someone wanna' fix this on my forum for meh. :$
anyone wanna do that on mine too?
  #93  
Old 25 May 2008, 12:39
J98680Bxxxxx J98680Bxxxxx is offline
 
Join Date: Jan 2008
As few people are actually using a security token on forums (boards), it will be good if the vBulletin Development team could give an option in the Admin CP (->vBulletin Options) to switch on/off this "CSRF_PROTECTION" depending on whether a customer uses a Security Token or not.

I am definitely one of those who is not using a Security Token on my board (and will not be using it). Thus, from all 56 ".php" files in the "vB 3.7/upload" directory, I have changed all those
define('CSRF_PROTECTION', true);
to ->
define('CSRF_PROTECTION', false);

All my mods and plug-ins are working fine again and the board is running smoothly. No need to start chasing out authors, of those many mods I have installed, for updates.

Last edited by Paul M; 25 May 2008 at 12:58.
  #94  
Old 25 May 2008, 12:41
Andreas Andreas is offline
 
Join Date: Jan 2004
Real name: Andreas
Please stop posting this Wikipedia article.
That is something totally different and actually only confuses people!
  #95  
Old 25 May 2008, 13:01
Paul M Paul M is offline
 
Join Date: Sep 2004
Real name: Paul M
Link removed.

I would suggest that people completely ignore what you posted as it is removing security from vb and thus re-opening the possibility of attack. What you do to make your own forum vulnerable is up to you, but we do not advise others to follow such a bad route.
__________________
Former vBulletin.org Staff Member


Cable Forum
Please do not PM me about custom work - I no longer undertake any.
Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.
  #96  
Old 28 May 2008, 13:53
mehrdad220 mehrdad220 is offline
 
Join Date: Feb 2008
I am having this problem with Currentpoll module in VBadvanced, not sure which file I have to edit to get this fixed. Any ideas?
  #97  
Old 28 May 2008, 14:24
dodge-downunder dodge-downunder is offline
 
Join Date: Nov 2007
Well, I'm by no means a coder and I am stuck with this BS

I've searched the templates, fixed it but it still happens.

I'm so over this... I really appreciate any assistance... I've read everything, done everything but can't sort it.

We need a layman's terms walk-through please!
  #98  
Old 28 May 2008, 20:09
pooffck1 pooffck1 is offline
 
Join Date: Apr 2008
Hi, I am a complete NEWB at this and the only thing that is not working for me is the custom skin I made, does not support the SEARCH ENGINE on my header. It keeps giving me this message

Your submission could not be processed because a security token was missing or mismatched.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.
I have absolutely no idea what is going on with that and I don't understand what this post (first post) is about because it doesn't have the right instructions on What template/php file I need to change, WHAT I NEED TO REPLACE WITH, WHERE IS IT?.

Someone please help me out on this

Thanks
  #99  
Old 29 May 2008, 05:16
cache cache is offline
 
Join Date: Aug 2007
I have followed the instruction added the code after the <form and fixed the problem when I do a search. So it is not as bad as before.

However when the admin tries to delete thread, this security token occurs. I don't think there is another <form in the template style, where can I find the problem?
  #100  
Old 29 May 2008, 16:16
J98680Bxxxxx J98680Bxxxxx is offline
 
Join Date: Jan 2008
Originally Posted by pooffck1 View Post
Hi, I am a complete NEWB at this and the only thing that is not working for me is the custom skin I made, does not support the SEARCH ENGINE on my header. It keeps giving me this message

I have absolutely no idea what is going on with that and I don't understand what this post (first post) is about because it doesn't have the right instructions on What template/php file I need to change, WHAT I NEED TO REPLACE WITH, WHERE IS IT?.

Someone please help me out on this

Thanks
Hi Pooffck1,

I am afraid that you will not get a satisfactory answer here, as it seems that no one really knows what is happening with these random messages stating: "Your submission could not be processed because a security token ..."

This CSRF stuff seems to have been done in a big rush. Open a ticket at vB.com and ask their team to proceed with installation and debugging of your site.


--------------- Added 29 May 2008 at 18:48 ---------------

Originally Posted by Paul M View Post
Link removed.

I would suggest that people completely ignore what you posted as it is removing security from vb and thus re-opening the possibility of attack. What you do to make your own forum vulnerable is up to you, but we do not advise others to follow such a bad route.

If it was such a bad route, it would not have been implemented in a boolean form (Choice: True, False), but directly by whatever means in the code. Also it would not have been indicated in the opening post (you "should" not you "MUST"):

Originally Posted by Marco van Herwaarden View Post
...

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user, if it's wrong an error message will be shown and execution will halt.

If this value is set to false then all CSRF protection is removed for the file, this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Last edited by J98680Bxxxxx; 29 May 2008 at 18:48. Reason: Auto-Merged DoublePost
  #101  
Old 29 May 2008, 19:35
Paul M Paul M is offline
 
Join Date: Sep 2004
Real name: Paul M
Originally Posted by J98680B2423E View Post
If it was such a bad route, it would not have been implemented in a boolean form (Choice: True, False), but directly by whatever means in the code. Also it would not have been indicated in the opening post (you "should" not you "MUST"):
Lots of things are done via options in vb, that still doesn't mean it's a good idea to turn them off. As for should/must - vb will still work without CSRF protection, but it will be insecure, therefore "should" is the correct term. Setting them to false, as you posted, is even worse than not setting the option at all, since that disables the old style protection as well.
__________________
Former vBulletin.org Staff Member


Cable Forum
Please do not PM me about custom work - I no longer undertake any.
Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.
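
The three states of `CSRF_PROTECTION` described in the quoted opening post and in the reply above, as an added audit sketch (not part of the thread and not vBulletin code): it classifies each PHP file as token-checked, referrer-checked or unprotected. The file names and contents are constructed samples.

```python
import re

# The define() call quoted in the thread, with either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*['"]CSRF_PROTECTION['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)

# Behaviour per state, as described in the quoted opening post.
MODES = {
    "true": "token",     # POSTs must carry a matching securitytoken
    "false": "none",     # all CSRF protection removed for the file
    None: "referrer",    # constant absent: old-style referrer checking
}

def csrf_mode(php_source):
    """Classify one PHP file by its CSRF_PROTECTION define."""
    # Drop comments first so a commented-out define is not counted.
    src = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)
    src = re.sub(r"(//|#).*", "", src)
    m = DEFINE_RE.search(src)
    return MODES[m.group(1).lower() if m else None]

def audit(files):
    """Return {name: mode} for every file weaker than token checking."""
    weak = {}
    for name, src in files.items():
        mode = csrf_mode(src)
        if mode != "token":
            weak[name] = mode
    return weak

# Constructed sample files (hypothetical names and contents).
FILES = {
    "mod_a.php": "<?php\ndefine('CSRF_PROTECTION', true);\n",
    "mod_b.php": "<?php\ndefine('CSRF_PROTECTION', false);\n",
    "mod_c.php": "<?php\n// define('CSRF_PROTECTION', true);\necho 'x';\n",
}

if __name__ == "__main__":
    for name, mode in audit(FILES).items():
        print(f"{name}: {mode}")
```

Files reported as `none` are the ones to review first, since that state also switches off the referrer check.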
  #102  
Old 30 May 2008, 16:00
mtlcore mtlcore is offline
 
Join Date: Jul 2005
What do I have to edit, my users are getting these errors on the following page:

profile.php?do=dst
  #103  
Old 30 May 2008, 18:28
pooffck1 pooffck1 is offline
 
Join Date: Apr 2008
I had made my own custom style and the only problem on my board was that when I put a search engine on my header template, it gave my members a message saying something about security token


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

and this is how it looked
but when I looked at other templates I saw that they had the security token line in the search.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

the bolded line is the extra line I put and it started to work

I hope this helps
  #104  
Old 01 Jun 2008, 03:55
xTerMn8R xTerMn8R is offline
 
Join Date: Mar 2004

I had similar problems with the Search functions using CMPS on the front end, yes the infamous Security Issue... but was easily fixed by adding the <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> to the adv_portal_search template right AFTER the <td class="$bgclass"> tag.

Although I understand these are NOT issues directly related to vbulletin core software, I really think that the vb staff should take into consideration that the reason most of us use this software is because of the wide variety of add-ons available for it. That being said... perhaps a little more COMPATIBILITY with add-ons should be more carefully considered and tools to implement these fixes provided. Like when ya do the upgrade a script that will prompt you if you want it to check and upgrade all adv_portal*.* Templates that require it at.

I am an avid vb lover and Promote it to everyone I know, I've had my share of issues, but have ALWAYS found the vb staff to be very quick to respond to ANY and ALL issues I've had, so I hope we can stop the Hostile bashing and try to find a happy ground with CONSTRUCTIVE suggestions, Ya get more bees with Honey folks....

Thank you staff, I appreciate the extra security having just gone through a Hijacked and very screwed up site not long ago. Hopefully these improvements will prevent that from happening in the future.

Be Patient,
Tom

PS: shouldn't it be Vbulletin article REPOSITORY? LOL
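
An added example, not from any poster or from vBulletin: a checker for the template fix discussed in this thread, listing POST forms that lack the `securitytoken` hidden input. The template text and the `example_search.php` action are constructed; forms without a `method` attribute are treated as GET and skipped.

```python
from html.parser import HTMLParser

class FormAudit(HTMLParser):
    """Collect POST forms that contain no <input name="securitytoken">."""

    def __init__(self):
        super().__init__()
        self.missing = []   # (line, action) of POST forms without the token
        self.current = None  # [line, action, has_token] for the open form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults to GET when no method attribute is given.
            if (a.get("method") or "get").lower() == "post":
                self.current = [self.getpos()[0], a.get("action") or "", False]
        elif tag == "input" and self.current and a.get("name") == "securitytoken":
            self.current[2] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current:
            line, action, has_token = self.current
            if not has_token:
                self.missing.append((line, action))
            self.current = None

def audit_template(text):
    """Return [(line, action)] for each POST form lacking the token field."""
    parser = FormAudit()
    parser.feed(text)
    parser.close()
    cur = parser.current
    if cur and not cur[2]:  # form never closed inside this template
        parser.missing.append((cur[0], cur[1]))
    return parser.missing

# Constructed template: unprotected POST, protected POST, and a GET form.
SAMPLE = '''<form action="example_search.php" method="post">
<input type="text" name="query" />
</form>
<form action="example_search.php" method="post">
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="text" name="query" />
</form>
<form action="example_list.php" method="get">
<input type="text" name="f" />
</form>'''

if __name__ == "__main__":
    for line, action in audit_template(SAMPLE):
        print(f"line {line}: POST form to {action!r} has no securitytoken")
```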
  #105  
Old 03 Jun 2008, 07:03
Goomzee Goomzee is offline
 
Join Date: Apr 2008
Real name: Tariq Rathore
I don't understand which templates I have to edit and put above coding
__________________
Mortal Kombat Nexus Mortal Kombat X MKWallpapers MK Komics
Mortal Kombat Winamp skins, Animations, Movies, Dragon Renders on your 1 click
Pakistan 1st and Largest Mortal Kombat Gaming website