  #31  
Old 26 Apr 2008, 18:36
powerful_rogue powerful_rogue is offline
 
Join Date: Jan 2007
Real name: Dave
Originally Posted by Boofo View Post
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.
That's the problem I was having with vbpager. I looked for every <form.... and every method=post and put the security token code underneath.

That's why I think it's now an AJAX issue. I've tried to figure it out but to no avail. The odd thing is, it works fine in 3.6.10, but not in 3.7 RC4.

--------------- Added 26 Apr 2008 at 20:35 ---------------

Problem solved! I had a search around and tried the fix that was being used for a shoutbox.

I changed all 3 instances of "securitytoken=" to "&securitytoken=" in vbulletin_global.js and it did the trick!

Last edited by powerful_rogue; 26 Apr 2008 at 20:35. Reason: Auto-Merged DoublePost
  #32  
Old 26 Apr 2008, 22:57
rinkrat rinkrat is offline
 
Join Date: Jan 2002
I can't save my vbulletin settings without this error.

What do I change to fix this? In a template?


I also can not import any hacks without an error.

Where do I fix this? In a template?

--------------- Added 26 Apr 2008 at 23:04 ---------------

Originally Posted by Wayne Luke View Post
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

I am getting the error when I try to edit a template and save it so this will not work.
__________________
Los Angeles Kings Fan Page

Last edited by rinkrat; 26 Apr 2008 at 23:05. Reason: Auto-Merged DoublePost
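The search-and-add steps quoted in the post above, written out as an added example that is not part of the thread or of vBulletin's own code. It inserts the token line after the session-hash line only when the enclosing form does not already have it; the sample template and the name mymod.php are constructed for illustration.

```javascript
// Added example (not from the thread): apply the search-and-add step to template text.
// The sample template and "mymod.php" are constructed for illustration.
const SESSION_MARKER = 'value="$session[sessionhash]"';
const TOKEN_LINE =
  '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />';

// Returns the patched template text and how many token lines were added.
function patchTemplate(source) {
  const lines = source.split('\n');
  const out = [];
  let added = 0;
  lines.forEach((line, i) => {
    out.push(line);
    if (!line.includes(SESSION_MARKER)) return;
    // Find the enclosing form so an existing token anywhere in it counts.
    let start = i;
    let end = i;
    while (start > 0 && !/<form\b/i.test(lines[start])) start--;
    while (end < lines.length - 1 && !/<\/form>/i.test(lines[end])) end++;
    const hasToken = lines
      .slice(start, end + 1)
      .some((l) => l.includes('name="securitytoken"'));
    if (hasToken) return; // "if it doesn't exist already"
    const indent = line.match(/^\s*/)[0];
    out.push(indent + TOKEN_LINE); // directly after the session-hash line
    added++;
  });
  return { text: out.join('\n'), added };
}

// Constructed template: the first form lacks the token, the second has it.
const SAMPLE_TEMPLATE = [
  '<form action="mymod.php?do=save" method="post">',
  '  <input type="hidden" name="s" value="$session[sessionhash]" />',
  '  <input type="text" name="title" />',
  '</form>',
  '<form action="mymod.php?do=delete" method="post">',
  '  <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />',
  '  <input type="hidden" name="s" value="$session[sessionhash]" />',
  '</form>',
].join('\n');

const patched = patchTemplate(SAMPLE_TEMPLATE);
console.log(patched.added + ' token line(s) added');
console.log(patched.text);
```

Running it a second time on its own output adds nothing, so it is safe to repeat over templates that were already edited by hand.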
  #33  
Old 26 Apr 2008, 23:42
Lynne Lynne is offline
 
Join Date: Sep 2004
Real name: Lynne
Originally Posted by rinkrat View Post
I am getting the error when I try to edit a template and save it so this will not work.
Note that what you quoted says to "add this line directly after the line containing the above", not directly after that code.
__________________
Former vBulletin.org Staff Member

Try a search before posting for help. Many users won't, and don't, help if the question has been answered several times before.
W3Schools -
Online vBulletin Manual
If I post some CSS and don't say where it goes, put it in the additional.css template.
I will NOT help via PM (you will be directed to post in the forums for help.)
  #34  
Old 26 Apr 2008, 23:53
rinkrat rinkrat is offline
 
Join Date: Jan 2002
I cannot do anything, including editing templates, turning the board on or loading templates without the security error.
  #35  
Old 26 Apr 2008, 23:55
Lynne Lynne is offline
 
Join Date: Sep 2004
Real name: Lynne
You may want to run the upgrade script again so it makes the necessary changes or run the query listed back on the first page.
  #36  
Old 27 Apr 2008, 00:08
cmedic101 cmedic101 is offline
 
Join Date: Feb 2008
Real name: Glenn
Thank you

I added this line to all my custom templates and followed the instructions as listed.

No errors
No problems with any mods
casino is still working

thank you

cmedic
  #37  
Old 27 Apr 2008, 00:26
King Kovifor King Kovifor is offline
 
Join Date: Nov 2004
Real name: Jeremy
Originally Posted by rinkrat View Post
I cannot do anything, including editing templates, turning the board on or loading templates without the security error.
You should be able to work in the ACP as it is not affected. Maybe posting at vB.com or disabling your plugins by using this code in your config.php may solve your problem:

define('DISABLE_HOOKS', true);
__________________
Former vBulletin.org Staff Member

Do not request support through any other means except the forums.

Useful Post With Links on Learning How To Develop vBulletin Plugins

Latest Modification: Stop Forum Spam Integration
  #38  
Old 27 Apr 2008, 07:20
Terrie Terrie is offline
 
Join Date: Jan 2008
Originally Posted by Dismounted View Post
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

[Code example not shown]
What file do I need to place this into?
I've already added the 3 &'s before "securitytoken" in my clientscript/vbulletin_global.js
I have also updated ALL my templates per the security token instructions given and still
I'm having problems with every mod that uses java and ajax
I am running 3.7 RC4
  #39  
Old 27 Apr 2008, 08:52
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Real name: Hanson
Originally Posted by shahryar_neo View Post
Sorry for my low information. Can you simplify this instruction for using AJAX requests using POST?
It is the simplest it can be. Add the security token into the request.
Originally Posted by sv1cec View Post
Could someone PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.
You can't unless you edit files directly as the fix is actually a very large one.
Originally Posted by Terrie View Post
What file do I need to place this into?
I've already added the 3 &'s before "securitytoken" in my clientscript/vbulletin_global.js
I have also updated ALL my templates per the security token instructions given and still
I'm having problems with every mod that uses java and ajax
I am running 3.7 RC4
You do not need to mess with any default vBulletin JS file.
__________________
Former vBulletin.org Staff Member

View My Modifications
29 Releases and Counting... Latest Modification: dmActivityStream - vBookie Integration (4.x)

Please do not PM me to ask for support - please use the relevant thread or forum.
  #40  
Old 27 Apr 2008, 09:20
Opserty Opserty is offline
 
Join Date: Apr 2007
Originally Posted by Dismounted View Post
You do not need to mess with any default vBulletin JS file.
There have been a few errors in RC4 that have caused problems for a couple of ajax modifications, hence why some have edited vbulletin_global.js. http://www.vbulletin.com/forum/proje...?issueid=25287
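An added example, not code from the thread or from vbulletin_global.js, covering both the "&securitytoken=" fix reported earlier and the instruction to add SECURITYTOKEN to AJAX POST requests: it shows what a form parser receives when the token is appended without a separator, next to a builder that joins and encodes the fields. The token value and the "do"/"message" field names are constructed for illustration.

```javascript
// Added example (not from the thread). SECURITYTOKEN is the page-level
// variable named in the thread; this value is a constructed placeholder.
const SECURITYTOKEN = 'EXAMPLE-TOKEN-123';

// Without a separator the token is glued onto the previous field's value.
function buildBodyNoSeparator(body) {
  return body + 'securitytoken=' + SECURITYTOKEN;
}

// Encode every field, drop any caller-supplied token, and append the
// page's token as its own "&"-separated parameter.
function buildBody(fields) {
  const parts = Object.entries(fields)
    .filter(([name]) => name !== 'securitytoken')
    .map(([name, value]) =>
      encodeURIComponent(name) + '=' + encodeURIComponent(value));
  parts.push('securitytoken=' + encodeURIComponent(SECURITYTOKEN));
  return parts.join('&');
}

// What a server-side form parser would see in the POST body.
function parseBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

const glued = parseBody(buildBodyNoSeparator('do=shout&message=hi'));
console.log(glued); // no securitytoken key; it ended up inside "message"

const separated = parseBody(buildBody({ do: 'shout', message: 'a&b=c' }));
console.log(separated); // securitytoken present, message intact
```

A request built the first way reaches the server with no securitytoken field at all, which is why the token check fails even though the value was sent.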
  #41  
Old 27 Apr 2008, 13:22
Wayne Luke Wayne Luke is offline
 
Join Date: Jan 2002
Real name: Wayne
Originally Posted by rinkrat View Post
I cannot do anything, including editing templates, turning the board on or loading templates without the security error.
Then you will need to open a thread on vBulletin.com. The security changes should have absolutely no effect on the Admin CP and these changes do not apply to the Admin CP in any way.
__________________
Wayne Luke
Get started with your own social network. Purchase and download vBulletin today.
  #42  
Old 27 Apr 2008, 15:05
bertwrld bertwrld is offline
 
Join Date: Nov 2006
Real name: Bert Cannavelli
Originally Posted by cmedic101 View Post
I added this line to all my custom templates and followed the instructions as listed.

No errors
No problems with any mods
casino is still working

thank you

cmedic
What templates did you edit in the casino?
  #43  
Old 28 Apr 2008, 01:01
slmoney slmoney is offline
 
Join Date: Jul 2007
I hope I am not the only one scratching their head thinking..what?

I admit..I am not a coder..nor programmer. I've read the instructions over and over..and I still have no clue what goes where.

So far on my board the only item giving me a problem is the AJAX Latest Post Mod.

I'm probably asking too much if someone explains this so a 5th grader could understand it.

Thanks.
  #44  
Old 28 Apr 2008, 01:26
King Kovifor King Kovifor is offline
 
Join Date: Nov 2004
Real name: Jeremy
Originally Posted by slmoney View Post
I hope I am not the only one scratching their head thinking..what?

I admit..I am not a coder..nor programmer. I've read the instructions over and over..and I still have no clue what goes where.

So far on my board the only item giving me a problem is the AJAX Latest Post Mod.

I'm probably asking too much if someone explains this so a 5th grader could understand it.

Thanks.
It would be within the javascript. What needs added would be found in the second post. That is about as far as I can explain it as I haven't taught myself AJAX yet.
  #45  
Old 28 Apr 2008, 16:37
yaoren yaoren is offline
 
Join Date: May 2007
Ok, I'm at a loss since I've manually gone in and done the search in templates and added the line of code to each template that was missing the security token and, well, I'm still having the message pop up. I honestly don't know what mod is causing the issues since it pops up only in certain areas. Any other ideas?