#61
05 May 2008, 22:17
PaulSonny
Join Date: Dec 2006
Real name: Paul Cook
CSRF Issue.

Can anyone help me with this problem,

Details of the reported exploit are as follows;

Multiple CSRF Vulnerabilities
=============================

Example
------------------
if ($_REQUEST['do'] == 'deletereply'){
------------------

Because the "delete" command can be executed via a GET request (i.e. a URL in a signature), if a user with permission clicks a specifically crafted link, it can delete something. CSRF.

This is in my HelpCenter modification. I thought I had covered all CSRF issues, but it seems I may have missed something, and I don't know how to correct it, as I've covered everything from this thread.

Thanks, Paul.
__________________
Kind Regards, Paul.
#62
06 May 2008, 11:34
Milad
Join Date: May 2005
Real name: Milad
Originally Posted by PaulSonny:
Can anyone help me with this problem,

Details of the reported exploit are as follows;

Multiple CSRF Vulnerabilities
=============================

Example
------------------
if ($_REQUEST['do'] == 'deletereply'){
------------------

Because the "delete" command can be executed via a GET request (i.e. a URL in a signature), if a user with permission clicks a specifically crafted link, it can delete something. CSRF.

This is in my HelpCenter modification. I thought I had covered all CSRF issues, but it seems I may have missed something, and I don't know how to correct it, as I've covered everything from this thread.

Thanks, Paul.
Make it a POST request and use the security token!
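The fix Milad describes, worked through in PHP as an added example (not the HelpCenter modification's code and not vBulletin's own securitytoken implementation): the GET-reachable `$_REQUEST` handler from the report beside a version that only acts on a POST request carrying a valid token. The token scheme is a generic session-bound random token, an assumption standing in for vBulletin's `$bbuserinfo[securitytoken]`; the function names, `helpcenter.php` and the `replyid` parameter are also assumptions. The same `$_POST['securitytoken']` check covers an AJAX POST that carries the token in its body, which is how the YUI snippet quoted later in this thread sends it.

```php
<?php
// Added example (not vBulletin's or the HelpCenter modification's code).
// Token handling is a generic session-bound token, assumed here in place of
// vBulletin's own securitytoken.

session_start();

// One token per session, generated once and reused in every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check cannot be timed.
function csrf_token_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// BEFORE (as reported): $_REQUEST merges GET, POST and cookie data, so the
// action is reachable through a plain link, which is exactly what the report
// describes. Any logged-in user who follows such a link performs the delete.
function delete_reply_vulnerable(): void
{
    if ($_REQUEST['do'] == 'deletereply') {
        delete_reply((int) $_REQUEST['replyid']);
    }
}

// AFTER: accept the action only over POST and only with a matching token.
function delete_reply_hardened(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('This action must be submitted through the form.');
    }
    if (($_POST['do'] ?? '') !== 'deletereply') {
        return;
    }
    if (!csrf_token_valid($_POST['securitytoken'] ?? null)) {
        http_response_code(403);
        exit('Your submission could not be processed because a security token was missing or mismatched.');
    }
    delete_reply((int) ($_POST['replyid'] ?? 0));
}

// The form that drives the hardened handler carries the token as a hidden field,
// the same pattern as the securitytoken input added to vBulletin templates.
function delete_reply_form(int $replyid): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form action="helpcenter.php" method="post">'
        . '<input type="hidden" name="do" value="deletereply" />'
        . '<input type="hidden" name="replyid" value="' . $replyid . '" />'
        . '<input type="hidden" name="securitytoken" value="' . $token . '" />'
        . '<input type="submit" value="Delete reply" />'
        . '</form>';
}

// Stand-in for the modification's own delete query (assumed; not on the page).
function delete_reply(int $replyid): void
{
}
```

Both halves matter: moving the action to POST alone does not stop a cross-site form submission, and a token alone does not help if the handler still reads `$_REQUEST`, because the token can then be omitted from a GET that the code never checks. The hardened handler refuses non-POST requests first, then requires the token before touching data.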
#63
06 May 2008, 17:32
dancue
Join Date: Feb 2008
I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?

I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.
#64
07 May 2008, 20:30
ikki29
Join Date: Aug 2007
Originally Posted by dancue:
I'm trying to add the security token to a mod that is giving me an error message. The mod is very important and I'm not getting any answers from the author.

The mod uses AJAX, which is what is not working. When someone uses quickreply and posts their reply it's supposed to automatically reveal the hidden content. Instead it gives the security token issue.

Here are the templates. Must there be a change to the xml file also?
I understand it's the author's duty to solve the issue, but the author seems to have abandoned the mod.

I am not asking for the solution, but guidance.

I agree completely with my companion. I use this modification and I also have these problems; it is a product very much used in the forum and I cannot allow myself the luxury of removing it. Please, could you help us with this topic? Thanks. PS: as always, I apologise for my English, as I use a translator from Spanish to English, sie
#65
07 May 2008, 20:45
scan-pa
Join Date: May 2006
Real name: Peter Kirk
Yes, a BIG thank you to everyone who got this needed info to us. This fixed all my mods that went down after the move to vB 3.7.0 Gold...

Now the mods I have been running for over 2.5 years are all back online...
#66
08 May 2008, 18:45
dancue
Join Date: Feb 2008
Originally Posted by Dismounted:
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

Could someone please explain this further?

What did this look like before the edit? What are you editing? Is it a template, a plug-in?

Last edited by dancue; 09 May 2008 at 13:41.
#67
09 May 2008, 01:37
juan71287
Join Date: Dec 2003
Real name: Mario
Hi guys, I don't really understand this. What I want to do is make it so this does not show anymore.

Please help me take that off. Thanks.
#68
09 May 2008, 11:00
Flep
Join Date: Jul 2007
Wow! This is a precious thread!

Thank you.
__________________
Flash tutorials
#69
09 May 2008, 15:30
dssart
Join Date: May 2002
Greetings all,

Well, you guys are my last hope. I had a mod written for me last year; my forum members love it, and at the moment it's running, but when I upgrade I don't expect it to survive, so I'm trying to get a handle on this so that I can do it myself. The coder has long since disappeared, so help is appreciated.

The beginning of this thread says that:

"To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT."

I have this line at the beginning of my mods .php file:

define('THIS_SCRIPT', 'dataawards_awards');

Do I add this:

define('CSRF_PROTECTION', true);

Directly below that line? Will that solve the entire security token issue, or do I need to hunt for forms/posts? Talking about forms/posts... is this one?:

$awarddisplay.= '<form action="' . htmlentities($_SERVER['PHP_SELF']) . '?addawards=' . $_REQUEST['addawards'] . '&amp;type=' . $type . '" method="POST">';

If I understand this correctly I need to find all form/posts (since you are posting and not requesting, thus the need for the security token):

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />


Thanks, I hope I can work through this on my own, but if anyone wants to make some money, I'd rather pay to have it done. PM if interested.
#70
10 May 2008, 21:22
Behzad Varedi
Join Date: Nov 2007
Real name: Behzad
Originally Posted by Wayne Luke:
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.
Thanks a lot,

I did what you said and my problem is solved now...
Thanks again.
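Wayne Luke's template procedure, turned into a check and fix over template source as an added example in PHP (not vBulletin's Admin CP search and not part of the quoted post): for every line containing `value="$session[sessionhash]"` it adds the securitytoken hidden input directly after that line unless the next line already carries it, and reports how many forms were still unprotected. The sample template text is constructed for the example; the function and constant names are assumptions.

```php
<?php
// Added example (not vBulletin's own tooling). Applies the rule from the quoted
// post to template source held in a string. The sample template is constructed.

// The marker the post says to search for, and the line to add after it.
const SESSIONHASH_MARKER = 'value="$session[sessionhash]"';
const SECURITYTOKEN_INPUT = '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />';

/**
 * Insert the securitytoken hidden input directly after every line that contains
 * the sessionhash input, unless the following line already has it.
 * Returns [updated template, number of inserts made].
 */
function add_security_token(string $template): array
{
    $lines = preg_split('/\r\n|\n|\r/', $template);
    $out = [];
    $inserted = 0;
    $count = count($lines);
    for ($i = 0; $i < $count; $i++) {
        $line = $lines[$i];
        $out[] = $line;
        if (strpos($line, SESSIONHASH_MARKER) === false) {
            continue;
        }
        $next = $lines[$i + 1] ?? '';
        if (strpos($next, 'name="securitytoken"') !== false) {
            continue; // already protected; the post says to check for this
        }
        // Reuse the indentation of the sessionhash line so the template stays readable.
        preg_match('/^\s*/', $line, $m);
        $out[] = $m[0] . SECURITYTOKEN_INPUT;
        $inserted++;
    }
    return [implode("\n", $out), $inserted];
}

// Constructed sample: the first form already carries the token, the second does not.
$sample = <<<'TPL'
<form action="newreply.php" method="post">
    <input type="hidden" name="s" value="$session[sessionhash]" />
    <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
</form>
<form action="editpost.php" method="post">
    <input type="hidden" name="s" value="$session[sessionhash]" />
    <input type="hidden" name="do" value="updatepost" />
</form>
TPL;

[$fixed, $n] = add_security_token($sample);
echo "Inserted $n securitytoken input(s)\n", $fixed, "\n";
```

Running it over the sample reports one insert, for the second form only. The count is the useful part when auditing a style export: a non-zero result means templates that submit data still lack the token and will fail the vB 3.7 check once the script they post to is opted into CSRF protection.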
#71
11 May 2008, 17:18
Ionsurge
Join Date: Jan 2003
I've managed to rectify most of these errors myself, however, if I click the "Go Advanced" button on the quick reply part of viewing a thread, it shows the error? As far as I can tell, I've amended it all...

Any help? Have I missed a file?
#72
11 May 2008, 18:31
ExTincTi0N
Join Date: Mar 2008
Location: Texas
Real name: Taylor Jones
OK, I am having trouble with my skins.
It's the security token thing.
Where do I add it, and where in it?
__________________
www.vbtree.com the newest and hottest vB skin site out.
www.artvenom.com where the venom of art resides.
#73
11 May 2008, 23:45
steve1966
Join Date: Dec 2007
Hi, I have added this <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> after value="$session[sessionhash]" to all my templates, and my members are getting this:

While performing a search in the Games forum, I received the following message:

"Your submission could not be processed because a security token was missing or mismatched."
Please can someone tell me what I should do now, as I am a little confused. Also, do I need to do anything with this code?

YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
    success: this.handle_ajax_response,
    failure: this.handle_ajax_error,
    timeout: vB_Default_Timeout,
    scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

thanks

Last edited by steve1966; 12 May 2008 at 00:18.
#74
12 May 2008, 06:40
setishock
Join Date: Feb 2008
The only time I get one is when I am uploading an FLV movie clip. I got the first one up and that was it. Static picture attachments and albums are OK, as is text posting. I created an FLV attachment and mimed it with content-type: video/flv. This is not using a hack or mod, but an in-house feature.
So what would you suggest to fix it? I do have the passivevid product installed, but all was OK till I created the FLV attachment.
__________________
Working on new projects and expanding our horizons. Come by and see what we're up to now.
#75
12 May 2008, 20:00
unitedbreaks
Join Date: Aug 2006
Originally Posted by Wayne Luke:
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.
Thank you for making it 'clear' on how to fix this issue. Much appreciation.