Implementing CSRF Protection (security tokens) in modifications

Hoxxy

New Member
Changes for CSRF protection with third party modifications

With the new version of vBulletin 3.6.10 and 3.7.0 RC4 +, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

Cross Site Request Forgery (CSRF) involves taking advantage of the stateless nature of HTTP: there is no way to ensure the exact origin of a request, and it's also not possible to detect what was actually initiated by a user and what was forced by a third party script. A token was added to the latest version of each of the vBulletin products; with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

PHP:
define('CSRF_PROTECTION', true);

With this change all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user; if it's wrong an error message will be shown and execution will halt.

If this value is set to false then all CSRF protection is removed for the file; this is appropriate for something that intentionally accepts remote POST requests.

You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

An absence of this defined constant within your files will result in the old style referrer checking being performed.

Template Changes
The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

PHP:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

Exempting Certain Actions
It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.

PHP:
define('CSRF_SKIP_LIST', 'action_one,action_two');

The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection. If the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime, it is available within the registry object; using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.

PHP:
if (THIS_SCRIPT == 'example')
{
        $vbulletin->csrf_skip_list[] = 'action_three';
}

.......................................................................................................
AJAX requests
.......................................................................................................
You need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

PHP:
YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
	success: this.handle_ajax_response,
	failure: this.handle_ajax_error,
	timeout: vB_Default_Timeout,
	scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

........................................................................................................
Searching for templates that need editing
........................................................................................................
If you want to find all the templates that you need to edit to add:
Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
you can use this query in your MySQL database or maintenance SQL query:

Code:
SELECT templateid , title , styleid FROM template WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%' AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%' ORDER BY title ASC, styleid ASC;
........................................................................................................
Security token errors
........................................................................................................
In your Admin CP under Styles & Template select Search In Templates...

Search for:
HTML:
value="$session[sessionhash]"

In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:

PHP:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.
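The rules in the post above (the CSRF_PROTECTION constant, the securitytoken field compared to the user's value, CSRF_SKIP_LIST including the empty-value case, runtime additions to the skip list, the fallback to referrer checking when the constant is absent) and the template search query are modelled below in Python as an added illustration. This is not vBulletin's code: the token derivation, the request/script structures, the host name and the sample templates are assumptions made for the example; the only thing taken from vBulletin is the behaviour the post describes.

```python
"""Model of vBulletin-style CSRF token checking as described above.
Added example, not vBulletin code. Token derivation and all names below
are assumptions made for the illustration."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

SITE_SECRET = "constructed-site-secret"   # stand-in for a per-installation secret
SITE_HOST = "forum.example"               # host the old-style referrer check accepts
DEFAULT_ACTION = ""                       # what ?do= resolves to when it is missing


def security_token(userid: int) -> str:
    """40-character per-user token (sha1 hex). The real derivation is vBulletin's
    own; this one only reproduces the length and the per-user property."""
    return hashlib.sha1(f"{SITE_SECRET}:{userid}".encode()).hexdigest()


@dataclass
class Request:
    method: str
    params: dict                    # merged request fields (do, securitytoken, ...)
    referrer: Optional[str] = None  # Referer header, may be absent


@dataclass
class Script:
    """The constants a third-party file defines at its top."""
    csrf_protection: Optional[bool] = None  # None == not defined -> referrer check
    csrf_skip_list: Optional[str] = None    # None == not defined; '' == exempt default action
    runtime_skips: list = field(default_factory=list)  # like $vbulletin->csrf_skip_list[]


def skipped_actions(script: Script) -> set:
    """Actions exempt from the token check for this script."""
    skips = set(script.runtime_skips)
    if script.csrf_skip_list is None:
        return skips
    if script.csrf_skip_list == "":
        skips.add(DEFAULT_ACTION)
    else:
        skips.update(a.strip() for a in script.csrf_skip_list.split(",") if a.strip())
    return skips


def referrer_ok(req: Request) -> bool:
    """Old-style check: the referrer must name our host. Weaker than the token,
    because the Referer header can be absent or stripped by some clients."""
    return req.referrer is not None and req.referrer.startswith(f"http://{SITE_HOST}/")


def check_request(req: Request, script: Script, userid: int) -> str:
    """Return 'allowed', 'referrer-rejected' or 'token-rejected' (the latter is
    the 'security token was missing' error shown in the thread)."""
    if req.method != "POST":
        return "allowed"
    if script.csrf_protection is None:          # constant absent: legacy behaviour
        return "allowed" if referrer_ok(req) else "referrer-rejected"
    if script.csrf_protection is False:         # explicitly opted out
        return "allowed"
    if req.params.get("do", DEFAULT_ACTION) in skipped_actions(script):
        return "allowed"
    supplied = str(req.params.get("securitytoken", ""))
    # constant-time comparison so a wrong token does not leak bytes via timing
    if hmac.compare_digest(supplied.encode(), security_token(userid).encode()):
        return "allowed"
    return "token-rejected"


# Template audit: the same test as the SQL query in the post, i.e. templates
# that carry the session hash field but no securitytoken field after it.
SESSION_FIELD = '<input type="hidden" name="s" value="$session[sessionhash]" />'
TOKEN_FIELD = '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />'

# Constructed sample templates (not real vBulletin templates).
SAMPLE_TEMPLATES = {
    "newreply": f'<form method="post">{SESSION_FIELD}\n{TOKEN_FIELD}</form>',
    "poll_form": f'<form method="post">{SESSION_FIELD}</form>',
    "footer": "<div>no form here</div>",
}


def templates_missing_token(templates: dict) -> list:
    """Titles of templates that still need the securitytoken field added."""
    return sorted(
        title for title, body in templates.items()
        if SESSION_FIELD in body and TOKEN_FIELD not in body[body.index(SESSION_FIELD):]
    )


if __name__ == "__main__":
    tok = security_token(7)
    print(check_request(Request("POST", {"do": "postreply"}), Script(csrf_protection=True), 7))
    print(check_request(Request("POST", {"do": "postreply", "securitytoken": tok}),
                        Script(csrf_protection=True), 7))
    print(templates_missing_token(SAMPLE_TEMPLATES))
```

The audit function reports poll_form for the sample data, which matches the symptom reported later in the thread: a form that still carries only the session hash field produces the "security token was missing" error once the script has opted into CSRF_PROTECTION.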
 

dcuellar

New Member
Anyone figured out how to fix the error with itsid's hide hack?

This error is given when quick reply is posted.

I'd be really appreciative.
 

dcuellar

New Member
I'm completely lost. I have no idea how to fix this. I would be very grateful to the person who can figure this out for me.
 

Hoxxy

New Member
dcuellar said:
I'm completely lost. I have no idea how to fix this. I would be very grateful to the person who can figure this out for me.

There is currently no fix for this due to the fact the creator has not been around for ages.

What I did myself was downgrade from 3.7 to 3.6.10 as it works on that version, but I don't recommend you do this unless you really know what you're doing as it took a while to do, editing the database, templates and such, and I still have some minor errors but can work around them;
plus I asked on vbulletin.com and they said downgrading could not be done, so if they're not recommending it, it's probably not a good thing to do ;)
 

YuchiRO

New Member
Thank you very much, Hoxxy!
I have some problems with AJAX and all mods using AJAX!

Code:
You need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN"

Where can I add this?

When I run diagnostics on my forum I get a notice:

Code:
The above setting will indicate if mod_security is preventing some AJAX requests from being submitted to vBulletin. If this shows Yes then you either need to disable mod_security or change the AJAX settings with the vBulletin Options and disable Problematic features.

Please help me!
Thanks
 

bluescorpion

New Member
The procedure is actually in Hoxxy's post:

To add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.
Code:

YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
success: this.handle_ajax_response,
failure: this.handle_ajax_error,
timeout: vB_Default_Timeout,
scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

I am probably missing your point if this doesn't solve your problem.

HTH
 

Hoxxy

New Member
kidzior said:
how to add this to vBSEO 3.1.0? ill disable vbseo my forum working good with out security tokens.

Don't thank every single post in a thread; it won't get you anywhere with rank status or post counts! (Consider this a friendly warning.)
 

Sakora

New Member
Hoxxy said:
Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

PHP:
define('CSRF_PROTECTION', true);


Template Changes
The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

PHP:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
.

Exempting Certain Actions
It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.

PHP:
define('CSRF_SKIP_LIST', 'action_one,action_two');

The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection. If the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

If the skip list needs to be changed at runtime, it is available within the registry object; using the init_startup hook the following code would be used to exempt 'example.php?do=action_three'.

PHP:
if (THIS_SCRIPT == 'example')
{
        $vbulletin->csrf_skip_list[] = 'action_three';
}

.......................................................................................................
AJAX requests
.......................................................................................................
You need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

PHP:
YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
	success: this.handle_ajax_response,
	failure: this.handle_ajax_error,
	timeout: vB_Default_Timeout,
	scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

........................................................................................................
Searching for templates that need editing
........................................................................................................
If you want to find all the templates that you need to edit to add:
Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
you can use this query in your MySQL database or maintenance SQL query:

Code:
SELECT templateid , title , styleid FROM template WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%' AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%' ORDER BY title ASC, styleid ASC;
........................................................................................................
Security token errors
........................................................................................................
In your Admin CP under Styles & Template select Search In Templates...

Search for:
HTML:
value="$session[sessionhash]"

In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:

PHP:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Where exactly do I put everything? I'm new at this and I have no clue.
 

sahil3x1

New Member
I got a solution. I also faced that type of problem; at that time I just changed some files, e.g. if I got it in search I replaced search.php (3.6.10) with search.php (3.6.8) and that worked fine.
 

rajayasir

New Member
I couldn't find THIS_SCRIPT, and please tell me how and where to add define('CSRF_PROTECTION', true); .. this one .. :S Please help, I'm getting a problem ..
 

askHacker

New Member
Hello Hoxxy,

You've been great help. I made all the changes by adding the following line of security token under all posts.

Now I just have one small problem. The poll submission only doesn't work, despite changing the template.

So when I vote, I get the following error

Your submission could not be processed because a security token was missing.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.


and the URL of the page is http://domain.com/forums/poll.php

What is the reason and how is it resolved?

Pls note this happens ONLY with the poll. All works fine after adding the tokens.

Thanks in advance
 
Another way to make sure you're adding security tokens everywhere you need them is to search all your templates for:

Code:
value="$session[sessionhash]"

and immediately after, if it doesn't already exist, add:

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
 

blur13th

New Member
askHacker said:
Hello Hoxxy,

You've been great help. I made all the changes by adding the following line of security token under all posts.

Now I just have one small problem. The poll submission only doesn't work, despite changing the template.

So when I vote, I get the following error

Your submission could not be processed because a security token was missing.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.


and the URL of the page is http://domain.com/forums/poll.php

What is the reason and how is it resolved?

Pls note this happens ONLY with the poll. All works fine after adding the tokens.

Thanks in advance

me too.

any idea?
 