Will the new vB version fix Security Tokens?

Xius

New Member
Just wondering,
I don't understand how to fix them currently,
So will the new versions of vB have patches for them?
 
Security token problems are only to do with the styles not vBulletin itself,
you need to update your templates, a link to sorting out security token issues can be found in my sig' ;)
 
From 3.6.10 vBulletin implemented something called CSRF protection,

Cross Site Request Forgery (also known as XSRF, CSRF, and Cross Site Reference Forgery) works by exploiting the trust that a site has for the user. Site tasks are usually linked to specific urls (Example: http://site/stocks?buy=100&stock=ebay) allowing specific actions to be performed when requested. If a user is logged into the site and an attacker tricks their browser into making a request to one of these task urls, then the task is performed and logged as the logged in user. Typically an attacker will embed malicious HTML or JavaScript code into an email or website to request a specific 'task url' which executes without the user's knowledge, either directly or by utilizing a Cross-site Scripting Flaw. Injection via light markup languages such as BBCode is also entirely possible. These sorts of attacks are fairly difficult to detect, potentially leaving a user debating with the website/company as to whether or not the stocks bought the day before were initiated by the user after the price plummeted.

Due to this, styles and mod/hack designers have had to implement this new protection feature so they will work with vBulletin correctly,
the basic thing to do with styles is to find:

HTML:
<input type="hidden" name="s" value="$session[sessionhash]" />
and after it, add
HTML:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

in general it's the same with mod/hacks but not always the case as with
ie: sids hide hack
a different reference string was needed.
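
The template edit described in the post above, as an added example that is not code from the thread or from vBulletin: it inserts the securitytoken input after the session-hash input in each form, leaves already-updated forms alone, and flags forms it cannot patch automatically. The function names and the sample template are constructed for illustration.

```python
import re

# The two hidden inputs quoted in the post above.
SESSION_INPUT = re.compile(
    r'<input\s+type="hidden"\s+name="s"\s+value="\$session\[sessionhash\]"\s*/>')
TOKEN_INPUT = ('<input type="hidden" name="securitytoken" '
               'value="$bbuserinfo[securitytoken]" />')
FORM_BLOCK = re.compile(r"<form\b.*?</form>", re.IGNORECASE | re.DOTALL)

# Constructed sample template (file names are placeholders).
SAMPLE = """\
<form action="a.php" method="post">
  <input type="hidden" name="s" value="$session[sessionhash]" />
  <input type="hidden" name="do" value="update" />
</form>
<form action="b.php" method="post">
  <input type="hidden" name="s" value="$session[sessionhash]" />
  <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
</form>
<form action="c.php" method="post">
  <input type="text" name="q" />
</form>
"""


def patch_form(form_html):
    """Return (form, status): 'ok', 'patched' or 'manual'."""
    if 'name="securitytoken"' in form_html:
        return form_html, "ok"  # token already present
    match = SESSION_INPUT.search(form_html)
    if match is None:
        return form_html, "manual"  # nothing to anchor on; review by hand
    # Reuse the indentation of the session-hash line for the new line.
    line_start = form_html.rfind("\n", 0, match.start()) + 1
    indent = form_html[line_start:match.start()]
    insert = "\n" + (indent if not indent.strip() else "") + TOKEN_INPUT
    return form_html[:match.end()] + insert + form_html[match.end():], "patched"


def patch_template(template):
    """Patch every <form> block; return (new_template, status counts)."""
    counts = {"ok": 0, "patched": 0, "manual": 0}

    def _sub(m):
        new_form, status = patch_form(m.group(0))
        counts[status] += 1
        return new_form

    return FORM_BLOCK.sub(_sub, template), counts
```

Forms reported as `manual` have no session-hash input to anchor on, which matches the post's remark that some mods need a different reference string.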
 