Implementing CSRF Protection (security tokens) in modifications

Discussion in 'Programming' started by Hoxxy, May 13, 2008.

  1. Hoxxy

    Hoxxy New Member

    Changes for CSRF protection with third party modifications

    With the new versions of vBulletin, 3.6.10 and 3.7.0 RC4+, a new protection against Cross Site Request Forgery (CSRF) has been introduced. This new protection might influence the coding in modifications.

    Cross Site Request Forgery (CSRF) takes advantage of the stateless nature of HTTP: there is no way to ensure the exact origin of a request, and it's also not possible to detect what was actually initiated by a user and what was forced by a third-party script. A token was added to the latest version of each of the vBulletin products; with the release of 3.6.10 and 3.7.0 RC4 it is no longer possible to submit a POST request directly without passing in the known token.

    The addition of a security token for each POST request removes the ability for a remote page to force a user to submit an action. At the moment this protection will only apply to vBulletin files and third party files will need to opt into this protection and add the appropriate hidden field. This was done to preserve backwards compatibility.

    Adding Protection to your own files

    To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

    PHP:
    define('CSRF_PROTECTION', true);
    With this change, all POST requests to this file will check for the presence of the securitytoken field and compare it to the value for the user; if it's wrong, an error message will be shown and execution will halt.

    If this value is set to false then all CSRF protection is removed for the file; this is appropriate for something that intentionally accepts remote POST requests.

    You should always add this to your file, even if you don't think the script is ever going to receive POST requests.

    An absence of this defined constant within your files will result in the old style referrer checking being performed.

    Template Changes
    The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

    PHP:
    <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
    Again it is worthwhile adding this to your templates even if it is currently not using the CSRF protection.

    Exempting Certain Actions
    It may be appropriate to exempt a particular action from the CSRF protection, in this case you can add the following to the file.

    PHP:
    define('CSRF_SKIP_LIST', 'action_one,action_two');
    The above example would exempt both example.php?do=action_one and example.php?do=action_two from the CSRF protection; if the CSRF_SKIP_LIST constant is defined with no value then it will exempt the default action.

    If the skip list needs to be changed at runtime, it is available within the registry object; using the init_startup hook, the following code would be used to exempt 'example.php?do=action_three'.

    PHP:
    if (THIS_SCRIPT == 'example')
    {
        $vbulletin->csrf_skip_list[] = 'action_three';
    }
    AJAX requests
    You need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

    Code:
    YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
        success: this.handle_ajax_response,
        failure: this.handle_ajax_error,
        timeout: vB_Default_Timeout,
        scope: this
    }, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);
    Searching for templates that need editing
    If you want to search for all templates that you need to edit to add:
    Code:
    <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
    you can use this query in your MySQL database or the maintenance SQL query page:

    Code:
    SELECT templateid , title , styleid FROM template WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%' AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%' ORDER BY title ASC, styleid ASC;
    Security token errors
    In your Admin CP under Styles & Template select Search In Templates...

    Search for:
    HTML:
    value="$session[sessionhash]"
    In every template this occurs in, add this line directly after the line containing the above, if it doesn't already exist:

    PHP:
    <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
    Save the template.
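To make the behaviour described in the post concrete (CSRF_PROTECTION true, false or absent, plus the CSRF_SKIP_LIST semantics), here is an added stand-alone PHP model of such a check. It is not vBulletin's own code: the token derivation, the function names (make_security_token, csrf_check, parse_skip_list) and the modelling of the default action as an empty ?do= value are assumptions made for illustration; only the field name securitytoken, the 40-character token length and the three modes come from the post.

```php
<?php
// Added illustration (not vBulletin's own code): a minimal model of the CSRF
// check described in the post, so the three modes (CSRF_PROTECTION true, false,
// or not defined) and the skip list can be exercised offline.

declare(strict_types=1);

// A 40-character token tied to the user. Only the length mirrors
// $bbuserinfo[securitytoken]; how vBulletin derives its value is not shown here.
function make_security_token(): string
{
    return sha1(random_bytes(32)); // 40 hex characters
}

// Render the hidden field that belongs in every form that POSTs back.
function security_token_field(string $token): string
{
    return '<input type="hidden" name="securitytoken" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Parse the CSRF_SKIP_LIST string the way the post describes it.
// null = constant not defined; [] = defined with no value (default action exempt).
function parse_skip_list(?string $value): ?array
{
    if ($value === null) {
        return null;
    }
    if ($value === '') {
        return [];
    }
    return array_map('trim', explode(',', $value));
}

/**
 * Decide whether a request may proceed. Returns 'ok' or the reason for refusal.
 *
 * $protection models CSRF_PROTECTION (true/false, null = not defined),
 * $skip_list is the output of parse_skip_list(), $action is the ?do= value
 * ('' stands for the default action, an assumption of this model).
 */
function csrf_check(
    string $method, array $post, string $action, string $user_token,
    ?bool $protection, ?array $skip_list, ?string $referer, string $site_host
): string {
    // Only state-changing (POST) requests are subject to the check.
    if ($method !== 'POST') {
        return 'ok';
    }
    // CSRF_PROTECTION false: the file deliberately accepts remote POSTs.
    if ($protection === false) {
        return 'ok';
    }
    // Constant absent: the legacy referrer check. Weaker, because the Referer
    // header is optional and is stripped by many clients and proxies.
    if ($protection === null) {
        $host = $referer !== null ? parse_url($referer, PHP_URL_HOST) : null;
        return ($host === $site_host) ? 'ok' : 'referrer_mismatch';
    }
    // Explicitly exempted actions, or the default action when the constant
    // was defined with an empty value.
    if ($skip_list !== null) {
        $exempt = ($skip_list === []) ? [''] : $skip_list;
        if (in_array($action, $exempt, true)) {
            return 'ok';
        }
    }
    if (!isset($post['securitytoken']) || !is_string($post['securitytoken'])) {
        return 'token_missing';
    }
    // Constant-time comparison so response timing leaks nothing about the token.
    return hash_equals($user_token, $post['securitytoken']) ? 'ok' : 'token_invalid';
}

// Constructed sample requests (not captured traffic).
$token = make_security_token();
$skip  = parse_skip_list('action_one,action_two');

$cases = [
    'forged POST, no token'           => csrf_check('POST', ['foo' => 'bar'], 'save', $token, true, $skip, 'http://other.example/', 'forum.example'),
    'genuine POST with token'         => csrf_check('POST', ['securitytoken' => $token], 'save', $token, true, $skip, null, 'forum.example'),
    'exempted action without token'   => csrf_check('POST', [], 'action_one', $token, true, $skip, null, 'forum.example'),
    'legacy file, cross-site referer' => csrf_check('POST', [], 'save', $token, null, null, 'http://other.example/page', 'forum.example'),
    'legacy file, same-site referer'  => csrf_check('POST', [], 'save', $token, null, null, 'http://forum.example/x', 'forum.example'),
];
foreach ($cases as $name => $result) {
    printf("%-34s %s\n", $name . ':', $result);
}
echo security_token_field($token), "\n";
```

Run it with `php csrf_model.php` (PHP 7.1 or later for the nullable type hints). The forged request is refused with token_missing, the exempted action passes without a token, and the legacy branch shows why the post recommends defining CSRF_PROTECTION in every file: a same-site Referer is all that the fallback asks for.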
     
  2. RSC

    RSC New Member

    Wow mate, that's amazing, really useful
     
  3. dcuellar

    dcuellar New Member

    Anyone figured out how to fix the error with itsid's hide hack?

    This error is given when quick reply is posted.

    I'd be really appreciative.
     
  4. dcuellar

    dcuellar New Member

    I'm completely lost. I have no idea how to fix this. I would be very grateful to the person who can figure this out for me.
     
  5. Hoxxy

    Hoxxy New Member

    There is currently no fix for this due to the fact the creator has not been around for ages.

    What I did myself was downgrade from 3.7 to 3.6.10 as it works on that version, but I don't recommend you do this unless you really know what you're doing, as it took a while to do, editing the database, templates and such, and I still have some minor errors but can work around them;
    plus I asked on vbulletin.com and they said downgrading could not be done, so if they're not recommending it, it's probably not a good thing to do ;)
     
  6. dcuellar

    dcuellar New Member

    Never mind. Someone kindly posted a fix for this hack on the thread.
     
  7. YuchiRO

    YuchiRO New Member

    Thank you Hoxxy very much!
    I have some problems with AJAX and all mods using AJAX!

    Code:
    You need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN"
    Where can I add this!?

    When I run diagnostics on my forum I get a notice

    Code:
    The above setting will indicate if mod_security is preventing some AJAX requests from being submitted to vBulletin. If this shows Yes then you either need to disable mod_security or change the AJAX settings with the vBulletin Options and disable Problematic features.
    Please help me!
    Thanks
     
  8. bluescorpion

    bluescorpion New Member

    The procedure is actually in Hoxxy's post:

    To add the security token to AJAX requests using POST, it can be simply added using the variable "SECURITYTOKEN". An example is below.
    Code:

    YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
    success: this.handle_ajax_response,
    failure: this.handle_ajax_error,
    timeout: vB_Default_Timeout,
    scope: this
    }, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

    I am probably missing your point if this doesn't solve your problem.

    HTH
     
  9. kidzior

    kidzior New Member

    How to add this to vBSEO 3.1.0? I'll disable vBSEO; my forum is working fine without security tokens.
     
  10. Hoxxy

    Hoxxy New Member

    Don't thank every single post in a thread; it won't get you anywhere with rank status or post counts! (Consider this a friendly warning.)
     
  11. kidzior

    kidzior New Member

    ok, sorry. Can you help me?
     
  12. Sakora

    Sakora New Member

    Where exactly do I put everything? I'm new at this and I have no clue
     
  13. Hoxxy

    Hoxxy New Member

    If you are just getting security token errors just follow the last section
    "Security token errors"
     
  14. sahil3x1

    sahil3x1 New Member

    I got a solution. I also faced that type of problem; at that time I just changed some files, e.g. if I got it in search I replaced search.php (3.6.10) with search.php (3.6.8) and that's working fine.
     
  15. rajayasir

    rajayasir New Member

    I couldn't find THIS_SCRIPT, and please tell me how and where to add define('CSRF_PROTECTION', true); this one :S please help, I'm getting a problem
     
  16. askHacker

    askHacker New Member

    Hello Hoxxy,

    You've been great help. I made all the changes by adding the following line of security token under all posts.

    Now I just have one small problem. The poll submission only doesn't work, despite changing the template.

    So when I vote, I get the following error

    Your submission could not be processed because a security token was missing.

    If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.


    and the URL of the page is http://domain.com/forums/poll.php

    What is the reason and what is the resolution?

    Pls note this happens ONLY with the poll. All works fine after adding the tokens.

    Thanks in advance
     
  17. arbab

    arbab New Member

    Thanks i will try
     
  18. Another way to make sure you're adding security tokens everywhere you need them is to search all your templates for:

    Code:
    value="$session[sessionhash]"
    and immediately after, if it doesn't already exist, add:

    Code:
    <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
     
  19. blur13th

    blur13th New Member

    me too.

    any idea?
     
  20. the fanopsis

    the fanopsis New Member

    all i can see is "Content visible to registered users only."
    why is it so ?
     