TECH6.0

MisawaPlayer · #1 14-10-2008, 03:37 AM

in global.php, I find the following section of code:

PHP Code:

  // #############################################################################

// get style variables

$stylevar = fetch_stylevars($style, $vbulletin->userinfo);

 
if (defined('CSRF_ERROR'))

{

    define('VB_ERROR_LITE', true);

    eval('$headinclude = "' . fetch_template('headinclude') . '";');

    switch (CSRF_ERROR)

    {

        case 'missing':

            eval(standard_error(fetch_error('security_token_missing', $vbulletin->options['contactuslink'])));

            break;

 
        case 'guest':

            eval(standard_error(fetch_error('security_token_guest')));

            break;

 
        case 'invalid':

        default:

            eval(standard_error(fetch_error('security_token_invalid', $vbulletin->options['contactuslink'])));

    }

    exit;

}

I am seeing this code executed (CSRF_ERROR == 'invalid') intermittantly. It only happens when using IE, and never when I use Firefox as my browser (same exact user and actions). The problem is, it doesn't always happen with IE. I can have it fail (5-10 times), let it sit 5 minutes and resubmit the form, and it works fine. Or other times 20-30 minutes and it still won't work.

I want to know where CSRF_ERROR gets defined. It is not defined directly in global.php, so it must be defined elsewhere - possibly in the function "fetch_stylevars"? Where is that function found?

Can you tell me where this constant gets defined, after what checks. If you can direct me to a location where I can read the code that would be good enough.

Thanks in advance.

webwizzy · #2 14-10-2008, 03:14 PM

You need to define it in YOUR files. And you also need to add a hidden field in the POST form in the associated template. Its important to check for CSRF protection in your forms and is quite simple to implement as well.

Adding Protection to your own files

To opt your entire file into CSRF protection the following should be added to the top of the file under the define for THIS_SCRIPT.

PHP Code:

  define('CSRF_PROTECTION', true);

Template Changes

The following should be added to all of the forms which POST back to vBulletin or a vBulletin script. This will automatically be filled out with a 40 character hash that is unique to the user.

HTML Code:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Thats it! It won't throw any security token or CSRF errors now.

Read Create your own vBulletin-Powered page and go through the code.

Hope this helps

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

TECH6.0

Defining CSRF Protection