Thursday 24th July 2008
 
 
 
 
 
 


 
 

Add the new vBulletin anti-CSRF security check in your vb mods

April 23, 2008 Author: Chris T Posted in: Code Tutorials, vBulletin
 

All plugins on vb.org ought to be updated shortly to implement this new security check, but that won't happen any time soon with all the wannabe coders out there. So let me help you.

The new anti-CSRF check is triggered by a specific constant defined at the top of your script. The vB team chose this opt-in approach so as not to break a few hundred mods.

So at the top of your script, before the call to global.php (right under the define of THIS_SCRIPT is a good place), add this line:

define('CSRF_PROTECTION', true);

The next step is to edit every form in your custom plugin templates to add a specific hidden input. A quick way to do this is to open your product.xml, search for <form, and add this line of code under each match:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

And you are done! If you test right after the first step, before adding the hidden input, you will see this nice error on any POST request that comes from the scripts where you added the first line:

Your submission could not be processed because a security token was missing or mismatched.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.

After a little searching, and if you think as I do, you will find out how the new check works in the file includes/init.php, lines 399-420.

Note that only POST requests are checked; GET requests are not, so any action your mod performs on a GET request is not covered by this check.
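The manual search for <form in product.xml described in the second step can be automated. The script below is an added example, not code from the original post or from vBulletin: it lists every POST form in a product's templates that lacks the securitytoken input. The product.xml layout, the function name and the template and script names in the sample are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Assumption: product.xml stores each template as CDATA
# inside <template name="...">; all names below are made up for illustration.
SAMPLE_PRODUCT_XML = """<product productid="example_mod" active="1">
  <templates>
    <template name="example_mod_edit" templatetype="template"><![CDATA[
<form action="example.php?do=save" method="post">
  <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
  <input type="text" name="title" />
</form>
]]></template>
    <template name="example_mod_delete" templatetype="template"><![CDATA[
<form action="example.php?do=update" method="POST">
  <input type="hidden" name="id" value="$id" />
</form>
<form action="example.php" method="get"><input type="text" name="q" /></form>
]]></template>
  </templates>
</product>"""

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
METHOD_RE = re.compile(r"""\bmethod\s*=\s*["']?(\w+)""", re.I)
ACTION_RE = re.compile(r"""\baction\s*=\s*["']([^"']*)""", re.I)
TOKEN_RE = re.compile(r"""<input\b[^>]*\bname\s*=\s*["']securitytoken["']""", re.I)


def forms_missing_token(product_xml):
    """Return (template name, form action) for each POST form without the token."""
    missing = []
    for template in ET.fromstring(product_xml).iter("template"):
        for attrs, body in FORM_RE.findall(template.text or ""):
            method = METHOD_RE.search(attrs)
            # Only POST forms are checked by vBulletin; a form with no method
            # attribute submits as GET, so it is skipped here as well.
            if not method or method.group(1).lower() != "post":
                continue
            if not TOKEN_RE.search(body):
                action = ACTION_RE.search(attrs)
                missing.append((template.get("name"), action.group(1) if action else ""))
    return missing


if __name__ == "__main__":
    for name, action in forms_missing_token(SAMPLE_PRODUCT_XML):
        print(f"{name}: POST form to {action!r} has no securitytoken input")
```

To audit a real product, read its product.xml into a string and pass it to forms_missing_token(); forms assembled by plugin code rather than stored in templates will not be seen by this scan.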

If you want your script to have this extra check but also need some of its actions to bypass it, specify something like this at the top of your script:

define('CSRF_SKIP_LIST', 'save,update,dosex');

Here save, update and dosex are the actions specified by $_REQUEST['do'], or $_POST['do'] if you prefer that.

Happy Coding as always….

 
 

 

 

One Response to “Add the new vBulletin anti-CSRF security check in your vb mods”

 
#1 dancue Says:
May 13th, 2008 at 4:01 am

I’ve really tried and tried to get this to work but am unable to.

I am currently using sid’s hide hack and it will give me the security token error when I attempt to quickreply in order to view the hidden content.

Instead of revealing the content, the error message is revealed.

This is the mod I am referring to.

http://www.vbulletin.org/forum/showthread.php?t=130887

 

 

 
