<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: vBulletin 3.7.0 Release Candidate 4</title>
	<atom:link href="http://www.t3-design.com/vbulletin-370-release-candidate-4/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.t3-design.com/vbulletin-370-release-candidate-4/</link>
	<description>Tefra Was Here</description>
	<pubDate>Thu, 20 Nov 2008 20:16:45 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: Chris T</title>
		<link>http://www.t3-design.com/vbulletin-370-release-candidate-4/#comment-81</link>
		<dc:creator>Chris T</dc:creator>
		<pubDate>Wed, 23 Apr 2008 20:00:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.t3-design.com/?p=270#comment-81</guid>
<description>Except for a few quick edits, that was a fast upgrade. The vB team is making the upgrade script better and better; this time it can handle the auto-update for the CSRF (cross-site request forgery) vulnerability for all custom templates.

It took me only a few minutes to add the new security check to vbsed too. What does it actually do?

It checks if a POST request is done, and it checks for a hidden input that they added in every form which has a unique value for each user, so if you are not yourself there is pretty much no way to bypass this check. Unless, of course, you are a lazy admin who likes to forget his cookies in some net cafe. In that case do yourself a favor and close your site, today.

vBulletin had a security check for POST requests from 3rd-party domains, but it wasn't secure enough, god bless PHP global variables.</description>
		<content:encoded><![CDATA[<p>Except for a few quick edits, that was a fast upgrade. The vB team is making the upgrade script better and better; this time it can handle the auto-update for the CSRF (cross-site request forgery) vulnerability for all custom templates.</p>
<p>It took me only a few minutes to add the new security check to vbsed too. What does it actually do?</p>
<p>It checks if a POST request is done, and it checks for a hidden input that they added in every form which has a unique value for each user, so if you are not yourself there is pretty much no way to bypass this check. Unless, of course, you are a lazy admin who likes to forget his cookies in some net cafe. In that case do yourself a favor and close your site, today.</p>
<p>vBulletin had a security check for POST requests from 3rd-party domains, but it wasn&#8217;t secure enough, god bless PHP global variables.</p>
]]></content:encoded>
	</item>
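Editor's added example, not code from the page, the commenter, or vBulletin: a model of the per-user token check described in the comment above (only POSTs are checked; the hidden input must match the token bound to the requester's session), next to a referer-only check of the older kind. The field name "security_token", the in-memory session store, the host "forum.example", and the way request parameters shadow server variables in the legacy check are all assumptions made for illustration; the exact vBulletin flaw is not described on the page. The scenarios show a legitimate post, a cross-site forgery that cannot know the token, the stolen-cookie case the comment warns about (where the token cannot help), and a referer check defeated by attacker-supplied input.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory session store: session id -> per-user CSRF token.
# (Storage details are an assumption for this example.)
SESSIONS = {}
SITE_HOST = "forum.example"  # assumed host of "our" site


def new_session():
    """Log a user in: mint a session id and a random per-user token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid


def hidden_input_value(sid):
    """Value the server writes into the hidden input of every form it renders."""
    return SESSIONS[sid]


def csrf_check(method, cookies, form):
    """Token check as the comment describes it: only POSTs are checked, and the
    submitted hidden field must equal the token bound to the requester's session.
    The field name 'security_token' is an assumption for this example."""
    if method != "POST":
        return True
    expected = SESSIONS.get(cookies.get("sessionid"))
    if expected is None:
        return False
    submitted = form.get("security_token", "")
    # constant-time comparison so response timing does not leak the token
    return hmac.compare_digest(expected, submitted)


def legacy_referer_check(method, server_vars, form):
    """Illustration of why a referer-only check is weak when request parameters
    can shadow server variables (register_globals style). This models the
    general problem, not the specific vBulletin code."""
    if method != "POST":
        return True
    merged = dict(server_vars)
    merged.update(form)  # attacker-controlled input overrides HTTP_REFERER
    referer = merged.get("HTTP_REFERER", "")
    return urlparse(referer).hostname == SITE_HOST


# --- constructed scenarios ---

def scenario_legit():
    """The user's own browser submits the form it was served: passes."""
    sid = new_session()
    return csrf_check("POST", {"sessionid": sid},
                      {"security_token": hidden_input_value(sid), "action": "dopost"})


def scenario_cross_site_forgery():
    """Victim's browser sends the cookie automatically, but the attacker's page
    cannot read the victim's token, so it can only guess one: fails."""
    sid = new_session()
    return csrf_check("POST", {"sessionid": sid},
                      {"security_token": secrets.token_hex(32), "action": "dopost"})


def scenario_stolen_cookie():
    """The net cafe case: whoever holds the cookie can fetch a form, read the
    hidden input, and submit a valid request. The token cannot help here."""
    sid = new_session()
    stolen_cookie = {"sessionid": sid}
    token_read_from_form = hidden_input_value(sid)
    return csrf_check("POST", stolen_cookie, {"security_token": token_read_from_form})


def scenario_legacy_bypass():
    """Real referer points at the attacker's page, but a form field of the same
    name overrides it in the merged variable space: the weak check passes."""
    server_vars = {"HTTP_REFERER": "http://evil.example/csrf.html"}
    forged_form = {"HTTP_REFERER": "http://forum.example/newthread.php",
                   "action": "dopost"}
    return legacy_referer_check("POST", server_vars, forged_form)
```

The design point is in the token scenarios: the check adds nothing unless the secret is something the cross-site attacker cannot read, and it is bound to the session rather than to the site, so anyone holding the cookie already holds the token.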
</channel>
</rss>
