Important: vBulletin Security Token Warnings

Discussion in 'vBulletin' started by Alex., Feb 15, 2010.

  1. Alex.

    Alex. The Ancient Dragon

    Recently a rash of errors has been coming up on several vBulletin forums regarding a missing or invalid security token, where members that are logged in experience a token error.

    Blame was put on Firefox 3.6; however, that was dismissed when people realized Firefox doesn't handle security tokens or anything of the sort. This conclusion coincided with the number of boards upgrading to 3.8.4.

    People who may experience this error:

    1. Those who are running hacks not updated to the software version they are running.

    2. Custom styles that were bought.

    3. Styles that were not reverted after an upgrade.

    4. Those upgrading from the 3.6.x line of vBulletin software to the latest 3 series release, which is 3.8.4.

    5. Those who have custom styles that borrow code from a parent style; therefore both styles must be checked for missing code.

    It does not matter if you are confident the templates are correct. The templates do get buggy during an upgrade or even a new install; however, the latter is extremely rare.

    This issue can affect any vBulletin product, so keep that in mind. Any security token warning that comes up is a vBulletin fault that you as a forum owner will have to address.

    Steps:

    1. Log into your ACP.

    2. Hand search all your templates for this line of code:

    Code:
    <input type="hidden" name="s" value="$session[sessionhash]" />

    3. Then directly under that line of code, add the following line of code:

    Code:
    <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

    4. Your original and current code should look like this:

    Code:
    <input type="hidden" name="s" value="$session[sessionhash]" />
    <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

    5. If it does not, you did something wrong. DO NOT SAVE THE TEMPLATE, but start over again.

    6. Do this for every single template missing that pair of lines. Additionally, you can have your work cut out for you if your members remember what URL the token error showed up in. For example, if it ends with "DST", it means the PHP callback and lookup for the server's time at the bottom of the forum is missing that security token. It would be located in your footer template.


    If you don't want to edit code because you're worried about messing things up, study the following picture, then do as it shows, and everything should work fine; the security token issue will be gone if everything is in check.

    This can be found in your ACP > Styles & Templates > Find & Replace Text.





    To expedite finding affected templates, you may run this SQL query in the vB admin panel. Courtesy of Poet JC.

    Code:
    SELECT templateid, title, styleid
    FROM template
    WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%'
      AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%'
    ORDER BY title ASC, styleid ASC;


    Last edited: Feb 15, 2010
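An offline way to run the same two-line check and fix from the first post, added here as an example (it is not code from the thread or from vBulletin). It assumes you have exported the template_un text, which is replaced below by constructed sample rows; the check is done per form, which is stricter than the SQL LIKE in the first post, since that query passes a template as soon as the token line appears anywhere after the first session-hash line.

```python
# Added example, not vBulletin code: per-form audit and fix for the two hidden inputs.
# Input is a constructed stand-in for the `template_un` column of the `template` table.

SESSION_LINE = '<input type="hidden" name="s" value="$session[sessionhash]" />'
TOKEN_LINE = '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />'

# Constructed sample rows keyed by (title, styleid). "footer" mimics the DST form the
# post mentions; "search" has two forms, only the first of which is missing the token.
SAMPLE_TEMPLATES = {
    ("newreply", 1): '<form action="newreply.php" method="post">\n' + SESSION_LINE + '\n'
                     + TOKEN_LINE + '\n</form>',
    ("footer", 1): '<form action="misc.php" method="post">\n' + SESSION_LINE + '\n'
                   + '<input type="hidden" name="do" value="dst" />\n</form>',
    ("header", 2): '<div>no form here</div>',
    ("search", 2): '<form>\n' + SESSION_LINE + '\n</form>\n<form>\n' + SESSION_LINE + '\n'
                   + TOKEN_LINE + '\n</form>',
}

def _scopes(template):
    """Yield the text after each session-hash input up to the enclosing </form>
    (or end of template); the securitytoken input must appear inside that scope."""
    for segment in template.split(SESSION_LINE)[1:]:
        yield segment.split("</form>", 1)[0]

def forms_missing_token(template):
    """Count session-hash inputs that are not paired with a securitytoken input."""
    return sum(1 for scope in _scopes(template) if TOKEN_LINE not in scope)

def find_affected(templates):
    """Per-form version of the thread's SQL query: sorted (title, styleid) keys of
    templates in which at least one form lacks the securitytoken input."""
    return sorted(key for key, body in templates.items() if forms_missing_token(body))

def add_token(template):
    """The Find & Replace step: put the securitytoken line directly under every
    session-hash line that lacks one. Safe to run twice (no duplicate lines)."""
    parts = template.split(SESSION_LINE)
    out = [parts[0]]
    for segment in parts[1:]:
        out.append(SESSION_LINE)
        if TOKEN_LINE not in segment.split("</form>", 1)[0]:
            out.append("\n" + TOKEN_LINE)
        out.append(segment)
    return "".join(out)

if __name__ == "__main__":
    for key in find_affected(SAMPLE_TEMPLATES):
        print("needs securitytoken:", key)
    print(add_token(SAMPLE_TEMPLATES[("footer", 1)]))
```

Review the printed diff per template before pasting anything back into the ACP; a template that contains forms in parent and child styles must be checked in both, as step 5 of the post says.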
  2. ChopSuey

    ChopSuey Fan

    Thanks for the information Cipher!
     
  3. PoetJC

    PoetJC [* Jacq Of All Trades *]

    Hmmm - I think that's actually resulted from the CSRF protection that came with the release of 3.6.10 and 3.7 vBulletin. There's a specific report of the issue back in April 2008 at Implementing CSRF Protection in modifications

    Someone posted a handy query you can run in vBulletin AdminCP to help expedite the process of locating any templates which might need to be edited:

    Thanks for posting that info again though - some people probably didn't realize it was ever an issue or how to fix it.

    Jacquii.
     
    Last edited: Feb 15, 2010
  4. Alex.

    Alex. The Ancient Dragon

    Thank you, Jacquii. I forgot about that!

    And thank you for the query, I'll add it to the original post right now. I saw a result of the query but couldn't find the actual query itself, Jacquii to the rescue. :p
     
  5. PoetJC

    PoetJC [* Jacq Of All Trades *]

    LOL
    I edited my post to put the "Hmmm - I think" part because I wasn't sure if this was something kinda new or what :p -- But yeah - thought I'd add that bit because I remember that post from way back - the query could have come in handy when I'd spent 7+ hours editing templates ARG

    Jacquii.
     
  6. Alex.

    Alex. The Ancient Dragon

    Yep, the Find & Replace seems the easiest for the inexperienced admin, or simply someone who gets a sick feeling at the mouth because of vBulletin. :lisa:
     
  7. PoetJC

    PoetJC [* Jacq Of All Trades *]

    I think the sick feeling might be all about the new pricing policy. :lildevil:

    Jacquii.
     
  8. hari

    hari Tazmanian

    Alex, is there any way to patch an earlier vB for this fault? I'm afraid I have no access to upgrades now as my owned version is "expired" and I don't want to shell out $195 to merely get access to the security-patched versions.
     
  9. Alex.

    Alex. The Ancient Dragon

    Your version isn't susceptible to the error, so you're fine, for now. :) With Poet JC's post I found that the protection was put in place after your version.
     
  10. hari

    hari Tazmanian

    Ah, right. Thanks for the info. :)
     
  11. Beefy

    Beefy Biker Nerd

    I'm getting this error as well. I just tried the fix and it replaced code in a whole lot of templates, but it didn't fix the problem. The error is still there. :(

    Any help?
     
  12. Beefy

    Beefy Biker Nerd

    Nevermind.

    Found this after getting some rest and it fixed the problem for me. Thanks! :D

    http://www.vbulletin.com/forum/project.php?issueid=36856
     
  13. 50calray

    50calray Aspirant

    Cool, I wrote this off as some form of time out... it only happens when the site sits idle for a while by me.

    Thanks,
     