Issue: security token error

Issue Tools
- View Changes

September 27, 2016 11:04 PM
KevinL

New Member
security token error

security token error with additional thread tools installed

Hello,

I noticed yesterday with both VaultWiki and Additional Thread Tools Installed I receive a security token error. Once I disable VaultWiki the error goes away and I can commit the changes. Is this something that can be looked into?

Thank you!

HTML Code:

Your submission could not be processed because a security token was missing. If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.

Issue Details

Issue Number 4720

Issue Type Bug

Project VaultWiki 4.x Series

Category Moderator Tools

Status Fixed

Priority 4 - Warnings / Script Errors

Affected Version 4.0.13

Fixed Version 4.0.15

Milestone (none)

Software DependencyvBulletin 4.x

License TypePaid

Users able to reproduce bug 0

Users unable to reproduce bug 0

Attachments 0

Assigned Users (none)

Tags (none)

September 28, 2016 9:27 AM
pegasus

VaultWiki Team
This occurs because VaultWiki incorrectly assumes that additionaltoolsfunctions.php is a wiki script. This occurs because of a bug in additionaltoolsfunctions.php. Unlike all front-end vBulletin php scripts, it does not define THIS_SCRIPT.

There is a security problem in additionaltoolsfunctions.php and its template markfl_att_threadtools_form. Although it works as you expect, it contains a security vulnerability, because it does not use security token protection. All vBulletin forms submitted over POST should use CSRF_PROTECTION to help prevent submissions that originate from other web sites that are not authorized by your forum.

For now you can work around the security token error from VaultWiki by editing vault/core/controller/start/vb3.php. Find:

Code:

if (!defined('THIS_SCRIPT'))

Replace with:

Code:

if (!defined('THIS_SCRIPT') AND defined('VW_SCRIPT'))

Please report the bugs in Additional Thread Tools to the appropriate support channel for that add-on.
Reply
September 28, 2016 3:09 PM

KevinL

New Member

Hello,

They updated their mod and I also made the change you suggested and I am still receiving the same error.

Also after making that change I was completely locked out of the admincp. All it said was 'access denied'

Thank you!

Reply
September 28, 2016 7:40 PM
pegasus

VaultWiki Team
I looked at the updated mod. They turned on CSRF_PROTECTION but did not actually implement it in their form templates. That is why you receive the security token error, because the forms do not identify themselves using the security token. You will still have this error even with VaultWiki disabled.

For the "Access Denied", edit the file again and find:

Code:

global $view_ctrl;

Before it, add:

Code:

else { if (!defined('THIS_SCRIPT')) { define('THIS_SCRIPT', 'fake_script'); } if (!defined('VB_ENTRY')) { define('VB_ENTRY', 1); } }
Reply

+ Reply

All times are GMT -4. The time now is 7:12 AM.

This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Learn more… Accept Remind me later

Welcome to VaultWiki.org, home of the wiki add-on for vBulletin and XenForo!

Issue: security token error

Issue Tools