security token error with additional thread tools installed
Hello,
I noticed yesterday that with both VaultWiki and Additional Thread Tools installed, I receive a security token error. Once I disable VaultWiki the error goes away and I can commit the changes. Is this something that can be looked into?
Thank you!
HTML Code:
Your submission could not be processed because a security token was missing.
If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.
This occurs because VaultWiki incorrectly assumes that additionaltoolsfunctions.php is a wiki script. This occurs because of a bug in additionaltoolsfunctions.php. Unlike all front-end vBulletin php scripts, it does not define THIS_SCRIPT.
There is a security problem in additionaltoolsfunctions.php and its template markfl_att_threadtools_form. Although it works as you expect, it contains a security vulnerability, because it does not use security token protection. All vBulletin forms submitted over POST should use CSRF_PROTECTION to help prevent submissions that originate from other web sites that are not authorized by your forum.
For now you can work around the security token error from VaultWiki by editing vault/core/controller/start/vb3.php. Find:
Code:
if (!defined('THIS_SCRIPT'))
Replace with:
Code:
if (!defined('THIS_SCRIPT') AND defined('VW_SCRIPT'))
Please report the bugs in Additional Thread Tools to the appropriate support channel for that add-on.
I looked at the updated mod. They turned on CSRF_PROTECTION but did not actually implement it in their form templates. That is why you receive the security token error, because the forms do not identify themselves using the security token. You will still have this error even with VaultWiki disabled.
For the "Access Denied", edit the file again and find:
Code:
global $view_ctrl;
Before it, add:
Code:
else
{
    if (!defined('THIS_SCRIPT'))
    {
        define('THIS_SCRIPT', 'fake_script');
    }
    if (!defined('VB_ENTRY'))
    {
        define('VB_ENTRY', 1);
    }
}
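The failure described in the replies above, where token checking is enabled on the script but the form template never sends the token, can be reproduced with a small stand-alone script. This is an added example, not part of the original thread and not code from vBulletin, VaultWiki or Additional Thread Tools; the function names, the token scheme, the `securitytoken` field name and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; not vBulletin, VaultWiki or Additional Thread Tools code.
// Function names, the token scheme and the sample values are hypothetical.

const MISSING_TOKEN = 'Your submission could not be processed because a security token was missing.';

// Token bound to one user's secret, formatted as "<issued>-<hmac>".
function make_token(string $userSecret, int $now): string
{
    return $now . '-' . hash_hmac('sha256', (string) $now, $userSecret);
}

// Returns null when the POST is accepted, otherwise the rejection reason.
function check_post(array $post, string $userSecret, int $now, int $maxAge = 3600): ?string
{
    if (!isset($post['securitytoken']) || !is_string($post['securitytoken'])) {
        return MISSING_TOKEN; // the form never sent the field
    }
    $parts = explode('-', $post['securitytoken'], 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'Security token is malformed.';
    }
    [$issued, $mac] = $parts;
    // Constant-time comparison against the value expected for this user.
    if (!hash_equals(hash_hmac('sha256', $issued, $userSecret), $mac)) {
        return 'Security token does not match this user.';
    }
    if ($now - (int) $issued > $maxAge) {
        return 'Security token has expired.';
    }
    return null;
}

$secret = 'constructed-per-user-secret'; // constructed sample value
$now    = 1700000000;                    // constructed timestamp

// Three constructed POST bodies: the broken template, the fixed template,
// and a submission that did not originate from the forum's own form.
$cases = [
    'template without the hidden field' => ['do' => 'updatethreads'],
    'template with the hidden field'    => ['do' => 'updatethreads', 'securitytoken' => make_token($secret, $now)],
    'request built by another site'     => ['do' => 'updatethreads', 'securitytoken' => $now . '-' . str_repeat('0', 64)],
];

foreach ($cases as $label => $post) {
    $error = check_post($post, $secret, $now);
    echo $label . ': ' . ($error ?? 'accepted') . PHP_EOL;
}
```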