Go Back   Admin Zone Forums > The Software Zone > Forum Software > vBulletin

vBulletin Discuss vBulletin.

Reply
 
Thread Tools

  #1  
Old 02-15-2010, 06:56 AM
Alex.'s Avatar
Alex. Alex. is offline
The Ancient Dragon
 
Real Name: Alex
Join Date: Jul 2007
Admin Experience: Advanced
Location: US
Posts: 8,690
Alex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant future
Default Important: vBulletin Security Token Warnings
Recently a hash of errors have been coming up on several vBulletin board forums regarding a missing or invalid security token when members that are logged in experience a token error.

A blame was put on Firefox 3.6, however that was dismissed when people realized Firefox doesn't handle security tokens or anything such as that. This conclusion was coincidental with the amount of boards upgrading to 3.8.4.

People who may experience this error:

1. Those who are running hacks not updated to the software version they are running.

2. Custom styles that were bought.

3. Styles that were not reverted after an upgrade.

4. Those upgrading from the 3.6.x line of vBulletin software to the latest 3 series release, which is 3.8.4.

5. Those who have custom styles being lent code from a parent style, therefore both styles must be checked for missing code.

It does not matter if you are confident the templates are correct. The templates do get buggy during an upgrade or even a new install, however, the latter is extremely rare.

This issue can affect any vBulletin product, so keep that in mind. Any security token warning that comes up is a vBulletin fault that you as a forum owner will have to address.

Steps:

1. Login into your ACP.

2. Hand search all your templates for this line of code:

Code:
<input type="hidden" name="s" value="$session[sessionhash]" />
3. Then directly under that line of code, add the following line of code:

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
4. Your original and current code should look like this:

Code:
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

5. If it does not, you did something wrong. DO NOT SAVE THE TEMPLATE, but start over again.

6. Do this for every single template missing that duo code. Additionally, you can have your work cut out for you if your members remember what URL the token showed up in. For example, if it ends with "DST", it means that the PHP call back and lookup for the server's time at the bottom of the forum is missing that security token. It would be located in your footer template.


If you don't want to edit code because you're worried about messing things up, study the following picture then do as it is, and everything should work fine and the security token issue will be gone if everything is in check.

This can be found in your ACP > Styles & Templates > Find & Replace Text.






To expedite finding templates affected, you may run those SQL query in the vB admin pane. Courtesy of Poet JC.

Code:
SELECT templateid , title , styleid FROM template WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%' AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%' ORDER BY title ASC, styleid ASC;
Attached Images
File Type: jpg sample.jpg (39.6 KB, 14 views)

Last edited by Alex.; 02-15-2010 at 07:34 AM..
Reply With Quote
  #2  
Old 02-15-2010, 07:16 AM
ChopSuey's Avatar
ChopSuey ChopSuey is offline
Tazmanian
 
Real Name: Corey
Join Date: Oct 2009
Admin Experience: Advanced
Location: The Last Frontier
Posts: 342
ChopSuey has a spectacular aura about
Default
Thanks for the information Cipher!
Reply With Quote
  #3  
Old 02-15-2010, 07:28 AM
PoetJC's Avatar
PoetJC PoetJC is offline
Miss Thick_Jacq
 
Real Name: Black Betty.
Join Date: Jul 2006
Admin Experience: Beginner
Location: Somewhere Booping...
Posts: 5,977
PoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond repute
Default
Quote:
Originally Posted by Cipher View Post
Recently a hash of errors have been coming up on several vBulletin board forums regarding a missing or invalid security token when members that are logged in experience a token error.
Hmmm - I think that's actually resulted from the CSRF protection that came with the release of 3.6.10 and 3.7 vBulletin. There's a specific report of the issue back in April 2008 at Implementing CSRF Protection in modifications

Someone posted a handy query you can run in vBulletin AdminCP to help expedite the process of locating any templates which might need to be edited:

Quote:
SELECT templateid , title , styleid FROM template WHERE template_un NOT LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />%' AND template_un LIKE '%<input type="hidden" name="s" value="$session[sessionhash]" />%' ORDER BY title ASC, styleid ASC;
Thanks for posting that info again though - some people probably didn't realize it was ever an issue or how to fix it.

Jacquii.
__________________
JPiC Forum For Writers | Celebrating Diversity With The Typed Word
PoteQuotes.com | Home of Potent QuotablesCandiceFans.com | Schooling You in Soul



Last edited by PoetJC; 02-15-2010 at 07:32 AM.. Reason: briefly edited...
Reply With Quote
  #4  
Old 02-15-2010, 07:33 AM
Alex.'s Avatar
Alex. Alex. is offline
The Ancient Dragon
 
Real Name: Alex
Join Date: Jul 2007
Admin Experience: Advanced
Location: US
Posts: 8,690
Alex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant future
Default
Thank you, Jacquii. I forgot about that!

And thank you for the query, I'll add it to the post original post right now. I saw a result of the query but couldn't find the actual query itself, Jacquii to the rescue.
Reply With Quote
  #5  
Old 02-15-2010, 07:35 AM
PoetJC's Avatar
PoetJC PoetJC is offline
Miss Thick_Jacq
 
Real Name: Black Betty.
Join Date: Jul 2006
Admin Experience: Beginner
Location: Somewhere Booping...
Posts: 5,977
PoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond repute
Default
LOL
I edited my post to put the "Hmmm - I think" part because I wasn't sure if this was something kinda new or what :P -- But yeah - thought I'd add that bit because I remember that post from way back - the query could have come in handy when I'd spent 7+ hours editing templates ARG

Jacquii.
__________________
JPiC Forum For Writers | Celebrating Diversity With The Typed Word
PoteQuotes.com | Home of Potent QuotablesCandiceFans.com | Schooling You in Soul


Reply With Quote
  #6  
Old 02-15-2010, 07:39 AM
Alex.'s Avatar
Alex. Alex. is offline
The Ancient Dragon
 
Real Name: Alex
Join Date: Jul 2007
Admin Experience: Advanced
Location: US
Posts: 8,690
Alex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant future
Default
Yep, the Find & Replace seems the easiest for the inexperienced admin, or simply someone who gets a sick feeling at the mouth because of vBulletin.
Reply With Quote
  #7  
Old 02-15-2010, 07:41 AM
PoetJC's Avatar
PoetJC PoetJC is offline
Miss Thick_Jacq
 
Real Name: Black Betty.
Join Date: Jul 2006
Admin Experience: Beginner
Location: Somewhere Booping...
Posts: 5,977
PoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond reputePoetJC has a reputation beyond repute
Default
I think the sick feeling might be all about the new new pricing policy.

Jacquii.
__________________
JPiC Forum For Writers | Celebrating Diversity With The Typed Word
PoteQuotes.com | Home of Potent QuotablesCandiceFans.com | Schooling You in Soul


Reply With Quote
  #8  
Old 02-15-2010, 08:07 AM
hari hari is offline
Tazmanian
 
Real Name: Hari
Join Date: Jan 2006
Admin Experience: Intermediate
Posts: 2,829
hari is a glorious beacon of lighthari is a glorious beacon of lighthari is a glorious beacon of light
Default
Alex, is there any watch to patch an earlier vB for this fault? I'm afraid I have no access to upgrades now as my owned version is "expired" and I don't want to shell out $195 to merely get access to the security patched versions.
__________________
Goodbye, TAZ
Reply With Quote
  #9  
Old 02-15-2010, 08:36 AM
Alex.'s Avatar
Alex. Alex. is offline
The Ancient Dragon
 
Real Name: Alex
Join Date: Jul 2007
Admin Experience: Advanced
Location: US
Posts: 8,690
Alex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant futureAlex. has a brilliant future
Default
Your version isn't susceptible to the error, so you're fine, for now. With Poet JC's post I found that the protection was put in place after your version.
Reply With Quote
  #10  
Old 02-15-2010, 08:40 AM
hari hari is offline
Tazmanian
 
Real Name: Hari
Join Date: Jan 2006
Admin Experience: Intermediate
Posts: 2,829
hari is a glorious beacon of lighthari is a glorious beacon of lighthari is a glorious beacon of light
Default
Ah, right. Thanks for the info.
__________________
Goodbye, TAZ
Reply With Quote
  #11  
Old 03-22-2010, 12:38 AM
Beefy's Avatar
Beefy Beefy is offline
Biker Nerd
 
Real Name: Jeff
Join Date: Feb 2010
Admin Experience: Beginner
Location: Colorado
Posts: 109
Beefy is on a distinguished road
Default
I'm getting this error as well. I just tried the fix and it replaced code in a whole lot of templates, but it didn't fix the problem. The error is still there.

Any help?
Reply With Quote
  #12  
Old 03-22-2010, 01:14 PM
Beefy's Avatar
Beefy Beefy is offline
Biker Nerd
 
Real Name: Jeff
Join Date: Feb 2010
Admin Experience: Beginner
Location: Colorado
Posts: 109
Beefy is on a distinguished road
Default
Quote:
Originally Posted by Beefy View Post
I'm getting this error as well. I just tried the fix and it replaced code in a whole lot of templates, but it didn't fix the problem. The error is still there.

Any help?
Nevermind.

Found this after getting some rest and it fixed the problem for me. Thanks!

http://www.vbulletin.com/forum/proje...?issueid=36856
Reply With Quote
  #13  
Old 07-02-2010, 05:38 PM
50calray's Avatar
50calray 50calray is offline
TAZ Rookie
 
Real Name: Ray
Join Date: Jun 2009
Posts: 18
50calray is on a distinguished road
Default
Cool, I wrote this off as some form of time out...it only happens when the site sets ideal for a while by me.

Thanks,
__________________
[center]Semi-auto Rifles
Reply With Quote
Reply

  Admin Zone Forums > The Software Zone > Forum Software > vBulletin





Currently Active Users Viewing this Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Security token missing when some members view threads weindians vBulletin 4 11-23-2009 03:41 PM
Getting Error Message: "Security Token Missing" in vb 3.8.3, Help! carfreak vBulletin 12 09-11-2009 08:34 AM
Error security token Godzilla vBulletin 5 07-04-2008 11:42 AM
VB pager Security Token Help DaveL General Programming Discussions 5 04-30-2008 11:04 AM
Important VB3 users....Do you have the latest security patch? Kathy vBulletin 13 04-12-2005 07:19 PM


 

All times are GMT -4. The time now is 10:35 AM.


Powered by: vBulletin
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Page generated in 0.09292006 seconds with 14 queries
The Admin Zone copyright 2003-2014 All Rights Reserved. Content published on The Admin Zone requires permission for reprint.