Invalid Security Token on "Mark All Read"

  • on4ya
    replied
    Thanks Zachery, this has solved my problem.


  • Trevor Hannant
    replied
    Originally posted by Jamey
    Any ideas? I have it too.
    Is yours in a pop-up box like the OP or in the default pages? Have you read the sticky at the top of this forum?


  • Jamey
    replied
    Any ideas? I have it too.


  • Zachery
    replied
    Check to make sure that when the page is opened the security hash is there.


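Zachery's advice above, as an added example that is not part of the thread or of vBulletin's code: a small JavaScript check that a rendered "Mark All Read" link actually carries a usable `markreadhash` parameter. The base host, sample links and token value are constructed, and the `$` test for an unexpanded template variable is a heuristic assumption.

```javascript
// Added example: audits a "Mark All Read" URL before the browser is sent to it.
// The host name and token value below are constructed placeholders.
const BASE = "http://forum.example/"; // hypothetical base for resolving relative links

function auditMarkReadUrl(href) {
  const url = new URL(href, BASE);
  const params = url.searchParams;
  const problems = [];

  if (params.get("do") !== "markread") {
    problems.push("do=markread missing");
  }
  // An HTML-escaped "&amp;" that reaches the URL undecoded turns the
  // parameter name into "amp;markreadhash", so the server never sees the token.
  for (const key of params.keys()) {
    if (key.startsWith("amp;")) {
      problems.push(`entity-escaped separator: "${key}" should be "${key.slice(4)}"`);
    }
  }
  const token = params.get("markreadhash");
  if (token === null) {
    problems.push("markreadhash parameter absent");
  } else if (token === "") {
    problems.push("markreadhash is empty");
  } else if (token.includes("$")) {
    // Heuristic (assumption): a literal "$" means the template variable was not expanded.
    problems.push("markreadhash holds an unexpanded template variable");
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample links, as they might appear after template rendering.
const SAMPLE_TOKEN = "1234567890-0123456789abcdef"; // placeholder, not a real token
const samples = {
  good: `forumdisplay.php?do=markread&markreadhash=${SAMPLE_TOKEN}`,
  noToken: "forumdisplay.php?do=markread",
  escaped: `forumdisplay.php?do=markread&amp;markreadhash=${SAMPLE_TOKEN}`,
  unexpanded: "forumdisplay.php?do=markread&markreadhash=$bbuserinfo[securitytoken]",
};

for (const [name, href] of Object.entries(samples)) {
  console.log(name, auditMarkReadUrl(href));
}
```
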
  • Falcon Capt
    replied
    Originally posted by Zachery
    If you read the thread that I linked to, it tells you how to address the issue via a simple template edit, instead of breaking security protections.
    On my forum I use a script to give a pop-up box to be sure they want to "Mark All Read"; adding the new code in the script caused the script not to work (it wouldn't mark all read, it said you need to specify a forum to mark read).

    Below is the script:

    Code:
    <script>
    <!--
    function markAsRead()
    {
        var markRead = confirm("Do you really want to mark all forums as read?");
        if (markRead == true)
        {
            window.location = "forumdisplay.php?$session[sessionurl]do=markread&amp;markreadhash=$bbuserinfo[securitytoken]";
        }
    }
    //-->
    </script>
    Here is the code for the Mark All Read button that points to the script:

    Code:
    <td class="vbmenu_control"><a href="javascript:markAsRead();">$vbphrase[mark_forums_read]</a></td>
    So why doesn't it work when the following PHP code is in Forumdisplay.php??

    Code:
    // Prevent CSRF. See #32785
    $vbulletin->input->clean_array_gpc('r', array(
        'markreadhash' => TYPE_STR,
    ));
    if (!verify_security_token($vbulletin->GPC['markreadhash'], $vbulletin->userinfo['securitytoken_raw']))
    {
        eval(standard_error(fetch_error('security_token_invalid', $vbulletin->options['contactuslink'])));
    }


  • Zachery
    replied
    Originally posted by Falcon Capt
    Well it is either do that or have a bunch of aggravated members... More than 50% of my members were getting this error after the upgrade to 3.8.5.
    If you read the thread that I linked to, it tells you how to address the issue via a simple template edit, instead of breaking security protections.


  • cellarius
    replied
    Not only does it not help, but it opens up the security issue the code fixed. No offense, but advising users in the forum to do so and not even telling them about the risks involved is bad practice, IMHO.


  • Homeworld'sa
    replied
    Do what Zachery is telling you to do. Removing the code doesn't help you at all.


  • Falcon Capt
    replied
    Originally posted by prolific_one
    I too am getting this issue after the update to 3.8.5 ... 3.8.4pl2 was fine...
    Originally posted by Falcon Capt
    In FORUMDISPLAY.PHP remove the following code:


    Code:
     
    // Prevent CSRF. See #32785
    $vbulletin->input->clean_array_gpc('r', array(
        'markreadhash' => TYPE_STR,
    ));
    if (!verify_security_token($vbulletin->GPC['markreadhash'], $vbulletin->userinfo['securitytoken_raw']))
    {
        eval(standard_error(fetch_error('security_token_invalid', $vbulletin->options['contactuslink'])));
    }
    Originally posted by Zachery
    Well it is either do that or have a bunch of aggravated members... More than 50% of my members were getting this error after the upgrade to 3.8.5.


  • Zachery
    replied
    You should not do that. http://www.vbulletin.com/forum/showt...rk-Forums-Read


  • Falcon Capt
    replied
    Originally posted by prolific_one
    I too am getting this issue after the update to 3.8.5 ... 3.8.4pl2 was fine...
    In FORUMDISPLAY.PHP remove the following code:


    Code:
     
    // Prevent CSRF. See #32785
    $vbulletin->input->clean_array_gpc('r', array(
        'markreadhash' => TYPE_STR,
    ));
    if (!verify_security_token($vbulletin->GPC['markreadhash'], $vbulletin->userinfo['securitytoken_raw']))
    {
        eval(standard_error(fetch_error('security_token_invalid', $vbulletin->options['contactuslink'])));
    }


  • prolific_one
    replied
    I too am getting this issue after the update to 3.8.5 ... 3.8.4pl2 was fine...


  • Abomination
    replied
    Thanks!

    I've been very curious if our 3.8.4 version has the issue.


  • Falcon Capt
    replied
    Actually the problem just started occurring in 3.8.5, 3.8.4PL2 was fine. They added the security token to the Mark All Read function in 3.8.5 and it is causing random problems. The problem is occurring on a wide range of machines/browser combinations. Appears to be most prevalent on mobile devices but has also been reported to me on machines like a laptop running WinXP and Firefox.


  • Abomination
    replied
    Someone said something like this was fixed in 3.8.5, you may want to look for more information. There is an announcement about it at the top of the forums.
