Inferno Tech
04-22-2008, 10:00 PM
----------------------------------
[ITech] Inferno CSRF Auto Protection
Created By Inferno Technologies (http://www.infernotechnologies.net)
Copyright 2004-2008
All rights reserved
Project Development Team: Zero Tolerance
Project Lead: Iain "Decado" Kidd
Support Forum: N/A (Supported here)
----------------------------------
Installation
Simply upload the product XML (Inferno CSRF Auto Protection.xml).
Project Description
This is a minor modification aimed at 3.6.10 (untested on vB 3.7 RC4, do so at your own will) which will automatically apply CSRF protection on the fly to forms which don't have security tokens and scripts which don't have security flags set. The purpose of this is to allow a seemless upgrade to 3.6.10 without having modifications break, but also to quickly apply the protection on them too.
However, this modification relies on the use of vBulletins print_output() function, some modifications will not use this for several reasons, and in these rare instances this modification will add protection to the scripts while not being able to add security tokens, you can disable auto-protection script by script if you find this occurs for you. Simply edit the plugin '[I.CSRF] Set CSRF Flag' and you'll find in the code an example on how to add a script to the exemption list. For instance, if you wanted to add the script 'MY_COOL_SOFTWARE' to the exemption list, simply add the following code:
$_icsrf_exclude[] = 'MY_COOL_SOFTWARE';
Under this code:
$_icsrf_exclude = array();
This modification should also apply security tokens for normal vBulletin templates in the instance that the vBulletin upgrader failed to automatically edit the template for you.
Other Features
When using vBulletin in debug mode, the debug information displayed at the bottom will display existing protected forms, and how many forms have been auto-protected by Inferno CSRF.
Feedback is welcome, enjoy :)
- Zero Tolerance
[ITech] Inferno CSRF Auto Protection
Created By Inferno Technologies (http://www.infernotechnologies.net)
Copyright 2004-2008
All rights reserved
Project Development Team: Zero Tolerance
Project Lead: Iain "Decado" Kidd
Support Forum: N/A (Supported here)
----------------------------------
Installation
Simply upload the product XML (Inferno CSRF Auto Protection.xml).
Project Description
This is a minor modification aimed at 3.6.10 (untested on vB 3.7 RC4, do so at your own will) which will automatically apply CSRF protection on the fly to forms which don't have security tokens and scripts which don't have security flags set. The purpose of this is to allow a seemless upgrade to 3.6.10 without having modifications break, but also to quickly apply the protection on them too.
However, this modification relies on the use of vBulletins print_output() function, some modifications will not use this for several reasons, and in these rare instances this modification will add protection to the scripts while not being able to add security tokens, you can disable auto-protection script by script if you find this occurs for you. Simply edit the plugin '[I.CSRF] Set CSRF Flag' and you'll find in the code an example on how to add a script to the exemption list. For instance, if you wanted to add the script 'MY_COOL_SOFTWARE' to the exemption list, simply add the following code:
$_icsrf_exclude[] = 'MY_COOL_SOFTWARE';
Under this code:
$_icsrf_exclude = array();
This modification should also apply security tokens for normal vBulletin templates in the instance that the vBulletin upgrader failed to automatically edit the template for you.
Other Features
When using vBulletin in debug mode, the debug information displayed at the bottom will display existing protected forms, and how many forms have been auto-protected by Inferno CSRF.
Feedback is welcome, enjoy :)
- Zero Tolerance