vb.org Archive
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.6 Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=194)
-   -   Mini Mods - [ITECH] Inferno CSRF Auto Protection (https://vborg.vbsupport.ru/showthread.php?t=176985)

Inferno Tech 04-22-2008 10:00 PM
[ITECH] Inferno CSRF Auto Protection
 
----------------------------------
[ITech] Inferno CSRF Auto Protection
Created By Inferno Technologies (http://www.infernotechnologies.net)
Copyright 2004-2008
All rights reserved
Project Development Team: Zero Tolerance
Project Lead: Iain "Decado" Kidd
Support Forum: N/A (Supported here)
----------------------------------

Installation

Simply upload the product XML (Inferno CSRF Auto Protection.xml).

Project Description

This is a minor modification aimed at 3.6.10 (untested on vB 3.7 RC4, do so at your own will) which will automatically apply CSRF protection on the fly to forms which don't have security tokens and scripts which don't have security flags set. The purpose of this is to allow a seemless upgrade to 3.6.10 without having modifications break, but also to quickly apply the protection on them too.

However, this modification relies on the use of vBulletins print_output() function, some modifications will not use this for several reasons, and in these rare instances this modification will add protection to the scripts while not being able to add security tokens, you can disable auto-protection script by script if you find this occurs for you. Simply edit the plugin '[I.CSRF] Set CSRF Flag' and you'll find in the code an example on how to add a script to the exemption list. For instance, if you wanted to add the script 'MY_COOL_SOFTWARE' to the exemption list, simply add the following code:
Code:
$_icsrf_exclude[] = 'MY_COOL_SOFTWARE';
Under this code:
Code:
$_icsrf_exclude = array();
This modification should also apply security tokens for normal vBulletin templates in the instance that the vBulletin upgrader failed to automatically edit the template for you.

Other Features

When using vBulletin in debug mode, the debug information displayed at the bottom will display existing protected forms, and how many forms have been auto-protected by Inferno CSRF.

Feedback is welcome, enjoy :)

- Zero Tolerance

Guest190829 04-23-2008 09:47 PM
Hm...The majority of modifications using print_output() are probably utilizing separate files, so backwards compatibility shouldn't even be a problem since Jelsoft has already defined the constant needed to activate the new token protocol.

Inferno Tech 04-23-2008 09:49 PM
Here's hoping so, the idea is really to add protection to those now (Some people are security freaks :p).

- Zero Tolerance

Jasem 04-25-2008 07:40 AM
Thank you, Nice share

sv1cec 04-26-2008 06:03 AM
Any ideas what can one do to close this plug in vB 3.0.xx??

I have a heavily hacked site, with so many mods that I do not even consider upgrading it to the latest version.

Any idea would be really appreciated.

Wobbly Goblin 04-26-2008 07:14 AM
Wow...nice work Zero! This fixed the Personal Notepad & Event Attendance mods.

Sure hope someone comes up with a fix for the Casino.

Thank you,
Nick

IvyKeepMommy 04-26-2008 02:04 PM
While it fixed the board issues on RC4... it broke the notices feature in the admin cp (now I get a security token problem on the backend after installing).

Sorry, I have to uninstall. :(

lange 04-26-2008 07:46 PM
I would like to be sure.

With this mod, no need to update to 3.6.10 ?

Inferno Tech 04-26-2008 11:09 PM
IvyKeepMommy

It will cause some things to break, you can add those scripts in the exclusion :)

Wobbly Goblin

Glas to hear it!

lange

No, this is for 3.6.10 to automatically make all mods use CSRF protection :)

- Zero Tolerance

dtv100 04-28-2008 05:22 PM
Quote:
Originally Posted by Inferno Tech (Post 1500196)
IvyKeepMommy

It will cause some things to break, you can add those scripts in the exclusion :)


- Zero Tolerance
when i try to search for a user on main admincp I get a error if I disable this hack error disappear any way to fix this ?


All times are GMT. The time now is 02:21 AM.
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01094 seconds
  • Memory Usage 1,738KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_code_printable
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete