Mini Mods - [ITECH] Inferno CSRF Auto Protection

----------------------------------
[ITech] Inferno CSRF Auto Protection
Created By Inferno Technologies (http://www.infernotechnologies.net)
Copyright 2004-2008
All rights reserved
Project Development Team: Zero Tolerance
Project Lead: Iain "Decado" Kidd
Support Forum: N/A (Supported here)
----------------------------------

Installation

Simply upload the product XML (Inferno CSRF Auto Protection.xml).

Project Description

This is a minor modification aimed at 3.6.10 (untested on vB 3.7 RC4, do so at your own will) which will automatically apply CSRF protection on the fly to forms which don't have security tokens and scripts which don't have security flags set. The purpose of this is to allow a seemless upgrade to 3.6.10 without having modifications break, but also to quickly apply the protection on them too.

However, this modification relies on the use of vBulletins print_output() function, some modifications will not use this for several reasons, and in these rare instances this modification will add protection to the scripts while not being able to add security tokens, you can disable auto-protection script by script if you find this occurs for you. Simply edit the plugin '[I.CSRF] Set CSRF Flag' and you'll find in the code an example on how to add a script to the exemption list. For instance, if you wanted to add the script 'MY_COOL_SOFTWARE' to the exemption list, simply add the following code:

Code:

$_icsrf_exclude[] = 'MY_COOL_SOFTWARE';

Under this code:

Code:

$_icsrf_exclude = array();

This modification should also apply security tokens for normal vBulletin templates in the instance that the vBulletin upgrader failed to automatically edit the template for you.

Other Features

When using vBulletin in debug mode, the debug information displayed at the bottom will display existing protected forms, and how many forms have been auto-protected by Inferno CSRF.

Feedback is welcome, enjoy

- Zero Tolerance

Hm...The majority of modifications using print_output() are probably utilizing separate files, so backwards compatibility shouldn't even be a problem since Jelsoft has already defined the constant needed to activate the new token protocol.

[Inferno Tech]

Here's hoping so, the idea is really to add protection to those now (Some people are security freaks ).

- Zero Tolerance

[Jasem]

Thank you, Nice share

[sv1cec]

Any ideas what can one do to close this plug in vB 3.0.xx??

I have a heavily hacked site, with so many mods that I do not even consider upgrading it to the latest version.

Any idea would be really appreciated.

[Wobbly Goblin]

Wow...nice work Zero! This fixed the Personal Notepad & Event Attendance mods.

Sure hope someone comes up with a fix for the Casino.

Thank you,
Nick

[IvyKeepMommy]

While it fixed the board issues on RC4... it broke the notices feature in the admin cp (now I get a security token problem on the backend after installing).

Sorry, I have to uninstall.

[lange]

I would like to be sure.

With this mod, no need to update to 3.6.10 ?

[Inferno Tech]

IvyKeepMommy

It will cause some things to break, you can add those scripts in the exclusion

Wobbly Goblin

Glas to hear it!

lange

No, this is for 3.6.10 to automatically make all mods use CSRF protection

- Zero Tolerance

[dtv100]

Quote:

Originally Posted by Inferno Tech

IvyKeepMommy

It will cause some things to break, you can add those scripts in the exclusion


- Zero Tolerance

when i try to search for a user on main admincp I get a error if I disable this hack error disappear any way to fix this ?