[n] Template Security

[n] Template Security 1.1.0

No permission to download

nanocode

Active member
Apantic submitted a new resource:

[A] Template Security - Enhance the security on your site for yourself and for your members.

Enhance the security on your site using this very basic add-on. There has been a surprising increase in malicious attacks to XenForo sites through injection of malicious code into your templates. Limiting the access of all templates to yourself and a small handful may not always be a possibility, so this add-on allows you to limit certain templates to certain users, reducing vulnerability to key templates like login handlers, page_container, change password pages, etc. in case a staff...

Read more about this resource...
 
Last edited:
Small bug present (forgot a bracket). Going to fix this in 1.1, which is also going to feature support for template modification changes, as a way to circumvent this. Give me a few moments.
 
Apantic updated [A] Template Security with a new update entry:

1.1.0 Update

Feature Additions:
  • Alerts will now be sent to all super admins if a restricted template is attempted to be modified
  • This template now supports checking template modifications the same way, to prevent circumvention through that system

Bug fixes:
  • No longer supports all template cases being lowercase. Template case MUST be as is normally (so PAGE_CONTAINER, helper_user_form, etc. page_container will *not* work). This caused a bug in previous...

Read the rest of this update entry...
 
I have no idea what templates need to be protected, lol. Do I just install it and then use those 4 examples you have listed in the overview?

Will this add-on help to prevent this problem that happened to another forum?.....
The malicious code was added to the login templates using a staff member's account who had their login details compromised.
 
Last edited:
I have no idea what templates need to be protected, lol. Do I just install it and then use those 4 examples you have listed in the overview?

Will this add-on help to prevent this problem that happened to another forum?.....
That'd be some of the basics (in the overview), so yeah, they're some good examples to start with.

It'll help, though not completely prevent but it'll attempt to prevent and definitely alert for manual review.
 
Somebody must've data dumped my password(s) from another forum because my PS account recently got hacked and I have been worried about my forum's security as well so thank you very much for this add-on.
 
@Apantic a few silly questions...

In the zip file for 1.1.0, there is a zip file for 1.0.0 included...any reason?

Also, in the upload directory there is an xml file in /install/data. I'm not used to seeing anything in the upload folders of an addon other than library, js, or styles...does this file need to be uploaded into the data directory?

For reference, I use Chris D's install & upgrade but the zip uploader screws up the file placement sometimes so I unzip all the addons, combine everything into one set of folders for upload, rip the xml's to another folder then upload all the files and use old skool to run all the xmls simultaneously. So I just noticed the funky file and figured I'd ask...
 
In the zip file for 1.1.0, there is a zip file for 1.0.0 included...any reason?
Nope, just the older version made available there.

Also, in the upload directory there is an xml file in /install/data. I'm not used to seeing anything in the upload folders of an addon other than library, js, or styles...does this file need to be uploaded into the data directory?
No, that's just another way to install from the .xml. We attached one you can upload, or you can upload from server using that link (so install from install/data/addon-blah.xml)

For reference, I use Chris D's install & upgrade but the zip uploader screws up the file placement sometimes so I unzip all the addons, combine everything into one set of folders for upload, rip the xml's to another folder then upload all the files and use old skool to run all the xmls simultaneously. So I just noticed the funky file and figured I'd ask...
Can you rephrase this, sorry? It won't work with Chris D's installer but you can upload the files manually and it'll work fine.
 
Although this add-on takes a bit of tweaking, it's certainly worth the time and effort it requires.

Once installed, if/when the non-Superadmin tries to Save All Changes on a 'protected' template they'll see…

Screen Shot 2016-07-30 at 8.23.40 PM.webp

Or if they choose the Save and Exit button, they'll see…

Screen Shot 2016-07-30 at 8.31.18 PM.webp
Meanwhile, as soon as any revision is attempted (to protected templates), you'll see an Alert about such...
Screen Shot 2016-07-30 at 9.12.12 PMa.webp
 
Last edited:
Back
Top Bottom