
PCI Compliance and Vanilla Forums

tsabat
edited November 2010 in Vanilla 2.0 - 2.8
Hey guys, over at Wufoo we're required to have periodic PCI scans. We got dinged in our most recent scan after updating to Vanilla Forums from punBB, but Mark was great in helping us get our site in order. Below you'll find the steps we took to get PCI compliant.

The first issue had to do with XSS issues. The original version was susceptible to XSS linkbait problems. Version 2.13 cleared those issues up.

Next had to do with sending secure info (un/pw/email) over insecure channels. Be aware that, in the current state, the following actions are insecure by default: signup, password reset, sign-in, user preferences.

The steps outlined below will force SSL in the areas our PCI scan complained about:

1. Turn off entry form popups so that the user is redirected to the https login form instead of loading it in an in-page, non-ssl form. This is done by adding a configuration setting to your conf/config.php file: $Configuration['Garden']['SignIn']['Popup'] = FALSE;

2. Vanilla Forums has a ForceSSL() function that checks the current url of the page and redirects to the SSL version if not currently on it. In order for this to work, you need to (a) apply another flag in your conf/config.php file that allows SSL to be used: $Configuration['Garden']['AllowSSL'] = TRUE;

Next you need to (b) call the ForceSSL(); function at the top of any controller method that you want to force SSL on. The entry screen, for example, is in applications/dashboard/controllers/class.entrycontroller.php; go to the SignIn() method and add ForceSSL(); on the first line of the method. Then if you go to, it will redirect you to

This method works for all of the instances mentioned in our PCI report, just add it to the controller methods mentioned: EntryController.PasswordRequest(), EntryController.SignIn(), and EntryController.Register().

Passwords are also saved through user profiles and in the user management dashboard. You can use the same method there, but since both forms are also in in-page popups, you will have to manually make them stop popping the password reset forms. The forms are popped based on a CSS "Popup" definition on the anchor. For example, in the user profile there is a link to "Change your Password" that has "Popup" in the class assignment. Remove the "Popup" class, and it will stop popping and instead load the full page. Add the ForceSSL() to that method, and you're good to go. The files/methods are:

applications/dashboard/controllers/class.profilecontroller.php, method Password()
applications/dashboard/controllers/class.usercontroller.php, method Edit()
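The two config.php settings and the redirect check described in the post, as an added illustration (not Vanilla's own ForceSSL() implementation): sslRedirectTarget() is a hypothetical stand-in that shows the logic the post attributes to ForceSSL(), the AllowSSL gate, and the proxy caveat a practitioner hits in practice; the host and path in the sample requests are constructed.

```php
<?php
// conf/config.php settings from the post (values exactly as given there).
$Configuration['Garden']['SignIn']['Popup'] = FALSE; // full-page sign-in, not an in-page non-SSL popup
$Configuration['Garden']['AllowSSL'] = TRUE;         // without this, ForceSSL() has no effect

// Hypothetical stand-in for Vanilla's ForceSSL(), written here for illustration only.
// Returns the https URL to redirect to, or null when no redirect is needed.
function sslRedirectTarget(array $configuration, array $server) {
    if (empty($configuration['Garden']['AllowSSL'])) {
        return null; // SSL not enabled for the site: leave the request alone
    }
    $isHttps = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    // Caveat: behind a TLS-terminating proxy or load balancer $_SERVER['HTTPS'] is
    // usually unset, so a check on HTTPS alone redirects forever. Honour
    // X-Forwarded-Proto only when your own proxy sets it, because any client can
    // send that header too.
    if (!$isHttps && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        $isHttps = strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    if ($isHttps) {
        return null;
    }
    return 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// How a controller method uses the check, following the post's pattern: the call is
// the first line of each flagged method (SignIn, Register, PasswordRequest,
// Password, Edit).
//
//   public function SignIn() {
//       ForceSSL();
//       ...
//   }
//
// In a real request the redirect itself would be:
//   header('Location: ' . $target, true, 302); exit;

// Constructed requests: one over plain HTTP, one that arrived over TLS.
$plainRequest = array('HTTP_HOST' => 'forum.example.invalid', 'REQUEST_URI' => '/path-to-signin');
$tlsRequest = $plainRequest + array('HTTPS' => 'on');

var_dump(sslRedirectTarget($Configuration, $plainRequest)); // redirect target
var_dump(sslRedirectTarget($Configuration, $tlsRequest));   // already on SSL
```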