diff --git a/bureau/admin/adm_add.php b/bureau/admin/adm_add.php
old mode 100644
new mode 100755
index dd7681c3..7c874e22
--- a/bureau/admin/adm_add.php
+++ b/bureau/admin/adm_add.php
@@ -60,7 +60,7 @@ if (isset($error) && $error) {
 }
 ?>
 <form method="post" action="adm_doadd.php" id="main" name="main" autocomplete="off">
-
+  <?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
 <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
diff --git a/bureau/admin/adm_authip_whitelist.php b/bureau/admin/adm_authip_whitelist.php
old mode 100644
new mode 100755
index d9b5701b..c17698ea
--- a/bureau/admin/adm_authip_whitelist.php
+++ b/bureau/admin/adm_authip_whitelist.php
@@ -44,6 +44,7 @@ $list_ip = $authip->list_ip_whitelist();
         <legend><?php __("Add an IP");?> - <a href="javascript:edit_ip('','<?php echo htmlentities(get_remote_ip())."','Home IP'";?>);" ><?php echo __("Add my current IP"); ?></a></legend>
         <span id="form_add_ip">
         <form method="post" action="adm_authip_whitelist.php" name="main" id="main">
+   <?php csrf_get(); ?>
           <p id="reset_edit_ip" style="display:none;"><a href="javascript:reset_edit_ip();"><?php __("Cancel edit")?></a></p>
           <input type="hidden" name="id" value="" id="edit_id" />
           <p>
diff --git a/bureau/admin/adm_deactivate.php b/bureau/admin/adm_deactivate.php
old mode 100644
new mode 100755
index 442410b0..da1d9218
--- a/bureau/admin/adm_deactivate.php
+++ b/bureau/admin/adm_deactivate.php
@@ -69,6 +69,7 @@ if (! ($confirmed ) ) {
 
   ?>
   <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="POST">
+     <?php csrf_get(); ?>
   <input type="hidden" name="uid" value="<?php echo $uid?>" />
   <?php __("Redirection URL:") ?> <input type="text" name="redirect" class="int" value="http://example.com/" />
   <input type="submit" name="submit" class="inb" value="<?php __("Confirm")?>" />
diff --git a/bureau/admin/adm_defquotas.php b/bureau/admin/adm_defquotas.php
old mode 100644
new mode 100755
index bce32137..eccc2461
--- a/bureau/admin/adm_defquotas.php
+++ b/bureau/admin/adm_defquotas.php
@@ -59,6 +59,7 @@ if (isset($error) && $error) {
 }
 ?>
 <form method="post" action="adm_dodefquotas.php">
+  <?php csrf_get(); ?>
 <p>
 <input type="hidden" name="action" value="add" />
 <input type="text" name="type" class="int" />
@@ -69,6 +70,7 @@ if (isset($error) && $error) {
 <?php
 ?>
 <form method="post" action="adm_dodefquotas.php">
+  <?php csrf_get(); ?>
 <table border="0" cellpadding="4" cellspacing="0">
 <tr class="lst">
 <td>
@@ -90,6 +92,7 @@ foreach($quota->listtype() as $type) {
 <span class="inb"><a href="adm_defquotas.php?synchronise=1"><?php __("Synchronise user's quota (only to upper value)"); ?></a></span>  
 
 <form method="post" action="adm_dodefquotas.php">
+  <?php csrf_get(); ?>
 <div>
 <input type="hidden" name="action" value="modify" />
 <?php
diff --git a/bureau/admin/adm_dodefquotas.php b/bureau/admin/adm_dodefquotas.php
old mode 100644
new mode 100755
index 4151c491..8cd0351e
--- a/bureau/admin/adm_dodefquotas.php
+++ b/bureau/admin/adm_dodefquotas.php
@@ -66,6 +66,7 @@ if($action == "add") {
     <h3><?php printf(_("Deleting quota %s"),$type); ?> : </h3>
 
     <form action="adm_dodefquotas.php" method="post">
+ <?php csrf_get(); ?>
       <input type="hidden" name="action" value="delete" />
       <input type="hidden" name="type" value="<?php echo $type ?>" />
       <input type="hidden" name="del_confirm" value="y" />
diff --git a/bureau/admin/adm_dodel.php b/bureau/admin/adm_dodel.php
old mode 100644
new mode 100755
index 03a765c9..893bba8a
--- a/bureau/admin/adm_dodel.php
+++ b/bureau/admin/adm_dodel.php
@@ -67,6 +67,7 @@ if($del_confirm == "y"){
     <body>
     <h3><?php printf(_("Deleting users")); ?> : </h3>
     <form action="adm_dodel.php" method="post">
+ <?php csrf_get(); ?>
       <input type="hidden" name="action" value="delete" />
       <input type="hidden" name="del_confirm" value="y" />
       <p class="alert alert-warning"><?php __("WARNING : Confirm the deletion of the users"); ?></p>
diff --git a/bureau/admin/adm_doms.php b/bureau/admin/adm_doms.php
old mode 100644
new mode 100755
index 78fdf5e8..8e395f01
--- a/bureau/admin/adm_doms.php
+++ b/bureau/admin/adm_doms.php
@@ -65,6 +65,7 @@ $c=$admin->dom_list(true,$forcecheck);
 <?php __("If you want to force the check of NS, MX, IP on domains, click the link"); ?> <a href="adm_doms.php?force=1"><?php __("Show domain list with refreshed checked NS, MX, IP information"); ?></a>
 </p>
 <form method="post" action="adm_dodom.php" name="main" id="main">
+  <?php csrf_get(); ?>
 <table class="tlist" id="dom_list_table">
 <thead>
     <tr><th></th><th><?php __("Action"); ?></th><th><?php __("Domain"); ?></th><th><?php __("Creator"); ?></th><th><?php __("Connect as"); ?></th><th><?php __("OK?"); ?></th><th><?php __("Status"); ?></th></tr>
diff --git a/bureau/admin/adm_doms_def_type.php b/bureau/admin/adm_doms_def_type.php
old mode 100644
new mode 100755
index 76e4a9c7..3ca20956
--- a/bureau/admin/adm_doms_def_type.php
+++ b/bureau/admin/adm_doms_def_type.php
@@ -43,6 +43,7 @@ if (!empty($domup)) {
 $tab = $dom->lst_default_subdomains();
 ?>
 <form method="post" action="adm_doms_def_type.php" name="main" id="main">
+  <?php csrf_get(); ?>
     <table class="tlist">
         <tr><th>&nbsp;</th><th><?php __("Sub"); ?></th><th><?php __("Type"); ?></th><th><?php __("settings"); ?></th><th><?php __("Concerned"); ?></th><th><?php __("Activation"); ?></th></tr>
         <?php for ($i = 0; $i < count($tab) + 1; $i++) { ?>
diff --git a/bureau/admin/adm_domstypeedit.php b/bureau/admin/adm_domstypeedit.php
old mode 100644
new mode 100755
index 1bf8e3fb..7d5ec8cc
--- a/bureau/admin/adm_domstypeedit.php
+++ b/bureau/admin/adm_domstypeedit.php
@@ -68,6 +68,7 @@ if (isset($error_edit) && $error_edit) {
 } ?>
 
 <form action="adm_domstypedoedit.php" method="post" name="main" id="main">
+   <?php csrf_get(); ?>
     <input type="hidden" name="name" value="<?php echo $d['name']; ?>" />
     <table class="tedit">
       <tr>
diff --git a/bureau/admin/adm_edit.php b/bureau/admin/adm_edit.php
old mode 100644
new mode 100755
index 3b4cdb40..2829e2ba
--- a/bureau/admin/adm_edit.php
+++ b/bureau/admin/adm_edit.php
@@ -63,7 +63,7 @@ if (!$r=$admin->get($uid)) {
   }
 ?>
 <form method="post" action="adm_doedit.php" name="main" id="main" autocomplete="off">
-
+  <?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
 <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
@@ -136,6 +136,7 @@ if (!$r=$admin->get($uid)) {
 
 <?php if($r['duration']) { ?>
 <form method="post" action="adm_dorenew.php">
+   <?php csrf_get(); ?>
 <input type="hidden" name="uid" value="<?php echo $uid ?>" />
 <table border="1" cellspacing="0" cellpadding="4" class="tedit">
 <tr>
diff --git a/bureau/admin/adm_email.php b/bureau/admin/adm_email.php
old mode 100644
new mode 100755
index e69b3790..55da9058
--- a/bureau/admin/adm_email.php
+++ b/bureau/admin/adm_email.php
@@ -57,7 +57,7 @@ if (isset($error) && $error) {
 
 ?>
 <form method="post" action="adm_email.php">
-
+  <?php csrf_get(); ?>
 <table cellspacing="1" cellpadding="4" border="0" align="center" class='tedit'>
 	<tr>
 	  <th align="right"><b><?php __("From");?></b></th>
diff --git a/bureau/admin/adm_list.php b/bureau/admin/adm_list.php
old mode 100644
new mode 100755
index af501319..2b58bc9e
--- a/bureau/admin/adm_list.php
+++ b/bureau/admin/adm_list.php
@@ -89,6 +89,7 @@ if ($mem->user["admlist"] == 0) { // Normal (large) mode
 <fieldset style="clear:both;">
     <legend><?php __("Filters"); ?></legend>
     <form method="post" action="adm_list.php">
+  <?php csrf_get(); ?>
         <p>
             <label>
 		<input type="radio" name="pattern_type" value="login" id="pattern_type_login" <?php if (!$pattern_type || $pattern_type === 'login') echo ' checked="checked" '; ?>/>
@@ -149,6 +150,7 @@ if (!is_array($accountList) || empty($accountList)) {
 ?>
 
 <form method="post" action="adm_dodel.php">
+      <?php csrf_get(); ?>
     <?php
 // Depending on the admin's choice, let's show a short list or a long list.
 
diff --git a/bureau/admin/adm_mxaccount.php b/bureau/admin/adm_mxaccount.php
old mode 100644
new mode 100755
index 079b0446..ba3209ba
--- a/bureau/admin/adm_mxaccount.php
+++ b/bureau/admin/adm_mxaccount.php
@@ -91,7 +91,7 @@ for($i=0;$i<count($c);$i++) { ?>
     <?php } ?>
 <p><?php __("If you want to allow a new server to access your mx-hosted domain list, give him an account."); ?></p>
 <form method="post" action="adm_mxaccount.php" name="main" id="main" autocomplete="off">
-
+  <?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
 <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
diff --git a/bureau/admin/adm_passpolicy.php b/bureau/admin/adm_passpolicy.php
old mode 100644
new mode 100755
index 260e05d8..8b679e0b
--- a/bureau/admin/adm_passpolicy.php
+++ b/bureau/admin/adm_passpolicy.php
@@ -84,6 +84,7 @@ if (!empty($edit)) {
 																	     <p><b><?php echo $c[$edit]["description"]; ?></b></p>
 
 <form method="post" action="adm_passpolicy.php">
+ <?php csrf_get(); ?>
 <input type="hidden" name="doedit" value="<?php echo $edit; ?>"/> 
 <table class="tlist">
 <tr>
diff --git a/bureau/admin/adm_quotaedit.php b/bureau/admin/adm_quotaedit.php
old mode 100644
new mode 100755
index e274e672..57413e61
--- a/bureau/admin/adm_quotaedit.php
+++ b/bureau/admin/adm_quotaedit.php
@@ -63,6 +63,7 @@ $mem->unsu();
 	}
 ?>
 <form method="post" action="adm_quotadoedit.php">
+  <?php csrf_get(); ?>
 <table class="tedit">
 <tr><th><input type="hidden" name="uid" value="<?php echo $uid ?>" />
 <?php __("Username"); ?></th><td colspan="3"><code><big><?php echo $us["login"]; ?></big></code>&nbsp;</td></tr>
diff --git a/bureau/admin/adm_slavedns.php b/bureau/admin/adm_slavedns.php
old mode 100644
new mode 100755
index a1cd004d..253ba2b3
--- a/bureau/admin/adm_slavedns.php
+++ b/bureau/admin/adm_slavedns.php
@@ -110,6 +110,7 @@ if (is_array($c)) { ?>
 <p><?php __("If you want to allow an ip address or class to connect to your dns server, enter it here. Choose 32 as a prefix for single ip address."); ?></p>
 
 <form method="post" action="adm_slavedns.php" name="main" id="main">
+  <?php csrf_get(); ?>
   <table class="tedit">
     <tr><th><label for="newip"><?php __("IP Address"); ?></label></th><th><label for="newclass"><?php __("Prefix"); ?></label></th></tr>
     <tr>
@@ -154,7 +155,7 @@ if (is_array($c)) { ?>
 <p><?php __("If you want to allow a new server to access your domain list, give him an account."); ?></p>
 
 <form method="post" action="adm_slavedns.php" name="main" id="main" autocomplete="off">
-
+  <?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
 <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
diff --git a/bureau/admin/adm_tld.php b/bureau/admin/adm_tld.php
old mode 100644
new mode 100755
index d47b0e94..d55e51e3
--- a/bureau/admin/adm_tld.php
+++ b/bureau/admin/adm_tld.php
@@ -69,6 +69,7 @@ $c=$admin->listtld();
 </p>
 <p><span class="ina"><a href="adm_tldadd.php"><?php __("Add a new TLD"); ?></a></span></p>
 <form method="post" action="adm_tld.php" name="main" id="main">
+  <?php csrf_get(); ?>
 <table class="tlist">
 <tr><th colspan="2"> </th><th><?php __("TLD"); ?></th><th><?php __("Allowed Mode"); ?></th></tr>
 <?php
diff --git a/bureau/admin/adm_tldadd.php b/bureau/admin/adm_tldadd.php
old mode 100644
new mode 100755
index 44f29411..280c360b
--- a/bureau/admin/adm_tldadd.php
+++ b/bureau/admin/adm_tldadd.php
@@ -60,7 +60,7 @@ include_once ("head.php");
 </p>
 
 <form method="post" action="adm_tlddoadd.php" name="main" id="main">
-
+  <?php csrf_get(); ?>
 <table class="tedit">
 <tr><th><label for="tld"><?php __("TLD"); ?></label></th><td><input type="text" id="tld" name="tld" class="int" value="<?php ehe( (isset($tld)?$tld:'') ); ?>" size="20" maxlength="64" /></td></tr>
 <tr><th><label for="mode"><?php __("Allowed Mode"); ?></label></th><td><select name="mode" id="mode" class="inl">
diff --git a/bureau/admin/adm_tldedit.php b/bureau/admin/adm_tldedit.php
old mode 100644
new mode 100755
index 090dce53..b52cf168
--- a/bureau/admin/adm_tldedit.php
+++ b/bureau/admin/adm_tldedit.php
@@ -60,6 +60,7 @@ include_once("head.php");
 <h3><?php __("Edit a TLD"); ?></h3>
 
 <form method="post" action="adm_tlddoedit.php">
+  <?php csrf_get(); ?>
 <table id="main" class="tedit">
 <tr><th><label for="tld"><?php __("TLD"); ?></label></th><td><code><?php echo $tld; ?></code><input type="hidden" name="tld" id="tld" value="<?php echo $tld; ?>" /></td></tr>
 <tr><th><label for="mode"><?php __("Allowed Mode"); ?></label></th><td><select name="mode" class="inl" id="mode">
diff --git a/bureau/admin/adm_variables.php b/bureau/admin/adm_variables.php
old mode 100644
new mode 100755
index 9e40812a..047b2162
--- a/bureau/admin/adm_variables.php
+++ b/bureau/admin/adm_variables.php
@@ -53,6 +53,7 @@ include_once ("head.php");
 </p>
 
 <form method="post" action="adm_variables.php">
+  <?php csrf_get(); ?>
 <table border="0" cellpadding="4" cellspacing="0" class='tlist'>
 <tr><th><?php __("Names"); ?></th><th><?php __("Value"); ?></th><th><?php __("Comment"); ?></th></tr>
 <?php
diff --git a/bureau/admin/bro_editor.php b/bureau/admin/bro_editor.php
old mode 100644
new mode 100755
index 435a805f..8d9959fb
--- a/bureau/admin/bro_editor.php
+++ b/bureau/admin/bro_editor.php
@@ -80,6 +80,7 @@ $content=$bro->content($R,$editfile);
 ?>
 
 <form action="bro_editor.php" method="post"><br />
+  <?php csrf_get(); ?>
 <div id="tabsfile">
   <ul>
     <li class="view"><a href="#tabsfile-view"><?php __("View"); ?></a></li>
diff --git a/bureau/admin/bro_main.php b/bureau/admin/bro_main.php
old mode 100644
new mode 100755
index cf03f6f4..3156ba27
--- a/bureau/admin/bro_main.php
+++ b/bureau/admin/bro_main.php
@@ -96,6 +96,7 @@ if (!empty($formu) && $formu) {
           ?>
             <h3><?php printf(_("Deleting files and/or directories")); ?> : </h3>
             <form action="bro_main.php" method="post" name="main" id="main">  
+ <?php csrf_get(); ?>
             <input type="hidden" name="formu" value="2" />
             <input type="hidden" name="actdel" value="1" />
             <input type="hidden" name="R" value="<?php ehe($R)?>" />
@@ -184,6 +185,7 @@ if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
 <td class="formcell">
 
 <form action="bro_main.php" enctype="multipart/form-data" method="post">
+   <?php csrf_get(); ?>
 <input type="hidden" name="R" value="<?php echo $R; ?>" />
 <input type="hidden" name="formu" value="3" />
 
@@ -200,6 +202,7 @@ if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
 
 <?php __("New file or folder:"); ?><br />
 <form action="bro_main.php" method="post" name="nn" id="nn">
+   <?php csrf_get(); ?>
 <input type="hidden" name="R" value="<?php echo $R; ?>" />
 <table><tr>
 <td><input type="text" class="int" name="nomfich" id="nomfich" size="22" maxlength="255" /></td>
@@ -221,6 +224,7 @@ if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
 if (isset($formu) && $formu==2 && isset($actrename) && $actrename && count($d)) {
   echo "<table cellpadding=\"6\">\n";
   echo "<form action=\"bro_main.php\" method=\"post\">\n";
+  csrf_get(); 
   echo "<input type=\"hidden\" name=\"R\" value=\"$R\" />\n";
   echo "<input type=\"hidden\" name=\"formu\" value=\"4\" />\n";
   echo "<tr><th colspan=\"2\">"._("Rename")."</th></tr>";
@@ -237,6 +241,7 @@ if (isset($formu) && $formu==2 && isset($actrename) && $actrename && count($d))
 /* [ML] Changer les permissions : */
 if ($formu==2 && ! (empty($actperms)) && count($d)) {
   echo "<form action=\"bro_main.php\" method=\"post\">\n";
+  csrf_get();
   echo "<input type=\"hidden\" name=\"R\" value=\"$R\" />\n";
   echo "<input type=\"hidden\" name=\"formu\" value=\"7\" />\n";
   echo "<p>"._("Permissions")."</p>";
@@ -277,6 +282,7 @@ if (count($c)) {
 
   ?>
     <form action="bro_main.php" method="post" name="main" id="main">
+   <?php csrf_get(); ?>
     <input type="hidden" name="R" value="<?php echo $R; ?>" />
     <input type="hidden" name="formu" value="2" />
 
diff --git a/bureau/admin/bro_pref.php b/bureau/admin/bro_pref.php
old mode 100644
new mode 100755
index 0c284079..d50e9b7a
--- a/bureau/admin/bro_pref.php
+++ b/bureau/admin/bro_pref.php
@@ -60,7 +60,7 @@ include_once("head.php");
 <hr id="topbar"/>
 <br />
 <form action="bro_pref.php" method="post">
-
+  <?php csrf_get(); ?>
 
 <table cellpadding="6" border="1" cellspacing="0" class='tedit'>
 <tr><th><?php __("Horizontal window size"); ?></th><td><select class="inl" name="editsizex">
diff --git a/bureau/admin/browseforfolder2.php b/bureau/admin/browseforfolder2.php
old mode 100644
new mode 100755
index 6a23af65..3beb5cce
--- a/bureau/admin/browseforfolder2.php
+++ b/bureau/admin/browseforfolder2.php
@@ -139,6 +139,7 @@ if ($errbrowsefold) {
   reset($ar);
   ?>
     <form method="post" id="main" name="main" action="browseforfolder2.php">
+       <?php csrf_get(); ?>
     <p>
     <input type="hidden" name="caller" value="<?php echo $caller; ?>" />
     <input type="hidden" name="lastcurdir" value="<?php echo $curdir; ?>" />
diff --git a/bureau/admin/cron.php b/bureau/admin/cron.php
old mode 100644
new mode 100755
index 1ae06b56..10f5b7fc
--- a/bureau/admin/cron.php
+++ b/bureau/admin/cron.php
@@ -27,7 +27,7 @@ $lst_cron = $cron->lst_cron();
 <?php } ?>
 
 <form method="post" action="cron.php" id="main" name="cron" >
-
+  <?php csrf_get(); ?>
 
 <table class="tlist">
 <!--
diff --git a/bureau/admin/dom_add.php b/bureau/admin/dom_add.php
old mode 100644
new mode 100755
index 1bc9803c..b2be95bd
--- a/bureau/admin/dom_add.php
+++ b/bureau/admin/dom_add.php
@@ -53,6 +53,7 @@ exit();
 if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
 ?>
 <form method="post" action="dom_doadd.php" id="main">
+  <?php csrf_get(); ?>
 <p>
 <label for="newdomain"><b><?php __("Domain name"); ?> :</b></label> <span class="int" id="newdomwww">www.</span><input type="text" class="int" id="newdomain" name="newdomain" value="<?php ehe($newdomain); ?>" size="32" maxlength="255" /> <a class="inb configure" href="dom_import.php"><?php __("Advanced import"); ?></a>
 </p>
diff --git a/bureau/admin/dom_dodel.php b/bureau/admin/dom_dodel.php
old mode 100644
new mode 100755
index f401005f..b1217cb5
--- a/bureau/admin/dom_dodel.php
+++ b/bureau/admin/dom_dodel.php
@@ -68,6 +68,7 @@ if ($del_confirm!="y") {
 
 <?php __("This will delete the related sub-domains too."); ?></p>
 <form method="post" action="dom_dodel.php" id="main">
+ <?php csrf_get(); ?>
 <p>
 <input type="hidden" name="del_confirm" value="y" />
 <input type="hidden" name="domain" value="<?php echo $domain ?>" />
diff --git a/bureau/admin/dom_edit.inc.php b/bureau/admin/dom_edit.inc.php
old mode 100644
new mode 100755
index f1835bd4..a1901c11
--- a/bureau/admin/dom_edit.inc.php
+++ b/bureau/admin/dom_edit.inc.php
@@ -29,6 +29,7 @@ $dom->unlock();
 ?>
 
 <form action="dom_subdoedit.php" method="post" name="main" id="main">
+   <?php csrf_get(); ?>
     <table border="0">
         <tr>
             <td>
diff --git a/bureau/admin/dom_edit.php b/bureau/admin/dom_edit.php
old mode 100644
new mode 100755
index 2f559f0f..ca7fb46f
--- a/bureau/admin/dom_edit.php
+++ b/bureau/admin/dom_edit.php
@@ -263,7 +263,7 @@ if (!$r['noerase']) {
 <div id="tabsdom-params">
 <h3><?php __("DNS &amp; Email parameters"); ?></h3>
 <form action="dom_editdns.php?domain=<?php echo urlencode($r["name"]) ?>" method="post" id="fdns" name="fdns" onSubmit="return destruction_alert();">
-
+ <?php csrf_get(); ?>
 <table class="tlist2">
 <tr>
   <td><?php __("Manage the DNS on the server ?"); ?></td>
@@ -321,6 +321,7 @@ if (!$r['noerase']) {
   <h3><?php __("Domain removal"); ?></h3>
   <?php printf(_("If you want to destroy the domain %s, click on the button below. Warning: this also deletes all FTP accounts, email, mailing lists associated with the domain and subdomains."),$domain); ?><br />
   <form action="dom_dodel.php?domain=<?php echo urlencode($domain) ?>" method="post">
+ <?php csrf_get(); ?>
     <p>
       <input type="submit" class="inb delete" name="detruire" value="<?php printf(_("Delete %s from this server"),$domain); ?>" />
     </p>
diff --git a/bureau/admin/dom_import.php b/bureau/admin/dom_import.php
old mode 100644
new mode 100755
index 8ff24769..64c3d000
--- a/bureau/admin/dom_import.php
+++ b/bureau/admin/dom_import.php
@@ -90,6 +90,7 @@ if ($save) {
 
 
 <form method="post" action="dom_import.php">
+    <?php csrf_get(); ?>
   <table>
     <tr>
       <td>
diff --git a/bureau/admin/dom_subdel.php b/bureau/admin/dom_subdel.php
old mode 100644
new mode 100755
index d5e16714..ab2116a2
--- a/bureau/admin/dom_subdel.php
+++ b/bureau/admin/dom_subdel.php
@@ -59,6 +59,7 @@ if (isset($error) && $error) {
 <hr id="topbar"/>
 <br />
 <form action="dom_subdodel.php" method="post">
+  <?php csrf_get(); ?>
   <p class="alert alert-warning">
     <input type="hidden" name="sub_domain_id" value="<?php echo $sub_domain_id ?>" />
     <?php __("WARNING : You are going to delete a sub-domain."); ?></p>
diff --git a/bureau/admin/ftp_del.php b/bureau/admin/ftp_del.php
old mode 100644
new mode 100755
index df8f23cf..c87c2cc8
--- a/bureau/admin/ftp_del.php
+++ b/bureau/admin/ftp_del.php
@@ -76,6 +76,7 @@ if(!empty($confirm_del)) {
   </ul>
 
   <form method="post" action="ftp_del.php" name="main" id="main">
+      <?php csrf_get(); ?>
     <?php foreach($lst_todel as $t) {
       echo "<input type='hidden' name='del_$t' value='$t' >\n";
     } ?>
diff --git a/bureau/admin/ftp_doedit.php b/bureau/admin/ftp_doedit.php
old mode 100644
new mode 100755
index 4f7c2425..35697bf3
--- a/bureau/admin/ftp_doedit.php
+++ b/bureau/admin/ftp_doedit.php
@@ -39,7 +39,6 @@ $fields = array (
 );
 getFields($fields);
 
-
 if ($pass != $passconf) {
   $error = _("Passwords do not match");
   include_once("head.php");
diff --git a/bureau/admin/ftp_edit.php b/bureau/admin/ftp_edit.php
old mode 100644
new mode 100755
index 5072a010..144f637c
--- a/bureau/admin/ftp_edit.php
+++ b/bureau/admin/ftp_edit.php
@@ -65,7 +65,7 @@ if (isset($error) && $error) {
 }
 ?>
 <form method="post" action="ftp_doedit.php" name="main" id="main" autocomplete="off">
-
+<?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
 <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
diff --git a/bureau/admin/ftp_list.php b/bureau/admin/ftp_list.php
old mode 100644
new mode 100755
index 87ba07d9..17214dd5
--- a/bureau/admin/ftp_list.php
+++ b/bureau/admin/ftp_list.php
@@ -68,6 +68,7 @@ if (isset($error) && $error && !$noftp) {
 ?>
 
 <form method="post" action="ftp_del.php">
+   <?php csrf_get(); ?>
 <table class="tlist" id="ftp_list_table">
 <thead>
   <tr><th colspan="2"> </th><th><?php __("Enabled"); ?></th><th><?php __("Username"); ?></th><th><?php __("Folder"); ?></th></tr>
diff --git a/bureau/admin/hta_add.php b/bureau/admin/hta_add.php
old mode 100644
new mode 100755
index 331a01f7..7266899f
--- a/bureau/admin/hta_add.php
+++ b/bureau/admin/hta_add.php
@@ -50,6 +50,7 @@ if (isset($error) && $error) {
 } ?>
 
 <form method="post" action="hta_doadd.php" name="main" id="main">
+  <?php csrf_get(); ?>
   <table border="1" cellspacing="0" cellpadding="4" class='tedit'>
     <tr>
       <th><label for="dir"><?php __("Folder"); ?></label></th>
diff --git a/bureau/admin/hta_adduser.php b/bureau/admin/hta_adduser.php
old mode 100644
new mode 100755
index 8b421644..8b2b3e25
--- a/bureau/admin/hta_adduser.php
+++ b/bureau/admin/hta_adduser.php
@@ -45,7 +45,7 @@ getFields($fields);
 ?>
 
 <form method="post" action="hta_doadduser.php" name="main" id="main" autocomplete="off">
-
+  <?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
 <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
diff --git a/bureau/admin/hta_dodeluser.php b/bureau/admin/hta_dodeluser.php
old mode 100644
new mode 100755
index a5270def..62bb4798
--- a/bureau/admin/hta_dodeluser.php
+++ b/bureau/admin/hta_dodeluser.php
@@ -57,6 +57,7 @@ include_once('head.php');
   </ul>
 
   <form method="post" action="hta_dodeluser.php" name="main" id="main">
+  <?php csrf_get(); ?>
     <input type='hidden' name='dir' value='<?php echo $dir;?>' >
     <?php foreach($d as $t) {
       echo "<input type='hidden' name='d[$t]' value='$t' >\n";
diff --git a/bureau/admin/hta_edit.php b/bureau/admin/hta_edit.php
old mode 100644
new mode 100755
index eacd2ace..4ea1ec1c
--- a/bureau/admin/hta_edit.php
+++ b/bureau/admin/hta_edit.php
@@ -57,6 +57,7 @@ if (!$dir) {
      reset($r);
 ?>
 <form method="post" action="hta_dodeluser.php">
+   <?php csrf_get(); ?>
 <table cellspacing="0" cellpadding="4" class='tlist'>
   <tr>
     <th colspan="2" ><input type="hidden" name="dir" value="<?php echo $dir?>"> </th>
@@ -91,7 +92,7 @@ for($i=0;$i<count($r);$i++){ ?>
   <legend><h3><?php __("Adding an authorized user"); ?></h3></legend>
 
   <form method="post" action="hta_doadduser.php" name="main" id="main" autocomplete="off">
-
+   <?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
 <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
diff --git a/bureau/admin/hta_edituser.php b/bureau/admin/hta_edituser.php
old mode 100644
new mode 100755
index ce4c6493..2faddef9
--- a/bureau/admin/hta_edituser.php
+++ b/bureau/admin/hta_edituser.php
@@ -44,6 +44,7 @@ getFields($fields);
 <?php if (!empty($error) ) { echo "<p class=\"alert alert-danger\">$error</p>"; } ?>
 
 <form method="post" action="hta_doedituser.php" name="main" id="main" autocomplete="off">
+  <?php csrf_get(); ?>
 
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
diff --git a/bureau/admin/hta_list.php b/bureau/admin/hta_list.php
old mode 100644
new mode 100755
index 5648e802..f2a93cfc
--- a/bureau/admin/hta_list.php
+++ b/bureau/admin/hta_list.php
@@ -64,6 +64,7 @@ $mem->show_help("hta_list2");
 </p>
 
 <form method="post" action="hta_del.php">
+  <?php csrf_get(); ?>
 <table class="tlist">
   <tr><th colspan="2"> </th><th><?php __("Folder"); ?></th></tr>
 <?php
diff --git a/bureau/admin/index.php b/bureau/admin/index.php
old mode 100644
new mode 100755
index 335bfb12..6b1e3193
--- a/bureau/admin/index.php
+++ b/bureau/admin/index.php
@@ -93,6 +93,7 @@ if ( empty($logo) ||  ! $logo ) {
         <?php if (!empty($authip_token)) { echo "<p style='color:red;'>";__("You are attemping to connect without IP restriction."); echo "</p>"; } ?>
             <div class="menu-title"><?php __("AlternC access"); ?></div>
 	    <form action="login.php" method="post" name="loginform" target="_top">
+      <?php csrf_get(); ?>
             <div class="menu-content">
                 <div><label for="username"><?php echo _("Username"); ?></label></td><td><input type="text" class="int" name="username" id="username" value="" maxlength="128" autocapitalize="none" /></div>
                 <div><label for="password"><?php echo _("Password"); ?></label></td><td><input type="password" class="int" name="password" id="password" value="" maxlength="128" /></div>
diff --git a/bureau/admin/ip_main.php b/bureau/admin/ip_main.php
old mode 100644
new mode 100755
index 7f5794c6..57c4d34c
--- a/bureau/admin/ip_main.php
+++ b/bureau/admin/ip_main.php
@@ -89,6 +89,7 @@ $lac = $authip->list_affected();
   <p><?php __("You need to have some 'Known IP and networks' defined below to define a new rule.") ?></p>
 <?php } else { ?>
 <form method="post" action="ip_main.php" name="main" id="main">
+   <?php csrf_get(); ?>
 <table class="tlistb">
   <tbody>
     <tr valign="top">
@@ -176,6 +177,7 @@ foreach($list_ip as $i) {
 <p><a href="javascript:edit_ip('','<?php echo htmlentities(get_remote_ip())."','Home IP'";?>);" ><?php echo __("Add my current IP"); ?></a></p>
 <span id="form_add_ip">
 <form method="post" action="ip_main.php" name="main" >
+   <?php csrf_get(); ?>
   <p id="reset_edit_ip" style="display:none;"><a href="javascript:reset_edit_ip();"><?php __("Cancel edit")?></a></p>
 
   <input type="hidden" name="id" value="" id="edit_id" />
diff --git a/bureau/admin/mail_del.php b/bureau/admin/mail_del.php
old mode 100644
new mode 100755
index d67caffe..2cfa10ae
--- a/bureau/admin/mail_del.php
+++ b/bureau/admin/mail_del.php
@@ -56,6 +56,7 @@ if ($confirm=="y") {
 <br />
 <p><?php __("Please confirm the deletion of the following mail accounts:"); ?></p>
 <form method="post" action="mail_del.php" id="main">
+  <?php csrf_get(); ?>
 <p>
 <input type="hidden" name="confirm" value="y" />
 <input type="hidden" name="domain_id" value="<?php echo $domain_id; ?>" />
diff --git a/bureau/admin/mail_edit.php b/bureau/admin/mail_edit.php
old mode 100644
new mode 100755
index 53bf9f06..442a9f5e
--- a/bureau/admin/mail_edit.php
+++ b/bureau/admin/mail_edit.php
@@ -62,7 +62,7 @@ if (isset($error)) {
 ?>
 
 <form action="mail_doedit.php" method="post" name="main" id="main" autocomplete="off">
-
+   <?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
 <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
diff --git a/bureau/admin/mail_list.php b/bureau/admin/mail_list.php
old mode 100644
new mode 100755
index 10cdff34..e84140de
--- a/bureau/admin/mail_list.php
+++ b/bureau/admin/mail_list.php
@@ -77,6 +77,7 @@ if ($fatal) {
     <td>
 <?php if ($quota->cancreate("mail")) { ?>
     <form method="post" action="mail_doadd.php" id="main" name="mail_create">
+    <?php csrf_get(); ?>
       <input type="text" class="int intleft" style="text-align: right" name="mail_arg" value="<?php ehe($mail_arg); ?>" size="24" id="mail_arg" maxlength="255" /><span id="emaildom" class="int intright"><?php echo "@".$domain; ?></span>
       <input type="hidden" name="domain_id"  value="<?php echo $domain_id;?>" />
       <input type="submit" name="submit" class="inb add" value="<?php __("Create this email address"); ?>"  onClick="return false_if_empty('mail_arg', '<?php echo addslashes(_("Can't have empty mail."));?>');" />
@@ -122,6 +123,7 @@ if (empty($allmails_list) && empty($search)) {
 </td></tr></table>
 
 <form method="post" action="mail_del.php">
+   <?php csrf_get(); ?>
  <input type="hidden" name="domain_id" value="<?php echo $domain_id; ?>" />
 <table class="tlist">
 <tr><th></th><th></th><th><?php __("Enabled");?></th><th style="text-align:right"><?php __("Address"); ?></th><th><?php __("Pop/Imap"); ?></th><th><?php __("Other recipients"); ?></th><th><?php __("Last login time"); ?></th></tr>
diff --git a/bureau/admin/mem_param.php b/bureau/admin/mem_param.php
old mode 100644
new mode 100755
index aa7c1591..ea6a9013
--- a/bureau/admin/mem_param.php
+++ b/bureau/admin/mem_param.php
@@ -78,6 +78,7 @@ echo "<p>";
  __("help_chg_passwd"); ?>
 </p>
 <form method="post" action="mem_passwd.php" name="main" id="main" autocomplete="off">
+    <?php csrf_get(); ?>
 
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
@@ -96,6 +97,7 @@ echo "<p>";
 <div id="tabsmem-mail">
 <h3><?php __("Change the email of the account"); ?></h3>
 <form method="post" action="mem_chgmail.php">
+  <?php csrf_get(); ?>
 	<table border="1" cellspacing="0" cellpadding="4" class="tedit">
 		<tr><td colspan="2"><?php __("help_chg_mail"); ?></td></tr>
 		<tr><th><?php __("Current mailbox"); ?></th><td><big><code><?php echo $mem->user["mail"]; ?></code></big></td></tr>
@@ -107,6 +109,7 @@ echo "<p>";
 <div id="tabsmem-help">
 		<h3><?php __("Online help settings"); ?></h3>
 <form method="post" action="mem_param.php">
+  <?php csrf_get(); ?>
 	<table border="1" cellspacing="0" cellpadding="4" class="tedit">
                 <tr><td colspan="2"><?php __("help_help_settings"); ?></td></tr>
 		<tr><th><label for="showhelp"><?php __("Do you want to see the help texts and links on each page?"); ?></label></th><td><input type="checkbox" class="inc" id="showhelp" name="showhelp" value="1" <?php if ($mem->get_help_param()) echo "checked=\"checked\""; ?> /></td></tr>
@@ -120,6 +123,7 @@ if ($mem->user["su"]) {
 <div id="tabsmem-admin">
 <h3><?php __("Admin preferences"); ?></h3>
 <form method="post" action="mem_admin.php">
+<?php csrf_get(); ?>
 <table border="1" cellspacing="0" cellpadding="4" class="tedit">
 <tr><th><?php __("Members list view"); ?></th><td><select name="admlist" class="inl">
 <option value="0"<?php if ($mem->user["admlist"]==0) echo " selected=\"selected\""; ?>><?php __("Large view"); ?></option>
diff --git a/bureau/admin/piwik_site_dodel.php b/bureau/admin/piwik_site_dodel.php
old mode 100644
new mode 100755
index 2bac3fae..6cf1bba3
--- a/bureau/admin/piwik_site_dodel.php
+++ b/bureau/admin/piwik_site_dodel.php
@@ -66,6 +66,7 @@ include_once('head.php');
 <br />
 
   <form method="post" action="piwik_site_dodel.php" name="main" id="main">
+  <?php csrf_get(); ?>
     <input type="hidden" name="siteid"  value="<?php echo $siteid;?>" />
     <input type="submit" class="inb" name="confirm_del" value="<?php __("Delete")?>" />
     <input type="button" class="inb" name="cancel" value="<?php __("Cancel"); ?>" onclick="document.location='piwik_sitelist.php'" />
diff --git a/bureau/admin/piwik_sitelist.php b/bureau/admin/piwik_sitelist.php
old mode 100644
new mode 100755
index 8714312b..8ebb7c24
--- a/bureau/admin/piwik_sitelist.php
+++ b/bureau/admin/piwik_sitelist.php
@@ -82,6 +82,7 @@ if ($quota->cancreate("piwik")) {
 ?>
 <h3><?php __("Add a new website");?></h3>
 <form method="post" action="piwik_addsites.php" id="main" name="addsites" >
+ <?php csrf_get(); ?>
 	<input type="text" class="int" name="site_urls" size="50" id="site_name" maxlength="255" value="" placeholder="<?php __("URL of the website")?>"/>
 	<input type="submit" name="submit" class="inb" value="<?php __("Create"); ?>" />
 </form>
@@ -162,6 +163,7 @@ foreach ($sitelist as $site ){
 	// If a site was selected
 	if ($site_id != -1 && in_array($site_id, $piwik_alternc_sites)) {
 		echo '<form method="post">';
+		csrf_get();
 		echo '<dl>';
 		foreach ($piwik->get_users_access_from_site($site_id) AS $piwik_user => $cred) {
 			printf("<dt>%s:</dt>\n\t<dd>%s</dd>\n", $piwik_user, piwik_right_widget('right', $piwik_user, $cred));
diff --git a/bureau/admin/piwik_user_dodel.php b/bureau/admin/piwik_user_dodel.php
old mode 100644
new mode 100755
index 65da8d74..0c54a5e6
--- a/bureau/admin/piwik_user_dodel.php
+++ b/bureau/admin/piwik_user_dodel.php
@@ -64,6 +64,7 @@ include_once('head.php');
 <br />
 
   <form method="post" action="piwik_user_dodel.php" name="main" id="main">
+  <?php csrf_get(); ?>
     <input type="hidden" name="login"  value="<?php echo $login;?>" />
     <input type="submit" class="inb" name="confirm_del" value="<?php __("Delete")?>" />
     <input type="button" class="inb" name="cancel" value="<?php __("Cancel"); ?>" onclick="document.location='piwik_userlist.php'" />
diff --git a/bureau/admin/piwik_useradmin.php b/bureau/admin/piwik_useradmin.php
old mode 100644
new mode 100755
index 2179c5cc..a80385b5
--- a/bureau/admin/piwik_useradmin.php
+++ b/bureau/admin/piwik_useradmin.php
@@ -131,6 +131,7 @@ if (count($available_user_sites)>0)
 foreach ($available_user_sites AS $current_id_site => $available_user_site)
 {
 	printf('<li>%s <form method="post"><input type="hidden" name="site_id" value="%d">
+<input type="hidden" name="csrf" value="'.csrf_get(true).'" />
 <select name="right">
 	<option value="noaccess">%s</option>
 	<option value="view">%s</option>
diff --git a/bureau/admin/piwik_userlist.php b/bureau/admin/piwik_userlist.php
old mode 100644
new mode 100755
index 7557942b..620cb07f
--- a/bureau/admin/piwik_userlist.php
+++ b/bureau/admin/piwik_userlist.php
@@ -40,6 +40,7 @@ if ($quota->cancreate("piwik")) {
 ?>
 <h3><?php __("Create a new piwik account");?></h3>
 <form method="post" action="piwik_addaccount.php" id="main" name="addaccount" >
+ <?php csrf_get(); ?>
 	<input type="text" class="int" name="account_name" size="20" id="account_name" maxlength="32" value="<?php if ($quotapiwik['u']==0) {echo $mem->user["login"];}?>"/>
 	<input type="submit" name="submit" class="inb" value="<?php __("Create"); ?>" />
 </form>
@@ -52,6 +53,7 @@ if ($quotapiwik['u']>0) {
 ?>
 <h3><?php __("Add a new website");?></h3>
 <form method="post" action="piwik_addsites.php" id="main" name="addsites" >
+<?php csrf_get(); ?>
 	<input type="text" class="int" name="site_urls" size="50" id="site_name" maxlength="255" value="" placeholder="<?php __("URL of the website")?>"/>
 	<input type="submit" name="submit" class="inb" value="<?php __("Create"); ?>" />
 </form>
diff --git a/bureau/admin/sql_bck.php b/bureau/admin/sql_bck.php
old mode 100644
new mode 100755
index ede76677..723f0792
--- a/bureau/admin/sql_bck.php
+++ b/bureau/admin/sql_bck.php
@@ -65,6 +65,7 @@ if (is_array($r)) {
 <h3><?php printf(_("Manage the SQL backup for database %s"),$r["db"]); ?></h3>
 
 <form action="sql_dobck.php" method="post" id="main" name="main">
+ <?php csrf_get(); ?>
 <table class="tedit">
 <tr>
 	<th><label><?php __("Do MySQL backup?"); ?></label></th>
diff --git a/bureau/admin/sql_del.php b/bureau/admin/sql_del.php
old mode 100644
new mode 100755
index 71903900..893301d2
--- a/bureau/admin/sql_del.php
+++ b/bureau/admin/sql_del.php
@@ -75,6 +75,7 @@ if (!$found) {
 <p class="alert alert-warning"><?php __("WARNING"); ?></big><br /><?php __("Confirm the deletion of the following SQL databases"); ?><br />
 <?php __("This will delete all the tables currently in those db."); ?></p>
 <form method="post" action="sql_del.php" id="main">
+  <?php csrf_get(); ?>
 <p>
 <input type="hidden" name="confirm" value="y" />
 <?php
diff --git a/bureau/admin/sql_list.php b/bureau/admin/sql_list.php
old mode 100644
new mode 100755
index 8cd8402c..05f6913e
--- a/bureau/admin/sql_list.php
+++ b/bureau/admin/sql_list.php
@@ -50,6 +50,7 @@ $r=$mysql->get_userslist();
 if($rdb){
 ?>
 <form method="post" action="sql_del.php" name="main" id="main">
+    <?php csrf_get(); ?>
 <table class="tlist">
    <tr><th>&nbsp;</th><th><?php __("Database"); ?></th><?php if ( variable_get('sql_allow_users_backups') ) { ?><th><?php __("Backup"); ?></th><?php } // sql_allow_users_backups ?><th><?php __("Restore"); ?></th><th><?php __("Show Settings"); ?></th><th><?php __("Size"); ?></th></tr>
 
@@ -91,6 +92,7 @@ for($i=0;$i<count($rdb);$i++) {
 <?php }else{
 ?>
 <form method="post" action="sql_doadd.php" id="main2" name="main2">
+   <?php csrf_get(); ?>
 <table class="tedit">
 <tr>
   <th><label for="dbn"><?php __("MySQL Database"); ?></label></th>
diff --git a/bureau/admin/sql_restore.php b/bureau/admin/sql_restore.php
old mode 100644
new mode 100755
index 0f2b2e59..cb515c41
--- a/bureau/admin/sql_restore.php
+++ b/bureau/admin/sql_restore.php
@@ -62,6 +62,7 @@ __("Warning: Write the complete path and the filename. <br />For example if your
 echo "</p>";
 ?>
 <form action="sql_dorestore.php" method="post">
+  <?php csrf_get(); ?>
 <input type="hidden" name="id" value="<?php echo $id ?>" />
 <p><label for="restfile"><?php __("Please enter the path and the filename containing SQL data to be restored."); ?></label></p>
 <p><input type="text" class="int" id="restfile" name="restfile" size="35" maxlength="255" value="<?php ehe($filename); ?>" /> <input class="inb" type="submit" name="submit" onClick='return restfilenotempty();' value="<?php __("Restore my database"); ?>" /><i><?php __("Tip: you can restore a file directly in the File Browser");?></i></p>
diff --git a/bureau/admin/sql_users_add.php b/bureau/admin/sql_users_add.php
old mode 100644
new mode 100755
index a82e0cbf..209ab7bb
--- a/bureau/admin/sql_users_add.php
+++ b/bureau/admin/sql_users_add.php
@@ -54,6 +54,7 @@ getFields($fields);
 	}
 ?>
 <form method="post" action="sql_users_doadd.php" id="main" name="main" autocomplete="off">
+  <?php csrf_get(); ?>
 
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
diff --git a/bureau/admin/sql_users_del.php b/bureau/admin/sql_users_del.php
old mode 100644
new mode 100755
index 56a8afe0..d558984d
--- a/bureau/admin/sql_users_del.php
+++ b/bureau/admin/sql_users_del.php
@@ -32,6 +32,7 @@ $fields = array (
         "confirm"                => array ("post", "string", ""),
 );
 getFields($fields);
+
 if(!isset($error)){
 	$error="";
 }
@@ -61,6 +62,7 @@ include_once("head.php");
 <p class="alert alert-warning"><?php __("WARNING"); ?></big><br /><?php __("Confirm the deletion of the following MySQL users"); ?><br />
 </p>
 <form method="post" action="sql_users_del.php" id="main">
+  <?php csrf_get(); ?>
 <p>
 <input type="hidden" name="confirm" value="y" />
 <?php
diff --git a/bureau/admin/sql_users_doadd.php b/bureau/admin/sql_users_doadd.php
old mode 100644
new mode 100755
index 707b65c7..169980e7
--- a/bureau/admin/sql_users_doadd.php
+++ b/bureau/admin/sql_users_doadd.php
@@ -36,7 +36,6 @@ $fields = array (
 );
 getFields($fields);
 
-
 if(!empty($usern)){
   if (!$mysql->add_user($usern,$password,$passconf)) {
     $error=$err->errstr();
diff --git a/bureau/admin/sql_users_list.php b/bureau/admin/sql_users_list.php
old mode 100644
new mode 100755
index 6fc173b9..b2eadf4a
--- a/bureau/admin/sql_users_list.php
+++ b/bureau/admin/sql_users_list.php
@@ -47,6 +47,7 @@ if (isset($error) && $error) {
   if($r){ // if there is some userlist
 ?>
 <form method="post" action="sql_users_del.php">
+      <?php csrf_get(); ?>
 <table cellspacing="0" cellpadding="4" class="tlist">
    <tr><th>&nbsp;</th><th><?php __("User"); ?></th><th><?php __("Rights"); ?></th><th><?php __("Password");?></th></tr>
 <?php
diff --git a/bureau/admin/sql_users_password.php b/bureau/admin/sql_users_password.php
old mode 100644
new mode 100755
index 908fd79a..f9f41142
--- a/bureau/admin/sql_users_password.php
+++ b/bureau/admin/sql_users_password.php
@@ -53,6 +53,7 @@ if (! empty($error) ) {
 ?>
 
 <form method="post" action="sql_users_dopassword.php" autocomplete="off">
+  <?php csrf_get(); ?>
 <input type="hidden" name="id" value="<?php echo $id; ?>" />
 
 <!-- honeypot fields -->
diff --git a/bureau/admin/sql_users_rights.php b/bureau/admin/sql_users_rights.php
old mode 100644
new mode 100755
index 35d98360..b235d248
--- a/bureau/admin/sql_users_rights.php
+++ b/bureau/admin/sql_users_rights.php
@@ -54,6 +54,7 @@ if ($r) {
 ?>
 
 <form method="post" action="sql_users_dorights.php">
+    <?php csrf_get(); ?>
 <input type="hidden" name="id" value="<?php echo $id; ?>" />
 <table cellspacing="0" cellpadding="4" class="tlist ombrage">
    <tr class="petit">
diff --git a/bureau/admin/vm.php b/bureau/admin/vm.php
old mode 100644
new mode 100755
index 9bf93b95..6c9c3dc9
--- a/bureau/admin/vm.php
+++ b/bureau/admin/vm.php
@@ -68,6 +68,7 @@ include_once("head.php");
 ?>
 <p class="alert alert-info"><?php __("You can start a virtual machine."); ?></p>
 <form method="post" action="vm.php">
+   <?php csrf_get(); ?>
    <input type="hidden" name="action" value="start" />
 <input type="submit" class="inb ok" name="go" value="<?php __("Click here to start a virtual machine."); ?>" />
 </form>
@@ -85,6 +86,7 @@ include_once("head.php");
 ?>
 <p class="alert alert-info"><?php __("You can stop your virtual machine."); ?></p>
 <form method="post" action="vm.php">
+<?php csrf_get(); ?>
    <input type="hidden" name="action" value="stop" />
 <input type="submit" class="inb cancel" name="go" value="<?php __("Click here to stop your running virtual machine."); ?>" />
 </form>
diff --git a/bureau/class/config.php b/bureau/class/config.php
old mode 100644
new mode 100755
index 96246879..5d4894d5
--- a/bureau/class/config.php
+++ b/bureau/class/config.php
@@ -209,6 +209,17 @@ if ($oldid && $oldid != $cuid) {
     $isinvited = true;
 }
 
+// CHECK CSRF for ALL POSTS : 
+// you MUST add    <?php csrf_get(); ?>  after ALL <form method="post" in AlternC !
+if (count($_POST)) {
+  if (csrf_check()<=0) {
+    $error=$err->errstr();
+    require_once("main.php");
+    exit();
+  }
+}
+
+
 // Init some vars
 variable_get('hosting_tld', '', 'This is a FQDN that designates the main hostname of the service. For example, hosting_tld determines in what TLD the "free" user domain is created. If this is set to "example.com", a checkbox will appear in the user creation dialog requesting the creator if he wants to create the domain "username.example.com".', array('desc' => 'Wanted FQDN', 'type' => 'string'));
 
diff --git a/bureau/class/functions.php b/bureau/class/functions.php
old mode 100644
new mode 100755
index b2b8398f..0e26b24a
--- a/bureau/class/functions.php
+++ b/bureau/class/functions.php
@@ -1080,14 +1080,20 @@ function panel_islocked() {
  * to the session cookie. We also need the $db pdo object
  * @return the csrf cookie to add into a csrf hidden field in your form
  */
-function csrf_get() {
+function csrf_get($return=false) {
     global $db;
+    static $token="";
     if (!isset($_SESSION["csrf"])) {
         $_SESSION["csrf"]=md5(rand().rand().rand());
     }
-    $token=md5(rand().rand().rand());
-    $db->query("INSERT INTO csrf SET cookie=?, token=?, created=NOW(), used=0;",array($_SESSION["csrf"],$token));
-    return $token;
+    if ($token=="") {
+      $token=md5(rand().rand().rand());
+      $db->query("INSERT INTO csrf SET cookie=?, token=?, created=NOW(), used=0;",array($_SESSION["csrf"],$token));
+    }
+    if ($return) 
+        return $token;
+    echo '<input type="hidden" name="csrf" value="'.$token.'" />';
+    return true;        
 }
 
 /** Check a CSRF token against the current session
@@ -1096,8 +1102,11 @@ function csrf_get() {
  * @return $result integer 0 for invalid token, 1 for good token, -1 for expired token (already used)
  * if a token is invalid or expired, an $err is raised, that can be displayed
  */
-function csrf_check($token) {
+function csrf_check($token=null) {
     global $db,$err;
+
+    if (is_null($token)) $token=$_POST["csrf"];
+
     if (!isset($_SESSION["csrf"])) {
         $err->raise("functions", _("The posted form token is incorrect. Maybe you need to allow cookies"));
         return 0; // no csrf cookie :/
@@ -1120,6 +1129,7 @@ function csrf_check($token) {
         $err->raise("functions", _("Your token is expired. Please refill the form."));
         return -1; // expired
     }
-    $db->query("UPDATE csrf SET used=1 WHERE cookie=? AND token=?;",array($_SESSION["csrf"],$token));
+    $db->query("UPDATE csrf SET used=1 WHERE cookie=? AND token=?;",array($_SESSION["csrf"],$token)); 
+    $db->exec("DELETE FROM csrf WHERE created<DATE_SUB(NOW(), INTERVAL 1 DAY);");
     return 1;
-}
\ No newline at end of file
+}
diff --git a/bureau/class/local.php b/bureau/class/local.php
old mode 100644
new mode 100755
diff --git a/install/upgrades/3.4.5.sql b/install/upgrades/3.4.5.sql
old mode 100644
new mode 100755
index 1d8263fd..c8b35726
--- a/install/upgrades/3.4.5.sql
+++ b/install/upgrades/3.4.5.sql
@@ -7,4 +7,4 @@ CREATE TABLE IF NOT EXISTS `csrf` (
   `used` tinyint(3) unsigned NOT NULL DEFAULT '0'
 ) ENGINE=InnoDB DEFAULT CHARSET=latin1 COMMENT='csrf tokens for AlternC forms';
 
-ALTER TABLE `csrf` ADD PRIMARY KEY (`session`,`token`), ADD KEY `created` (`created`);
+ALTER TABLE `csrf` ADD PRIMARY KEY (`cookie`,`token`), ADD KEY `created` (`created`);