Author Topic: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60  (Read 17818 times)

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« on: May 08, 2007, 08:58:51 PM »

Updated for sNews 1.6 - May 27.07 (thanks to Codetwist for the extra function tweak!)
If you are using sNews 1.5.30 and getting hacked, you can upgrade to 1.5.31 to take advantage of the security changes. sNews 1.5.31 is basically the same as 1.5.30 in terms of functionality. So, if you want to keep using an existing 1.5.30 site but have the best of security, these simple modifications will do the trick.

If you have already upgraded to 1.5.31 or 1.6.0... but you aren't 100% confident in the security changes made to it, you can apply these mods and your site will be 100% secure against hacker intrusion even if our sNews hackers figure out how to get into the latest default 1.5.31 package.

IMPORTANT NOTE: This modification will only work properly in "single user" versions of sNews. It will work with the default releases of sNews 1.5.30, 1.5.31 and 1.6.0. It should (not tested) work with the sNews MESU (Modular, Enhanced, Single User) package. It will not work with the sNews MEMU package or bakercad's MU package... since they have multiple-user functionality.

Step 1 - all 3 versions: Add the blue section into the db variables array at the top of snews.php. This gives you three variables allowing you to insert your own custom values for username, password and a secret name for your login function. These will over-ride the username and password settings in the database settings table, and make your login panel invisible.
Code:

// DATABASE VARIABLES
function db($variable) {
   $db = array();
   // --- the "blue section" of the mod: the lines below are the additions ---
   // uname & password over-ride - use only if not using dbase login info & check.
   // both values must be 4-8 letters/digits to pass checkUserPass() (step 3)
   $db['user'] = 'user_name'; // Insert login username
   $db['pass'] = 'pass_word'; // insert login password
   // login link replacement, example - snooby21
   // use the url to access the login panel - http://www.your-domain.com/snooby21/
   $db['loginLink'] = 'snooby21';
   // ... remaining db() entries and the rest of the function stay as they are

Step 2 - all 3 versions: Replace the login case string in function center by searching for the first string and replacing it with the two lines below it:
Code:

case 'login': login(); break;

   // for your unique login link in URL
   case db('loginLink'): login(); break;

Step 3 - 1.5.30: Search for and replace the startup function with both of these functions:
Code:

// STARTUP
# Use this function with hard-coded u-name & password override only.
function snews_startup() {
   connect_to_db();
   if (get_id('category') == "rss") {rss(); die;}
   update_articles();
   if (isset($_POST['Loginform'])) {
      $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      if ($user === db('user') && $pass === db('pass')) {
         $_SESSION[db('website').'Logged_In'] = 'True';
         $_SESSION['uname'] = s('username');
         $_SESSION['Website'] = db('website');
      }
   }
}
snews_startup();

// USER/PASS CHECK
# Use this function with hard-coded u-name & password override only.
function checkUserPass($input) {  // checks and strips tags out of username entry.
   $output = clean(cleanXSS($input));
   # remove what's left of HTML tags
   $output = strip_tags($output);
   # user and pass: ASCII letters and digits only (ctype_alnum), min 4 / max 8 characters
   if (ctype_alnum($output) === true && strlen($output) > 3 && strlen($output) < 9) {
      return $output;
   }
   else {return null;}
}

Or, for 1.5.31: Search for and replace the startup function with this one:
Code:

// STARTUP
# Use this function with hard-coded u-name & password override only.
function snews_startup() {
   connect_to_db();
   if (get_id('category') == 'rss') {rss(); die;}
   update_articles();
   if (isset($_POST['Loginform'])) {
      $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      // math captcha: the submitted answer must match the submitted sum
      $inputCalc = is_numeric($_POST['calc']) ? $_POST['calc'] : null;
      $sum = is_numeric($_POST['sum']) ? $_POST['sum'] : null;
      $calc = $inputCalc === $sum ? $inputCalc : null;
      if ($user === db('user') && $pass === db('pass') && $calc) {
         $_SESSION[db('website').'Logged_In'] = token();
      }
   }
}
snews_startup();

Or, for 1.6: Search for and replace the startup function with this one (patched, Jan.20.08):
Code:

// STARTUP
# 1.60 - Use this function with hard-coded u-name, password & custom login link override only.
function snews_startup() {
   connect_to_db();
   $categorySEF = get_id('category');
   $articleSEF = get_id('article');
   if (false !== strpos($categorySEF, 'rss-')) {rss_contents($categorySEF, $articleSEF);}
   $homeSEF = l('home_sef');
   $categoryID = $categorySEF == $homeSEF ? 0 : retrieve('id', 'categories', 'seftitle', $categorySEF);
   $articleCatID = retrieve('category', 'articles', 'seftitle', $articleSEF);
   if (!empty($categorySEF) && $categorySEF != '404') {
      switch(true) {
         // the custom login link is not a category, so it is exempted from the 404 redirect
         case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false && $categorySEF != db('loginLink')):
         case (!empty($articleSEF) && false === strpos($articleSEF, l('paginator')) && (!is_numeric($articleCatID) && $articleCatID != $categoryID)):
            header('Location: '.db('website').'404/'); exit;
         break;
      }
   }
   if ($categorySEF == '404') {header('HTTP/1.1 404 Not Found');}
   update_articles();
   if (isset($_POST['Loginform'])) {
      $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      // Username and password check string, for hard-coded $db variables at top of file only.
      if ($user === db('user') && $pass === db('pass') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
      //if (md5($user) === s('username') && md5($pass) === s('password') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
         $_SESSION[db('website').'Logged_In'] = token();
      }
   }
}
snews_startup();

Step 4 - remove the login function link  - <? login_link(); ?> - from the footer (or wherever it is) in your index.php file.

Step 5 - In the Language Variables array - find this string and delete login from it (bram's note, added June 10.07):
Code:

$l['cat_listSEF'] = $l['home_sef'].',archive,contact,sitemap,rss-articles,rss-pages,rss-comments,login, administration,admin_category,admin_article,article_new,extra_new,page_new,categories,articles,extra_contents,pages,settings,files,logout';

When you want to login, insert the URL to your secret login function in your browser address bar. Once you have it displayed, save this URL in an easily accessible folder in your Favorites. Use this link to access your site's login page from now on.

Added Jan.20.08:
As an added bonus... if you'd like to be able to change the path-name to your login panel now and then... from the Settings Admin Panel instead of editing the engine file... this mod will add this to your Settings Admin Panel.

Oh... and I forgot to mention... (tho it is rather obvious)... make sure you enter your username and password in the new variable strings at the top of snews.php so they'll be there to check against your entries in the login panel. :)
« Last Edit: January 20, 2008, 07:15:54 PM by Keyrocks »
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU
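As an added illustration (not Keyrocks' code and not part of sNews), the same login check as a stand-alone PHP script, with the password stored in the file as a hash rather than plaintext, constant-time comparison, and the captcha's expected sum taken from server-side state rather than from the form. The sNews helpers clean()/cleanXSS() are assumed replaced by trim()+strip_tags(), and every username, password and sum below is a constructed placeholder.

```php
<?php
// Added example, not Keyrocks' or sNews' own code: a stand-alone version of the
// mod's login check with two hardening changes. The file stores a password_hash()
// digest instead of the plaintext password, and the comparisons use hash_equals()
// and password_verify() so a mismatch takes the same time however much matched.
// Assumptions: sNews' clean()/cleanXSS() are replaced by trim()+strip_tags(), and
// the expected captcha sum comes from server-side state, not from the form.

// Hard-coded override values, as in step 1 of the mod (constructed placeholders;
// the mod's rule means they must be 4-8 ASCII letters or digits, no underscores).
$db = [
    'user'      => 'doug2007',
    'pass_hash' => password_hash('pw4test1', PASSWORD_DEFAULT), // precompute once in real use
    'loginLink' => 'snooby21',
];

// Same rule as the mod's checkUserPass(): strip tags, then accept only ASCII
// letters/digits of length 4..8; anything else is rejected as null.
function checkUserPass($input): ?string {
    $output = strip_tags(trim((string)$input));
    $len = strlen($output);
    return (ctype_alnum($output) && $len > 3 && $len < 9) ? $output : null;
}

// Math captcha as in the 1.5.31/1.6 variants: the visitor's answer must equal the
// sum that was asked. $expected is the server-side copy (e.g. from $_SESSION).
function mathCaptcha($answer, $expected): bool {
    return is_numeric($answer) && is_numeric($expected) && (int)$answer === (int)$expected;
}

// True only when username, password and captcha all pass.
function loginAllowed(array $post, array $db, $expectedSum): bool {
    $user = checkUserPass($post['uname'] ?? null);
    $pass = checkUserPass($post['pass'] ?? null);
    if ($user === null || $pass === null) {
        return false;                                   // failed the input rule
    }
    return hash_equals($db['user'], $user)
        && password_verify($pass, $db['pass_hash'])
        && mathCaptcha($post['calc'] ?? null, $expectedSum);
}

// Constructed form submissions; '7' stands in for the sum stored in the session.
$ok      = loginAllowed(['uname' => 'doug2007', 'pass' => 'pw4test1', 'calc' => '7'], $db, '7');
$badPass = loginAllowed(['uname' => 'doug2007', 'pass' => 'pw4test2', 'calc' => '7'], $db, '7');
$quote   = loginAllowed(['uname' => "doug'2007", 'pass' => 'pw4test1', 'calc' => '7'], $db, '7'); // not alnum
$noCalc  = loginAllowed(['uname' => 'doug2007', 'pass' => 'pw4test1'], $db, '7');
var_dump($ok, $badPass, $quote, $noCalc); // bool(true) bool(false) bool(false) bool(false)
```

In the 1.5.31 variant as posted, the expected sum travels in the same POST as the answer (`$_POST['sum']`), so the check is satisfied by any two equal numbers; keeping the expected value server-side is what makes the captcha an actual hurdle.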

piXelatedEmpire

  • MIA
  • ULTIMATE member
  • ******
  • Karma: 37
  • Posts: 1401
  • currently MIA
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #1 on: May 09, 2007, 02:26:22 AM »

*Sticky this thread*
my apologies to the sNews crew, but I will be MIA for the foreseeable future

Linc

  • Newbie
  • *
  • Karma: 0
  • Posts: 36
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #2 on: May 20, 2007, 04:16:20 AM »

Is this alright to use for 1.6? I mean, it seems to work, but the startup function has changed considerably in 1.6. I'm not sure about flat-out replacing it. I just want to use the custom login link functionality.

tyee

  • Jr. Member
  • **
  • Karma: 0
  • Posts: 56
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #3 on: May 20, 2007, 08:14:56 PM »

Yes, I'm wondering too whether I can do this for 1.6 before I actually upgrade?

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #4 on: May 21, 2007, 02:16:58 AM »

The password override mod works in 1.6 but... for some reason I've not been able to understand yet... the custom login link only works if the value in the variable is set to "login". Which is why I haven't updated it for 1.6 yet.

MIKA... if you are reading this... have you any idea why the custom login link mod only works with the variable value set as "login" in 1.6 while any value works in 1.5.31?

Linc

  • Newbie
  • *
  • Karma: 0
  • Posts: 36
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #5 on: May 27, 2007, 06:50:20 PM »

Quote from: keyrocks
The password override mod works in 1.6 but... for some reason I've not been able to understand yet... the custom login link only works if the value in the variable is set to "login". Which is why I haven't updated it for 1.6 yet.
I don't know if this'll help you or not, but if I make a category named snooby21 (i.e. the name of the custom login link), the login link works. I reckon the problem lies in the new startup function, but that's about as far as I've gotten.

codetwist

  • Hero Member
  • *****
  • Karma: 50
  • Posts: 940
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #6 on: May 27, 2007, 07:16:17 PM »

IMHO for this MOD following check at snews_startup() :
Code:

if (!empty($categorySEF) && $categorySEF != '404') {
   switch(true) {
      case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false):
      case (!empty($articleSEF) && false === strpos($articleSEF, l('paginator')) && !is_numeric($articleCatID)):
         header('Location: '.db('website').'404/'); exit;
      break;
   }
}

should be extended with test for custom login string:
Code:

if (!empty($categorySEF) && $categorySEF != '404') {
   switch(true) {
      // the custom login link is not a category, so do not send it to 404
      case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false && $categorySEF != db('loginLink')):
      case (!empty($articleSEF) && false === strpos($articleSEF, l('paginator')) && !is_numeric($articleCatID)):
         header('Location: '.db('website').'404/'); exit;
      break;
   }
}

Linc

  • Newbie
  • *
  • Karma: 0
  • Posts: 36
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #7 on: May 27, 2007, 07:30:07 PM »

That works, of course. There's some damn smart people on this forum, thankfully.

Much obliged, codetwist.

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #8 on: May 27, 2007, 08:16:48 PM »

@ codetwist...
Thanks for the solution. Works great. I've added the 1.6 startup function to the first post in this string. I'll post the updated version to the 1.6 Mods section as a co-mod. :)

centered

  • Guest
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #9 on: June 06, 2007, 02:34:39 PM »

Awesome mod

For 1.4: (NOT FULLY TESTED!!!)
Following Keyrocks first thread:

0. backup!

1. Add this underneath
Code:

$s['prefix'] = ""; // Table prefix for multiple sNews systems on one database (if you don't need it just leave it blank)

Add
Code:

    // login link replacement, example - snooby21
    // use the url to access the login panel - http://www.your-domain.com/snooby21/
    $s['loginLink'] = 'snooby21';

2. in the center replace the login case
Code:

// case "login":
// login();
// break;
case s('loginLink'): login(); break;

3. Not sure what is going on here.. so I didn't try and change anything but....
3a. In display menu_items, replace the logged in part with
Code:

if (isset($_SESSION['Logged_In'])) {
   echo "<li><a href='" .s('website'). "categories/'>". l('categories') ."</a></li>";
   echo "<li><a href='" .s('website'). "new/'>". l('new_article') ."</a></li>";
   echo "<li><a href='" .s('website'). "unpublished/'>". l('unpublished_articles') ."</a></li>";
   echo "<li><a href='" .s('website'). "images/'>". l('images') ."</a></li>";
   echo "<li><a href='". s('website') ."logout/'>". l('logout') ."</a></li>";
}

This adds a logout link while you are logged in without having to go back to your loginlink again
« Last Edit: November 21, 2007, 02:13:44 AM by equilni »

mattonik

  • Full Member
  • ***
  • Karma: 7
  • Posts: 123
    • http://www.mattonik.sk
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #10 on: June 08, 2007, 12:52:01 PM »

wow great mod:) like it, including in my enhanced admin edition

bramsyuur

  • Hero Member
  • *****
  • Karma: 23
  • Posts: 873
    • http://snews.vietbee.net
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #11 on: June 10, 2007, 01:21:55 AM »

@Key's and all users of this MOD:
You need to remove the 'hardcoded' word login from the "System Variables $l['cat_listSEF']" section to prevent it from being shown in the breadcrumbs line tags. If you don't remove it, you don't get a 404 error and all seems to be good. :)
La comunidad sNews en tu idioma!
Comunidad sNews en Español

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #12 on: June 10, 2007, 09:59:40 PM »

Thanks for the 'heads up' Bram. I'll add this to the first post. :)

Armen

  • Sr. Member
  • ****
  • Karma: 41
  • Posts: 338
    • http://www.funnydays.ru
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #13 on: October 03, 2007, 11:36:47 AM »

Just a friendly tip: why don't you move this sticky to the 1.6 forum.

I don't think new sNews users even know about these useful techniques.
Now ogres, oh, they're much worse. They'll make a suit from your freshly peeled skin. They'll shave your liver, squeeze the jelly from your eyes... Actually, it's quite good on toast.

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #14 on: October 03, 2007, 03:30:59 PM »

Thanks for suggestion Armen... I posted a new topic there and linked it to this topic.  ;)