
Author Topic: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60  (Read 17820 times)

mfaraklit

  • Newbie
  • *
  • Karma: 1
  • Posts: 20
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #15 on: October 17, 2007, 04:00:30 PM »

I applied the whole process in the sNews 1.6 MEMU, but it did not occur. So now a login problem exists. How do I repair it? Install again?
Thanks
Logged

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #16 on: October 17, 2007, 05:06:48 PM »

Please note that this mod is only meant to be used in the default releases of sNews. You definitely do not want to try using it with the MEMU or backercad's MU packages because they are programmed to provide Multiple User functionality. You cannot over-ride many usernames and passwords with one hard-coded uname and password.  ;)
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Sven

  • ULTIMATE member
  • ******
  • Karma: 88
  • Posts: 2029
  • Chasing MY bugs!
    • hiseo.fr - rédacteur Web
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #17 on: January 20, 2008, 11:34:23 AM »

Applied: it's working well.
Thanks a lot Doug
On my sNews file I had a patched version of the startup function
Maybe first post should be updated with:
Quote
function snews_startup() {
   connect_to_db();
   $categorySEF = get_id('category');
   $articleSEF = get_id('article');
   if (false !== strpos($categorySEF, 'rss-')) {rss_contents($categorySEF, $articleSEF);}
   $homeSEF = l('home_sef');
   $categoryID = $categorySEF == $homeSEF ? 0 : retrieve('id', 'categories', 'seftitle', $categorySEF);
   $articleCatID = retrieve('category', 'articles', 'seftitle', $articleSEF);
   if (!empty($categorySEF) && $categorySEF != '404') {
      switch(true) {
         case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false && $categorySEF != db('loginLink') ):
         # Patch/fix applied - Oct.08.07
         // case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator'))  && (!is_numeric($articleCatID)||$articleCatID!=$categoryID)):
         # Patch/fix applied Keyrocks 07/12
         case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator'))  && (!is_numeric($articleCatID) && $articleCatID!=$categoryID)):
         # un-patched string
         //case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator')) && !is_numeric($articleCatID)):
            header('Location: '.db('website').'404/'); exit;
            break;
      }
   }
   if ($categorySEF == '404') {header('HTTP/1.1 404 Not Found');}
   update_articles();
   if (isset($_POST['Loginform'])) {
      $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      // Username and password check string, for hard-coded $db variables at top of file only.
      if ($user === db('user') && $pass === db('pass') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
      //if (md5($user) === s('username') && md5($pass) === s('password') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
         $_SESSION[db('website').'Logged_In'] = token();
      }
   }
}
snews_startup();
See:
- incorrect category/article linking
and:
- PATCHED - snews.php (1.6) Updated: Jan.14.0

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #18 on: January 20, 2008, 07:18:53 PM »

On my sNews file I had a patched version of the startup function - Maybe first post should be updated with (the patch):

Thanks for the reminder Sven... the patch was identified and posted long after this mod was first posted. I've added it to the first post.  :)
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Joost

  • Guest
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #19 on: January 31, 2008, 06:40:19 AM »

Found this:
$_POST['Loginform'], as is, is checked as long as it is sent to index.php. To make use of the secret location, you would have to do something like this:


Code: [Select]
<?php
// Only process the login form when it was posted to the secret login location.
if ($categorySEF == db('loginLink')) {
   if (isset($_POST['Loginform'])) {
      $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      // Username and password check string, for hard-coded $db variables at top of file only.
      if ($user === db('user') && $pass === db('pass') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
      //if (md5($user) === s('username') && md5($pass) === s('password') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
         $_SESSION[db('website').'Logged_In'] = token();
      }
   }
}
?>

In function login

Change:
Code: [Select]
db('website').'administration/
to

Code: [Select]
db('website').db('loginLink').'/'
Consider putting the login check in function center.
The fix is not tested.
Logged

nukpana

  • Hero Member
  • *****
  • Karma: 71
  • Posts: 663
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #20 on: August 20, 2010, 10:08:50 AM »

For 1.7, this is untested but should work:

0. backup

1. In the #Constants section, at the end add:
Code: [Select]
// Secret Login Link
define('_LOGINSEF', 'logmein');
You can change the second parameter to whatever the secret link is

2. Remove 'login' from the cat_listSEF and add the login constant
Code: [Select]
$l['cat_listSEF'] = 'archive,contact,sitemap,'._LOGINSEF;
3. Slightly further down, do the same thing:
Code: [Select]
// die( notification(2,l('err_Login'), 'login'));
die( notification(2,l('err_Login'), _LOGINSEF));

4. In function center(), find the first line, comment it out and add the second
Code: [Select]
// case 'login':
case _LOGINSEF:

5. In function administration(), find the first line, comment it out and add the second:
Code: [Select]
// echo( notification(1,l('error_not_logged_in'),'login'));
echo( notification(1,l('error_not_logged_in'),_LOGINSEF));

** Suggestion **
6. In the index.php, instead of removing the login_link(), do this:
Code: [Select]
<?php if (_ADMIN) { echo '|  '; login_link(); } ?>
The whole footer line would be this:
Code: [Select]
<p>This site is powered by <a href="http://snewscms.com/" title="sNews CMS" onclick="target='_blank';">sNews</a> <?php if (_ADMIN) { echo '|  '; login_link(); } ?></p>
Logged

Sven

  • ULTIMATE member
  • ******
  • Karma: 88
  • Posts: 2029
  • Chasing MY bugs!
    • hiseo.fr - rédacteur Web
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #21 on: August 25, 2010, 12:12:57 PM »

Hello Jason
tested here, but the login link drives to a 404. ???

nukpana

  • Hero Member
  • *****
  • Karma: 71
  • Posts: 663
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #22 on: August 25, 2010, 01:28:56 PM »

Did you revise the cat_listSEF line?

Code: [Select]
// EQ
$l['cat_listSEF'] = 'archive,contact,sitemap,'._LOGINSEF;
// $l['cat_listSEF'] = 'archive,contact,sitemap,login';

Or in function center():

Code: [Select]
// EQ
// case 'login':
case _LOGINSEF:
login(); break;
Logged

Sven

  • ULTIMATE member
  • ******
  • Karma: 88
  • Posts: 2029
  • Chasing MY bugs!
    • hiseo.fr - rédacteur Web
Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
« Reply #23 on: August 25, 2010, 03:03:41 PM »

Yes I got those too. ???

EDIT: forgot a comma in the cat_listSEF.  Fixed!
« Last Edit: August 25, 2010, 03:08:22 PM by Sven »
Logged
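
Added example, not part of any post in this thread and not sNews code: a stand-alone PHP sketch of the slug check behind steps 1, 2 and 4 of the 1.7 procedure, showing how the old `login` URL and a `cat_listSEF` with a missing comma can both end in a 404, plus the POST gate suggested in reply #19. The functions `reserved_slugs()`, `route()` and `login_post_allowed()` are hypothetical, and both the comma-split matching of `cat_listSEF` and the position of the missing comma are assumptions.

```php
<?php
// Added illustration with simplified stand-ins; not sNews source code.
define('_LOGINSEF', 'logmein');   // secret slug, as in step 1 of the 1.7 procedure

// Assumption: reserved slugs are matched by splitting cat_listSEF on commas.
function reserved_slugs(string $catListSEF): array {
    return array_map('trim', explode(',', $catListSEF));
}

// Hypothetical router: returns 'login-form', 'page' or '404'
// for the first URL segment of a request.
function route(string $slug, string $catListSEF): string {
    if (!in_array($slug, reserved_slugs($catListSEF), true)) {
        return '404';
    }
    return $slug === _LOGINSEF ? 'login-form' : 'page';
}

// Reply #19's point: evaluate credentials only when the form
// was posted to the secret slug, not to any URL of the site.
function login_post_allowed(string $slug, array $post): bool {
    return $slug === _LOGINSEF && isset($post['Loginform']);
}

$correct      = 'archive,contact,sitemap,' . _LOGINSEF;
$missingComma = 'archive,contact,sitemap' . _LOGINSEF;  // last entry becomes "sitemaplogmein"

$requests = [
    ['logmein', $correct],       // secret slug is in the reserved list
    ['login',   $correct],       // default slug was removed from the list
    ['logmein', $missingComma],  // secret slug fused with "sitemap"
    ['sitemap', $missingComma],  // side effect: sitemap is no longer listed either
];
foreach ($requests as [$slug, $list]) {
    printf("%-8s with %-40s => %s\n", $slug, $list, route($slug, $list));
}

// Constructed POST data, submitted once to the secret slug and once elsewhere.
$post = ['Loginform' => '1'];
var_dump(login_post_allowed('logmein', $post));
var_dump(login_post_allowed('contact', $post));
```

A renamed login URL only hides the form; the username, password and captcha checks remain the actual access control.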