sNews Forum

Previous sNews versions => sNews 1.5 Final => Mods/addons => Topic started by: Keyrocks on May 08, 2007, 08:58:51 pm

Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Keyrocks on May 08, 2007, 08:58:51 pm
Updated for sNews 1.6 - May 27.07 (thanks to Codetwist for the extra function tweak!)
If you are using sNews 1.5.30 and getting hacked, you can upgrade to 1.5.31 to take advantage of the security changes. sNews 1.5.31 is basically the same as 1.5.30 in terms of functionality. So, if you want to keep using an existing 1.5.30 site but have the best of security, these simple modifications will do the trick.

If you have already upgraded to 1.5.31 or 1.6.0... but you aren't 100% confident in the security changes made to it, you can apply these mods and your site will be 100% secure against hacker intrusion even if our sNews hackers figure out how to get into the latest default 1.5.31 package.

IMPORTANT NOTE: This modification will only work properly in "single user" versions of sNews. It will work with the default releases of sNews 1.5.30, 1.5.31 and 1.6.0. It should (not tested) work with the sNews MESU (Modular, Enhanced, Single User) package. It will not work with the sNews MEMU package or bakercad's MU package... since they have multiple-user functionality.

Step 1 - all 3 versions: Add the blue section into the db variables array at the top of snews.php. This gives you three variables allowing you to insert your own custom values for username, password and a secret name for your login function. These will over-ride the username and password settings in the database settings table, and make your login panel invisible.
Quote
// DATABASE VARIABLES
function db($variable) {
   $db = array();
   // uname & password over-ride - use only if not using dbase login info & check.
   $db['user'] = 'user_name'; // Insert login username
   $db['pass'] = 'pass_word'; // insert login password
   // login link replacement, example - snooby21
   // use the url to access the login panel - http://www.your-domain.com/snooby21/
   $db['loginLink'] = 'snooby21';
Step 2 - all 3 versions: Replace the login case string in function center by searching for the first string and replacing it with the two lines below it:
Quote
case 'login': login(); break;

   // for your unique login link in URL
   case db('loginLink'): login(); break;
Step 3 - 1.5.30: Search for and replace the startup function with both of these functions:
Quote
// STARTUP
# Use this function with hard-coded u-name & password override only.
function snews_startup() {
   connect_to_db();
   if (get_id('category') == "rss") {rss(); die;}
   update_articles();
   if (isset($_POST['Loginform'])) {
           $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      if ($user === db('user') && $pass === db('pass')) {
      $_SESSION[db('website').'Logged_In'] = 'True'; $_SESSION['uname'] = s('username'); $_SESSION['Website'] = db('website');
} } }
snews_startup();

// USER/PASS CHECK
# Use this function with hard-coded u-name & password override only.
function checkUserPass($input) {  // checks and strips tags out of username entry.
   $output = clean(cleanXSS($input));
   # remove what's left of HTML tags
   $output = strip_tags($output);
   # user and pass: non-english characters and numbers only, min 4/ max 8
   if (ctype_alnum($output) === true && strlen($output) > 3 && strlen($output) < 9) {
      return $output;
   }
   else {return null;}
}
Or, for 1.5.31: Search for and replace the startup function with this one:
Quote
// STARTUP
# Use this function with hard-coded u-name & password override only.
function snews_startup() {
   connect_to_db();
   if (get_id('category') == 'rss') {rss(); die;}
   update_articles();
   if (isset($_POST['Loginform'])) {
      $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      $inputCalc = is_numeric($_POST['calc']) ? $_POST['calc'] : null;
      $sum = is_numeric($_POST['sum']) ? $_POST['sum'] : null;
      $calc = $inputCalc === $sum ? $inputCalc : null;
      if ($user === db('user') && $pass === db('pass') && $calc) {
      $_SESSION[db('website').'Logged_In'] = token();
      }
   }
}
snews_startup();
Or, for 1.6: Search for and replace the startup function with this one (patched, Jan.20.08):
Quote
// STARTUP
# 1.60 - Use this function with hard-coded u-name, password & custom login link override only.
function snews_startup() {
   connect_to_db();
   $categorySEF = get_id('category');
   $articleSEF = get_id('article');
   if (false !== strpos($categorySEF, 'rss-')) {rss_contents($categorySEF, $articleSEF);}
   $homeSEF = l('home_sef');
   $categoryID = $categorySEF == $homeSEF ? 0 : retrieve('id', 'categories', 'seftitle', $categorySEF);
   $articleCatID = retrieve('category', 'articles', 'seftitle', $articleSEF);
if (!empty($categorySEF) && $categorySEF != '404') {
        switch(true) {
            case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false && $categorySEF != db('loginLink') ):
            case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator')) && (!is_numeric($articleCatID) && $articleCatID!=$categoryID)):
            header('Location: '.db('website').'404/'); exit;
        break;
        }
    }
   if ($categorySEF == '404') {header('HTTP/1.1 404 Not Found');}
   update_articles();
   if (isset($_POST['Loginform'])) {
      $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      // Username and password check string, for hard-coded $db variables at top of file only.
      if ($user === db('user') && $pass === db('pass') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
      //if (md5($user) === s('username') && md5($pass) === s('password') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
         $_SESSION[db('website').'Logged_In'] = token();
}}}
snews_startup();
Step 4 - remove the login function link  - <? login_link(); ?> - from the footer (or wherever it is) in your index.php file.

Step 5 - In the Language Variables array - find this string and delete login from it (bram's note, added June 10.07):
Quote
$l['cat_listSEF'] = $l['home_sef'].',archive,contact,sitemap,rss-articles,rss-pages,rss-comments,login, administration,admin_category,admin_article,article_new,extra_new,page_new,
categories,articles,extra_contents,pages,settings,files,logout';
When you want to login, insert the URL to your secret login function in your browser address bar. Once you have it displayed, save this URL in an easily accessible folder in your Favorites. Use this link to access your site's login page from now on.

Added Jan.20.08:
As an added bonus... if you'd like to be able to change the path-name to your login panel now and then... from the Settings Admin Panel instead of editing the engine file... this mod (http://snewscms.com/forum/index.php?topic=6582.0) will add this to your Settings Admin Panel.

Oh... and I forgot to mention... (tho it is rather obvious)... make sure you enter your username and password in the new variable strings at the top of snews.php so they'll be there to check against your entries in the login panel. :)
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: piXelatedEmpire on May 09, 2007, 02:26:22 am
*Sticky this thread*
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Linc on May 20, 2007, 04:16:20 am
I s this alright to use for 1.6? I mean, it seems to work, but the the startup function has changed considerably in 1.6. I'm not sure about flat-out replacing it. I just want to use the custom login link functionality.
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: tyee on May 20, 2007, 08:14:56 pm
Yes, I'm wondering too whether I can do this for 1.6 before I actually upgrade?
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Keyrocks on May 21, 2007, 02:16:58 am
The password override mod works in 1.6 but... for some reason I've not been able to understand yet... the custom login link only works if the value in the variable is set to "login". Which is why I haven't updated it for 1.6 yet.

MIKA... if you are reading this... have you any idea why the custom login link mod only works with the variable value set as "login" in 1.6 while any value works in 1.5.31?
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Linc on May 27, 2007, 06:50:20 pm
Quote from: keyrocks
The password override mod works in 1.6 but... for some reason I've not been able to understand yet... the custom login link only works if the value in the variable is set to "login". Which is why I haven't updated it for 1.6 yet.
I don't know if this'll help you or not, but if I make a category named snooby21 (i.e. the name of the custom login link), the login link works. I reckon the problem lies in the new startup function, but that's about as far as I've gotten.
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: codetwist on May 27, 2007, 07:16:17 pm
IMHO for this MOD following check at snews_startup() :
Code: [Select]
if (!empty($categorySEF) && $categorySEF != '404') {
switch(true) {
case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false):
case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator')) && !is_numeric($articleCatID)):
header('Location: '.db('website').'404/'); exit;
    break;
}
}
should be extended with test for custom login string:
Code: [Select]
if (!empty($categorySEF) && $categorySEF != '404') {
switch(true) {
case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false && $categorySEF != db('loginLink') ):
case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator')) && !is_numeric($articleCatID)):
header('Location: '.db('website').'404/'); exit;
    break;
}
}
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Linc on May 27, 2007, 07:30:07 pm
That works, of course. There's some damn smart people on this forum, thankfully.

Much obliged, codetwist.
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Keyrocks on May 27, 2007, 08:16:48 pm
@ codetwist...
Thanks for the solution. Works great. I've added the 1.6 startuup function to the first post in this string. I'll post the updated version to the 1.6 Mods section as a co-mod. :)
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: centered on June 06, 2007, 02:34:39 pm
Awesome mod

For 1.4: (NOT FULLY TESTED!!!)
Following Keyrocks first thread:

0. backup!

1.  Add this underneath
Code: [Select]
$s['prefix'] = ""; // Table prefix for multiple sNews systems on one database (if you don't need it just leave it blank)Add
Code: [Select]
    // login link replacement, example - snooby21
    // use the url to access the login panel - http://www.your-domain.com/snooby21/
    $s['loginLink'] = 'snooby21';
2. in the center reaplce the login case
Code: [Select]
// case "login":
// login();
// break;
case s('loginLink'): login(); break;
3. Not sure what is going on here.. so I didn't try and change anything but....
3a.  In display menu_items , replace the loggin in part with
Code: [Select]
if (isset($_SESSION['Logged_In'])) {
echo "<li><a href='" .s('website'). "categories/'>". l('categories') ."</a></li>";
echo "<li><a href='" .s('website'). "new/'>". l('new_article') ."</a></li>";
echo "<li><a href='" .s('website'). "unpublished/'>". l('unpublished_articles') ."</a></li>";
echo "<li><a href='" .s('website'). "images/'>". l('images') ."</a></li>";
echo "<li><a href='". s('website') ."logout/'>". l('logout') ."</a></li>";
}
This adds a logout link while you are logged in without having to go back to your loginlink again
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: mattonik on June 08, 2007, 12:52:01 pm
wow great mod:) like it, including in my enhanced admin edition
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: bramsyuur on June 10, 2007, 01:21:55 am
@Key's and all users of this MOD:
You need to remove the 'hardcoded' word login from the "System Variables $l['cat_listSEF']" section to prevent to be showed in the breadcrumbs line tags. I you don't remove it, you don't get an 404 error and all seems to be good. :)
Title: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Keyrocks on June 10, 2007, 09:59:40 pm
Thanks for the 'heads up' Bram. I'll add this to the first post. :)
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Armen on October 03, 2007, 11:36:47 am
Just a friendly tip: why don't you move this sticky to the 1.6 forum.

I don't think new snews users even know about these useful technics.
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Keyrocks on October 03, 2007, 03:30:59 pm
Thanks for suggestion Armen... I posted a new topic there and linked it to this topic.  ;)
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: mfaraklit on October 17, 2007, 04:00:30 pm
i applied all process. in the snews 1,6 MEMU but i didnt not occur. so there now a login problem exist. how i repair? again install??
Thanks
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Keyrocks on October 17, 2007, 05:06:48 pm
Please note that this mod is only meant to be used in the default releases of sNews. You definitely do not want to try using it with the MEMU or backercad's MU packages because they are programmed to provide Multiple User functionality. You cannot over-ride many usernames and passwords with one hard-coded uname and password.  ;)
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Sven on January 20, 2008, 11:34:23 am
Applied: it's working well.
Thnaks a lot Doug
On my sNews file I had a patched version of the startup function
Maybe first post should be updated with:
Quote
function snews_startup() {
   connect_to_db();
   $categorySEF = get_id('category');
   $articleSEF = get_id('article');
   if (false !== strpos($categorySEF, 'rss-')) {rss_contents($categorySEF, $articleSEF);}
   $homeSEF = l('home_sef');
   $categoryID = $categorySEF == $homeSEF ? 0 : retrieve('id', 'categories', 'seftitle', $categorySEF);
   $articleCatID = retrieve('category', 'articles', 'seftitle', $articleSEF);
if (!empty($categorySEF) && $categorySEF != '404') {
        switch(true) {
            case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false && $categorySEF != db('loginLink') ):
         # Patch/fix applied - Oct.08.07
         // case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator'))  && (!is_numeric($articleCatID)||$articleCatID!=$categoryID)):
         # Patch/fix applied Keyrocks 07/12
         case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator'))  && (!is_numeric($articleCatID) && $articleCatID!=$categoryID)):
         # un-patched string
         //case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator')) && !is_numeric($articleCatID)):
         header('Location: '.db('website').'404/'); exit;
       break;
      }
   }
   if ($categorySEF == '404') {header('HTTP/1.1 404 Not Found');}
   update_articles();
   if (isset($_POST['Loginform'])) {
      $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      // Username and password check string, for hard-coded $db variables at top of file only.
      if ($user === db('user') && $pass === db('pass') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
      //if (md5($user) === s('username') && md5($pass) === s('password') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
         $_SESSION[db('website').'Logged_In'] = token();
}}}
snews_startup();
See:
- incorrect category/article linking  (http://snewscms.com/forum/index.php?topic=4728.0)
and:
- PATCHED - snews.php (1.6) Updated: Jan.14.0 (http://snewscms.com/forum/index.php?topic=6076.0)
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Keyrocks on January 20, 2008, 07:18:53 pm
On my sNews file I had a patched version of the startup function - Maybe first post should be updated with (the patch):

Thanks for the reminder Sven... the patch was identified and posted long after this mod was first posted. I've added it to the first post.  :)
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Joost on January 31, 2008, 06:40:19 am
Found this:
$_POST['Loginform'] as is  checked as long as it is send to index.php. To make use of the secret location, you would have to do something like this:


Code: [Select]
<?php
if ($categorySEF == db('loginLink')'){

 if (isset($_POST['
Loginform'])) {
      $user = checkUserPass($_POST['
uname']);
      $pass = checkUserPass($_POST['
pass']);
      // Username and password check string, for hard-coded $db variables at top of file only.
      if ($user === db('
user') && $pass === db('pass') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
      //if (md5($user) === s('
username') && md5($pass) === s('password') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
         $_SESSION[db('
website').'Logged_In'] = token();}

}
?>

In function login

Change:
Code: [Select]
db('website').'administration/
to

Code: [Select]
db('website').'db('loginLink').'/'
Consider putting the inlog check in function center.
The fix is not tested.
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: nukpana on August 20, 2010, 10:08:50 am
For 1.7, this is untested but should work:

0. backup

1. In the #Contstants section, at the end add:
Code: [Select]
// Secret Login Link
define('_LOGINSEF', 'logmein');
You can change the second parameter to whatever the secret link is

2. Remove 'login' from the cat_listSEF and add the login constant
Code: [Select]
$l['cat_listSEF'] = 'archive,contact,sitemap,'._LOGINSEF;
3. Slightly further down, do the same thing:
Code: [Select]
// die( notification(2,l('err_Login'), 'login'));
die( notification(2,l('err_Login'), _LOGINSEF));

4. In function center(), find the first line, comment it out and add the second
Code: [Select]
// case 'login':
case _LOGINSEF:

5. In function administration(), find the first line, comment it out and add the second:
Code: [Select]
// echo( notification(1,l('error_not_logged_in'),'login'));
echo( notification(1,l('error_not_logged_in'),_LOGINSEF));

** Suggestion **
6. In the index.php, instead of removing the login_link(), do this:
Code: [Select]
<?php if (_ADMIN) { echo '|  'login_link(); } ?>
The whole footer line would be this:
Code: [Select]
<p>This site is powered by <a href="http://snewscms.com/" title="sNews CMS" onclick="target='_blank';">sNews</a> <?php if (_ADMIN) { echo '|  'login_link(); } ?></p>
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Sven on August 25, 2010, 12:12:57 pm
Hello Jason
tested here, but the login link drives to a 404. ???
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: nukpana on August 25, 2010, 01:28:56 pm
Did you revise the cat_listSEF line?

Code: [Select]
// EQ
$l['cat_listSEF'] = 'archive,contact,sitemap,'._LOGINSEF;
// $l['cat_listSEF'] = 'archive,contact,sitemap,login';

Or in function center():

Code: [Select]
// EQ
// case 'login':
case _LOGINSEF:
login(); break;
Title: Re: SIMPLE SECURITY MOD - for 1.5.30 - 1.5.31 - 1.60
Post by: Sven on August 25, 2010, 03:03:41 pm
Yes I got those too. ???

EDIT: forgot a comma in the cat_listSEF.  Fixed!