Updated for sNews 1.6 - May 27.07 (thanks to Codetwist for the extra function tweak!)
If you are using sNews 1.5.30 and getting hacked, you can upgrade to 1.5.31 to take advantage of the security changes. sNews 1.5.31 is basically the same as 1.5.30 in terms of functionality. So, if you want to keep using an existing 1.5.30 site but have the best of security, these simple modifications will do the trick.
If you have already upgraded to 1.5.31 or 1.6.0... but you aren't 100% confident in the security changes made to it, you can apply these mods and your site will be 100% secure against hacker intrusion even if our sNews hackers figure out how to get into the latest default 1.5.31 package.
IMPORTANT NOTE: This modification will only work properly in "single user" versions of sNews. It will work with the default releases of sNews 1.5.30, 1.5.31 and 1.6.0. It should (not tested) work with the sNews MESU (Modular, Enhanced, Single User) package.
It will not work with the sNews MEMU package or bakercad's MU package... since they have multiple-user functionality.
Step 1 - all 3 versions: Add the section below (shown in blue in the original post) to the db variables array at the top of snews.php. This gives you three variables allowing you to insert your own custom values for username, password and a secret name for your login function. These override the username and password settings in the database settings table, and make your login panel invisible.
// DATABASE VARIABLES
function db($variable) {
    $db = array();
    // uname & password over-ride - use only if not using dbase login info & check.
    $db['user'] = 'user_name'; // Insert login username
    $db['pass'] = 'pass_word'; // insert login password
    // login link replacement, example - snooby21
    // use the url to access the login panel - http://www.your-domain.com/snooby21/
    $db['loginLink'] = 'snooby21';
Step 2 - all 3 versions: Replace the login case string in function center by searching for the first string and replacing it with the two lines below it:
case 'login': login(); break;
// for your unique login link in URL
case db('loginLink'): login(); break;
Step 3 - 1.5.30: Search for and replace the startup function with both of these functions:
// STARTUP
# Use this function with hard-coded u-name & password override only.
function snews_startup() {
    connect_to_db();
    if (get_id('category') == "rss") {rss(); die;}
    update_articles();
    if (isset($_POST['Loginform'])) {
        $user = checkUserPass($_POST['uname']);
        $pass = checkUserPass($_POST['pass']);
        if ($user === db('user') && $pass === db('pass')) {
            $_SESSION[db('website').'Logged_In'] = 'True';
            $_SESSION['uname'] = s('username');
            $_SESSION['Website'] = db('website');
        }
    }
}
snews_startup();

// USER/PASS CHECK
# Use this function with hard-coded u-name & password override only.
function checkUserPass($input) { // checks the username/password entry and strips tags out of it.
    $output = clean(cleanXSS($input));
    # remove what's left of HTML tags
    $output = strip_tags($output);
    # user and pass: letters (a-z, A-Z) and digits only (ctype_alnum), min 4 / max 8 characters
    if (ctype_alnum($output) === true && strlen($output) > 3 && strlen($output) < 9) {
        return $output;
    } else {
        return null;
    }
}
Or, for 1.5.31: Search for and replace the startup function with this one:
// STARTUP
# Use this function with hard-coded u-name & password override only.
function snews_startup() {
    connect_to_db();
    if (get_id('category') == 'rss') {rss(); die;}
    update_articles();
    if (isset($_POST['Loginform'])) {
        $user = checkUserPass($_POST['uname']);
        $pass = checkUserPass($_POST['pass']);
        $inputCalc = is_numeric($_POST['calc']) ? $_POST['calc'] : null;
        $sum = is_numeric($_POST['sum']) ? $_POST['sum'] : null;
        $calc = $inputCalc === $sum ? $inputCalc : null;
        if ($user === db('user') && $pass === db('pass') && $calc) {
            $_SESSION[db('website').'Logged_In'] = token();
        }
    }
}
snews_startup();
Or, for 1.6: Search for and replace the startup function with this one (patched, Jan.20.08):
// STARTUP
# 1.60 - Use this function with hard-coded u-name, password & custom login link override only.
function snews_startup() {
    connect_to_db();
    $categorySEF = get_id('category');
    $articleSEF = get_id('article');
    if (false !== strpos($categorySEF, 'rss-')) {rss_contents($categorySEF, $articleSEF);}
    $homeSEF = l('home_sef');
    $categoryID = $categorySEF == $homeSEF ? 0 : retrieve('id', 'categories', 'seftitle', $categorySEF);
    $articleCatID = retrieve('category', 'articles', 'seftitle', $articleSEF);
    if (!empty($categorySEF) && $categorySEF != '404') {
        switch(true) {
            case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false && $categorySEF != db('loginLink')):
            case (!empty($articleSEF) && false === strpos($articleSEF, l('paginator')) && (!is_numeric($articleCatID) && $articleCatID != $categoryID)):
                header('Location: '.db('website').'404/'); exit;
                break;
        }
    }
    if ($categorySEF == '404') {header('HTTP/1.1 404 Not Found');}
    update_articles();
    if (isset($_POST['Loginform'])) {
        $user = checkUserPass($_POST['uname']);
        $pass = checkUserPass($_POST['pass']);
        // Username and password check string, for hard-coded $db variables at top of file only.
        if ($user === db('user') && $pass === db('pass') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
        //if (md5($user) === s('username') && md5($pass) === s('password') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
            $_SESSION[db('website').'Logged_In'] = token();
        }
    }
}
snews_startup();
Step 4 - remove the login function link - <? login_link(); ?> - from the footer (or wherever it is) in your index.php file.
Step 5 - In the Language Variables array, find this string and delete login from it (bram's note, added June 10.07):
$l['cat_listSEF'] = $l['home_sef'].',archive,contact,sitemap,rss-articles,rss-pages,rss-comments,login, administration,admin_category,admin_article,article_new,extra_new,page_new,categories,articles,extra_contents,pages,settings,files,logout';
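The login decision from Step 3 as a standalone PHP function, added here as an example (it is not sNews code): the same letters-and-digits, 4 to 8 character rule as checkUserPass, a constant-time comparison against the hard-coded values (hash_equals in place of the page's ===), and a math check whose expected answer is a server-side value, since in the 1.5.31 snippet both calc and sum are read from $_POST and that comparison only confirms the two form fields agree with each other. The names validate_login and check_user_pass, the $config array standing in for db('user')/db('pass'), and all sample values are constructed for this example.

```php
<?php
// Added example, not sNews code: the Step 3 login decision as a pure function.

// Same rule as checkUserPass(): after tag stripping, letters and digits only,
// 4 to 8 characters; anything else is rejected before any comparison happens.
function check_user_pass(string $input): ?string {
    $output = strip_tags($input);
    if (ctype_alnum($output) && strlen($output) >= 4 && strlen($output) <= 8) {
        return $output;
    }
    return null;
}

// True only when username, password and the math answer all check out.
// $config stands in for db('user') / db('pass'); $expected_sum stands in for a
// value stored server-side (e.g. in $_SESSION) when the login form was rendered.
function validate_login(array $post, array $config, int $expected_sum): bool {
    if (!isset($post['Loginform'], $post['uname'], $post['pass'], $post['calc'])) {
        return false;
    }
    $user = check_user_pass((string) $post['uname']);
    $pass = check_user_pass((string) $post['pass']);
    if ($user === null || $pass === null) {
        return false;
    }
    // hash_equals() keeps the comparison time independent of how much matched.
    $user_ok = hash_equals($config['user'], $user);
    $pass_ok = hash_equals($config['pass'], $pass);
    // The answer is checked against the server-side value, not another form field.
    $calc_ok = ctype_digit((string) $post['calc']) && (int) $post['calc'] === $expected_sum;
    return $user_ok && $pass_ok && $calc_ok;
}

// Constructed sample data standing in for the db() overrides and $_POST.
$config = ['user' => 'user1234', 'pass' => 'pass5678'];
$expected_sum = 7; // the rendered form asked for 3 + 4

$attempts = [
    'valid login'        => ['Loginform' => 1, 'uname' => 'user1234', 'pass' => 'pass5678', 'calc' => '7'],
    'wrong math answer'  => ['Loginform' => 1, 'uname' => 'user1234', 'pass' => 'pass5678', 'calc' => '8'],
    'tags stripped, ok'  => ['Loginform' => 1, 'uname' => '<b>user1234</b>', 'pass' => 'pass5678', 'calc' => '7'],
    'space in password'  => ['Loginform' => 1, 'uname' => 'user1234', 'pass' => 'pass 5678', 'calc' => '7'],
    'password too long'  => ['Loginform' => 1, 'uname' => 'user1234', 'pass' => 'pass56789', 'calc' => '7'],
];
foreach ($attempts as $label => $post) {
    printf("%-20s %s\n", $label, validate_login($post, $config, $expected_sum) ? 'accepted' : 'rejected');
}
```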
When you want to login, insert the URL to your secret login function in your browser address bar. Once you have it displayed, save this URL in an easily accessible folder in your Favorites. Use this link to access your site's login page from now on.
Added Jan.20.08: As an added bonus... if you'd like to be able to change the path-name to your login panel now and then... from the Settings Admin Panel instead of editing the engine file... this mod will add this to your Settings Admin Panel.
Oh... and I forgot to mention... (though it is rather obvious)... make sure you enter your username and password in the new variable strings at the top of snews.php so they'll be there to check against your entries in the login panel.
