Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Keyrocks]

Updated for sNews 1.6 - May 27.07 (thanks to Codetwist for the extra function tweak!)
If you are using sNews 1.5.30 and getting hacked, you can upgrade to 1.5.31 to take advantage of the security changes. sNews 1.5.31 is basically the same as 1.5.30 in terms of functionality. So, if you want to keep using an existing 1.5.30 site but have the best of security, these simple modifications will do the trick.

If you have already upgraded to 1.5.31 or 1.6.0... but you aren't 100% confident in the security changes made to it, you can apply these mods and your site will be 100% secure against hacker intrusion even if our sNews hackers figure out how to get into the latest default 1.5.31 package.

IMPORTANT NOTE: This modification will only work properly in "single user" versions of sNews. It will work with the default releases of sNews 1.5.30, 1.5.31 and 1.6.0. It should (not tested) work with the sNews MESU (Modular, Enhanced, Single User) package. It will not work with the sNews MEMU package or bakercad's MU package... since they have multiple-user functionality.

Step 1 - all 3 versions: Add the blue section into the db variables array at the top of snews.php. This gives you three variables allowing you to insert your own custom values for username, password and a secret name for your login function. These will over-ride the username and password settings in the database settings table, and make your login panel invisible.

// DATABASE VARIABLES
function db($variable) {
   $db = array();
   // uname & password over-ride - use only if not using dbase login info & check.
   $db['user'] = 'user_name'; // Insert login username
   $db['pass'] = 'pass_word'; // insert login password
   // login link replacement, example - snooby21
   // use the url to access the login panel - http://www.your-domain.com/snooby21/
   $db['loginLink'] = 'snooby21';

Step 2 - all 3 versions: Replace the login case string in function center by searching for the first string and replacing it with the two lines below it:

case 'login': login(); break;

   // for your unique login link in URL
   case db('loginLink'): login(); break;

Step 3 - 1.5.30: Search for and replace the startup function with both of these functions:

// STARTUP
# Use this function with hard-coded u-name & password override only.
function snews_startup() {
   connect_to_db();
   if (get_id('category') == "rss") {rss(); die;}
   update_articles();
   if (isset($_POST['Loginform'])) {
           $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      if ($user === db('user') && $pass === db('pass')) {
      $_SESSION[db('website').'Logged_In'] = 'True'; $_SESSION['uname'] = s('username'); $_SESSION['Website'] = db('website');
} } }
snews_startup();

// USER/PASS CHECK
# Use this function with hard-coded u-name & password override only.
function checkUserPass($input) {  // checks and strips tags out of username entry.
   $output = clean(cleanXSS($input));
   # remove what's left of HTML tags
   $output = strip_tags($output);
   # user and pass: non-english characters and numbers only, min 4/ max 8
   if (ctype_alnum($output) === true && strlen($output) > 3 && strlen($output) < 9) {
      return $output;
   }
   else {return null;}
}

Or, for 1.5.31: Search for and replace the startup function with this one:

// STARTUP
# Use this function with hard-coded u-name & password override only.
function snews_startup() {
   connect_to_db();
   if (get_id('category') == 'rss') {rss(); die;}
   update_articles();
   if (isset($_POST['Loginform'])) {
      $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      $inputCalc = is_numeric($_POST['calc']) ? $_POST['calc'] : null;
      $sum = is_numeric($_POST['sum']) ? $_POST['sum'] : null;
      $calc = $inputCalc === $sum ? $inputCalc : null;
      if ($user === db('user') && $pass === db('pass') && $calc) {
      $_SESSION[db('website').'Logged_In'] = token();
      }
   }
}
snews_startup();

Or, for 1.6: Search for and replace the startup function with this one (patched, Jan.20.08):

// STARTUP
# 1.60 - Use this function with hard-coded u-name, password & custom login link override only.
function snews_startup() {
   connect_to_db();
   $categorySEF = get_id('category');
   $articleSEF = get_id('article');
   if (false !== strpos($categorySEF, 'rss-')) {rss_contents($categorySEF, $articleSEF);}
   $homeSEF = l('home_sef');
   $categoryID = $categorySEF == $homeSEF ? 0 : retrieve('id', 'categories', 'seftitle', $categorySEF);
   $articleCatID = retrieve('category', 'articles', 'seftitle', $articleSEF);
if (!empty($categorySEF) && $categorySEF != '404') {
        switch(true) {
            case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false && $categorySEF != db('loginLink') ):
            case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator')) && (!is_numeric($articleCatID) && $articleCatID!=$categoryID)):
            header('Location: '.db('website').'404/'); exit;
        break;
        }
    }
   if ($categorySEF == '404') {header('HTTP/1.1 404 Not Found');}
   update_articles();
   if (isset($_POST['Loginform'])) {
      $user = checkUserPass($_POST['uname']);
      $pass = checkUserPass($_POST['pass']);
      // Username and password check string, for hard-coded $db variables at top of file only.
      if ($user === db('user') && $pass === db('pass') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
      //if (md5($user) === s('username') && md5($pass) === s('password') && mathCaptcha($_POST['calc'], $_POST['sum'])) {
         $_SESSION[db('website').'Logged_In'] = token();
}}}
snews_startup();

Step 4 - remove the login function link  - <? login_link(); ?> - from the footer (or wherever it is) in your index.php file.

Step 5 - In the Language Variables array - find this string and delete login from it (bram's note, added June 10.07):

$l['cat_listSEF'] = $l['home_sef'].',archive,contact,sitemap,rss-articles,rss-pages,rss-comments,login, administration,admin_category,admin_article,article_new,extra_new,page_new,
categories,articles,extra_contents,pages,settings,files,logout';

When you want to login, insert the URL to your secret login function in your browser address bar. Once you have it displayed, save this URL in an easily accessible folder in your Favorites. Use this link to access your site's login page from now on.

Added Jan.20.08:
As an added bonus... if you'd like to be able to change the path-name to your login panel now and then... from the Settings Admin Panel instead of editing the engine file... this mod will add this to your Settings Admin Panel.

Oh... and I forgot to mention... (tho it is rather obvious)... make sure you enter your username and password in the new variable strings at the top of snews.php so they'll be there to check against your entries in the login panel.

[piXelatedEmpire]

*Sticky this thread*

[Linc]

I s this alright to use for 1.6? I mean, it seems to work, but the the startup function has changed considerably in 1.6. I'm not sure about flat-out replacing it. I just want to use the custom login link functionality.

[tyee]

Yes, I'm wondering too whether I can do this for 1.6 before I actually upgrade?

[Keyrocks]

The password override mod works in 1.6 but... for some reason I've not been able to understand yet... the custom login link only works if the value in the variable is set to "login". Which is why I haven't updated it for 1.6 yet.

MIKA... if you are reading this... have you any idea why the custom login link mod only works with the variable value set as "login" in 1.6 while any value works in 1.5.31?

[Linc]

The password override mod works in 1.6 but... for some reason I've not been able to understand yet... the custom login link only works if the value in the variable is set to "login". Which is why I haven't updated it for 1.6 yet.

I don't know if this'll help you or not, but if I make a category named snooby21 (i.e. the name of the custom login link), the login link works. I reckon the problem lies in the new startup function, but that's about as far as I've gotten.

[codetwist]

IMHO for this MOD following check at snews_startup() :

Code: [Select]

if (!empty($categorySEF) && $categorySEF != '404') {
switch(true) {
case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false):
case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator')) && !is_numeric($articleCatID)):
header('Location: '.db('website').'404/'); exit;
    break;
}
}should be extended with test for custom login string:

Code: [Select]

if (!empty($categorySEF) && $categorySEF != '404') {
switch(true) {
case ((!$categoryID || !is_numeric($categoryID)) && check_category($categorySEF) == false && $categorySEF != db('loginLink') ):
case (!empty($articleSEF) && false === strpos($articleSEF,l('paginator')) && !is_numeric($articleCatID)):
header('Location: '.db('website').'404/'); exit;
    break;
}
}

[Linc]

That works, of course. There's some damn smart people on this forum, thankfully.

Much obliged, codetwist.

[Keyrocks]

@ codetwist...
Thanks for the solution. Works great. I've added the 1.6 startuup function to the first post in this string. I'll post the updated version to the 1.6 Mods section as a co-mod.

[centered]

Awesome mod

For 1.4: (NOT FULLY TESTED!!!)
Following Keyrocks first thread:

0. backup!

1.  Add this underneath

Code: [Select]

$s['prefix'] = ""; // Table prefix for multiple sNews systems on one database (if you don't need it just leave it blank)Add

Code: [Select]

    // login link replacement, example - snooby21
    // use the url to access the login panel - http://www.your-domain.com/snooby21/
    $s['loginLink'] = 'snooby21';2. in the center reaplce the login case

Code: [Select]

// case "login":
// login();
// break;
case s('loginLink'): login(); break;3. Not sure what is going on here.. so I didn't try and change anything but....
3a.  In display menu_items , replace the loggin in part with

Code: [Select]

if (isset($_SESSION['Logged_In'])) {
echo "<li><a href='" .s('website'). "categories/'>". l('categories') ."</a></li>";
echo "<li><a href='" .s('website'). "new/'>". l('new_article') ."</a></li>";
echo "<li><a href='" .s('website'). "unpublished/'>". l('unpublished_articles') ."</a></li>";
echo "<li><a href='" .s('website'). "images/'>". l('images') ."</a></li>";
echo "<li><a href='". s('website') ."logout/'>". l('logout') ."</a></li>";
}This adds a logout link while you are logged in without having to go back to your loginlink again

[mattonik]

wow great mod:) like it, including in my enhanced admin edition

[bramsyuur]

@Key's and all users of this MOD:
You need to remove the 'hardcoded' word login from the "System Variables $l['cat_listSEF']" section to prevent to be showed in the breadcrumbs line tags. I you don't remove it, you don't get an 404 error and all seems to be good.

[Keyrocks]

Thanks for the 'heads up' Bram. I'll add this to the first post.

[Armen]

Just a friendly tip: why don't you move this sticky to the 1.6 forum.

I don't think new snews users even know about these useful technics.

[Keyrocks]

Thanks for suggestion Armen... I posted a new topic there and linked it to this topic.