HackVersion: BETA 2.1

German:

Mit diesem Hack k?nnt ihr ein Board mit einem Passwortschutz versehen.
Das Passwort wird im Adminbereich unter:

Forums and Moderators
--> modify
---> das board w?hlen

eingegeben.

Dieser Hack ist erst einmal eine BETA. In der Endversion Soll der Hack sollen die gesch?tzten Beitr?ge auch nicht von einem unberechtigten ?ber die Suchfunktion
gefunden werden k?nnen und man soll auch den Zugriff auf die gesch?tzten Boards selbst wieder (als normaler member) aufheben k?nnen.

Hack ansehen:
Gesch?tztes Board:
http://www.the-afterburner.com/vbulletin/forumdisplay.php?s=&forumid=30
Ein Topic in diesem Board:
http://www.the-afterburner.com/vbulletin/showthread.php?s=&threadid=1029

Der Hack im Anhang ist in Deutsch

English:

You can make a board password protected with this hack.
You can insert the password here:

Forums and Moderators
--> modify
---> choose a board

Remember this is only a BETA

suggestion for the final:
- no matches in the searchengine if a board is protected and the member hasn?t access to this board
- unsubscribe a access to a password protected board

Sorry for my english

see this hack in action:
protected board:
http://www.the-afterburner.com/vbulletin/forumdisplay.php?s=&forumid=30
a topic in a protected board:
http://www.the-afterburner.com/vbulletin/showthread.php?s=&threadid=1029

the hack in the attachment is in german the english version is below in a reply.

@ VB Support

If you want to use this Hack in your next version - you can do this


UPDATED 30.08.2001 to BETA 2.1

nice :)

here is the english version of this hack

What is the password? btw if you try to login to the thread it says no forum is specified...

I cant post the password of my example link because its my xxx section and if a "no adult" it read this member has access to aduld stuff.

I will check the bug

OK I fixed the bug.
Now BETA 1.1 is available

If you installed BETA 1.0

replace the:
"fehler_password_showtopic" template
with:

English:


<center>A password is required to enter this forum. Please enter it below: <br>
<form action="forumdisplay.php" method="POST">
<input type="password" name="password">
<br>
<input type="hidden" name="action" value="dopassword">
<input type="hidden" name="forumid" value=$thread[forumid]>
<input type="submit" value="Abschicken">
</form></center>


German:


<center>Du ben?tigst ein Passwort um dieses Topic zu lesen.<br>Bitte das Passwort hier eingeben und auf Abschicken klicken: <br>
<form action="forumdisplay.php" method="POST">
<input type="password" name="password">
<br>
<input type="hidden" name="action" value="dopassword">
<input type="hidden" name="forumid" value=$thread[forumid]>
<input type="submit" value="Abschicken">
</form></center>

GREAT hack!!

BETA 2 is available

now you can protect each board with a different passwort
to download click on the attachment in the first postings

nice hack whens beta 3 coming lol

Originally posted by Afterburner
BETA 2 is available

now you can protect each board with a different passwort
to download click on the attachment in the first postings

after install this hack, there are a databases error while use cp add new member.

@ pipi

What kind of error ? I need the error message.
I dont have this problem on my board

Originally posted by Afterburner
@ pipi

What kind of error ? I need the error message.
I dont have this problem on my board

error message as below, thanks

Database error in vBulletin: Invalid SQL: UPDATE userfield SET userspezial43=1
WHERE userid='2'
mysql error: Unknown column 'userspezial43' in 'field list'
mysql error number: 1054
Date: Thursday 30th of August 2001 12:29:46 AM
Script: /forums/forumdisplay.php

ok, here is the fix:

open the user.php from your admin folder, look for this code:


$sql = "";
$profilefields=$DB_site->query("SELECT profilefieldid,title FROM profilefield");
while ($profilefield=$DB_site->fetch_array($profilefields)) {
$varname="field$profilefield[profilefieldid]";
$sql.=",'".addslashes($$varname)."'";
}
$DB_site->query("INSERT INTO userfield VALUES ($userid$sql)");

$action="modify";

echo "<p>Record added</p>";

}



and replace the code with this code:


$sql = "";
$userfieldsnames="(userid";
$profilefields=$DB_site->query("SELECT profilefieldid,title FROM profilefield");
while ($profilefield=$DB_site->fetch_array($profilefields)) {
$userfieldsnames.=",field$profilefield[profilefieldid]";
$varname="field$profilefield[profilefieldid]";
$sql.=",'".addslashes($$varname)."'";
}
$userfieldsnames.=')';
$DB_site->query("INSERT INTO userfield $userfieldsnames VALUES ($userid$sql)");

$action="modify";

echo "<p>Record added</p>";

}

I uploaded the new version, if you have installed BETA 2 you can update with the steps in the post before

Hmmm slight prob i've added the hack without any errors, i ran the passwordhack.php first and deleted it after. and it said that it had completed the tables and to carry on with the Hack itself, so now i've finished it the board looks no different at all ????? there's no options in the control panel that i can see where you enter the password ?? Or an i missing something here :))))))))

any demo please ! thanks !

there's a demo on the first Post :) and that's what i can't see :) :)

go to your control panel
click on modify (Forums and Moderators)
choose a board and insert a password, up to now this board is password protected

Is it just me or is this the most un-secure password protect set-up around?

Please don't think me rude.......I installed this and there are holes everywhere.

First of all I have vbportal installed. Understandably....this was not written to accomidate that but aside fro those holes in the vb forum itself there is the link at the top of the main forum page "Active Posts" (or something like that).........then there is the little button by the membername in the table on the main forum page for "last post" (or something).....then there is the search feature.......do a search on the membername you see as the last poster in the forum nad with the results you are in......plus...once someone gets in.....if they never log out.....you can't get them out.....they will be able to waltz right in without any logins or anything.....and let's not forget about clicking on the membername of the last poster on the front of that forum and in his profile there is the link to a post inside and you are in again.

Is there any updates to this hack that will close all these holes?

I really want this to work because I don't want to make the forum private...it is too much work to add all the names

Thanks in advance....drives

You can see the titel of the postings but you can´t access the boards wich are protected. This is only a "see the topic title hole"

then is it a cookie thing that allows me to get in that forum from all these links everywhere?

I cleared all cookies, temp internet files, everything but all I have to do is login to my board and go to that forum and I am in.

The only time I can't get in is if I am not logged into the board

Originally posted by drives_fast
then is it a cookie thing that allows me to get in that forum from all these links everywhere?

I cleared all cookies, temp internet files, everything but all I have to do is login to my board and go to that forum and I am in.

The only time I can't get in is if I am not logged into the board

yes this is right, if you insert the correct password you are able to access the board every time, this settings are in your profile in the database, see in the instruction file from the hack there you can find my suggestions for the next version:
unsubscribe a password protected board.

is there any way to get those that have already gotten in through a hole out?

is it possible to code in that the cookie not be set for access to the protected forum?

in other words.....make it so everyone with the password have to put it in every time they visit that forum?

I have some that got in.......I need to be able to get them out

Well....after further investigation....there are definately holes in this.

I registered a name and then tried to access the protected forum......could not get in.....good.

I removed all instances of "view new posts" or anything similar

went to the search feature.....typed in a name of someone that posted in the protected forum.....boom...there are the links and yes.....you can click them and get in. (mind you that I never entered a password to access the protected forum before trying these things)

backed out of that and went to that members profile and clicked on the last post (in the protected forum) and boom.....in again

So I say....there are holes in this.

I tried these thing on your board (afterburner) and they did not work......maybe some tweaks you did to yours that aren't documented in the installation file?

I really want this to work but need some help to make it either not search and list threads in protected forums from every angle or something......

anybody....please?

did you modified the showtopic.php correctly ? I have the same code in the description of the hack than in my board.



download the showthread.php and make a backup of this file

look for this code (ca 205):

if (!$thread['visible']) {
$idname="thread";
eval("standarderror(\"".gettemplate("error_invalidid")."\");");
exit;
}

$forum=getforuminfo($thread['forumid']);

add below this code:

// Password-Hack-by Afterburner-Start
if ($forum['password']) {
$boardid="userspezial$thread[forumid]";
if ($bbuserinfo[$boardid] != 1) {
eval("standarderror(\"".gettemplate('fehler_password_showtopic')."\");");
exit;
}
}
// Password-Hack-by Afterburner-End

upload the showthread.php.

yes...I have that in there exactly as you shoed it

do you think it could be this:....."userspezial$thread" instead of spelled "userspecial$thread" that is causing the problem?

My board is in english

userspezial$thread is the correct version
with z not with c

I am still looking for a working version of this hack. I am willing to pay for it as long as it doesn't have any holes in it.

I tried the same tactics on afterberners site and the holes aren't there but on my board they are. I followed the instructions to the tee and even removed the hack and re-installed it but if I click on the name of the last poster in that forum and then clicl the last post they made (in the protected forum) I can get right in.

If someone has a "Secure" version of this and wants some bucks, please contact me.

I will however need refrences from the people that run this site because I am still dealing with one person that has not followed through with what I payed him for.

Thanks in advance......drives

Is it possible to make this hack work for version 2.2.0?

I would be interested in hole free password protection as well.

I will make the hack as soon as possible available for 2.2.0 and try to fix the bugs.

Afterburner plz release die 2.2.0 version *g*

$sql = "";
$profilefields=$DB_site->query("SELECT profilefieldid,title FROM profilefield");
while ($profilefield=$DB_site->fetch_array($profilefields)) {
$varname="field$profilefield[profilefieldid]";
$sql.=",'".addslashes($$varname)."'";
}
$DB_site->query("INSERT INTO userfield VALUES ($userid$sql)");

$action="modify";

echo "<p>Record added</p>";

}

replace it with:

$sql = "";
$userfieldsnames="(userid";
$profilefields=$DB_site->query("SELECT profilefieldid,title FROM profilefield");
while ($profilefield=$DB_site->fetch_array($profilefields)) {
$userfieldsnames.=",field$profilefield[profilefieldid]";
$varname="field$profilefield[profilefieldid]";
$sql.=",'".addslashes($$varname)."'";
}
$userfieldsnames.=')';
$DB_site->query("INSERT INTO userfield $userfieldsnames VALUES ($userid$sql)");

$action="modify";

echo "<p>Record added</p>";

}

i cann't find this in user.php it cann't work on 2.20~~

or someone know how to fix it??

Afterburner plz release die 2.2.0 version *g*


I agree *g* ..

It does NOT work on 2.2.0

which stinks.. hehe

anybody want to get paid to fix this hack for me and my v2.0.3?

I have had to dissable my search feature because of the holes and I would really like to use that feature again.

Again....I am willing to pay