PDA

View Full Version : Confirm password on non vb pages


Dr.CustUmz
02-25-2015, 11:34 AM
The ideas sound, just need help making it happen.

So ive created an external page and on this page as of now all i have is a confirm password box that i took from the modifypassword? template.

this is the content of ext.php
<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext'); // change this depending on your filename

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array(

);

// get special data templates from the datastore
$specialtemplates = array(

);

// pre-cache templates used by all actions
$globaltemplates = array(
'ext',
);

// pre-cache templates used by specific actions
$actiontemplates = array(

);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
require_once(DIR . '/includes/functions_user.php');
// ################################################## #####################
// ######################## START MAIN SCRIPT ############################
// ################################################## #####################

$navbits = array();
$navbits[$parent] = 'Ext Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');


if ($_POST['do'] == 'confirmpassword')
{
$vbulletin->input->clean_array_gpc('p', array(
'currentpassword' => TYPE_STR,
'currentpassword_md5' => TYPE_STR,
));

if ($userdata->hash_password($userdata->verify_md5($vbulletin->GPC['currentpassword_md5']) ? $vbulletin->GPC['currentpassword_md5'] : $vbulletin->GPC['currentpassword'], $vbulletin->userinfo['salt']) != $vbulletin->userinfo['password'])
{
eval(standard_error(fetch_error('badpassword', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'])));
}

}
else if ($_GET['do'] == 'confirmpassword')
{
// add consistency with previous behavior
exec_header_redirect('index.php');
}
?>

right now im just playing around with it, trying to make it actually confirm the password, i stole some code from profile.php and have removed some of it.

so whats it suppose to do?
well when the user confirms there password, i want it to redirect the user to one page. if the user gets the password wrong redirect them to another (possibly log them out also....for security reasons?... MAYBE)

oh and the content of my ext template:
$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
<title>$vboptions[bbtitle]</title>
$headinclude
</head>
<body>
$header

$navbar

<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=$vboptions[simpleversion]"></script>
<script type="text/javascript">
function hash_passwords(currentpassword, currentpassword_md5, newpassword, newpassword_md5, newpasswordconfirm, newpasswordconfirm_md5)
{
var junk_output;
md5hash(currentpassword, currentpassword_md5, junk_output, $show[nopasswordempty]);
// do various checks
if (newpassword.value != '')
{
md5hash(newpassword, newpassword_md5, junk_output, $show[nopasswordempty]);
}
if (newpasswordconfirm.value != '')
{
md5hash(newpasswordconfirm, newpasswordconfirm_md5, junk_output, $show[nopasswordempty]);
}
}
</script>

<form action="ext.php?do=confirmpassword" method="post" onsubmit="hash_passwords(currentpassword, currentpassword_md5, newpassword, newpassword_md5, newpasswordconfirm, newpasswordconfirm_md5)">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="updatepassword" />
<input type="hidden" name="currentpassword_md5" />
<input type="hidden" name="newpassword_md5" />
<input type="hidden" name="newpasswordconfirm_md5" />

<input type="password" class="bginput" name="currentpassword" size="50" maxlength="50" />
<div style="margin-top:$stylevar[cellpadding]px">
<input type="submit" class="button" value="$vbphrase[save_changes]" accesskey="s" />
<input type="reset" class="button" value="$vbphrase[reset_fields]" accesskey="r" />
</div>
</form>

$footer
</body>
</html>

as of right now im not getting any responce with this other than when you submit the input it adds the DO to the url "?do=confirmpassword" been messing about for a while now and cant seem to get it to do much more than that

kh99
02-25-2015, 11:39 AM
Well, confirm password is the second password box, so the user has to enter the password twice to make sure they don't make a typo when changing their password. Is that what you're trying to do, or are you trying to verify the user's password?

What do you mean by "external", are you including global.php in your script?

Dr.CustUmz
02-25-2015, 11:56 AM
Well, confirm password is the second password box, so the user has to enter the password twice to make sure they don't make a typo when changing their password. Is that what you're trying to do, or are you trying to verify the user's password?

What do you mean by "external", are you including global.php in your script?

when i say confirm password, i mean confirm the current password. as in a way to verify its you. like if you go to usercp and edit email / password the first box is current password. thats the only part im wanting to check.

and yes i include global, i guess its not really an external page its still a vb powered page. i used https://vborg.vbsupport.ru/showthread.php?t=62164 for that part.

so if i enter the correct current password, i get redirected to one page, else i get redirected to another.

I've been up and down profile.php, im pretty sure i have all i need i just cant seem to edit it correctly =/

and yes this will go along with the thing i posted last night but shhhh ;) lol

kh99
02-25-2015, 12:03 PM
I think I understand what you want to do, but I'm not sure I follow the way you're trying to do this. I think what you'd want to do is look at how the regular login works, not the place where the password is changed. You want to make sure, for instance, that you're using the strike system or something similar, or else your new page will bypass that security and allow unlimited guesses.

Dr.CustUmz
02-25-2015, 12:09 PM
but this wont be a login.

k im logged on to vBulletin.org, i leave (run to the store or something) while leaving vb.org open. any member of my household may it be a little brother, sister with a grudge, w/e see's I'm logged into my favorite forum and decides to go post happy with a bunch of nonsense. Resulting in me getting warnings/infractions/ or even banned. (note* i myself dont have this issue it's just an example lol)

so after 5 mins or so im sent to an idle page where im still logged in... but i have to confirm my password to get off that page.

--------------- Added 1424873477 at 1424873477 ---------------

and the only place in vb where you confirm your current password, is where you set a new one, thats why i went with that for a base.

but i can see where this gets vulnerable... whats to stop me from navigating from ext.php to index.php, no clue how to fix that one lol, one step at a time

--------------- Added 1424873798 at 1424873798 ---------------

you know what... this idea is kind of stupid when i think about it, it'd be much better to force logout the user than to just have them re enter their password.

im going to go back to getting the avatar even when their logged out. and i did put a better example in that thread

kh99
02-25-2015, 12:24 PM
Oh, I see, I was wrong. "enter your present password". Yeah, that's a reasonable place to look. But it's different than the "confirm password" that's on the same page.

kh99
02-25-2015, 12:34 PM
In profile.php, it's the section that starts with:
// ############################### start update password ###############################


Anyway, if you have a password the user entered, say in $password for example (in profile.php it's in $vbulletin->GPC['currentpassword']), then you'd do something like:

if (md5(md5($password).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password'])
{
//password OK
}
else
{
// password bad
}

But to complicate things, the vb code has javascript which does an md5 on the password so that it's not sent in clear text, except that the code has to work if someone has javascript disabled, so the code is a little complicated because it allows for either case. I don't know if you want to bother with that or not.

Regarding the strike system, I don't think you have to worry about that if you're only allowing your page to be executed by users who are already logged in.

Dr.CustUmz
02-25-2015, 12:43 PM
so i tried passing that into the POST with no success

ext.php:
<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext'); // change this depending on your filename

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array(

);

// get special data templates from the datastore
$specialtemplates = array(

);

// pre-cache templates used by all actions
$globaltemplates = array(
'ext',
);

// pre-cache templates used by specific actions
$actiontemplates = array(

);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
// ################################################## #####################
// ######################## START MAIN SCRIPT ############################
// ################################################## #####################

$navbits = array();
$navbits[$parent] = 'Ext Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');


if ($_POST['do'] == 'confirmpassword')
{
if (md5(md5($password).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password'])
{
exec_header_redirect('yes.php');
}
else
{
exec_header_redirect('no.php');
}
}
?>

ext template (is same as OP)

kh99
02-25-2015, 12:47 PM
Well, I only used $password as an example to make it clear what the code is doing. You need to get the value that's being submitted from your form and use that. You can use the vbulletin input cleaning system if you want. What's the name on the form <input> that has the password?

Dr.CustUmz
02-25-2015, 01:00 PM
<input type="password" class="bginput" name="currentpassword" size="50" maxlength="50" />

--------------- Added 1424876530 at 1424876530 ---------------

its all in the OP

kh99
02-25-2015, 01:11 PM
OK, then for the password check part you'd want something like:
if ($_POST['do'] == 'confirmpassword')
{
$vbulletin->input->clean_array_gpc('p', array(
'currentpassword' => TYPE_STR
));
if (md5(md5($vbulletin->GPC['currentpassword']).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password'])
{
exec_header_redirect('yes.php');
}
else
{
exec_header_redirect('no.php');
}
}


I haven't studied the overall approach so I can't say this is going to work, but the password checking part should be close to correct.

BTW, I used clean_array_gpc above even though it's cleaning only one input (there is a function to do a single input) because I figure you might have other fields to check. If not, it doesn't really hurt anything.

Dr.CustUmz
02-25-2015, 01:29 PM
ive made some changes to the template:
$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
<title>$vboptions[bbtitle]</title>
$headinclude
</head>
<body>
$header
$navbar
<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=$vboptions[simpleversion]"></script>

<form action="ext.php?do=confirmpassword" method="post" onsubmit="hash_passwords(currentpassword, currentpassword_md5)">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="currentpassword_md5" />
<input type="password" class="bginput" name="currentpassword" size="50" maxlength="50" />
<div style="margin-top:$stylevar[cellpadding]px">
<input type="submit" class="button" value="$vbphrase[save_changes]" accesskey="s" />
</div>
</form>

$footer
</body>
</html>

im not sure if that original script was of any significance (i removed it):
<script type="text/javascript">
function hash_passwords(currentpassword, currentpassword_md5, newpassword, newpassword_md5, newpasswordconfirm, newpasswordconfirm_md5)
{
var junk_output;
md5hash(currentpassword, currentpassword_md5, junk_output, $show[nopasswordempty]);
// do various checks
if (newpassword.value != '')
{
md5hash(newpassword, newpassword_md5, junk_output, $show[nopasswordempty]);
}
if (newpasswordconfirm.value != '')
{
md5hash(newpasswordconfirm, newpasswordconfirm_md5, junk_output, $show[nopasswordempty]);
}
}
</script>

and i cleaned up the ext.php:
<?php
error_reporting(E_ALL & ~E_NOTICE);
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext');
$globaltemplates = array('ext');
require_once('./global.php');
$navbits[$parent] = 'Ext Page';
$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');

if ($_POST['do'] == 'confirmpassword'){
$vbulletin->input->clean_array_gpc('p', array(
'currentpassword'=> TYPE_STR
));
if (md5(md5($vbulletin->GPC['currentpassword']).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password']) {
exec_header_redirect('yes.php');
}
else {
exec_header_redirect('no.php');
}
}
?>

the end result is still leaving me puzzled and only redirecting my URL to the POST:
ext.php?do=confirmpassword

no errors in console, nor any i am seeing =/

kh99
02-25-2015, 01:35 PM
Oh, OK, the line that starts eval('print_output... is going to end the script (after outputting the template). You should probably move everything between require_once('./global.php'); and if ($_POST['do'] == 'confirmpassword'){ to the end of the script, since you don't need to output anything if the user gets redirected.

Dr.CustUmz
02-25-2015, 01:44 PM
error_reporting(E_ALL & ~E_NOTICE);
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext');
$globaltemplates = array('ext');
require_once('./global.php');


if ($_POST['do'] == 'confirmpassword'){
$vbulletin->input->clean_array_gpc('p', array(
'currentpassword'=> TYPE_STR
));
if (md5(md5($vbulletin->GPC['currentpassword']).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password']) {
exec_header_redirect('yes.php');
}
else {
exec_header_redirect('no.php');
}
}

$navbits[$parent] = 'Ext Page';
$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');

made no difference =/

kh99
02-25-2015, 01:47 PM
Hmm...ok, I think you either need to make 'do' a hidden input field, or else change the 'if' in your script to check $_GET['do'] instead of POST.

Dr.CustUmz
02-25-2015, 01:57 PM
AND THE _GET won it lol, i only didnt even bother trying that cause _GET is depricated code, I was trying 10000000 different things along with your suggestions along the way, but i guess since this is all older code it makes since that worked =)

just when i was going to tell you to click the 2nd URL in my sig too lol, shows you my screen ;)

--------------- Added 1424879932 at 1424879932 ---------------

but now that it works, i cant help but realize how vulnerable it is. Like i said before whats to stop me from just navigating to another directory =/

--------------- Added 1424880091 at 1424880091 ---------------

also, thank you kevin again. you've helped me out quite a bit lately and i truly appreciate it

kh99
02-25-2015, 02:09 PM
AND THE _GET won it lol, i only didnt even bother trying that cause _GET is depricated code, I was trying 10000000 different things along with your suggestions along the way, but i guess since this is all older code it makes since that worked =)

Is it deprecated? I don't keep up on that stuff, but after I read your post I googled it and didn't find anything about that. I did find some mention of having all those globals deprecated in php 6. In any case, like I mentioned above you could use <input type="hidden" name="do" value="confirmpassword"> in your form, then go back to checking $_POST['do'].

but now that it works, i cant help but realize how vulnerable it is. Like i said before whats to stop me from just navigating to another directory =/


I was wondering about that. You'd need something to check on every page if they are 'idle'. Maybe you could save that in the database somewhere (like add a column to the session table) and put some code on one of the global hooks to check it. But I've only thought about it for like 30 seconds, so I'm not sure.

Dr.CustUmz
02-25-2015, 02:17 PM
http://php.net/manual/en/reserved.variables.get.php i read that wrong (my bad) lol

and wouldnt local storage or a cookie work for keeping them on that page (redirect to that page no matter what) untill the password was confirmed?

or would it have to be sql based?

--------------- Added 1424881325 at 1424881325 ---------------

and i have an idle timer i created for this already, would it be possible to modify table (0,1 maybe) using this timer
idleTime = 0;
$(document).ready(function () {
startIdle();
var idleInterval = setInterval(timerIncrement, 1000);
$(document).bind( "mousemove keypress", function () {
idleTime = 0;
});
});

the timer would set the table to 1 and entering the password back to 0?

--------------- Added 1424881481 at 1424881481 ---------------

i think im on to something with this http://www.9lessons.info/2011/03/live-table-edit-with-jquery-and-ajax.html

kh99
02-25-2015, 02:26 PM
http://php.net/manual/en/reserved.variables.get.php i read that wrong (my bad) lol

Oh, yeah, I can see how you could make that mistake.


and wouldnt local storage or a cookie work for keeping them on that page (redirect to that page no matter what) untill the password was confirmed?

or would it have to be sql based?

You could use a cookie, but people can disable cookies, or delete or fake the value of cookies, so it depends on how secure you need it to be.

and i have an idle timer i created for this already, would it be possible to modify table (0,1 maybe) using this timer
idleTime = 0;
$(document).ready(function () {
startIdle();
var idleInterval = setInterval(timerIncrement, 1000);
$(document).bind( "mousemove keypress", function () {
idleTime = 0;
});
});

the timer would set the table to 1 and entering the password back to 0?


You'd have to connect to the server when the timer ran out, to a script that did whatever you needed to do to put them in idle mode (unless you go the cookie route, in which case I believe you can write one with js). You could just load a new page when the timer ran out, I think that's easy enough to do.

Dr.CustUmz
02-25-2015, 02:35 PM
i think im going to go the sql route, this isnt a product for me personally, just some extra security to add to your forum.

It's a little scary route cause im a beginner in real PHP lol vB template php dont really count, and messing with tables is also new to me, although ive done a little before. but i think i can get most of it, and im sure what i cant figure out i'll get resolved one way or another, got this great community and that one Kevin guy who's pretty awesome =)

Black Snow
02-25-2015, 02:35 PM
Why don't you just log the user out of the forum after X amount of time?

Dr.CustUmz
02-25-2015, 02:43 PM
Why don't you just log the user out of the forum after X amount of time?

right lol, wouldnt that be so much easier! i did think of that, but it comes down to i had the idea... now it just has to be made. More of a personal satisfaction kind of thing, and i think it will in the end make a pretty good product, even though in a sence all it will be doing is logging out the user, not in the typical way but locking down their account untill their password is confirmed.

and its a good learning process, never hurts to new learn new things and no matter what project i take on i always learn something =)

--------------- Added 1424883575 at 1424883575 ---------------

kev you think
ALTER TABLE session ADD idle smallint(5);
would be the way to go with this?

im not sure how to set a default value, it would only need to be 1 (on) 2 (off) right?