Total Admin Security...


Chris M
07-05-2002, 10:00 PM
I've always hated the fact that other Admins can delete your account...

It's not that they are untrustworthy, but people could get hold of their password or what have you...

So...

There is an easy way to ensure that they cannot change your password, demote you, or delete you...

Just use this hack below, and then they can't!!!

Just remember to change every occurrence of X to your userid...

Also : I have posted 2 screenshots...

Other Related Hacks:

More Admin Security - Protect Templates, Templatesets and Styles!!! (https://vborg.vbsupport.ru/showthread.php?s=&threadid=44764)

Satan

Chris M
07-06-2002, 01:26 PM
This one was designed so that Nobody, not even yourself, could delete your user...

Just in case anybody gets hold of your password:)

Satan

Chris M
07-06-2002, 01:28 PM
This is not like my Profile Restricting Hack...

This will not allow them to Update any information about you...

They can still view your profile, but they cannot demote you, or change your password at all...

To do that, they would need to update your information, and this restricts it totally to just you...

Satan

g-force2k2
07-06-2002, 01:33 PM
It looks good hellsatan :) only thing i can say is that it won't help if they have your password ;\ cause they can then update your account and change your usergroup... i've been hacked before and they didn't delete any of the admins only moved them to the banned group and then damaged the forum :p

g-force2k2

Chris M
07-06-2002, 01:41 PM
Precisely...

I'm not offering protection against them having your password:)

This simply prevents others from updating or deleting you...i.e. If a hacker gets in to one of the other accounts, you are totally secure...

You can, of course, protect other parts of the CP, like Templates, to just yourself...

Satan

Neo
07-06-2002, 05:41 PM
Nice man, But I would have to say a hack like limit admin abilities would be better. Like if you didn't want them to have access to forum editing but having access to template editing. That might be cool... I might make that Oo (So many hacks to make)

Chris M
07-06-2002, 05:54 PM
That's easy...

I've already done it at our forums:)

I'll post that up if you'd like...

Satan

TECK
07-06-2002, 05:54 PM
another way of doing this could be:
forum/admin/config.php
add at the bottom:
// user can edit admins
$editadmin='1';
you can add as many users as you want there...

forum/admin/user.php
find:
adminlog(iif($userid!=0,"user id = $userid",""));
below this add:
unset($editadmin);
find:
if ($HTTP_POST_VARS['action']=="doupdate") {
replace it with:
if ($HTTP_POST_VARS['action']=="doupdate" && checklogperms($editadmin,1,"<p>You are not allowed to edit this user.</p>")) {
let me know what you think.

Chris M
07-06-2002, 05:58 PM
Hmm...

I'll test that...

If it works, I'll add it to the file (if you don't mind), as an optional extra...

My way still allows them to view your profile, but they cannot delete or modify you...

Your way they can still delete you...

Satan

TECK
07-06-2002, 06:04 PM
np. :)
let me know. the code will stop of doing something 'fancy' to your colleagues admins if you are not on the config.php list. that includes password or anything else.

Chris M
07-06-2002, 06:07 PM
Yeh...

One problem...

I did what you said, and my userid is 1...

I get this :

You are not allowed to edit this user.

Satan

ZiRu$
07-06-2002, 06:29 PM
it would be cool if you got an e-mail if they tried anything

TECK
07-06-2002, 06:36 PM
hmm ur right. i also tried:
if ($HTTP_POST_VARS['action']=="doupdate" && checklogperms($editadmin,1,"<p>You are not allowed to edit this user.</p>")) {
but it doesn't work. anyone can tell me why? it should work.

Chris M
07-06-2002, 06:43 PM
I'm not exactly sure...

It's kinda weird...

Satan

g-force2k2
07-06-2002, 06:44 PM
maybe get rid of the $HTTP_POST_VARS and just make it

if ($action=="doupdate" && checklogperms($editadmin,1,"<p>You are not allowed to edit this user.</p>")) {

how about that?

g-force2k2

Chris M
07-06-2002, 06:46 PM
I think that would cause a Parse Error...

Satan

g-force2k2
07-06-2002, 06:50 PM
Originally posted by hellsatan
I think that would cause a Parse Error...

Satan

how would that cause a parse error ;) ?

Edit: Nakkid if that doesn't work try place the:

unset($editadmin);

above:

require("./global.php");

g-force2k2

TECK
07-06-2002, 06:59 PM
it doesn't really matter where you unset the editadmin, as long as you do it before the doupdate action. there is something else we all miss. firefly? any hot coder can explain to me? thanks.

update:
is fixed... :)
https://vborg.vbsupport.ru/showthread.php?s=&threadid=40787

GrayFOX
07-06-2002, 07:21 PM
Hi,
I need help by this Hack, how can I find out my Admin User ID?

THX

TECK
07-06-2002, 07:25 PM
mouse over your user link. it will show as userid=x

Chris M
07-06-2002, 07:40 PM
GrayFOX - If you setup the vBulletin board (installed it), you will always be userid 1...

Satan

g-force2k2
07-06-2002, 07:45 PM
Only thing i can think of is that the adminlog variables are global or something while the editadmin isn't ;\ but you can always approach it by defining the editadmin right in the admin/user.php

g-force2k2

Chris M
07-06-2002, 07:50 PM
Yeh you could try that...

Maybe I will in just a few secs:)

Satan

g-force2k2
07-06-2002, 07:52 PM
I know it works because i believe that is the same way that PPN used to setup the permissions for viewing the private messages hack :p

g-force2k2

TECK
07-06-2002, 07:55 PM
i open a new thread related to this issue here:
https://vborg.vbsupport.ru/showthread.php?s=&threadid=40751

bonnmac
07-06-2002, 08:40 PM
Great hack. Thanks.. Just one question... Can they still ban you?

Chris M
07-06-2002, 08:55 PM
No bonnmac - They can't...That would require Updating your status, and this blocks them from doing so...

And folks : If there was ever a Time I was grateful for my own hack, it is now...

We just got hacked by our rogue webmaster, who tried to delete my account (userid = 1) 11 times...

Satan

Marshalus
07-07-2002, 08:31 AM
Nice timing ;) for you and me. I just today realized I should get something like this, and along comes the hack :D

Chris M
07-07-2002, 09:44 AM
Yeh lol...

I don't know why I didn't have the idea before...;)

Satan

Jux
07-10-2002, 07:59 PM
A nice addition, especially since I'm about to can one of our admins.

E
07-13-2002, 05:02 AM
does it stop them from being able to ban u?

chr@nox
07-13-2002, 01:38 PM
w000t GREAT concept buddy!

this one together with .Htaccess+iprestriction on your admin cp ;)
the perfect security available
hehe
thanx alot for this nice one :)

Originally posted by E
does it stop them from being able to ban u?

that was answered like a few posts back ;)
yes it does

Chris M
07-15-2002, 01:36 PM
Ya...

It stops you from being Banned, cos they cannot update your account...

Satan

clouds_kid
07-16-2002, 06:50 AM
Man that's pretty sexy. I'm definitely going to install this one.

Chris M
07-17-2002, 05:05 PM
Lol...

This was quite popular!:eek::p

Never expected that...:)

Satan

Chris M
07-24-2002, 08:54 PM
Oh yeh - If anyone wants me to send them a script on how to protect other files, just ask;)

Satan

asweetdeal
07-31-2002, 11:12 AM
Great Hack! However, if the hacker gets your password... like what happened to me... is there a way to add another admin to be able to edit you?

Chris M
07-31-2002, 01:03 PM
Sure...

Just find :
if (($userid==X) and ($bbuserinfo[userid]!=X)) {

and change it to :
if (($userid==X) and ($bbuserinfo[userid]!=X and $bbuserinfo[userid]!=Y)) {
Replace X with your userid, and Y with the second Admin account...

Satan

GeOrGe
08-12-2002, 12:08 AM
wow men that's cool...

I like this one.

neocorteqz
08-31-2002, 04:07 AM
Nevermind Answered my own question.
This is a sweet hack.
Thanks.

Chris M
08-31-2002, 01:50 PM
No problems;)

It's good to know that other people still use this:) It has been a godsend at 3 forums where I have Administrated...One of them was recently hacked, and only the unprotected Admin account was deleted...Luckily, they weren't very vB capable, and I took control back in a matter of minutes...

Satan

410
09-09-2002, 03:18 PM
how do i add multiple users but not ALL Admins? and i tried just one user and I could still edit it...?

Chris M
09-09-2002, 04:41 PM
Just copy the same code underneath the previous code, and change the userid's to match who you want to be protected:)

Satan

Sengir
10-12-2002, 02:13 PM
So sweet :) I was looking for one like this :)

a43079
10-12-2002, 02:23 PM
is there a way to keep them from updating or messing with the templates and styles

Bison
10-12-2002, 02:31 PM
Well ... a timely backup of your database (Downloaded Locally) will also help with this type of vandalism too ... Don't forget that as well!

Chris M
10-12-2002, 02:33 PM
Yes there is a way...

I shall post it up later tonight:)

Satan

a43079
10-12-2002, 02:40 PM
Originally posted by hellsatan
Yes there is a way...

I shall post it up later tonight:)

Satan

thank you that is one of my worries...

Chris M
10-12-2002, 02:54 PM
It was one of mine too:)

Satan

Sengir
10-12-2002, 03:12 PM
heh Lots of worries :)

Chris M
10-12-2002, 03:19 PM
I am very security conscious:D

Satan

Sengir
10-12-2002, 03:31 PM
Me too. Especially after having other admins do things that they were obviously not supposed to do.. (like give an ex-clanmember access to all private/public forums) And I've always been worried about someone deleting or changing my account. (Had a separate group+account named "_" just in case someone decided to do so..) I can delete that now.. Thanks :)

Chris M
10-12-2002, 03:49 PM
:)

Satan

GoTTi
10-14-2002, 10:13 PM
how can i add other admins to be protected besides myself?

neocorteqz
10-16-2002, 03:24 AM
Originally posted by Da_GoTTi
how can i add other admins to be protected besides myself?


add the lines again, only change the id Number, that's what i did.


if (($userid==X) and ($bbuserinfo[userid]!=X)) {
    echo "<p>You cannot update this Admin.</p>";
    cpfooter();
    exit;
}


and


if ($userid==X) {
    echo "<p>You cannot delete this Admin.</p>";
    cpfooter();
    exit;
}


remember to change X to the user Id you want to protect.
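
The copy-and-paste guard from the posts above, collected into one lookup table, as an added example that is not the original hack and not vBulletin code. The function name `admin_guard`, the `$protected` map and the user ids are assumptions made for illustration; it refuses by default for any action on a protected account that is not an update by a listed editor.

```php
<?php
// Added example; not the original hack and not vBulletin code.
// Hypothetical map: protected userid => userids allowed to update that account.
$protected = array(
    1 => array(1),      // only user 1 may update user 1 (the "X" case)
    7 => array(7, 1),   // user 7 may be updated by 7 or by 1 (the "X and Y" case)
);

// Returns null when the action is allowed, otherwise the refusal message.
// $action: 'update' or 'delete'; $targetId: account being changed;
// $actorId: logged-in admin (the role $bbuserinfo[userid] plays in the thread).
function admin_guard(array $protected, $action, $targetId, $actorId)
{
    $targetId = (int) $targetId;   // compare as integers, not raw request strings
    $actorId  = (int) $actorId;

    if (!isset($protected[$targetId])) {
        return null;               // account is not protected
    }
    if ($action === 'update' && in_array($actorId, $protected[$targetId], true)) {
        return null;               // listed editor updating a protected account
    }
    // Anything else on a protected account is refused, deletion included.
    return $action === 'delete'
        ? 'You cannot delete this Admin.'
        : 'You cannot update this Admin.';
}

// Constructed cases: action, target userid, acting userid.
$cases = array(
    array('update', 1, 1),   // owner edits own account
    array('update', 1, 5),   // another admin edits a protected account
    array('update', 7, 1),   // listed second admin edits a protected account
    array('delete', 1, 1),   // deletion of a protected account
    array('update', 9, 5),   // account that is not in the map
);
foreach ($cases as $c) {
    $msg = admin_guard($protected, $c[0], $c[1], $c[2]);
    printf("%-6s target=%d actor=%d: %s\n", $c[0], $c[1], $c[2],
        $msg === null ? 'allowed' : $msg);
}
```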

a43079
10-17-2002, 08:30 AM
when are you going to release the protection for the templates and styles

Chris M
10-19-2002, 06:05 PM
@a43079 - Right now:)

Gimme a few minutes to write up the instructions:)

Satan

Graphics
10-19-2002, 06:20 PM
i didn't read the whole thread but is there a way to put 2 admins instead of 1?

Chris M
10-19-2002, 06:22 PM
How do you mean?

a.) Protect more than one admin...
b.) Allow more than one admin to edit a user...

Satan

Graphics
10-19-2002, 06:26 PM
protect more than one admin.

Chris M
10-19-2002, 06:30 PM
Just copy the code again below the first set of code, making sure that you change the ids;)

Satan

Chris M
10-19-2002, 06:33 PM
More Admin Security - Protect Templates, Templatesets and Styles!!! (https://vborg.vbsupport.ru/showthread.php?s=&threadid=44764)

^ That is the Template & Style Protection hack;)

Satan

Yzer0
12-05-2002, 03:56 PM
Is there a way you can simply stop anyone but me to mess with the forum permissions? (I'm a php coder, but it's hard to understand vbulletin sometimes)

Thanks in advance

Chris M
12-15-2002, 08:06 PM
Yes there is:)

Open admin/forumpermission.php

Under the "require global.php" bit, add:

if ($bbuserinfo[userid]!="x") {
    echo "<p>You cannot perform this function!</p>";
    exit;
}

Change "x" to your userid:)

Satan

Bison
12-19-2002, 06:36 PM
What would make this hack even more secure is if you could make the ip address range of the login user an added *Condition* that disallows the user to remove anyone from the Admin list ... other than the TOP Admin (Whose IP Falls inside a Range).

Example:

-------DO NOT COPY THIS LINE-------

if (($userid==X) and ($bbuserinfo[userid]!=X and $bbuserinfo[ipaddress]!=[IP RANGE OF THE ADMIN])) {
echo "<p>You cannot update this Admin.</p>";
cpfooter();
exit;
}

-------DO NOT COPY THIS LINE-------

Also if you could capture the IP of the logged in user, and make a match of the one that the ADMIN assigned, this would give a lot more security than what's included in this hack.

From what I see and what someone already mentioned ... all they need is your password ... this would stop anyone with your password from making changes.

Your opinions ...

Chris M
12-19-2002, 11:03 PM
Sounds good;)

The logged in user's IP would be $bbuserinfo[ipaddress];)

How would you do a range?

You can't just put $user[ipaddress] as the IP Range, as you may not have a static IP:confused:

Satan

Bison
12-20-2002, 01:35 AM
Under the user profile, you could enter any IP addy and use that as the number to test against the logged in users IP addy.

About the range theory, you can convert the ip address into string, and account for the numbers from the first, and second dot in the ip address.

Your isp usually changes the last (dot) group of numbers more often.

Another solution would be to grab the ADMIN (IP's) from the database and check the logged in user's ip against those numbers...

sorta like querying that table from the user table and throwing the numbers into an array and test the logged in users ip against the numbers in that table.

Chris M
12-20-2002, 08:16 AM
@Rolodex - But you wouldn't be able to edit the user if your IP wasn't right...

But unfortunately, I forgot to mention that if you had tried to login with the Admin's account, it would update the IP anyway;)

Could you show me what you mean in code form?
About the range theory, you can convert the ip address into string, and account for the numbers from the first, and second dot in the ip address.

The other solution would be stumped by the same one as my idea:(

Satan

Bison
12-20-2002, 09:52 PM
From PHP coding perspective, I can't

But from a logical perspective ... I can.

Say that its a given ... that part of your IP address never changes.

[your IP Address]
24.48.xxx.xxx

Store (hard code) that value into a variable: $admin1_ip = 2448
(The Admin_ip is stored into the php code so that it's out of view from the admin CP, and undetected.)

Now you can use these numbers to match the first part of the logged in user's IP address.

Now Capture the IP address of the logged in user:

[logged in user]
198.56.xxx.xxx

Remove everything after the second dot (198.56) and Strip the dots from the IP address (19856).

$temp = $bbuserinfo[ipaddress] (current logged in admin);

$admin2_ip = $temp

$admin2_ip = 19856

if (userid=1 AND ($admin2_ip == $admin1_ip)){

If there's a match, and the other conditions are true,

--- > DO action.
else
----> The action is dis-allowed.

This method is sorta like one of the hacks I saw on this board that disallowed
anyone from accessing the admin CP ... while a certain file was stored on the
server, but this method still allows the "real admin" to make changes to his/her profile.

Chris M
12-21-2002, 05:35 AM
That's one of my hacks;)

And if you have both hacks installed, there is no way they can access the Admin CP without access to the Server;)

(When the file is uploaded, your account cannot access the server;))

^^ Sounds like a good idea;)

How would you strip that data of the dots and restrict it to just the first 2 parts?:confused:

Other than that, it's doable:)

Satan

Bison
12-21-2002, 05:16 PM
I don't know how it's done in PHP but I believe that you can take the value stored inside the variable [ip address] and count over before the first dot [doing a string_copy] and take those (3) numbers and store them into a temp variable (temp1).

Next, do the same procedure on the [ipaddress] variable, but this time capture the next set of numbers you want to keep by doing another [string_copy] ... store them into another temp variable (temp2).

Then join the two variables ($temp1 and $temp2) and store them into $admin2_ip ... I can do this in perl but I don't know how it's done in PHP.

Maybe someone here can tell us how to perform this in PHP?
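
One way to do the two-part prefix comparison asked about above in PHP, as an added example that is not from any poster in the thread. It also shows why the octets are compared with the dot kept: stripping the dots turns both 24.48.x.x and 244.8.x.x into 2448. The function names are made up for illustration, and `filter_var` needs PHP 5.2 or later.

```php
<?php
// Added example; not code from the thread. Function names are hypothetical,
// and 24.48 is the sample prefix used in the post above. Needs PHP 5.2+.

// The scheme as described: keep the first two parts, strip the dots.
function prefix_dots_stripped($ip)
{
    $parts = explode('.', $ip);
    return count($parts) >= 2 ? $parts[0] . $parts[1] : '';
}

// Stricter variant: validate the address, then compare the octets with the dot kept.
function ip_in_admin_prefix($ip, $adminPrefix)
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;   // malformed or non-IPv4 input is refused
    }
    $octets = explode('.', $ip);
    return ($octets[0] . '.' . $octets[1]) === $adminPrefix;
}

$adminPrefix   = '24.48';   // hard-coded in the script, as proposed
$adminStripped = '2448';    // the same prefix in dot-stripped form

// Constructed addresses: in range, out of range, a dot-stripping collision,
// a truncated value and non-IP input.
$samples = array('24.48.10.20', '198.56.1.2', '244.8.3.4', '24.48', 'garbage');

foreach ($samples as $ip) {
    $naive  = prefix_dots_stripped($ip) === $adminStripped;
    $strict = ip_in_admin_prefix($ip, $adminPrefix);
    printf("%-12s dots stripped: %-3s octets: %s\n", $ip,
        $naive ? 'yes' : 'no', $strict ? 'yes' : 'no');
}
```

Pass in the address of the current request rather than the IP stored on the account, which, as noted earlier in the thread, is updated when someone logs in with that account.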

Chris M
12-21-2002, 06:22 PM
:confused:

Chen? Where are you when we need you!:D

Satan

Bison
12-22-2002, 01:03 AM
TECK seems to have a good developer mind himself ... you might want to ask him for his advice on this ...

Chris M
12-22-2002, 10:52 AM
I shall actually;)

I'll get back to you with either an answer or a different way of doing it;)

Satan

Zelda-King
01-14-2003, 03:20 PM
An excellent little hack! It works great and yet I can still update myself no problem (Tested on vB 2.2.9). Well done!

Chris M
01-17-2003, 04:57 PM
Thanks:)

Glad you liked it:D

Satan

LangTuDaTinh
04-18-2003, 07:37 AM

KelteN
04-18-2003, 08:19 AM
Nice Hack! It's a good idea :)

sonic3d
05-01-2003, 02:22 PM
installed. works flawlessly

l8er
sonic

Chris M
05-01-2003, 03:32 PM
I'm glad!:)

Satan