View Full Version : Password Protected Forums (vB3 Style)
-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-
Password Protected Forums (vB3)
By Shaolyen
email: John@eovie.com
msn: John@eovie.com
TESTED ON A FRESH vB 2.3.0
-\/-\/-\/-\/-\/-\/-\/-\/-\/-\/-\/-
Introduction
-----------------------------------------------------------
This hack is fairly simple in what it does.
If a user tries to access a password protected forum, they will be
prompted for the password. Once entered correctly they'll be able
to browse the forum as normal. It's as simple as that!
There are a few extras in this. When a user enters a password and
it's verified as being correct, a cookie is sent to their PC
containing the password. This will ensure that they don't need to
log in every time they access the protected area, until the cookie
expires.
The cookie timeout time for each protected forum can be set in the
AdminCP. (You can choose anything from 1 minute to 1 year.)
Password protected forums are denoted by the text
"[Password Protected]" tagged on the end of the forum description.
If you don't have a forum description for your password protected
area, "[Password Protected]" will take its place.
Please bear in mind:
- Threads will appear in searches, but the title, author, etc. are
all set to "Restricted". A password is needed to access these threads.
- The password in the cookie IS NOT ENCRYPTED. This is for a
reason, so the password can be viewable in the AdminCP. If
anyone would prefer MD5 encryption in their cookies, let me know.
- In the very near future I will be adding on options to enable
MD5 encryption.
- When you specify "Regular Forum Security" in the AdminCP and
a password has been entered, that password will not be recorded.
Security level, password, and timeout times can be specified when
creating or editing a forum.
(AdminCP > Forums & Moderators > Add | Modify)
Warning
-----------------------------------------------------------
BACKUP YOUR DATABASE AND FORUM FILES BEFORE YOU EVEN THINK ABOUT APPLYING THIS HACK!
-----------------------------------------------------------
Shameless Plug
-----------------------------------------------------------
This hack was written for the fine people at xAviaHosting -
www.xaviahosting.com. Pay them a visit (Or I'm a dead man!)
-----------------------------------------------------------
Shameful Plea
-----------------------------------------------------------
I'm poor as always, I'd be seriously grateful for any donations..!
If you have a few spare pennies in that Paypal account, my address
is "John@eovie.com" - share the wealth! ;)
-----------------------------------------------------------
Screenshots:
-----------------------------------------------------------
Password protected indicator (https://vborg.vbsupport.ru/attachment.php?s=&postid=364734)
Password prompt (https://vborg.vbsupport.ru/attachment.php?s=&postid=364738)
AdminCP Settings (https://vborg.vbsupport.ru/attachment.php?s=&postid=364753)
Search results 1 (https://vborg.vbsupport.ru/attachment.php?s=&postid=364917)
Search results 2 (https://vborg.vbsupport.ru/attachment.php?s=&postid=364918)
-----------------------------------------------------------
Update 1.0 > 1.1
-----------------------------------------------------------
- Search blocking enabled.
Screenshots:
Search results 1 (https://vborg.vbsupport.ru/attachment.php?s=&postid=364917)
Search results 2 (https://vborg.vbsupport.ru/attachment.php?s=&postid=364918)
Available here (https://vborg.vbsupport.ru/attachment.php?s=&postid=364925)
-----------------------------------------------------------
Mephisteus
03-12-2003, 10:22 AM
Nice, I'm going to check this one out :)
Kars10
03-12-2003, 10:25 AM
Very cool Hack!!
Thank you John. :)
Link14716
03-12-2003, 10:27 AM
Good job, John.
I'll install this one when I get home today. :)
Just fixed a major glitch, if you've already downloaded the instructions you might want to download them again. ;)
Mephisteus
03-12-2003, 10:57 AM
Originally posted by Shaolyen
Just fixed a major glitch, if you've already downloaded the instructions you might want to download them again. ;)
where's the major glitch located? So I only have to update that part :p
FleaBag
03-12-2003, 10:58 AM
Anyone tested this? I'd like to know how well it works security wise. I used a password hack before that proved easy to bypass.
It checks what you enter directly with the password in the database.
To hack in, you'd need to have access to the database.
Mephisteus
03-12-2003, 11:06 AM
Originally posted by Shaolyen
It checks what you enter directly with the password in the database.
To hack in, you'd need to have access to the database.
so what's the major glitch, access to my database is restricted to localhost
Here's a little more info on how this works.
Whenever $forumid (and often $forum[forumid]) has a value, it runs a query which checks to see if security is enabled for that particular forum. (The security field in the "forum" table.)
If security is enabled, it will check to see if a cookie exists for that forum containing the password. If there's no cookie with a correct password, the user will be directed to a page where they can enter the password.
The password they enter is then checked, and if it matches the one in the database a cookie will be deployed. (And the whole process will start again, but this time the user will be forwarded to the forumdisplay page.)
The same applies for the code in showthread.php. :)
The glitch I left in was this line of code (in two places) which gives access to the forum on the second incorrect attempt.
setcookie('cookpass['.$forumid.']', $seccheck[forumpass], 0);
I've deleted it and updated the instructions.
The security is pretty rock solid.
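Added example, not part of the original post or of the hack's code: the post above describes a cookie that carries the forum password itself, and a setcookie() call that ran on a failed attempt. One way to make the same check without either is a signed token bound to the forum id, an expiry and the stored password hash, issued only when the submitted password verifies. SERVER_SECRET, the function names, a hashed forumpass column and passtimeout counted in minutes are assumptions of this sketch.

```php
<?php
// Added example (not the hack's code). SERVER_SECRET, the function names and
// the forum row below are assumptions constructed for illustration.
const SERVER_SECRET = 'constructed-demo-secret-change-me';

// Token = "<expiry>.<hmac>". The MAC covers the forum id, the expiry and the
// stored password hash, so the cookie never contains the password, is not
// valid for another forum, and stops verifying when the password is changed.
function issue_forum_token(int $forumid, string $passhash, int $timeoutMin, int $now): string
{
    $expiry = $now + $timeoutMin * 60;
    $mac = hash_hmac('sha256', "$forumid|$expiry|$passhash", SERVER_SECRET);
    return "$expiry.$mac";
}

function verify_forum_token(string $token, int $forumid, string $passhash, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || preg_match('/\A[0-9]{1,10}\z/', $parts[0]) !== 1) {
        return false;                       // malformed token
    }
    [$expiry, $mac] = $parts;
    if ((int) $expiry < $now) {
        return false;                       // timeout enforced on the server, not by the browser
    }
    $expected = hash_hmac('sha256', "$forumid|$expiry|$passhash", SERVER_SECRET);
    return hash_equals($expected, $mac);    // constant-time comparison
}

// Decide access for one request. Returns [allowed, token-to-set-or-null].
// A token is produced only on the branch where the submitted password verified;
// the caller would send it with setcookie() using the httponly and secure options.
function check_forum_access(array $forum, ?string $cookie, ?string $posted, int $now): array
{
    if ((int) $forum['security'] !== 2) {
        return [true, null];                // regular forum, no password needed
    }
    if ($posted !== null) {
        if (password_verify($posted, $forum['forumpass'])) {
            $token = issue_forum_token($forum['forumid'], $forum['forumpass'],
                                       $forum['passtimeout'], $now);
            return [true, $token];
        }
        return [false, null];               // wrong password: no cookie is set
    }
    if ($cookie !== null
        && verify_forum_token($cookie, $forum['forumid'], $forum['forumpass'], $now)) {
        return [true, null];
    }
    return [false, null];                   // nothing valid presented: show the prompt
}

// Constructed forum row; passtimeout is assumed to be in minutes.
$now   = 1700000000;
$forum = [
    'forumid'     => 7,
    'security'    => 2,
    'passtimeout' => 60,
    'forumpass'   => password_hash('correct horse', PASSWORD_DEFAULT),
];

[$wrongOk, $wrongTok] = check_forum_access($forum, null, 'wrong guess', $now);
[$rightOk, $token]    = check_forum_access($forum, null, 'correct horse', $now);
[$withinOk]           = check_forum_access($forum, $token, null, $now + 59 * 60);
[$expiredOk]          = check_forum_access($forum, $token, null, $now + 61 * 60);

// The admin changes the forum password: the old token no longer verifies.
$forum['forumpass'] = password_hash('new password', PASSWORD_DEFAULT);
[$afterChangeOk]    = check_forum_access($forum, $token, null, $now + 60);

$results = [
    'wrong password'                 => $wrongOk,
    'wrong password issued a token'  => $wrongTok !== null,
    'correct password'               => $rightOk,
    'token inside timeout'           => $withinOk,
    'token after timeout'            => $expiredOk,
    'old token after password change' => $afterChangeOk,
];
foreach ($results as $label => $value) {
    printf("%-34s %s\n", $label, $value ? 'yes' : 'no');
}
```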
Mephisteus
03-12-2003, 11:18 AM
OK, removed those lines,
it works like a dream, thanks Shao :)
but, what is the difference between the security levels?
Regular is normal, just like a regular forum. (Not password protected).
Password protected is password protected.
:)
Mephisteus
03-12-2003, 11:23 AM
that's pretty easy :) Thanks for the help :)
Davey
03-12-2003, 01:48 PM
WOW this is a nice hack.
/me installs.
If there was a Hack of the Month, I'd definitely vote this hack for it!
Well done!
*Tests it and stuff O.o*
Dave.
One-Team
03-12-2003, 02:40 PM
wow very cool hack ;) ;) ;)
Dean C
03-12-2003, 03:45 PM
Excellent hack - i hope this one works because a similar hack was released by one of the vbulletin-germany team with a bug that allows people on online.php to view a thread in a password protected forum... might want to see if that bug is present here?
Regards and nice hack!
- miSt
This hack covers threads by applying the same security code in showthread.php and finding the parent forum. So even if someone gets into a private thread, they'll still be prompted for a password.
:)
Xyphen
03-12-2003, 03:52 PM
Wow, very cool hack, I am gonna install this...
Talisman
03-12-2003, 04:08 PM
Nice hack... installed.
Please let us know as soon as you have the change ready that will enable search blocking.
Thanks!!
Added some code to stop people from seeing info about protected threads when searching.
If you're upgrading, use the attached file.
Screenshots are above ^^
Original instructions updated. :)
Talisman
03-12-2003, 04:27 PM
Well, that was quick! Thanks. :)
PSI|Dr-X
03-12-2003, 04:51 PM
Woa very good i'm surely gonna install this one :)
*Licks Install*
Dean C
03-12-2003, 05:10 PM
Well done John - its looking good :)
- miSt
Smoothie
03-12-2003, 08:21 PM
Work on 2.2.9?
Don't think it's been tested on 2.2.9 yet. :\
Very cool hack. I'll test this out :)
Smoothie
03-12-2003, 09:10 PM
Originally posted by Shaolyen
Don't think it's been tested on 2.2.9 yet. :\
I'll test it for everyone that is interested.
Davey
03-12-2003, 10:37 PM
Ok I've tested this hack on 2.3.0 and it seems to work like a charm.
Thanks for the wonderful hack Shaolyen!
:D.
Dave.
refertech
03-12-2003, 11:41 PM
Great Hack, I'll install this one. :)
Mark
TheComputerGuy
03-12-2003, 11:51 PM
Nice Hack!
Smoothie
03-13-2003, 02:02 AM
tested and working on 2.2.9
does this also cover the profile view where the last post is also listed and within the who's online?
squawell
03-13-2003, 09:26 AM
nice hack...
* squawell installed.... ;)
another question if i set timeout 1 week and after 1 week i forget
set new one.so that will let everyone access or the forum still
use the old password??
Hi
Nice hack but I think I have found a problem.
If I set a forum password and the timeout to say 1 week, then go in and change the password to something else, it doesn't match the cookie and denies access - all is well.
If I then enter the new password it still says access is denied. Seems like the cookie is not being updated with the new password I entered.
Today at 11:26 AM squawell said this in Post #39 (https://vborg.vbsupport.ru/showthread.php?postid=365378#post365378)
nice hack...
* squawell installed.... ;)
another question if i set timeout 1 week and after 1 week i forget
set new one.so that will let everyone access or the forum still
use the old password??
No, the password will stay the same.
The timeout is the amount of time before the user will have to enter the same password again to access the forum.
Today at 10:11 AM Pady said this in Post #38 (https://vborg.vbsupport.ru/showthread.php?postid=365349#post365349)
does this also cover the profile view where the last post is also listed and within the who's online?
In the next update it will.
Today at 12:11 PM DBs said this in Post #40 (https://vborg.vbsupport.ru/showthread.php?postid=365408#post365408)
Hi
Nice hack but I think I have found a problem.
If I set a forum password and the timeout to say 1 week, then go in and change the password to something else, it doesn't match the cookie and denies access - all is well.
If I then enter the new password it still says access is denied. Seems like the cookie is not being updated with the new password I entered.
Find:
if ($_COOKIE[cookpass][$forumid]) {
Above this add:
if ($_POST[forumpass]) {
$_COOKIE[cookpass][$forumid] = $_POST[forumpass];
}
Instructions updated.
Davey
03-13-2003, 03:00 PM
Find in which file?
Dave.
Today at 05:00 PM Davey said this in Post #44 (https://vborg.vbsupport.ru/showthread.php?postid=365541#post365541)
Find in which file?
Dave.
forumdisplay.php
showthread.php
Thanks for the fix.
Today at 05:05 PM DBs said this in Post #45 (https://vborg.vbsupport.ru/showthread.php?postid=365544#post365544)
forumdisplay.php
showthread.php
Thanks for the fix.
That's right, both of them. :)
squawell
03-13-2003, 03:25 PM
Today at 12:28 AM Shaolyen said this in Post #41 (https://vborg.vbsupport.ru/showthread.php?postid=365521#post365521)
No, the password will stay the same.
The timeout is the amount of time before the user will have to enter the same password again to access the forum.
thankz ur reply!!:D:D
now im understand...... :rambo:
sebastien69
03-14-2003, 11:18 PM
install and work perfectly
but on index forumlist the $forum[description] appear what??
I have put the right code in the root/index.php
if ($forum[security] == 2) {
$forum[description] .= " [<i>Password Protected</i>]";
}
above
eval("\$forumbits .= \"".gettemplate("forumhome_forumbit_level$depth$tempext")."\";");
I didn't know what I do wrong
My forum description is like this:
Coding projects [Password Protected]
vb2.2.8
That's what is supposed to happen. It shows that the forum is password protected.
sebastien69
03-15-2003, 03:30 AM
yes ok but in your screenshot the forum with the password hack show no description why??
It's because there is no description for the forum or it is the hack that hide description???
https://vborg.vbsupport.ru/attachment.php?s=&postid=364734
There was no description. It doesn't replace it.
giang
03-15-2003, 08:29 AM
Hey guys, I tried to install on 2.30 and I have some problem, maybe you guys can help me out.
1) When Edit my forums, I choose Password Protect Security then I enter the password and the time out but when I click submit, I got this message.
"Password protection enabled, yet no password was submitted.
(Forum access can be gained by leaving the password field blank on entry.)"
However when I look in the database, the forumpass field got the right password.
2) I can't get inside that protective forums when I supply the password. It keeps asking me to enter the password.
thanks
G
Hmm, do you have register_globals turned on or off?
sparky2
03-15-2003, 02:50 PM
Thanks for releasing this hack. It opens a fresh can o' worms, though.
---------------------------
Use of password-protected subforums will probably cause resentment among the excluded members, and generate repeated posts/PM from excluded members
demanding to know "Why?", "Why am I not special?", "Why can't I get in?!?"
You might preclude/alleviate this somewhat by including in the forum description a CLEAR explanation of WHY the subforum is protected, HOW select members attain
eligibility to participate in it (and WHO to contact with a password request if a member believes he's eligible)...
and you'd probably need to change the forum description field to allow enough room for sufficient descriptive text ~~ the standard field is limited to 250 characters.
To avoid the "in your face, but you can't access it" effect, consider marking any password-protected subforum(s) "inactive" via the AdminCP--}Forums:Edit interface.
This will suppress the title/description display on ForumsHome, will remove the forum(s) from forumjump and from the search selectbox... yet it won't interfere with the
ability of "insiders" to use the "Search this forum" feature (included in the "forumdisplay" template).
---------------------------
Password-protection is "only as good as" the people protecting the password. Bear in mind that it's subject to "social engineering". Ultimately (eventually) you should
EXPECT that someone(s) not "officially" invited will coax a friend (to whom the password is known) into divulging the password.
So, if you decide to employ a pw-protection scheme, you should PLAN (and communicate to included members) in advance:
-- which person(s) has the ability/authority to change the password
-- when/why the password may be changed (how often // for what reason)
-- how the included members will be notified, in the event of a password change
-- who (everyone, or just the leader) is permitted to divulge the password and to invite new "insiders"
-- what penalty will be applied if someone irresponsibly divulges the password to unqualified/uninvited "outsiders"
---------------------------
People understand what they get when they install this hack.
If they wish to "brace themselves" for the potentially huge influx of people asking for access, they can do so. If they can't deal with this, they probably shouldn't be running a forum.
The hack is here to make it technically possible for people to do things with their bulletin boards, the way they deal with the results is up to them.
You might preclude/alleviate this somewhat by including in the forum description a CLEAR explanation of WHY the subforum is protected, HOW select members attain
eligibility to participate in it (and WHO to contact with a password request if a member believes he's eligible)...
and you'd probably need to change the forum description field to allow enough room for sufficient descriptive text ~~ the standard field is limited to 250 characters.
I should think that anyone who installs this hack would explain why it's there, in the form of a thread or an announcement.
To avoid the "in your face, but you can't access it" effect, consider marking any password-protected subforum(s) "inactive" via the AdminCP--}Forums:Edit interface.
This will suppress the title/description display on ForumsHome, will remove the forum(s) from forumjump and from the search selectbox... yet it won't interfere with the
ability of "insiders" to use the "Search this forum" feature (included in the "forumdisplay" template).
If a user tries to access the forum, they'll still be prompted for a password. (Which would kind of give the game away)
Password-protection is "only as good as" the people protecting the password. Bear in mind that it's subject to "social engineering". Ultimately (eventually) you should
EXPECT that someone(s) not "officially" invited will coax a friend (to whom the password is known) into divulging the password.
Obviously.
So, if you decide to employ a pw-protection scheme, you should PLAN (and communicate to included members) in advance:
-- which person(s) has the ability/authority to change the password
-- when/why the password may be changed (how often // for what reason)
-- how the included members will be notified, in the event of a password change
-- who (everyone, or just the leader) is permitted to divulge the password and to invite new "insiders"
-- what penalty will be applied if someone irresponsibly divulges the password to unqualified/uninvited "outsiders"
This hack does exactly what it says it does. It password protects forums. If you can't handle having passwords, don't - stick to user access masks. It's not supposed to replace it, it's here as an alternative.
Honestly, people understand what the hack is for and if they need it, they use it. If anyone wants to release a "Enhanced Diplomatic Solutions to Ease Forum Tension in the Event of Password Protected Forum Usage" hack, be my guest.
Smoothie
03-15-2003, 04:01 PM
If anyone wants to release a "Enhanced Diplomatic Solutions to Ease Forum Tension in the Event of Password Protected Forum Usage" hack, be my guest.
LOL
jancarlo
03-19-2003, 07:55 AM
Database error in vBulletin 2.3.0:
Invalid SQL: SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid='2'
mysql error: Unknown column 'security' in 'field list'
mysql error number: 1054
Date: Wednesday 19th of March 2003 10:51:28 AM
Script: http://pinuvccio.altervista.org/forumdisplay.php?forumid=2
Referer:
help me
You didn't run the queries at the beginning (the very first thing listed in the instructions.)
jancarlo
03-19-2003, 08:51 AM
error in mysql look :(
1. SQL QUERIES
Run these queries:
-----------------------------------------------------------
ALTER TABLE `forum` ADD `security` TINYINT(1) UNSIGNED DEFAULT "1" NOT NULL;
ALTER TABLE `forum` ADD `forumpass` text NOT NULL;
ALTER TABLE `forum` ADD `passtimeout` int(8) UNSIGNED DEFAULT "0" NOT NULL;
-----------------------------------------------------------
Database error in vBulletin Control Panel 2.3.0:
Invalid SQL: UPDATE forum
SET
styleid='1', title='Main Category', description='Main Category Description',
active='1', displayorder='1', parentid='-1', parentlist='1,-1',
allowposting='0', cancontainthreads='0', daysprune='0',
newpostemail='', newthreademail='',
moderatenew='0', allowhtml='0', allowbbcode='0',
allowimages='0', allowsmilies='0', allowicons='0',
styleoverride='0', allowratings='0', countposts='1',
moderateattach='0', security='', forumpass='', passtimeout=''
WHERE forumid='1'
mysql error: Unknown column 'security' in 'field list'
mysql error number: 1054
Date: Wednesday 19th of March 2003 11:47:40 AM
Script: www.???_?????????.da.ru/admin/forum.php
Referer: http://pinuvccio.altervista.org/admin/forum.php?action=edit&forumid=1
Smoothie
03-21-2003, 03:03 AM
There is a major security flaw in this hack that was just discovered. I can tell you an easy way to get in to a password protected forum.
GoTTi
03-21-2003, 06:17 AM
r u gunna tell us how?
If you've found a flaw, why haven't you contacted me about it?
TheComputerGuy
03-22-2003, 11:54 AM
Well I tried to update my forum descriptions and it seems not to update any longer?
Did I miss something?
LOD-squa
03-30-2003, 05:20 PM
Hmm, one of my members used another password and he was still able to get into the forum =\
Zero Complex
03-30-2003, 07:01 PM
awesome. Finally someone puts a working one up. the other one had so many bugs.
Bloodfist
04-12-2003, 10:17 PM
So is this hack stable or what?
What's its status?
Crazy Pete
04-13-2003, 03:50 AM
Edit - Nevermind, I forgot to clear my cookies.
Crazy Pete
04-13-2003, 04:31 AM
Actually, there does seem to be a problem with this. Some people are able to click on a link to a post in the password protected thread, and it asks them for the password. So far, so good. But then, if they click back to the main index and reload it, THEN click on the password protected forum, they get right in.
I haven't been able to duplicate this, but some of my members said they got in without a password and that was one of the ways they did it.
kushtiUK
04-13-2003, 08:22 AM
Today at 06:25 AM Crazy Pete said this in Post #69 (https://vborg.vbsupport.ru/showthread.php?postid=381330#post381330)
Actually, there does seem to be a problem with this. Some people are able to click on a link to a post in the password protected thread, and it asks them for the password. So far, so good. But then, if they click back to the main index and reload it, THEN click on the password protected forum, they get right in.
I haven't been able to duplicate this, but some of my members said they got in without a password and that was one of the ways they did it.
I have the same problem and I also managed to duplicate it. I am running 2.2.6 though so I don't know if that's the problem - can anyone else confirm?
Crazy Pete
04-13-2003, 10:29 PM
FWIW, I'm running 2.3.0, and have had more reports of people being able to get in without a password today, as well.
Smoothie
04-14-2003, 04:05 AM
I told you guys there was a problem with this in post #61. Did you think I was kidding?
Smoothie
04-14-2003, 04:07 AM
Yesterday at 05:16 AM kushtiUK said this in Post #70 (https://vborg.vbsupport.ru/showthread.php?postid=381363#post381363)
I have the same problem and I also managed to duplicate it. I am running 2.2.6 though so I don't know if that's the problem - can anyone else confirm?
Confirmed this weeks ago, and I did pm the author of this hack. He complained that I didn't contact him about the problem, and when I did, I received no response.
Crazy Pete
04-18-2003, 05:30 AM
That's too bad, this would be pretty badass if it weren't for that odd little bug.
Floris
04-22-2003, 08:38 AM
Bug ?
Security flaw !
I hope he can still fix it, I have this installed, working and the flaw is confirmed & reproducible on 2.2.9
I hope he can fix it.
Floris
04-23-2003, 04:35 PM
We really needed this hack, and after looking at it, I threw it towards Scott and he fixed it in 1 minute, lol.
Here is version 1.2 which at least works on one of the sites I have it installed on. So hopefully it works for you too.
The changes are the forumdisplay and showthread text that you have to replace, the whole chunk. So, to upgrade, just remove it from those 2 files again and put this stuff instead.
Moo
Deathdealer
05-03-2003, 07:44 PM
im getting this Invalid SQL:
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid =
mysql error: You have an error in your SQL syntax near '' at line 5
mysql error number: 1064
marlborosat
05-04-2003, 12:41 AM
idem
Database error in vBulletin 2.3.0:
Invalid SQL:
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid =
mysql error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3
mysql error number: 1064
GaleForce
05-04-2003, 05:37 AM
This looks pretty cool, I may have use for this :)
SemperFidelis
05-06-2003, 05:52 PM
04-23-03 at 06:35 PM xiphoid said this in Post #76 (https://vborg.vbsupport.ru/showthread.php?postid=385990#post385990)
We really needed this hack, and after looking at it, I threw it towards Scott and he fixed it in 1 minute, lol.
Here is version 1.2 which at least works on one of the sites I have it installed on. So hopefully it works for you too.
The changes are the forumdisplay and showthread text that you have to replace, the whole chunk. So, to upgrade, just remove it from those 2 files again and put this stuff instead.
Moo
Ok
A few problems here
I have applied the modifications that were kindly supplied by xiphoid (cheers for those)
Now when I go to view a thread, I am getting :
Database error in vBulletin 2.3.0:
Invalid SQL:
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid =
mysql error: You have an error in your SQL syntax near '' at line 3
mysql error number: 1064
Date: Wednesday 07th of May 2003 02:46:23 AM
Script: http://localhost/rnas/rnas/showthread.php?s=&threadid=7
Referer:
Also when modifying a forum to incorporate the protection, Im still getting this :
Password protection enabled, yet no password was submitted.
(Forum access can be gained by leaving the password field blank on entry.)
In this instance, it appears the password is still being applied though.
redstaing0
05-06-2003, 09:15 PM
i have install the hack but dont work 100% because if you test any work 8488 and real password was vb200325 and the user can come in the Protected Forums and can test any t and they can open how I can fix it and why dont work 100%
Thanks for help it is real cool hack if they work in the my from i need to the hacks very much
SemperFidelis
05-10-2003, 05:33 AM
Has anyone come up with a complete 100% working version of this hack yet ?
S.Shady
05-10-2003, 09:34 PM
05-03-03 at 09:41 PM marlborosat said this in Post #79 (https://vborg.vbsupport.ru/showthread.php?postid=391031#post391031)
idem
Database error in vBulletin 2.3.0:
Invalid SQL:
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid =
mysql error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3
mysql error number: 1064
and everyone else getting mysql errors.
put them in one at a time i was putting them in at the same time and getting the same error. but success every time putting 1 in at time
Restless_ca
05-10-2003, 11:06 PM
Very very nice hack.
tomsch
05-11-2003, 06:48 PM
i have 2 problems with this
first is i can't change the password once its set or anything else for that matter it just won't update those fields
Password protection enabled, yet no password was submitted.
(Forum access can be gained by leaving the password field blank on entry.)
Record updated!
thats what it says when i try to update for some reason the password var is not being set
and the second it would appear the once a user has a cookie you can access the forum without entering the pass and after the time out period i had mine set for 60 mins i waited 2 days and was able to get access
any ideas for a fix??
Sorry everyone, I've been away for the past couple of months - now I'm back, and I've got a bit of time to fix any issues there are with my current hacks.
Is the modified version that xiphoid posted working fine? If so, should I update the original?
tomsch
05-14-2003, 07:43 PM
i'd like to click install but i can't get it to work:)
amp2000
05-15-2003, 12:21 PM
Is the modified version that xiphoid posted working fine? If so, should I update the original?
I'd like to know the answer to that myself, can anyone confirm they have a fully working version ??
Cheers
amp2000
amp2000
05-15-2003, 06:26 PM
For everyone getting errors similar to the following from xiphoid's update
Database error in vBulletin 2.3.0:
Invalid SQL:
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid =
The problem is that $forumid isn't in single quotes, example, instead of
Open up: root/showthread.php
Find:
-----------------------------------------------------------
eval("dooutput(\"".gettemplate("showthread")."\");");
-----------------------------------------------------------
Replace with:
-----------------------------------------------------------
// Showthread Password Protection Code
// Updated by Scott
$forumid = $foruminfo['forumid'];
$seccheck = $DB_site->query_first("
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid = $forumid
");
The above code is wrong, use the code below instead of the above from the readme.
The only difference is '$forumid' now has quotes around it. Hope that helps yas ;)
Open up: root/showthread.php
Find:
-----------------------------------------------------------
eval("dooutput(\"".gettemplate("showthread")."\");");
-----------------------------------------------------------
Replace with:
-----------------------------------------------------------
// Showthread Password Protection Code
// Updated by Scott
$forumid = $foruminfo['forumid'];
$seccheck = $DB_site->query_first("
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid = '$forumid'
");
I have installed this on a 2.3.0 vBulletin & can see no problems (other than the above which is now corrected) with the hack.
But then again I've only installed the hack from xiphoid's 1.2 version so I don't know what the bug was with Shaolyen's 1.1 version.
If someone can tell me how to reproduce the flaw I'll test it out & let yas know if it works. If anyone is reluctant to tell me how to reproduce the flaw will you pleeeez see does it work on the new updated instructions, ie v1.2, I need to know whether this is secure or not before I use it.
This is a great hack Shaolyen, I'll be definitely clicking install if this works, thanks!
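Added example, not part of the post above or of the hack's code: the errors quoted in this thread show the query being built with an empty $forumid. This sketch validates the id as a positive integer, binds it as a parameter, and treats a missing or malformed id as "not open" instead of falling through. It runs against an in-memory SQLite table (needs the pdo_sqlite extension) constructed as a stand-in for the forum table; the function names and sample rows are assumptions.

```php
<?php
// Added example (not the hack's code). Function names and rows are constructed.

// Returns the security row for a forum, or null if the id is malformed or unknown.
function load_forum_security(PDO $db, $rawForumid): ?array
{
    // Only a positive integer is accepted; '', null, '7abc' and arrays are rejected
    // before any SQL is built.
    $forumid = filter_var($rawForumid, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    if ($forumid === false) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT security, forumpass, passtimeout FROM forum WHERE forumid = :id'
    );
    $stmt->bindValue(':id', $forumid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fail closed: a forum counts as open only when its row was found and its
// security level is 1 ("Regular Forum Security" in the hack's terms).
function forum_is_open(PDO $db, $rawForumid): bool
{
    $row = load_forum_security($db, $rawForumid);
    return $row !== null && (int) $row['security'] === 1;
}

// Constructed stand-in for the forum table with the three columns the hack adds.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum (
    forumid     INTEGER PRIMARY KEY,
    security    INTEGER NOT NULL DEFAULT 1,
    forumpass   TEXT    NOT NULL,
    passtimeout INTEGER NOT NULL DEFAULT 0
)');
$db->exec("INSERT INTO forum VALUES (1, 1, '', 0), (2, 2, 'constructed-hash', 60)");

// Regular forum, protected forum, empty id, malformed id, unknown id.
foreach (['1', '2', '', '7abc', '99'] as $raw) {
    printf("forumid=%-7s open=%s\n",
           var_export($raw, true),
           forum_is_open($db, $raw) ? 'yes' : 'no');
}
```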
Almax
05-15-2003, 10:04 PM
05-11-03 at 08:48 PM tomsch said this in Post #86 (https://vborg.vbsupport.ru/showthread.php?postid=393859#post393859)
i have 2 problems with this
first is i can't change the password once its set or anything else for that matter it just won't update those fields
Password protection enabled, yet no password was submitted.
(Forum access can be gained by leaving the password field blank on entry.)
Record updated!
thats what it says when i try to update for some reason the password var is not being set
and the second it would appear the once a user has a cookie you can access the forum without entering the pass and after the time out period i had mine set for 60 mins i waited 2 days and was able to get access
any ideas for a fix??
And the exact same here
and if its register_globals on/off
how do i turn them on/off ?
nefarious
05-17-2003, 10:20 PM
Installed Xiphoid's fix with amp2000's changes and it still doesn't work.
I am still able to enter a bogus password, hit the back button and then refresh and you can get in...
Any clues on how to fix this?
SemperFidelis
05-19-2003, 12:21 PM
Cheers for the fix amp2000
:)
nefarious
05-19-2003, 12:56 PM
I have installed the 'fixes' but I can still get in without a password.
If you enter a wrong password you get a second chance to enter one, OK so far, but if you now hit the back button and then the refresh, bingo you are in ...
tomsch
05-22-2003, 02:00 AM
same prob here. i did notice that no cookie was sent. so i'm guessing a null check might be needed???
anyone have an idea??
:disappointed:
Smoothie
05-22-2003, 07:32 AM
If you enter a wrong password you get a second chance to enter one, OK so far, but if you now hit the back button and then the refresh, bingo you are in ...
yep, exactly the same problem I reported way back. Had to uninstall, it's worthless as is.
Well that sucks, I was going to install this today :(
MentaL
05-24-2003, 07:09 PM
gonna test on 2.9..
MentaL
05-24-2003, 11:21 PM
works
Shepski
06-06-2003, 11:59 AM
has anyone managed to figure out a solution to the refresh to enter forum problem. I want to install this hack but cant if this problem exists as it wont take users long to find out the bypass :(
blackice912
06-10-2003, 06:00 PM
Indeed sounds like a nice hack, but no way if they can bypass it.
csidlernet
06-17-2003, 04:52 AM
Thanks very much.
/me hits install
Sn00peh
07-01-2003, 09:05 AM
if i click on the "go to last post" link next to the username who last posted, i get into the forum without a password.... my fault?
Sn00peh
07-18-2003, 01:15 PM
anyone having the same problem? please, this is kinda urgent :\
Frozen Dreams
07-21-2003, 12:07 PM
03-12-03 at 03:09 PM Shaolyen said this in Post #14 (https://vborg.vbsupport.ru/showthread.php?postid=364774#post364774)
The glitch I left in was this line of code (in two places) which gives access to the forum on the second incorrect attempt.
setcookie('cookpass['.$forumid.']', $seccheck[forumpass], 0);
I've deleted it and updated the instructions.
those lines are actually still in the changes the txt file asks for ... once in showthread and once in forumdisplay ... I removed them and whatever I tried (back button etc) I couldn't get in at all without the proper password ;)
and I don't know if those changes did it - but I get the password prompt when clicking last post button on forum index as well
* Frozen Dreams clicks install
LordJMann
07-24-2003, 02:23 AM
I applied this hack and updated it after I heard people were getting in without a password, and it still has the same problem...
One of the guys who is getting in says it shows it setting his cookies... Any ideas?
Sn00peh
08-04-2003, 10:00 PM
well, i wouldn't recommend this hack, due to its major security holes... i've uninstalled it.
-HipNoTiK-
08-21-2003, 01:22 AM
Well, this sure doesn't work in 2.3.2 :disappointed: Does anyone know of something close to this that will work with 2.3.2?
Toky0
08-21-2003, 01:30 AM
I think it will work with 2.3.0 somewhat. I'm not switching over to 2.3.2 =/ Only to 3.0.0 and up.
nefarious
08-21-2003, 07:35 AM
I am sticking with it, only a couple of users have worked out the bypass and the password is given out to members who ask for it (it is a slightly lame adultish forum) and it is really there to stop casual lurkers.
Hopefully 3 will be out soon enough and then it shouldn't be a problem anymore...
Is there anything one could do to modify this hack so that it isn't possible to bypass the password ?
Regards.
poetic
11-25-2003, 08:02 AM
ok, i added
maketableheader("Forum Security");
echo "<tr class='".getrowbg()."' valign='top'>\n<td><p>Choose Forum Security</p></td>\n<td><p><select name=\"security\">\n";
echo "<option value=\"1\" SELECTED>Regular Forum Security</option>\n";
echo "<option value=\"2\">Password Protected Security</option>\n";
echo "</select>\n</p></td>\n</tr>\n";
makeinputcode("Forum Password<br><font size=1>If password protection is enabled, you must
choose a password <br>needed to access the forum.</font>","forumpassword");
echo "<tr class='".getrowbg()."' valign='top'>\n<td><p>Password Timeout<br><font size=1>The time until the password times out.
<br>After the this occurs, the user will have to enter the password again to gain access.</font></p></td>\n<td><p><select name=\"passtimeout\">\n";
echo "<option value=\"60\" SELECTED>60 Seconds</option>\n";
echo "<option value=\"600\">10 Minutes</option>\n";
echo "<option value=\"1800\">30 Minutes</option>\n";
echo "<option value=\"3600\">1 Hour</option>\n";
echo "<option value=\"36000\">10 Hours</option>\n";
echo "<option value=\"86400\">1 Day</option>\n";
echo "<option value=\"604800\">1 Week</option>\n";
echo "<option value=\"2419200\">1 Month</option>\n";
echo "<option value=\"29030400\">1 Year</option>\n";
echo "</select>\n</p></td>\n</tr>\n";
after
makechoosercode("Custom style set for this forum","styleset","style",$forum[styleid]);
makeyesnocode("Override users custom styles<BR>(will force this forum's specified colors)","styleoverride",$forum[styleoverride]);
in admin/forum.php in attempts to be able to assign a password to existing forums instead of just having that option of adding a password when creating forums. i then assign the attributes and the password and the cookie timeout, then click save changes. but it doesn't actually save, the password is not applied and i go back into edit and the same forum and the password area is back to its original state can someone please help
I installed this hack and i do not see anything in the admin cp. Any ideas as to what i did wrong?
poetic
11-26-2003, 06:57 AM
^^the option to set a password is only available when you make a new forum, so when u make a new forum right where u set the name and permissions at the very bottom if u followed the instructions right it should be there
zsmom
12-03-2003, 09:48 PM
I just installed it on 2.3.2 and it works fine. Any forums that I really really need to keep people out of I use access masks for or make the forum hidden. Like someone else said, it works great to just keep out the casual lurkers.
* clicks install
i installed this hack and it worked fine until we tried to add another forum. We're getting an sql error. Here's what we're getting.
Database error in vBulletin Control Panel 2.3.0:
Invalid SQL: INSERT INTO forum
(forumid,styleid,title,description,active,displayorder,parentid,
parentlist,allowposting,cancontainthreads,sponsorname,sponsorimg,
sponsorurl,daysprune,newpostemail,newthreademail,
moderatenew,allowhtml,allowbbcode,allowimages,allowsmilies,allowicons,
styleoverride,allowratings,countposts,moderateattach,security,forumpass,pastimeout)
VALUES
(NULL,'1','Temporary MOB','','1','4','41',
'','0','1','','',
'','30','','',
'0','0','1','0','
s','1',
'0','1','1','0','1','','60')
mysql error: Unknown column 'pastimeout' in 'field list'
mysql error number: 1054
Any ideas as to how i can fix this so we can add more forums?
MaDCaT75
12-25-2003, 05:06 AM
Uh did anyone fix the password exploit yet where you can input any password and you can still get in!? :confused:
Oblivion Knight
12-25-2003, 05:58 AM
Seems to be working with no problems on 2.3.3 using the file posted in #76 and the fix posted in #90.. I'm not able to bypass the forum password using the method discussed in this thread, and the forum password updates fine when entering a new one.
Could anyone point me in the right direction to make this (https://vborg.vbsupport.ru/showthread.php?t=28561&page=1&pp=15) mod work with this.? Currently the forum password protection can be bypassed by clicking on the title of the last thread shown on the forum summary.
Roody
01-06-2004, 01:21 PM
I would like to use this hack to keep an Asst. Admin from accessing a certain forum on a site I admin. Unfortunately since he has Admin CP access he could read the password. You mentioned in your first post about setting it up so the password would have asterisks or another symbol to replace the password so it couldn't be read in the AdminCP.
How do I go about making this happen?
skullycapone
02-02-2004, 01:27 AM
ok can someone help me a little i am kinda new to this and was wondering how to run the queries
skullycapone
02-02-2004, 04:53 AM
got it thanks
armani1072
03-02-2004, 02:48 AM
great hack but when i change the passwd or anything i get this error message in my admin cp. i made sure that all the files match perfectly? please help.
"Password protection enabled, yet no password was submitted.
(Forum access can be gained by leaving the password field blank on entry.) "
Parker Clack
03-02-2004, 08:19 AM
Has anyone gotten around to adding md5 encryption to this yet? Also do you think that you could add where the cookie that is set is deleted when the timeframe runs out or when you log out of the forum? Right now if you log out of the forum and reset your cookie the cookie information for cookpass is still there.
Thanks,
Parker
armani1072
03-12-2004, 03:37 AM
Bump so someone might see this???
m7rgy
07-30-2004, 02:09 PM
For everyone getting errors similar to the following from xiphoid's update
Database error in vBulletin 2.3.0:
Invalid SQL:
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid =
The problem is that $forumid isn't in single quotes, example, instead of
Open up: root/showthread.php
Find:
-----------------------------------------------------------
eval("dooutput(\"".gettemplate("showthread")."\");");
-----------------------------------------------------------
Replace with:
-----------------------------------------------------------
// Showthread Password Protection Code
// Updated by Scott
$forumid = $foruminfo['forumid'];
$seccheck = $DB_site->query_first("
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid = $forumid
");
The above code is wrong, use the code below instead of the above from the readme.
The only difference is '$forumid' now has quotes around it. Hope that helps yas ;)
Open up: root/showthread.php
Find:
-----------------------------------------------------------
eval("dooutput(\"".gettemplate("showthread")."\");");
-----------------------------------------------------------
Replace with:
-----------------------------------------------------------
// Showthread Password Protection Code
// Updated by Scott
$forumid = $foruminfo['forumid'];
$seccheck = $DB_site->query_first("
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid = '$forumid'
");
I have installed this on a 2.3.0 vBulletin & can see no problems (other than the above which is now corrected) with the hack.
But then again I've only installed the hack from xiphoid's 1.2 version so I don't know what the bug was with Shaolyen's 1.1 version.
If someone can tell me how to reproduce the flaw I'll test it out & let yas know if it works. If anyone is reluctant to tell me how to reproduce the flaw will you pleeeez see does it work on the new updated instructions, ie v1.2, I need to know whether this is secure or not before I use it.
This is a great hack Shaolyen, I'll be definitely clicking install if this works, thanks!
even if it works ;), anyone else who got the thread link can get in :nervous:
anyway it's very simple, just replace the lines:
$forumid = $foruminfo['forumid'];
$seccheck = $DB_site->query_first("
SELECT security,forumpass,passtimeout
FROM forum
WHERE forumid = $forumid
");
to :
$forumid = $thread['forumid'];
$seccheck = $DB_site->query_first("SELECT security,forumpass,passtimeout FROM forum WHERE forumid = ".$forumid);
i tested on my forum (version 2.2.5) and it works 100%
v.good hack
Best Regards
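The failure modes reported in this thread (a cookie holding the real password being set after a wrong attempt, the plaintext password kept in the cookie, and an empty $forumid breaking the query) are handled together in the added example below; it is not the hack's code or any poster's fix. SERVER_KEY and the function names are hypothetical, and the forum row is assumed to still hold security, forumpass and passtimeout as in the hack.

```php
<?php
// Added example; SERVER_KEY and all function names are hypothetical.
const SERVER_KEY = 'replace-with-a-long-random-secret'; // constructed placeholder
// The forum id is forced to an integer, so an empty or hostile value cannot alter the SQL.
function forum_security_sql($rawForumId): string
{
    return sprintf('SELECT security,forumpass,passtimeout FROM forum WHERE forumid = %d', (int) $rawForumId);
}

// Cookie value "expiry:HMAC"; the stored password is an HMAC input, so changing it voids old tokens.
function issue_forum_token(int $forumid, string $forumpass, int $timeout, int $now): string
{
    $expires = $now + $timeout;
    return $expires . ':' . hash_hmac('sha256', "$forumid|$expires|$forumpass", SERVER_KEY);
}

function token_is_valid(string $token, int $forumid, string $forumpass, int $now): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || (int) $parts[0] < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', "$forumid|{$parts[0]}|$forumpass", SERVER_KEY);
    return hash_equals($expected, $parts[1]);
}

// Returns [allowed, cookie value to send or null]. A failed attempt never yields a cookie.
function check_forum_access(array $forum, ?string $submitted, ?string $cookie, int $now): array
{
    if ((int) $forum['security'] !== 2) {
        return [true, null]; // option value 2 is "Password Protected Security"
    }
    $id = (int) $forum['forumid'];
    $pass = (string) $forum['forumpass'];
    if ($cookie !== null && token_is_valid($cookie, $id, $pass, $now)) {
        return [true, null];
    }
    if ($submitted !== null && $pass !== '' && hash_equals($pass, $submitted)) {
        return [true, issue_forum_token($id, $pass, (int) $forum['passtimeout'], $now)];
    }
    return [false, null];
}
// Constructed sample row and requests.
$forum = ['forumid' => 7, 'security' => 2, 'forumpass' => 'opensesame', 'passtimeout' => 600];
[$ok1, $c1] = check_forum_access($forum, 'bogus', null, 1000000);      // wrong password
[$ok2, $c2] = check_forum_access($forum, null, $c1, 1000000);          // back + refresh afterwards
[$ok3, $c3] = check_forum_access($forum, 'opensesame', null, 1000000); // correct password
[$ok4, $c4] = check_forum_access($forum, null, $c3, 1000601);          // token past its timeout
var_dump($ok1, $ok2, $ok3, $ok4, forum_security_sql(''));
```

The caller passes the returned token to setcookie() only when it is not null, and runs the same check in showthread.php and forumdisplay.php so a direct thread link takes the same path as the forum listing.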