View Full Version : Security Password for Admincp Hacks
AnhTuanCool
10-09-2004, 10:00 PM
Security Password for Admincp Hacks
by AnhTuanCool
Quick Stats:
Version 1.0.2
Tested full functionally on vBulletin 3.0.3
Time to install: no more than 2 min
File to edit: 4
Template to edit: None
Query to run: None
What this hack does:
Add an additional Password for ACP which is only known by insiders if intentional or unintentional someone could get your current account and do the bad things to your board, this password is assign to all current administrator and only can be changed by the superadministrator*.
Updated:
Upgrade from v1.0.0
Fixed bug that not allow normal member to login
Install:
I had includes the installation file so that you don't have to move much which is always discourage people with long instruction. Included the installation file, download and upload the two files onto your forumroot/admincp/ directory, run the file acppassword_install.php from your admincp and follow it closely.
Disclaimer:
Of course do not forget to back-up your file before uploading it.
Do NOT stop the installation while it isn't finished yet, this can cause you more trouble.
*Be a superadministrator
If you are the webmaster of your site, then you probably can use FTP or another way - edit the source code, you will need to edit the $superadministrators variable in the includes/config.php file to be a superadministrator or you can add some of trusted people, in order to reset this password.
To allow the administrators to access this page, edit the variable to include the user IDs of those administrators should have access, separating each user ID with a comma, like this:
$superadministrators = '1,25,57';
To allow only a single administrator to access this page, simply add that user's ID with no commas, like this:
$superadministrators = '1';
Note: This hack assigns the security password for all current administrators, so if you set someone to administrator, you will have to reset the password in order to allow him to ACP.
Screenshots:
Attachment
NOTE: INSTALL as your OWN risk. This hack has a serious side-effect on the login function. I'll try to fix it as soon as I can.
BarHopper
10-10-2004, 02:09 PM
Very good, i like this one
Oblivion Knight
10-10-2004, 02:28 PM
So this would be like having a HTACCESS password, but within vBulletin itself?
Could the same be applied to the modcp?
d7me4ever
10-10-2004, 03:54 PM
Thanx
Nice hack
good jop
bay
AnhTuanCool
10-10-2004, 06:59 PM
So this would be like having a HTACCESS password, but within vBulletin itself?
Could the same be applied to the modcp?
This COULD be applied to the modcp, just do the install one time for both ;)
But only in admincp you can reset the password.
Blam Forumz
10-10-2004, 08:17 PM
Could just apply HTACCESS ;)
yukayumi
10-10-2004, 08:20 PM
Could not find the "if (!verify_authentication($username, $password, $md5password, $md5password_utf, true))" in my login.php file
Get stuck here! I wonder if someone has the same problem.
AnhTuanCool
10-10-2004, 08:31 PM
To yakayumi - it IS in there(login.php), did you install another hack that involved this line. Check the attachment out first.
AnhTuanCool
10-10-2004, 08:37 PM
Could just apply HTACCESS ;)
It's hard for some people. :)
PitchouneN64ngc
10-10-2004, 08:50 PM
Yeah, great hack, using same password encoding like vB3 passwords ;)
* PitchouneN64ngc clicks install ^^
yukayumi
10-10-2004, 08:54 PM
Really don't remember if I had made any changes to this file before.It's supposed to be there like in your screenshot but mine is different.Please take a look and tell me what to do.Should I hit the back button and uninstall this script? I'm afraid I won't be able to login my admincp if get stuck in the middle of the installation here.
PitchouneN64ngc
10-10-2004, 08:57 PM
What is your version of vBulletin you using? For vB 3.0.3, all is good :)
AnhTuanCool
10-10-2004, 09:03 PM
To yukayumi -
Replace your lines from 156 to 158 with:
if ($bbuserinfo = $DB_site->query_first("SELECT userid, usergroupid, membergroupids, username, password, cpanelpassword, salt FROM " . TABLE_PREFIX . "user WHERE username = '" . addslashes(htmlspecialchars_uni($username)) . "'"))
{
if (
$bbuserinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $bbuserinfo['salt']), '') AND
$bbuserinfo['password'] != md5($md5password . $bbuserinfo['salt']) AND
$bbuserinfo['password'] != iif($md5password_utf, md5($md5password_utf . $bbuserinfo['salt']), '') OR
$bbuserinfo['cpanelpassword'] != md5(md5($password2))
)
Good luck ;)
yukayumi
10-10-2004, 09:23 PM
Mine is vbb 3.0.1,maybe that's why there's alot of error out there.Could not find the code between those <!-- login fields --> in my adminfunctions.php file.I guess it's not compatible with 3.0.1 though.What should I do?
AnhTuanCool
10-10-2004, 09:30 PM
In adminfunctions.php, SELECT BETWEEN the two <!-- login fields --> and <!-- /login fields --> line, and do the replacement, good luck :)
yukayumi
10-10-2004, 09:51 PM
Could you please take a look at my functions_login.php file? It's 3.0.1 and I could not find the code mentioned in your hack.Thanks.
AnhTuanCool
10-10-2004, 09:57 PM
Cross out that modification for functions_login.php and do the first two support that I gave (if you didn't) cause there is no verify_authenticate function ;).
yukayumi
10-10-2004, 10:43 PM
Work like charm,AnhTuanCool.Thanks alot.This hack is great!
Floris
10-11-2004, 07:38 AM
Personally I think this is useless because there is also .htaccess which is better.
The biggest threats are xss where they don't even need to know the passwords. This would be a handy additional security layer for windows servers where .htaccess isn't working. And every additional security layer is better then not having it. So thank you for your hack and sharing it.
Carter876
10-11-2004, 07:47 AM
I'm on Linux server and I prefer to use .Htaccess but this hack is good for Windows server :)
Regards
thanks for sharing with the community... I may use it :)
AnhTuanCool
10-11-2004, 02:28 PM
I found a bug that prevent normal member to login, but it's fixed now. If you didn't install this hack then see the zip file, if you did and wish to upgrade to fix this bug, see the txt file.
This update re-allows normal members to login but administrators who have the password need to use the cookies from ACP to login to the board so if you are an administrator you will need to login to your ACP first (you will have noticed that the login in ACP appears twice) then return to your board. I'll try to fix for the admins soon. ^_^
I found a bug that prevent normal member to login, but it's fixed now. If you didn't install this hack then see the zip file, if you did and wish to upgrade to fix this bug, see the txt file.
This update re-allows normal members to login but administrators who have the password need to use the cookies from ACP to login to the board so if you are an administrator you will need to login to your ACP first (you will have noticed that the login in ACP appears twice) then return to your board. I'll try to fix for the admins soon. ^_^
Nothing....
Still cannot log in.
I need to uninstall this NOW..>How do I do it. Cause I'm getting overwhelmed with emails....
AnhTuanCool
10-11-2004, 07:01 PM
K, use the install script (acppassword_install.php), choose for Click Here to Uninstall to remove phrase and field, then enter acppassword_install.php?do=editfiles and redo all the modification for the source code...
k4is3r
10-26-2004, 01:03 PM
when you fix the administration login?
outlaw621
10-26-2004, 09:27 PM
I am installing this on 3.0.3 and I have a small problem. After I get everyting installed, the admincp works as expected with the security key. The problem is it is also adding the security key requirement to the modcp. I only want it for admincp logons. I do not want the mods to have the security key. How do I fix this?
Wapture
10-27-2004, 04:46 AM
Ok, problem...
The password works great for the admincp, but when a mod trys to login to modcp they are also shown a box saying "security password" I gave the mods the password but it is coming back as if it is wrong.
Sorry, but now i don't remember security password. Can you help me?
shadiguy1
11-05-2004, 12:47 PM
i did the install for some reason tho if u enter just the administrators passowrd it still allows you to loigin twithout the 2nd password what could have i done wrong?
parajsa
11-05-2004, 08:51 PM
I am installing this on 3.0.3 and I have a small problem. After I get everyting installed, the admincp works as expected with the security key. The problem is it is also adding the security key requirement to the modcp. I only want it for admincp logons. I do not want the mods to have the security key. How do I fix this?
The same problem, is there any way to make this prob disappears?
Thank u in advanced,
parajsa
11-10-2004, 08:59 PM
The same problem, is there any way to make this prob disappears?
Thank u in advanced,
Greetings,
I found out the way that the Supermoderators, dont have to know the security password, and can enter their Control Panel without any problem, just do the followin:
In the login.php
Replace this code:
$password2 = iif($logintype = 'cplogin', &$vb_login_password2, '');
with this one:
$password2 = iif($logintype === 'cplogin' OR $logintype === 'modcplogin', &$vb_login_password2, '');
It works perfectly on my bord :)
Eagle Creek
12-04-2004, 10:58 PM
<a href="https://vborg.vbsupport.ru/attachment.php?attachmentid=21131" target="_blank">https://vborg.vbsupport.ru/attac...chmentid=21131</a>
Wherefore I have to add a usergroup ID? I have three usergroups who can access my ACP (Admins, Smods, Owners of the site).
What do I have to fill in there?
Jacko
12-10-2004, 10:35 PM
eek, script is full of bugs etc... instructions dont work in 3.0.3 and it messed up my includes files..
i un-installed untill it is finally released as 3.0.3 (good idea just needs fixing, and i suppose its just one bit of extra security.!)
basskiller
12-11-2004, 02:16 AM
Why not just go through password protect directories. Then you can add a different username then your normal along with a seperate password. That way each member has two different usernames and passords for such directories as admincp/modcp or any other directory that need extra protection
jad65
12-17-2004, 03:08 PM
Quick Stats:
Version 1.0.2
Tested full functionally on vBulletin 3.0.3
Time to install: no more than 2 min
File to edit: 4 which files i have to edit, and whare is the instruction ?
Template to edit: None
Query to run: None
Thanks
PitchouneN64ngc
12-17-2004, 03:22 PM
./login.php (3 changes)
./includes/adminfunctions.php (1 change)
./includes/functions_login.php (3 changes)
./admincp/index.php (1 change)
These files are specified in the install script.
jad65
12-17-2004, 05:40 PM
Thanks for reply
but i cant see any instruction,
what php change i have to do ?
can u see attached image, there is only 2 files to upload
Thanks for help
skinwalker
12-19-2004, 04:01 PM
https://vborg.vbsupport.ru/attachment.php?attachmentid=21131
Wherefore I have to add a usergroup ID? I have three usergroups who can access my ACP (Admins, Smods, Owners of the site).
What do I have to fill in there?
I have the same question..How to assign multiple user groups access?
Eagle Creek
02-01-2005, 08:04 PM
Thanks for reply
but i cant see any instruction,
what php change i have to do ?
can u see attached image, there is only 2 files to upload
Thanks for help
Just run the installerer. It will give you further instructions :),
Gary King
07-20-2005, 03:54 PM
Anyone know if this script is good for 3.0.7?
SmartGnome
07-22-2005, 07:04 AM
Have clickt install and will start testing on board now.
tnx for sharing
derekivey
07-25-2005, 03:58 AM
Looks cool, can't wait till the final non beta release comes :)
EDIT: Just tried it, it wouldn't let me login.
SmartGnome
07-27-2005, 08:46 PM
Sorry, my admins regulary cann't log in and have to wait the standard 15 minutes before login again. Eben myself as a super administrator have that problem.
I uninstall the hack till it's out the beta stage.
BTW:
The idea behind the hack ist top. Should be a standard option in the vb3.5 version
Tnx again
Smarty
iTaLiAnBoY165
08-06-2005, 11:05 PM
Dont use dreamweaver wit this code it will mess it up
T_Montana
10-16-2005, 03:12 PM
this seems to have bugs anybody ever come out with a bug free version?
parajsa
10-30-2005, 06:10 PM
any chance to have this hack modified for the version 3.5 gold?
MathewC
02-23-2007, 06:13 PM
could this be added to 3.6 ?
TheSh@rk
05-14-2007, 04:55 AM
Very nice!
I think I'll use it...
Thanks alot =]
vBulletin® v3.8.12 by vBS, Copyright ©2000-2024, vBulletin Solutions Inc.