vb.org Archive
Page 2 of 16 1 2 3412 Last »
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Modification Graveyard (https://vborg.vbsupport.ru/forumdisplay.php?f=224)
-   -   Administrative and Maintenance Tools - vB3.5 Email notification if someone attempts to access your Admin or Mod CP (https://vborg.vbsupport.ru/showthread.php?t=96921)

Boofo 09-26-2005 04:19 PM
Quote:
Originally Posted by Darkwaltz4
hmm, this is an interesting hack, but i assume it sends to the same email for every failed attempt

this could reveal to that email the password of one of the mods, who just accidentally mispelled their USERNAME on the login panel.

i dunno, but mods might not enjoy this, and this might be an idea: if a submitted username matches an existing username, then the email of that username is the one who recieves the email :) that way the user in question knows they were the one targeted. (and perhaps the 'main' email getting the truly perhaps random attempt notices)

edit: hmm, although that wouldnt fix the whole mispelled name + correct password thing hmm...

truly a touchy subject :-p

edit: furthermore, this cant check if a login attempt worked, but wasnt that user (fully understandable), so this could actually serve to further give out your password :-/
I explained the passsord reason in the first post. If the main Admin of your board cannot be trusted with the information if you make a mistake, then you really shouldn't be a Mod there anyway, right? ;)

I think the main Admin should get an email if someone attempts to log in no matter what account is trying to be used. Your idea of sending an email to the username tried is an intersting idea, but only as long as it would be staff personel that had access to whatever CP was trying to be accessed.

How could it further give out your password if they make a successful login? You wouldn't get an email and no information would be sent. If they make a successful login, they would already know your passord. Duh? ;)

Darkwaltz4 09-26-2005 04:26 PM
well of course, but anywhere where passwords are lying around in plaintext are troublesome if something is compromised (its happened to my email once). and also the untrustworthy admin thing :-p

well, yeah sorry i implied the 'and must be a mod/admin thing as well' :-p

im saying it could further give it out if its coupled with the whole compromised thing above. youd think this would be some sort of safeguard against logins who arent you, whereas its undetectable and yet posts your password in plaintext somewhere :-p hence the possibility of being negative on the whole.

im just helping to examine some vulnerabilities which can (and for me, have) arise

Boofo 09-26-2005 04:34 PM
The plain text password is not stored anywhere. It is only sent in the email. So there is no way for anyone to get it, because it isn't there. ;)

Darkwaltz4 09-26-2005 04:45 PM
yes it is stored somewhere; in the email message, as plaintext :-p thats what i keep talking about. if this message is left in the email client, and the email account is compromised, then the hacker has a host of email messages containing login failures at their disposal, and can probably deduce correct passwords from common mistakes with logins (like mispelled name + correct password)

if they did this quietly, then they could use them to log into the CPs, and nobody would detect that - correct login :-p

Boofo 09-26-2005 04:50 PM
Well, I don't feel that way about it so if someone doesn't want to have the password in the email, they can comment the password line out in the code. Simple as that. Easy fix.

Delphiprogrammi 09-26-2005 06:44 PM
i was waiting for this ...

Boofo 09-26-2005 06:58 PM
The wait is over! ;)

Marco van Herwaarden 09-26-2005 07:19 PM
/me moves Boofo up on his ignore list, oops he already was on top.
/me will from now on stay away from each board that is touched by Boofo

Boofo 09-26-2005 07:29 PM
I wish I had known that was all it took a long time ago. ;)

Delphiprogrammi 09-26-2005 07:40 PM
hi,

I don't receive the warning email ... vbulletins mails function is working fine (i know for sure since i tested it => maintenance =>diagnostics =>email test) and no PHP errors are displayed anywhere so i goto my admincp and i enter wrong login and password but nope .. vbversion i'm using (look at the left side) :D


All times are GMT. The time now is 11:09 AM.
Page 2 of 16 1 2 3412 Last »
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01063 seconds
  • Memory Usage 1,740KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (1)pagenav_pagelinkrel
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete