vb.org Archive
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.0 Beta Releases (https://vborg.vbsupport.ru/forumdisplay.php?f=34)
-   -   Security Password for Admincp Hacks (https://vborg.vbsupport.ru/showthread.php?t=70412)

AnhTuanCool 10-09-2004 10:00 PM
Security Password for Admincp Hacks
 
Security Password for Admincp Hacks
by AnhTuanCool

Quick Stats:
Version 1.0.2
Tested full functionally on vBulletin 3.0.3
Time to install: no more than 2 min
File to edit: 4
Template to edit: None
Query to run: None

What this hack does:
Add an additional Password for ACP which is only known by insiders if intentional or unintentional someone could get your current account and do the bad things to your board, this password is assign to all current administrator and only can be changed by the superadministrator*.

Updated:
Upgrade from v1.0.0
Fixed bug that not allow normal member to login

Install:
I had includes the installation file so that you don't have to move much which is always discourage people with long instruction. Included the installation file, download and upload the two files onto your forumroot/admincp/ directory, run the file acppassword_install.php from your admincp and follow it closely.

Disclaimer:
Of course do not forget to back-up your file before uploading it.
Do NOT stop the installation while it isn't finished yet, this can cause you more trouble.

*Be a superadministrator
If you are the webmaster of your site, then you probably can use FTP or another way - edit the source code, you will need to edit the $superadministrators variable in the includes/config.php file to be a superadministrator or you can add some of trusted people, in order to reset this password.

To allow the administrators to access this page, edit the variable to include the user IDs of those administrators should have access, separating each user ID with a comma, like this:

$superadministrators = '1,25,57';

To allow only a single administrator to access this page, simply add that user's ID with no commas, like this:

$superadministrators = '1';

Note: This hack assigns the security password for all current administrators, so if you set someone to administrator, you will have to reset the password in order to allow him to ACP.

Screenshots:
Attachment

NOTE: INSTALL as your OWN risk. This hack has a serious side-effect on the login function. I'll try to fix it as soon as I can.

BarHopper 10-10-2004 02:09 PM
Very good, i like this one

Oblivion Knight 10-10-2004 02:28 PM
So this would be like having a HTACCESS password, but within vBulletin itself?

Could the same be applied to the modcp?

d7me4ever 10-10-2004 03:54 PM
Thanx

Nice hack

good jop

bay

AnhTuanCool 10-10-2004 06:59 PM
Quote:
Originally Posted by Oblivion Knight
So this would be like having a HTACCESS password, but within vBulletin itself?

Could the same be applied to the modcp?
This COULD be applied to the modcp, just do the install one time for both ;)

But only in admincp you can reset the password.

Blam Forumz 10-10-2004 08:17 PM
Could just apply HTACCESS ;)

yukayumi 10-10-2004 08:20 PM
Could not find the "if (!verify_authentication($username, $password, $md5password, $md5password_utf, true))" in my login.php file

Get stuck here! I wonder if someone has the same problem.

AnhTuanCool 10-10-2004 08:31 PM
To yakayumi - it IS in there(login.php), did you install another hack that involved this line. Check the attachment out first.

AnhTuanCool 10-10-2004 08:37 PM
Quote:
Originally Posted by Blam Forumz
Could just apply HTACCESS ;)
It's hard for some people. :)

PitchouneN64ngc 10-10-2004 08:50 PM
Yeah, great hack, using same password encoding like vB3 passwords ;)

* PitchouneN64ngc clicks install ^^

yukayumi 10-10-2004 08:54 PM
Really don't remember if I had made any changes to this file before.It's supposed to be there like in your screenshot but mine is different.Please take a look and tell me what to do.Should I hit the back button and uninstall this script? I'm afraid I won't be able to login my admincp if get stuck in the middle of the installation here.

PitchouneN64ngc 10-10-2004 08:57 PM
What is your version of vBulletin you using? For vB 3.0.3, all is good :)

AnhTuanCool 10-10-2004 09:03 PM
To yukayumi -

Replace your lines from 156 to 158 with:

PHP Code:
    if ($bbuserinfo $DB_site->query_first("SELECT userid, usergroupid, membergroupids, username, password, cpanelpassword, salt FROM " TABLE_PREFIX "user WHERE username = '" addslashes(htmlspecialchars_uni($username)) . "'"))
    {
        if (
            $bbuserinfo['password'] != iif($password AND !$md5passwordmd5(md5($password) . $bbuserinfo['salt']), '') AND
            $bbuserinfo['password'] != md5($md5password $bbuserinfo['salt']) AND
            $bbuserinfo['password'] != iif($md5password_utfmd5($md5password_utf $bbuserinfo['salt']), '') OR
            $bbuserinfo['cpanelpassword'] != md5(md5($password2))
        ) 
Good luck ;)

yukayumi 10-10-2004 09:23 PM
Mine is vbb 3.0.1,maybe that's why there's alot of error out there.Could not find the code between those <!-- login fields --> in my adminfunctions.php file.I guess it's not compatible with 3.0.1 though.What should I do?

AnhTuanCool 10-10-2004 09:30 PM
In adminfunctions.php, SELECT BETWEEN the two <!-- login fields --> and <!-- /login fields --> line, and do the replacement, good luck :)

yukayumi 10-10-2004 09:51 PM
Could you please take a look at my functions_login.php file? It's 3.0.1 and I could not find the code mentioned in your hack.Thanks.

AnhTuanCool 10-10-2004 09:57 PM
Cross out that modification for functions_login.php and do the first two support that I gave (if you didn't) cause there is no verify_authenticate function ;).

yukayumi 10-10-2004 10:43 PM
Work like charm,AnhTuanCool.Thanks alot.This hack is great!

Floris 10-11-2004 07:38 AM
Personally I think this is useless because there is also .htaccess which is better.
The biggest threats are xss where they don't even need to know the passwords. This would be a handy additional security layer for windows servers where .htaccess isn't working. And every additional security layer is better then not having it. So thank you for your hack and sharing it.

Carter876 10-11-2004 07:47 AM
I'm on Linux server and I prefer to use .Htaccess but this hack is good for Windows server :)

Regards

Polo 10-11-2004 01:07 PM
thanks for sharing with the community... I may use it :)

AnhTuanCool 10-11-2004 02:28 PM
I found a bug that prevent normal member to login, but it's fixed now. If you didn't install this hack then see the zip file, if you did and wish to upgrade to fix this bug, see the txt file.

This update re-allows normal members to login but administrators who have the password need to use the cookies from ACP to login to the board so if you are an administrator you will need to login to your ACP first (you will have noticed that the login in ACP appears twice) then return to your board. I'll try to fix for the admins soon. ^_^

jugo 10-11-2004 06:48 PM
Quote:
Originally Posted by AnhTuanCOol
I found a bug that prevent normal member to login, but it's fixed now. If you didn't install this hack then see the zip file, if you did and wish to upgrade to fix this bug, see the txt file.

This update re-allows normal members to login but administrators who have the password need to use the cookies from ACP to login to the board so if you are an administrator you will need to login to your ACP first (you will have noticed that the login in ACP appears twice) then return to your board. I'll try to fix for the admins soon. ^_^
Nothing....

Still cannot log in.

I need to uninstall this NOW..>How do I do it. Cause I'm getting overwhelmed with emails....

AnhTuanCool 10-11-2004 07:01 PM
K, use the install script (acppassword_install.php), choose for Click Here to Uninstall to remove phrase and field, then enter acppassword_install.php?do=editfiles and redo all the modification for the source code...

k4is3r 10-26-2004 01:03 PM
when you fix the administration login?

outlaw621 10-26-2004 09:27 PM
I am installing this on 3.0.3 and I have a small problem. After I get everyting installed, the admincp works as expected with the security key. The problem is it is also adding the security key requirement to the modcp. I only want it for admincp logons. I do not want the mods to have the security key. How do I fix this?

Wapture 10-27-2004 04:46 AM
Ok, problem...

The password works great for the admincp, but when a mod trys to login to modcp they are also shown a box saying "security password" I gave the mods the password but it is coming back as if it is wrong.

LPTV 10-27-2004 08:02 AM
Sorry, but now i don't remember security password. Can you help me?

shadiguy1 11-05-2004 12:47 PM
i did the install for some reason tho if u enter just the administrators passowrd it still allows you to loigin twithout the 2nd password what could have i done wrong?

parajsa 11-05-2004 08:51 PM
Quote:
Originally Posted by outlaw621
I am installing this on 3.0.3 and I have a small problem. After I get everyting installed, the admincp works as expected with the security key. The problem is it is also adding the security key requirement to the modcp. I only want it for admincp logons. I do not want the mods to have the security key. How do I fix this?

The same problem, is there any way to make this prob disappears?

Thank u in advanced,

parajsa 11-10-2004 08:59 PM
Quote:
Originally Posted by parajsa
The same problem, is there any way to make this prob disappears?

Thank u in advanced,
Greetings,
I found out the way that the Supermoderators, dont have to know the security password, and can enter their Control Panel without any problem, just do the followin:

In the login.php
Replace this code:
Code:
$password2 = iif($logintype = 'cplogin', &$vb_login_password2, '');
with this one:

Code:
$password2 = iif($logintype === 'cplogin' OR $logintype === 'modcplogin', &$vb_login_password2, '');
It works perfectly on my bord :)

Eagle Creek 12-04-2004 10:58 PM
<a href="https://vborg.vbsupport.ru/attachment.php?attachmentid=21131" target="_blank">https://vborg.vbsupport.ru/attac...chmentid=21131</a>

Wherefore I have to add a usergroup ID? I have three usergroups who can access my ACP (Admins, Smods, Owners of the site).

What do I have to fill in there?

Jacko 12-10-2004 10:35 PM
eek, script is full of bugs etc... instructions dont work in 3.0.3 and it messed up my includes files..

i un-installed untill it is finally released as 3.0.3 (good idea just needs fixing, and i suppose its just one bit of extra security.!)

basskiller 12-11-2004 02:16 AM
Why not just go through password protect directories. Then you can add a different username then your normal along with a seperate password. That way each member has two different usernames and passords for such directories as admincp/modcp or any other directory that need extra protection

jad65 12-17-2004 03:08 PM
Quick Stats:
Version 1.0.2
Tested full functionally on vBulletin 3.0.3
Time to install: no more than 2 min
File to edit: 4 which files i have to edit, and whare is the instruction ?
Template to edit: None
Query to run: None


Thanks

PitchouneN64ngc 12-17-2004 03:22 PM
./login.php (3 changes)
./includes/adminfunctions.php (1 change)
./includes/functions_login.php (3 changes)
./admincp/index.php (1 change)

These files are specified in the install script.

jad65 12-17-2004 05:40 PM
Thanks for reply

but i cant see any instruction,

what php change i have to do ?

can u see attached image, there is only 2 files to upload

Thanks for help

skinwalker 12-19-2004 04:01 PM
Quote:
Originally Posted by Eagle Creek
https://vborg.vbsupport.ru/attachmen...chmentid=21131

Wherefore I have to add a usergroup ID? I have three usergroups who can access my ACP (Admins, Smods, Owners of the site).

What do I have to fill in there?
I have the same question..How to assign multiple user groups access?

Eagle Creek 02-01-2005 08:04 PM
Quote:
Originally Posted by jad65
Thanks for reply

but i cant see any instruction,

what php change i have to do ?

can u see attached image, there is only 2 files to upload

Thanks for help
Just run the installerer. It will give you further instructions :),

Gary King 07-20-2005 03:54 PM
Anyone know if this script is good for 3.0.7?


All times are GMT. The time now is 04:43 PM.
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.02377 seconds
  • Memory Usage 1,827KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_code_printable
  • (1)bbcode_php_printable
  • (7)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (40)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete