vb.org Archive


Dr.CustUmz 02-25-2015 11:34 AM

Confirm password on non vb pages
 
The idea's sound, just need help making it happen.

So I've created an external page, and on this page as of now all I have is a confirm password box that I took from the modifypassword? template.

This is the content of ext.php:
Code:

<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext'); // change this depending on your filename

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array(

);

// get special data templates from the datastore
$specialtemplates = array(
   
);

// pre-cache templates used by all actions
$globaltemplates = array(
    'ext',
);

// pre-cache templates used by specific actions
$actiontemplates = array(

);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
require_once(DIR . '/includes/functions_user.php');
// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

$navbits = array();
$navbits[$parent] = 'Ext Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');


if ($_POST['do'] == 'confirmpassword')
{
        $vbulletin->input->clean_array_gpc('p', array(
                'currentpassword'        => TYPE_STR,
                'currentpassword_md5'    => TYPE_STR,
        ));
       
        if ($userdata->hash_password($userdata->verify_md5($vbulletin->GPC['currentpassword_md5']) ? $vbulletin->GPC['currentpassword_md5'] : $vbulletin->GPC['currentpassword'], $vbulletin->userinfo['salt']) != $vbulletin->userinfo['password'])
                {
                        eval(standard_error(fetch_error('badpassword', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'])));
                }
       
}
else if ($_GET['do'] == 'confirmpassword')
{
        // add consistency with previous behavior
        exec_header_redirect('index.php');
}
?>

Right now I'm just playing around with it, trying to make it actually confirm the password. I stole some code from profile.php and have removed some of it.

So what's it supposed to do?
Well, when the user confirms their password, I want it to redirect the user to one page. If the user gets the password wrong, redirect them to another (possibly log them out also....for security reasons?... MAYBE)

Oh, and the content of my ext template:
Code:

$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
<title>$vboptions[bbtitle]</title>
$headinclude
</head>
<body>
$header

$navbar

<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=$vboptions[simpleversion]"></script>
<script type="text/javascript">
function hash_passwords(currentpassword, currentpassword_md5, newpassword, newpassword_md5, newpasswordconfirm, newpasswordconfirm_md5)
{
        var junk_output;
        md5hash(currentpassword, currentpassword_md5, junk_output, $show[nopasswordempty]);
        // do various checks
        if (newpassword.value != '')
        {
                md5hash(newpassword, newpassword_md5, junk_output, $show[nopasswordempty]);
        }
        if (newpasswordconfirm.value != '')
        {
                md5hash(newpasswordconfirm, newpasswordconfirm_md5, junk_output, $show[nopasswordempty]);
        }
}
</script>

<form action="ext.php?do=confirmpassword" method="post" onsubmit="hash_passwords(currentpassword, currentpassword_md5, newpassword, newpassword_md5, newpasswordconfirm, newpasswordconfirm_md5)">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="updatepassword" />
<input type="hidden" name="currentpassword_md5" />
<input type="hidden" name="newpassword_md5" />
<input type="hidden" name="newpasswordconfirm_md5" />

                        <input type="password" class="bginput" name="currentpassword" size="50" maxlength="50" />
                <div style="margin-top:$stylevar[cellpadding]px">
                        <input type="submit" class="button" value="$vbphrase[save_changes]" accesskey="s" />
                        <input type="reset" class="button" value="$vbphrase[reset_fields]" accesskey="r" />
                </div>
</form>

$footer
</body>
</html>

As of right now I'm not getting any response with this, other than when you submit the input it adds the DO to the URL "?do=confirmpassword". Been messing about for a while now and can't seem to get it to do much more than that.

kh99 02-25-2015 11:39 AM

Well, confirm password is the second password box, so the user has to enter the password twice to make sure they don't make a typo when changing their password. Is that what you're trying to do, or are you trying to verify the user's password?

What do you mean by "external", are you including global.php in your script?

Dr.CustUmz 02-25-2015 11:56 AM

Quote:

Originally Posted by kh99 (Post 2538681)
Well, confirm password is the second password box, so the user has to enter the password twice to make sure they don't make a typo when changing their password. Is that what you're trying to do, or are you trying to verify the user's password?

What do you mean by "external", are you including global.php in your script?

When I say confirm password, I mean confirm the current password, as in a way to verify it's you. Like if you go to usercp and edit email / password, the first box is current password. That's the only part I'm wanting to check.

And yes, I include global. I guess it's not really an external page, it's still a vB-powered page. I used https://vborg.vbsupport.ru/showthread.php?t=62164 for that part.

So if I enter the correct current password, I get redirected to one page, else I get redirected to another.

I've been up and down profile.php. I'm pretty sure I have all I need, I just can't seem to edit it correctly =/

And yes, this will go along with the thing I posted last night, but shhhh ;) lol

kh99 02-25-2015 12:03 PM

I think I understand what you want to do, but I'm not sure I follow the way you're trying to do this. I think what you'd want to do is look at how the regular login works, not the place where the password is changed. You want to make sure, for instance, that you're using the strike system or something similar, or else your new page will bypass that security and allow unlimited guesses.

Dr.CustUmz 02-25-2015 12:09 PM

But this won't be a login.

K, I'm logged on to vBulletin.org, I leave (run to the store or something) while leaving vb.org open. Any member of my household, may it be a little brother, sister with a grudge, w/e, sees I'm logged into my favorite forum and decides to go post happy with a bunch of nonsense, resulting in me getting warnings/infractions or even banned. (Note: I myself don't have this issue, it's just an example lol)

So after 5 mins or so I'm sent to an idle page where I'm still logged in... but I have to confirm my password to get off that page.

--------------- Added at Unix time 1424873477 ---------------

And the only place in vB where you confirm your current password is where you set a new one, that's why I went with that for a base.

But I can see where this gets vulnerable... what's to stop me from navigating from ext.php to index.php? No clue how to fix that one lol, one step at a time.

--------------- Added at Unix time 1424873798 ---------------

You know what... this idea is kind of stupid when I think about it. It'd be much better to force logout the user than to just have them re-enter their password.

I'm going to go back to getting the avatar even when they're logged out. And I did put a better example in that thread.

kh99 02-25-2015 12:24 PM

Oh, I see, I was wrong. "enter your present password". Yeah, that's a reasonable place to look. But it's different than the "confirm password" that's on the same page.

kh99 02-25-2015 12:34 PM

In profile.php, it's the section that starts with:
Code:

// ############################### start update password ###############################

Anyway, if you have a password the user entered, say in $password for example (in profile.php it's in $vbulletin->GPC['currentpassword']), then you'd do something like:

Code:

if (md5(md5($password).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password'])
{
  //password OK
}
else
{
  // password bad
}

But to complicate things, the vb code has javascript which does an md5 on the password so that it's not sent in clear text, except that the code has to work if someone has javascript disabled, so the code is a little complicated because it allows for either case. I don't know if you want to bother with that or not.

Regarding the strike system, I don't think you have to worry about that if you're only allowing your page to be executed by users who are already logged in.
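
The check described in the post above, covering both the JavaScript-on and JavaScript-off cases, as a standalone PHP 7+ example added here (not code from the thread or from vBulletin). The function names, the MAX_FAILURES cap, the 'logout' target and the sample user record are assumptions; yes.php and no.php are the redirect targets used elsewhere in the thread.

```php
<?php
// Added example: a standalone model of the check, not vBulletin's own code.
// Assumed scheme (as quoted in the thread): stored = md5(md5(password) . salt).

const MAX_FAILURES = 5; // hypothetical cap on bad guesses per session

// True when the value has the shape of the 32-character hex digest
// that the client-side script puts in the hidden *_md5 field.
function looks_like_md5(string $value): bool
{
    return preg_match('/^[a-f0-9]{32}$/', $value) === 1;
}

// $md5Field: hidden currentpassword_md5 input (empty when JavaScript is off).
// $plainField: visible currentpassword input.
function confirm_password(string $md5Field, string $plainField, string $salt, string $stored): bool
{
    $inner = looks_like_md5($md5Field) ? $md5Field : md5($plainField);
    // hash_equals() compares in constant time and, unlike == or !=,
    // never treats two "0e..." digests as equal numbers.
    return hash_equals($stored, md5($inner . $salt));
}

// Returns the redirect target; $failures is a counter kept in the session.
function handle_confirm(array $post, array $user, int &$failures): string
{
    if ($failures >= MAX_FAILURES) {
        return 'logout'; // hypothetical target: stop accepting guesses
    }
    $md5Field   = (string) ($post['currentpassword_md5'] ?? '');
    $plainField = (string) ($post['currentpassword'] ?? '');
    if (confirm_password($md5Field, $plainField, $user['salt'], $user['password'])) {
        $failures = 0;
        return 'yes.php';
    }
    $failures++;
    return $failures >= MAX_FAILURES ? 'logout' : 'no.php';
}

// Constructed sample data: one user record and three submissions.
$user = ['salt' => 'x9Q', 'password' => md5(md5('correct horse') . 'x9Q')];
$failures = 0;
$submissions = [
    ['currentpassword' => 'wrong guess'],            // JavaScript off, bad password
    ['currentpassword_md5' => md5('correct horse')], // JavaScript on, good password
    ['currentpassword' => 'correct horse'],          // JavaScript off, good password
];
foreach ($submissions as $post) {
    echo handle_confirm($post, $user, $failures), "\n";
}
```

In ext.php itself the check has to run before any page output, because a header redirect cannot be sent once the template has been printed. The form's hidden do field (updatepassword in the posted template) also has to match the value the script tests for.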

Dr.CustUmz 02-25-2015 12:43 PM

So I tried passing that into the POST with no success.

ext.php:
Code:

<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext'); // change this depending on your filename

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array(

);

// get special data templates from the datastore
$specialtemplates = array(
   
);

// pre-cache templates used by all actions
$globaltemplates = array(
    'ext',
);

// pre-cache templates used by specific actions
$actiontemplates = array(

);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

$navbits = array();
$navbits[$parent] = 'Ext Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');


if ($_POST['do'] == 'confirmpassword')
{
        if (md5(md5($password).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password'])
        {
          exec_header_redirect('yes.php');
        }
        else
        {
          exec_header_redirect('no.php');
        }
}
?>

ext template (is same as OP)

kh99 02-25-2015 12:47 PM

Well, I only used $password as an example to make it clear what the code is doing. You need to get the value that's being submitted from your form and use that. You can use the vbulletin input cleaning system if you want. What's the name on the form <input> that has the password?

Dr.CustUmz 02-25-2015 01:00 PM

Code:

<input type="password" class="bginput" name="currentpassword" size="50" maxlength="50" />

--------------- Added at Unix time 1424876530 ---------------

It's all in the OP.

