vb.org Archive

Thread: Need to find the security leak! Hack request concept inside. (https://vborg.vbsupport.ru/showthread.php?t=57873)

magnus 10-14-2003 01:57 AM

Need to find the security leak! Hack request concept inside.
 
Would it be possible to lock an account to an IP? For example, each user has an "IP Pool" that is allowed to access their account. For example, if I tried to login from a friend's house using my l/p, it would deny the access. However, from a legit IP, I could add my friend's IP to the IP Pool, thus allowing me access from his home.

Unfortunately, I've had to resort to such drastic ideas/measures to try to find the leak in my moderating team. Plus, I think it could help deter future issues.

Is this possible? Is anyone willing to undertake this task? There have to be a few security nuts out there who would get use out of this as well. :)

JulianD 10-14-2003 03:24 AM

That would require some sort of hack. Though it's a very neat idea for boards with a very high concept of security.

Zzed 10-14-2003 07:21 AM

A few of my moderators had gotten their passwords compromised, and the person who did it broadcast the contents of our moderator forum on other boards.

I incorporated a few additional security levels on top of the existing ones, and one of them was this particular "trusted host" hack for accessing the private forums.

Unfortunately for personal reasons I have not published this hack. :(

Logician 10-14-2003 08:38 AM

Here you go:

1- First create a new user profile field in your admincp, make it admin viewable/editable only, note its ID.

2- Create a new template (in all template sets) with this name: "error_unallowedip". Its content is:
"Your IP is not in the allowed IP pool for this user!"

edit functions.php, find:

PHP Code:

    global $enablebanning,$banip,$webmasteremail,$session

Replace it as:
PHP Code:

    global $enablebanning,$banip,$webmasteremail,$session,$bbuserinfo

find:
PHP Code:

    $addresses = explode(" ", preg_replace("/[[:space:]]+/", " ", $banip));
    while (list($key, $val) = each($addresses)) {
      if (strstr(" ".$ipaddress, " ".trim($val)) != "") {
        eval("standarderror(\"".gettemplate("error_banip")."\");");
      }
    }
  }

AFTER THAT add:
PHP Code:

    // Per-user IP pool: a space-separated list of full or partial IPs stored in
    // profile field X (see below). Only applies to logged-in users whose pool
    // is non-empty.
    $banip2 = trim($bbuserinfo['fieldX']);
    if ($banip2 and $bbuserinfo['userid'] > 0) {
        $ipaddress = getenv("REMOTE_ADDR");
        $addresses2 = explode(" ", preg_replace("/[[:space:]]+/", " ", $banip2));
        $IPallowed = 0;
        while (list($key, $val) = each($addresses2)) {
            // An entry matches when it is a prefix of the client IP, so a
            // trailing dot acts as the wildcard (e.g. "128.0.").
            if (trim($val) AND substr($ipaddress, 0, strlen(trim($val))) == trim($val)) {
                $IPallowed = 1;
            }
        }
        if ($IPallowed == 0) {
            eval("standarderror(\"".gettemplate("error_unallowedip")."\");");
        }
    }

(Replace X with your userprofilefield ID!)

Now you can enter allowed IPs for any member in the user profile field on their edit user page in your admin cp. Separate IPs with spaces; you can use partial IPs too. If you enter IPs in this field for a user, that user will be denied access if his IP does not match any IP in that pool. If you leave that field blank, or if the user is a guest, he won't be affected by this hack.

Enjoy. ;)

magnus 10-14-2003 11:23 AM

Logician, thank you! I appreciate your work, I'll get to adding this right away. :)

magnus 10-14-2003 12:15 PM

Quick question, are IPs separated by a comma or space? Do I use * for a wildcard, or just leave it empty? (ie. "205.245.74.*" or "205.245.74." )

I've implemented it, and it works great. Before I start adding IPs permanently, I just want to be sure. :)

Logician 10-14-2003 12:22 PM

Works just like the default IP ban section in vB settings. So separate by space and use blank for wildcard.

Eg.
128.0.0.1
128.0.0.
128.0.
128.

etc.
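A model of the matching rule Logician describes (whitespace-separated pool, entry matches as a string prefix of REMOTE_ADDR, trailing dot as the wildcard, guests and empty pools unaffected). This is an added example written in Python for illustration, not Logician's PHP or any vBulletin code; the function names and the constructed field values are mine. It also includes a check for one edge case worth knowing about: an entry without a trailing dot, such as "10.1", is a plain prefix and therefore also admits 10.10.x.x and 10.100.x.x.

```python
import re

# Constructed sample: what an admin might type into the profile field.
SAMPLE_FIELD = "  205.245.74.   10.0.0.1\n\t128. "


def parse_pool(field_value: str) -> list[str]:
    """Split the profile field the way the hack does: collapse runs of
    whitespace to single spaces, split on space, drop empty entries."""
    collapsed = re.sub(r"\s+", " ", field_value.strip())
    return [entry for entry in collapsed.split(" ") if entry]


def ip_allowed(pool: list[str], remote_addr: str, userid: int = 1) -> bool:
    """True when the user is a guest (userid <= 0), the pool is empty
    (hack inactive for this user), or any pool entry is a prefix of the
    client address, which is exactly what the substr() comparison tests."""
    if userid <= 0 or not pool:
        return True
    return any(remote_addr.startswith(entry) for entry in pool)


def over_broad_entries(pool: list[str]) -> list[str]:
    """Entries that are neither a full dotted quad nor terminated by a dot.
    Prefix matching makes "10.1" admit 10.10.x.x and 10.100.x.x as well as
    10.1.x.x, so flag them so the admin can add the trailing dot."""
    full_quad = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
    return [e for e in pool if not full_quad.match(e) and not e.endswith(".")]


if __name__ == "__main__":
    pool = parse_pool(SAMPLE_FIELD)
    print("pool:", pool)
    for addr in ("205.245.74.9", "205.245.75.9", "10.0.0.1", "128.66.1.2"):
        print(addr, "allowed" if ip_allowed(pool, addr) else "denied")
    print("over-broad:", over_broad_entries(parse_pool("10.1 10.1. 10.1.2.3")))
```

REMOTE_ADDR is the TCP peer address, so if the board sits behind a reverse proxy every user would appear to come from the proxy and the pool would have to contain that address instead of the user's own.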

magnus 10-14-2003 12:39 PM

Excellent, thank you again. It works flawlessly. :)

magnus 10-14-2003 06:23 PM

Logician, a good point was raised today. Would this be easily implemented to a single forumid (or even forum category) rather than the whole board?

Personally, I think denying access completely is the best bet. But some of my more trusted mods have expressed a desire to lock only the Admin section as opposed to everything for convenience sake.

Logician 10-14-2003 08:16 PM

Yeah, that can be done, but I'd say stick with this version. If you remove the hack from the entire board and apply it to certain sections, then you either need to hack many sections (thread view, print view, forum display, mod cp, admin cp, mod commands i.e. postings.php etc.) or miss a few sections that are not covered by the hack, which would defeat the purpose of the hack.

