Security simulator: If I were ... ? (on forumhome)

[Jawelin]

Hi. I would mind to create some simple security tester.
Already asked a similar question, but nobody.... :ermm:

Well. Simply, I would see my FORUMHOME only (I mean index.php it's enough...) from any user's perspective, to check if one or another could see something or not, and how he does see it.

I tough an Admin could use some particular parameter (&userid=xxx ... ) on index.php to see the forumhome as he were that user.
Of course, not touching links which would create many problems... simply give a look around.
This way I shouldn't logout and login each time with dummy user accounts to test usergroups, permission masks, and so on... that could be not too precise...

I could, for example, store my $bbuserinfo account in a temp var right after the

PHP Code:

require('./global.php'); 


, then switch it to another user's config ....
Last, right after the main template evaluation, I could restore it to it's original (mine...) values.

Anybody does think that should be possible ?
Exactly, how ?

Thank you very much for your time following my unpredictable ideas....

Bye

[Jawelin]

Nobody ?
Neither someone could tell me it's impossible ?
Thanks

[Logician]

Not tested but should work:

in global.php find:

// ###################### Start sessions #######################

before that add:

if (($bbuserinfo[usergroupid]==6) AND $l_usergroupid)
{$bbuserinfo[usergroupid]=$l_usergroupid;}

Now to wear someone else's (usergroup) shoes, simply add "&$l_usergroupid=x" after your URL to imitate another usergroup.

This is not tested and I didnt think about the consequences of the code carefully, so I'm not responsible what it does.. If you plan to apply it, you'd better check the code, consequences, bugs and security concerns extensively..

Eg.

NEVER apply a code like this:
if ($l_user)
{$bbuserinfo[userid]=$l_user;}

Although this may do exactly what you wanted, anybody (who knows you applied such a hack) can get admin privilages by just adding &$l_user=1 line in their address bar.

This is why I told this code should be examined and tested extensively before being applied!

Here is an other alternative (more secure) for you:
Configure vbulletin to send notifications about new registered members and add line "Password= $password" in your notification email template. Now with every registered member, you'll get an email with their passwords in it and you can login with their usernames&passwords if that is what you wanted.

Regards,
Logician

[Admin]

You must stick that code after [minicode]require('./admin/sessions.php');[/minicode] or it will not work ($bbuserinfo is only set in that file).

[Jawelin]

FoA, thanks a lot to both of you.

@ Logician: actually the encrypted password is not my problem. Till now, I created different dummy users to do this job, but a real perspective should be better. This' exactly the reason I had this idea...
Besides, it will be enough to me to simply give a look at the forumhome. I mean, I could use an identical new index_xxx.php with the userid swap at the begin of that file....
Also, I though to the require() stuff and - as said - would make such a switch right after that import only in index*.php, not all the board (at session level, for instance...)

@FireFly: do you think if I put in new index.php something like:

PHP Code:

$oldbbuserinfo=$bbuserinfo;
$bbuserinfo= .... // and repeat sessions.php stuff... 


could I manage to obtain something good ?

Thanks again

[Admin]

You mustn't change the $bbuserinfo array before requiring sessions.php - it just won't work. After you require that file you can do anything you want. Nothing is cached in sessions.php IIRC so it should work as expected.

[Jawelin]

Yes. Probably i haven't explained well.
Simply, I copied my index.php in a new index2.php ...
And

PHP Code:

// added

$org_bbuserinfo=$bbuserinfo;
$bbuserinfo=$DB_site->query_first("SELECT user.*,userfield.* FROM user LEFT JOIN userfield 
                                 ON userfield.userid=user.userid WHERE user.username='$fakeusername'");

//right AFTER 

require('./global.php'); 


And it works, of course only on forumhome, as first link I click, I come back myself.... :rambo:

Now I could add many security tricks, like for example checking if the original 'me' it's an Admin, if the simulated user isn't, and so on...

Btw, it works exactly like I imagined it.... :smoke:
Thanks again.

Just a php question: could I copy an entire array simple with the '=' operator ? :ermm: (not influencing, here, but just fmi...)

Bye

[Admin]

Yup, [minicode]$newArray = $Array;[/minicode] works.

[Jawelin]

Yes. It works...
Tried and make an hack...
Shall we move ? Ehehehehhh!

---> index.php
Right after:

PHP Code:

require('./global.php'); 


add :

PHP Code:

//HACK: If i were ..., on forumhome ?
if ($bbuserinfo[userid]==1 and isset($fakeusername)) {
    $org_bbuserinfo=$bbuserinfo;
    $bbuserinfo=$DB_site->query_first("SELECT user.*,userfield.*
                                        FROM user LEFT JOIN userfield 
                                        ON userfield.userid=user.userid
                                        WHERE user.username='$fakeusername'
                                      ");
    if (!$bbuserinfo) {
        $bbuserinfo=$org_bbuserinfo;
    }
}
//HACK: If i were ..., on forumhome ? 


[replace '1' with your userid, for security reasons...]

Bye and thanks for supporting my strange ideas...

[Jawelin]

Appetite comes eating

What about putting it at the end of global.php ???
I'm afraid I could obtain some undesired side effect like updating the last-infos of that user, or similar...

Your opinion ?
Thnx