Trap Banned Members: They cant logout.

Hey there,

This is a very tiny (and very easy to install) hack but I like to use it and found it useful:

I have a certain user group for trouble users in my board which I disabled all access to my board and this group can not even search or display the board itself or anything, so they are lower than guests. So I need to trap them in their username so that they wouldnt log out and "gain" guest access. This tiny hack exactly does this. You can use it with "banned users" or any user group you need to trap. Here we go:

Edit member.php and find
-- cut ---
// ############################### start logout ###############################
if ($action=="logout") {
include("./global.php");
-- cut ---

AFTER THAT add:
-- cut --
// Banned users cant logout hack
if ($bbuserinfo[usergroupid]==XX) {show_nopermission(); exit;}
// Banned users cant logout hack
-- cut --

Replace XX with any usergroup id. (Banned by Moderators group is 12 in my board). If you put your mouse icon on "Edit" in http://www.url.com/yourboardadmin/us...tion=modify&s= , you can learn the usergroupid of any groups. If you need to trap more than 1 usergroups use this line:

if ($bbuserinfo[usergroupid]==XX OR $bbuserinfo[usergroupid]==YY) {show_nopermission(); exit;}

After applying the hack, trapped users will get "You dont have access" page if they try to logout from anywhere. Of course these members can still clear the cookies by deleting them manually, but you'll stop 95% of members who dont know the trick anyway!

Enjoy!

Logician //=^))

[GsxrTony]

Ok this is the first hack I tried to install. I was testing it with one of my mods, I changed his status to my banned profile. but when he tried to log out he just got an internal server error message. Now granted I am very new to this. I just edited the file in notepad, and then FTP'd the new member.php file in place of the old one, is there something I should be doing different.

[WizyWyg]

Easily defeatable:

use a different browser (opera, netscape) and one can still "see the board"

And the notion that the average person doens't know about cookies is long outdated. Due to media, they do know about cookies and have programs that can manage them. Easy to delete cookies that are causing problems or heartaches, or prevents you from accessing a board.

My new computer came with a cookie manager program installed, so its kinda pointless these days.

not saying that this isn't a good hack, I just think it outlived its useage.

[Admin]

Quote:

Originally posted by WizyWyg
My new computer came with a cookie manager program installed, so its kinda pointless these days.

lol, Cookie manager? People these days are just too lazy to delete / plant them themselves.

[voogru]

Why not instead of a show_nopermission use a fake 404 error that way they think the site is down? another idea could be to make a certain usergroup just see 404 errors, just like the ban. the nthey think the site is down or something

[Jawelin]

Just a 'parallel' question about VB cookies...
If an user has set on his browser a cookie like, for instance:

• bbuserid=1234
• bbpassword=.... md5 hash ....

and that userid doesn't exist any more on that board, what does it happen when he tries to login VB ?
I mean, if I don't leave someone to logout from the board and his user is deleted some reason, all cookies will be lost as soon he tries to log again ... Is it true ?
Actually, he is first recognized as user 1234, then after the SELECT $bbuserinfo is empty and user is prompted to register (or set as guest) ... This time he looses all cookies, doesn't he ?

Thanks a lot

[Admin]

If your cookies are wrong a guest session (anonymous) will be created and the cookies will be deleted.

[Jawelin]

Quote:

Originally posted by FireFly
If your cookies are wrong a guest session (anonymous) will be created and the cookies will be deleted.

Thanks. Perfectly clear.

[Logician]

Quote:

Originally posted by GsxrTony
Ok this is the first hack I tried to install. I was testing it with one of my mods, I changed his status to my banned profile. but when he tried to log out he just got an internal server error message. Now granted I am very new to this. I just edited the file in notepad, and then FTP'd the new member.php file in place of the old one, is there something I should be doing different.

@GsxrTony: your problem is VERY LIKELY because of one of these reasons:

1- You FTP'd the file as "bin" instead of ascii. FTP programs have two mods, choose to upload as a ASCII file not, BIN.

2- After uploading the file, CHMOD it to 755.

Regards,

[Logician]

Quote:

Originally posted by voogru
Why not instead of a show_nopermission use a fake 404 error that way they think the site is down? another idea could be to make a certain usergroup just see 404 errors, just like the ban. the nthey think the site is down or something

This hack already exits (ie HELLBAN and its twins) and yes I found it (them) very useful too.

[Logician]

Quote:

Originally posted by WizyWyg
Easily defeatable:

not saying that this isn't a good hack, I just think it outlived its useage.

I think you guys are missing something:

It's not this hack which introduced the cookie security system for banned users, it's the default vbulletin system.

I've written that in my first message either: yes it's not 100% secure and people who know about vbulletin system or internet technologies can get around but I think we cant blame vbulletin either, because effective or not, it's the only security system for users who have dynamic ip.

So you may found this system ineffective but this has nothing to do with the hack itself, it's just the system vbulletin has. The hack only strengthens this system just a little bit, at least for ones who dont know how to pass it.

My 0.2 cents..

Regards,
Logician