Secret Word Hack
Version: 1.00, by Parker Clack
Developer Last Online: Nov 2013

Version: 2.2.x
Released: 06-17-2002 Last Update: Never Installs: 8
 
No support by the author.

When members sign up to the board they will oftentimes change email addresses but then they don't update their profile to reflect this email change. They then lose their password and the script cannot send them one because the email address doesn't work anymore. This script allows your members to have the option of adding a secret word that will allow them to put in a new email address. They can then go ahead and have the script email them the password reset and they can get back onto the board without you having to look up their account. Now if they forget their password and their secret word, well...

Make back ups of all the script and template files that you are about to make as there are several.

My thanks go to Chen (aka Firefly) for assistance with the coding needed to get this to work right.

Note: This file has been updated on 6.25.2001.

After working with this on several sign ups I have found that the section that I added to the user.php file will overwrite the secret code if you moderate your board or change any member information from the admin control panel. This updated file contains the changes to the user.php file and the rest of the file changes. If you have already installed this hack you only need to make the changes to the user.php as written. Nothing else has changed. If this is your first time installing it go with the layout as in the hack.

Parker

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
#12, 06-20-2002, 12:52 PM
Parker Clack (Join Date: Oct 2001, Posts: 351)

Justin:

If you look over the code it checks to see if you have a userid from a cookie and then compares that to the database and the secret words.

or

if ($bbuserinfo['userid'] == 0 or $permissions['canmodifyprofile'] == 0) {
show_nopermission();
}

So if the bbuserid is 0 (which it will be if they aren't logged in) then they get the "you aren't logged in" error message.

Then the part that Chen wrote for me:

if ($user) {
$DB_site->query("
UPDATE user SET email = '".addslashes(htmlspecialchars($email))."'
WHERE userid = $bbuserinfo[userid]
");
eval('standarderror("'.gettemplate('redirect_emailupdated').'");');
} else {
eval('standarderror("'.gettemplate('error_infoinvalid').'");');
}
} // closes the else branch of the permission check above

If the bbuserid and the secret word don't match they get the "error_infoinvalid" template error message.

Parker
#13, 06-21-2002, 05:29 PM
JJR512 (Join Date: Oct 2001, Location: Glen Burnie, MD, USA, Posts: 710)

OK, I understand now.

So it seems that this feature working depends on there being a cookie on the person's computer. Some people may be using the board without cookies, or they may be trying to get in from some other computer. I can see that second thing happening a lot, actually; someone goes to a public computer or a friend's computer, some other computer that isn't their own, and if they have their own browser set to remember passwords, they might not even remember their own password, because they never have to use it.

So I think it may be a good idea if this didn't rely on cookies.

To that end, perhaps on the form where it asks for your secret word and new email address, perhaps it could also ask for your username. Then the system would check if the username and secret word match, and go from there.
#14, 06-21-2002, 09:34 PM
Parker Clack (Join Date: Oct 2001, Posts: 351)

I will look into adding a Username check. I am also thinking of adding a check for things like "mother's maiden name", "name of family dog" that sort of stuff. I just haven't had the time to write that yet.

Parker
#15, 06-23-2002, 05:37 PM
Bro_Joey_Gowdy (Join Date: May 2002, Location: Hickory Flat MS 38633, Posts: 364)

Nice Hack
#16, 06-23-2002, 11:17 PM
JJR512 (Join Date: Oct 2001, Location: Glen Burnie, MD, USA, Posts: 710)

If using a system like "mother's maiden name" or other secret question/secret answer systems like you've suggested, I'd like to suggest that the answer be stored in the user's profile in encrypted form, like passwords.
#17, 06-24-2002, 12:51 AM
Parker Clack (Join Date: Oct 2001, Posts: 351)

Justin:

To change the script as written, look in member.php for

$user = $DB_site->query_first("
SELECT email,userid,secret FROM user
WHERE secret='".addslashes($secret)."' AND userid = $bbuserinfo[userid]
");

and change to

$user = $DB_site->query_first("
SELECT email,userid,secret FROM user
WHERE secret='".addslashes(md5($secret))."' AND userid = $bbuserinfo[userid]
");

in register.php change

'".addslashes($secret)."',

change to

'".addslashes(md5($secret))."',

and admin/user.php

'".addslashes($secret)."',

change to

'".addslashes(md5($secret))."',

Look for

$pwinclude="";
if ($apassword!="") {
$pwinclude=",password='".addslashes(md5($apassword))."'";
}

and below this add:

$secretinclude="";
if ($secret!="") {
$secretinclude=",secret='".addslashes(md5($secret))."'";
}

then below this change

'".addslashes($secret)."',

to

$secretinclude,

and change

makeinputcode("Secret Word","secret",$user[secret],0);

to

makeinputcode("Secret Word<br>Leave blank unless you want to change it","secret");

Parker
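The hashed-secret flow from Parker's post above, as an added example in Python with an in-memory SQLite table standing in for the vBulletin user table (this is not the hack's PHP; the column layout, the sample user row and the function names are assumptions). It keeps the thread's unsalted md5 so the control flow matches member.php, replaces addslashes() quoting with parameterised queries, and also shows the admin/user.php pattern from the post, where a blank form field leaves the stored secret untouched instead of overwriting it.

```python
import hashlib
import sqlite3


def md5(s: str) -> str:
    # vBulletin 2.x stores the password, and after this change the secret word, as unsalted md5 hex.
    # Kept here to match the thread; an unsalted fast hash is cheap to brute-force, and a salted
    # slow hash would be the choice for new code.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def open_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the board's user table; columns and the sample row are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT, secret TEXT)"
    )
    conn.execute(
        "INSERT INTO user VALUES (1, 'alice', 'alice@old.example', ?, NULL)", (md5("sample-password"),)
    )
    return conn


def set_secret(conn: sqlite3.Connection, userid: int, secret: str) -> None:
    # register.php side: the secret word is hashed before it is written.
    conn.execute("UPDATE user SET secret = ? WHERE userid = ?", (md5(secret), userid))


def reset_email(conn: sqlite3.Connection, userid: int, secret: str, new_email: str) -> str:
    """member.php flow. Returns the name of the template the PHP would show.

    userid 0 is the not-logged-in case that show_nopermission() rejects; otherwise only a
    row matching both the userid and the hashed secret unlocks the email change.
    """
    if userid == 0:
        return "nopermission"
    row = conn.execute(
        "SELECT userid FROM user WHERE userid = ? AND secret = ?", (userid, md5(secret))
    ).fetchone()
    if row is None:
        return "error_infoinvalid"
    conn.execute("UPDATE user SET email = ? WHERE userid = ?", (new_email, userid))
    return "redirect_emailupdated"


def admin_update_user(conn: sqlite3.Connection, userid: int, password: str = "", secret: str = "") -> int:
    """admin/user.php fix: add a column to the SET list only when the form field was non-blank,
    so saving a member from the control panel no longer overwrites the stored secret
    (the $pwinclude / $secretinclude pattern). Returns the number of rows updated."""
    sets, params = [], []
    if password != "":
        sets.append("password = ?")
        params.append(md5(password))
    if secret != "":
        sets.append("secret = ?")
        params.append(md5(secret))
    if not sets:
        return 0  # nothing to change; do not issue an UPDATE at all
    params.append(userid)
    return conn.execute(f"UPDATE user SET {', '.join(sets)} WHERE userid = ?", params).rowcount


def get_user(conn: sqlite3.Connection, userid: int) -> dict:
    row = conn.execute("SELECT email, secret FROM user WHERE userid = ?", (userid,)).fetchone()
    return {"email": row[0], "secret": row[1]}


if __name__ == "__main__":
    db = open_db()
    set_secret(db, 1, "marshmallow")
    print(reset_email(db, 1, "wrong word", "alice@new.example"))   # error_infoinvalid
    print(reset_email(db, 1, "marshmallow", "alice@new.example"))  # redirect_emailupdated
    admin_update_user(db, 1, password="changed")                     # secret column left alone
    print(get_user(db, 1))
```

Because a NULL secret column never equals a hash, a member who has not set a secret word cannot have their email changed through this path at all, which is the behaviour the original SQL also has.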
#18, 06-24-2002, 03:31 AM
JJR512 (Join Date: Oct 2001, Location: Glen Burnie, MD, USA, Posts: 710)

While Parker was writing and posting his reply to my suggestion, I was figuring out how to do it on my own, and while I was at it, I also incorporated my other idea, which is to ask you for your username rather than relying on a possibly non-existent cookie. I also incorporated Velocd's idea of using a question/answer system rather than a secret word by itself. The way I have done it is that the user specifies both the question and the answer. I had originally thought to use a list of questions in a drop-down menu box that the user could select, but that would have been more complicated coding than I felt like doing right now, and my way gives the user more freedom. There's no inherent advantage or disadvantage to doing it either way, from a practical standpoint.

I have attached a text file that is basically Parker's original instructions with my modifications. If you have already installed his original version, you will need to have your users enter a secret question and specify a new secret answer (existing secret words are not imported, as they are not encrypted and thus unusable, and I suppose I could have written into the script something to encrypt the old secret words, but since the user has to go to the profile to put in a secret question anyway, then they can just go ahead and put in the answer themselves without me having to figure out how to write that extra bit of code!).
#19, 06-24-2002, 04:05 AM
Paul (Join Date: Jan 2002, Posts: 211)

Justin,

Your changes are excellent. Thanks to Parker for another great and useful solution! I will be installing this shortly. I'm surprised it's actually not in vB by default.

Paul
#20, 06-24-2002, 04:26 AM
Parker Clack (Join Date: Oct 2001, Posts: 351)

Taking Justin's suggestion for encrypting the secret word in my original version of this script I have written a second version with the file changes needed.

I appreciate Justin's work into this and for his version. This gives you the ultimate choice of deciding which one that you would prefer to have on your site.

This version works the same as the original it just encrypts all the secret words in the database.

Note: This file has been updated as of 6/25/2002

After working with this on several sign ups I have found that the section that I added to the user.php file will overwrite the secret code if you moderate your board or change any member information from the admin control panel. I have made the necessary changes to the admin/user.php file as needed. Just download the script and make the changes in the user.php section. If you have not installed this hack just follow the outline in the hack.

Parker
#21, 06-24-2002, 06:31 AM
Paul (Join Date: Jan 2002, Posts: 211)

A more "secure" and user-friendly approach to this hack would be the following:

1. Requiring predefined questions which become part of the authentication procedure (entering in a username and seeing a question isn't a good idea from a security standpoint).

2. Converting the answer to lowercase before processing the md5 hash. ("What is my favorite flavor of ice cream?" A: "Strawberry" is not the same as "strawberry")

3. Creating an md5 hash of the secret answer prevents the administrator from making a visual determination to see if "Main Street" and "Main St." are actually both the correct answer. If the user cannot remember their password, chances are they won't recall the exact spelling and punctuation used in their answer.

Any thoughts?

Paul

Edit: These comments apply to Justin's version of the hack.

I'm assuming the easiest way to do this would be a strtolower() around any processing of secret_a and creating another table with the various questions and an id number (reducing the overall size of the database) (i.e. "What is the name of the town you were born in?" = "2")

secret_q would then have a value of "2"

I'll try doing this myself tomorrow, but I have a limited knowledge of the workings of vb
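Paul's three points above, carried into code as an added example in Python with sqlite3 (not the hack's PHP and not Justin's attached version): a predefined question table keyed by id, strtolower()-style normalisation before hashing, and a reset form that takes username, question and answer together so that typing a username never echoes the stored question back. The table layout, the question ids and texts, and the sample user are assumptions; the hash is a salted PBKDF2 swapped in for the unsalted md5 the thread uses.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample question table (Paul's "questions with an id number"); ids and wording are assumptions.
QUESTIONS = {
    1: "What is my favorite flavor of ice cream?",
    2: "What is the name of the town you were born in?",
    3: "What street did you grow up on?",
}


def normalize(answer: str) -> str:
    """Paul's strtolower() idea, widened a little: lower-case, drop punctuation, collapse whitespace.
    'Strawberry' and ' strawberry ' agree; 'Main Street' and 'Main St.' still do not, which is the
    limitation in Paul's point 3: once only a hash is stored, nobody can eyeball near-misses."""
    lowered = answer.lower()
    stripped = re.sub(r"[^\w\s]", "", lowered)
    return " ".join(stripped.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Salted PBKDF2 instead of the unsalted md5 proposed in the thread (swapped in deliberately,
    # so two members with the same answer do not share a hash and guessing is slowed down).
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, 100_000)


def open_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the board's user table with Paul's secret_q / secret_a columns.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT,"
        " secret_q INTEGER, secret_salt BLOB, secret_a BLOB)"
    )
    conn.execute("INSERT INTO user (userid, username, email) VALUES (1, 'alice', 'alice@old.example')")
    return conn


def set_secret(conn: sqlite3.Connection, username: str, question_id: int, answer: str) -> None:
    # Profile side: only a question from the predefined table is accepted, and secret_q stores its id.
    if question_id not in QUESTIONS:
        raise ValueError("unknown question id")
    salt = os.urandom(16)
    conn.execute(
        "UPDATE user SET secret_q = ?, secret_salt = ?, secret_a = ? WHERE username = ?",
        (question_id, salt, hash_answer(answer, salt), username),
    )


def reset_email(conn: sqlite3.Connection, username: str, question_id: int, answer: str, new_email: str) -> bool:
    """The form submits username, question id and answer together (no cookie needed, per JJR512's
    suggestion), and the stored question is never shown after a username is typed (Paul's point 1).
    Unknown user, no secret set, wrong question and wrong answer all return the same False."""
    row = conn.execute(
        "SELECT userid, secret_q, secret_salt, secret_a FROM user WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[1] is None:
        return False
    userid, stored_q, salt, stored_hash = row
    if stored_q != question_id:
        return False
    if not hmac.compare_digest(stored_hash, hash_answer(answer, salt)):
        return False
    conn.execute("UPDATE user SET email = ? WHERE userid = ?", (new_email, userid))
    return True


def get_email(conn: sqlite3.Connection, username: str):
    row = conn.execute("SELECT email FROM user WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    set_secret(db, "alice", 1, "Strawberry")
    print(reset_email(db, "alice", 1, "strawberry", "alice@new.example"))  # True
    print(reset_email(db, "alice", 2, "strawberry", "alice@new.example"))  # False
    print(get_email(db, "alice"))
```

The normalisation deliberately stops at case, whitespace and punctuation; trying to equate "Street" with "St." would mean maintaining an abbreviation list, and a board that wants leniency there has to store something an administrator can read, which is exactly the trade-off Paul's point 3 raises.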