The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Confirm password on non vb pages
The idea's sound, just need help making it happen.
So I've created an external page, and on this page as of now all I have is a confirm password box that I took from the modifypassword? template. This is the content of ext.php:
Code:
<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext'); // change this depending on your filename

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array(

);

// get special data templates from the datastore
$specialtemplates = array(

);

// pre-cache templates used by all actions
$globaltemplates = array(
    'ext',
);

// pre-cache templates used by specific actions
$actiontemplates = array(

);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
require_once(DIR . '/includes/functions_user.php');

// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

$navbits = array();
$navbits[$parent] = 'Ext Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');

if ($_POST['do'] == 'confirmpassword')
{
    $vbulletin->input->clean_array_gpc('p', array(
        'currentpassword'     => TYPE_STR,
        'currentpassword_md5' => TYPE_STR,
    ));

    if ($userdata->hash_password($userdata->verify_md5($vbulletin->GPC['currentpassword_md5']) ? $vbulletin->GPC['currentpassword_md5'] : $vbulletin->GPC['currentpassword'], $vbulletin->userinfo['salt']) != $vbulletin->userinfo['password'])
    {
        eval(standard_error(fetch_error('badpassword', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'])));
    }
}
else if ($_GET['do'] == 'confirmpassword')
{
    // add consistency with previous behavior
    exec_header_redirect('index.php');
}

?>

So what's it supposed to do?
Well, when the user confirms their password, I want it to redirect the user to one page. If the user gets the password wrong, redirect them to another (possibly log them out also....for security reasons?... MAYBE). Oh, and the content of my ext template:
Code:
$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
<title>$vboptions[bbtitle]</title>
$headinclude
</head>
<body>
$header
$navbar

<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=$vboptions[simpleversion]"></script>
<script type="text/javascript">
function hash_passwords(currentpassword, currentpassword_md5, newpassword, newpassword_md5, newpasswordconfirm, newpasswordconfirm_md5)
{
    var junk_output;

    md5hash(currentpassword, currentpassword_md5, junk_output, $show[nopasswordempty]);

    // do various checks
    if (newpassword.value != '')
    {
        md5hash(newpassword, newpassword_md5, junk_output, $show[nopasswordempty]);
    }
    if (newpasswordconfirm.value != '')
    {
        md5hash(newpasswordconfirm, newpasswordconfirm_md5, junk_output, $show[nopasswordempty]);
    }
}
</script>

<form action="ext.php?do=confirmpassword" method="post" onsubmit="hash_passwords(currentpassword, currentpassword_md5, newpassword, newpassword_md5, newpasswordconfirm, newpasswordconfirm_md5)">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="updatepassword" />
<input type="hidden" name="currentpassword_md5" />
<input type="hidden" name="newpassword_md5" />
<input type="hidden" name="newpasswordconfirm_md5" />

<input type="password" class="bginput" name="currentpassword" size="50" maxlength="50" />

<div style="margin-top:$stylevar[cellpadding]px">
    <input type="submit" class="button" value="$vbphrase[save_changes]" accesskey="s" />
    <input type="reset" class="button" value="$vbphrase[reset_fields]" accesskey="r" />
</div>
</form>

$footer
</body>
</html>
#2
Well, confirm password is the second password box, so the user has to enter the password twice to make sure they don't make a typo when changing their password. Is that what you're trying to do, or are you trying to verify the user's password?
What do you mean by "external", are you including global.php in your script?
#3
Quote:
and yes I include global, I guess it's not really an external page, it's still a vb powered page. I used https://vborg.vbsupport.ru/showthread.php?t=62164 for that part. So if I enter the correct current password, I get redirected to one page, else I get redirected to another. I've been up and down profile.php, I'm pretty sure I have all I need, I just can't seem to edit it correctly =/ And yes, this will go along with the thing I posted last night but shhhh lol
#4
I think I understand what you want to do, but I'm not sure I follow the way you're trying to do this. I think what you'd want to do is look at how the regular login works, not the place where the password is changed. You want to make sure, for instance, that you're using the strike system or something similar, or else your new page will bypass that security and allow unlimited guesses.
#5
but this won't be a login.
k, I'm logged on to vBulletin.org, I leave (run to the store or something) while leaving vb.org open. Any member of my household, may it be a little brother, sister with a grudge, w/e, sees I'm logged into my favorite forum and decides to go post happy with a bunch of nonsense. Resulting in me getting warnings/infractions/ or even banned. (note* I myself don't have this issue, it's just an example lol) So after 5 mins or so I'm sent to an idle page where I'm still logged in... but I have to confirm my password to get off that page.

--------------- Added [DATE]1424873477[/DATE] at [TIME]1424873477[/TIME] ---------------

and the only place in vb where you confirm your current password is where you set a new one, that's why I went with that for a base. But I can see where this gets vulnerable... what's to stop me from navigating from ext.php to index.php, no clue how to fix that one lol, one step at a time

--------------- Added [DATE]1424873798[/DATE] at [TIME]1424873798[/TIME] ---------------

you know what... this idea is kind of stupid when I think about it, it'd be much better to force logout the user than to just have them re-enter their password. I'm going to go back to getting the avatar even when they're logged out. And I did put a better example in that thread
#6
Oh, I see, I was wrong. "enter your present password". Yeah, that's a reasonable place to look. But it's different than the "confirm password" that's on the same page.
#7
In profile.php, it's the section that starts with:
Code:
// ############################### start update password ###############################

Code:
if (md5(md5($password).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password'])
{
    // password OK
}
else
{
    // password bad
}

Regarding the strike system, I don't think you have to worry about that if you're only allowing your page to be executed by users who are already logged in.
#8
so I tried passing that into the POST with no success
ext.php:
Code:
<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext'); // change this depending on your filename

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array(

);

// get special data templates from the datastore
$specialtemplates = array(

);

// pre-cache templates used by all actions
$globaltemplates = array(
    'ext',
);

// pre-cache templates used by specific actions
$actiontemplates = array(

);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');

// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

$navbits = array();
$navbits[$parent] = 'Ext Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');

if ($_POST['do'] == 'confirmpassword')
{
    if (md5(md5($password).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password'])
    {
        exec_header_redirect('yes.php');
    }
    else
    {
        exec_header_redirect('no.php');
    }
}

?>
#9
Well, I only used $password as an example to make it clear what the code is doing. You need to get the value that's being submitted from your form and use that. You can use the vbulletin input cleaning system if you want. What's the name on the form <input> that has the password?
#10
Code:
<input type="password" class="bginput" name="currentpassword" size="50" maxlength="50" />

it's all in the OP
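
An added example, not part of the thread and not vBulletin's own code: it reads the form's `currentpassword` / `currentpassword_md5` fields, compares against the stored hash from post #7 in constant time, counts failed attempts (the concern in post #4), and keeps a server-side lock flag so that navigating from ext.php to index.php does not skip the prompt (the concern in post #5). `$user`, `$session`, `MAX_ATTEMPTS`, `vb3_hash()`, `confirm_password()` and `page_allowed()` are hypothetical names, and PHP 7 or later is assumed.

```php
<?php
// Added example, not vBulletin code. $user stands in for $vbulletin->userinfo
// and $session for per-session server-side storage; all values are constructed.
const MAX_ATTEMPTS = 5; // assumption: failed confirmations allowed before logout

// Hash scheme quoted in post #7: md5(md5(password) . salt). $md5 is the hidden
// currentpassword_md5 field; when it is not a 32-hex digest, hash the cleartext.
function vb3_hash(string $password, string $md5, string $salt): string
{
    $inner = preg_match('/^[a-f0-9]{32}$/', $md5) ? $md5 : md5($password);
    return md5($inner . $salt);
}

// Returns 'ok', 'retry' or 'logout' for one submission of the confirm form.
function confirm_password(array $user, array &$session, array $post): string
{
    if (($session['failed'] ?? 0) >= MAX_ATTEMPTS) {
        return 'logout'; // out of guesses: end the session instead of re-prompting
    }
    $candidate = vb3_hash(
        (string) ($post['currentpassword'] ?? ''),
        (string) ($post['currentpassword_md5'] ?? ''),
        $user['salt']
    );
    if (hash_equals($user['password'], $candidate)) { // constant-time compare
        $session['failed'] = 0;
        $session['locked'] = false; // lift the idle lock
        return 'ok';
    }
    $session['failed'] = ($session['failed'] ?? 0) + 1;
    return $session['failed'] >= MAX_ATTEMPTS ? 'logout' : 'retry';
}

// Run at the top of every script: while the session is locked, only the
// confirm page (THIS_SCRIPT 'ext' in the thread) may be served.
function page_allowed(array $session, string $script): bool
{
    return empty($session['locked']) || $script === 'ext';
}

// Constructed demo: a locked session, one wrong guess, then the right password.
$user    = ['salt' => 'a1B', 'password' => md5(md5('correct horse') . 'a1B')];
$session = ['locked' => true, 'failed' => 0];
var_dump(page_allowed($session, 'index'));
var_dump(confirm_password($user, $session, ['currentpassword' => 'wrong guess']));
var_dump(confirm_password($user, $session, ['currentpassword_md5' => md5('correct horse')]));
var_dump(page_allowed($session, 'index'));
```

The lock flag has to live in server-side session state and be checked by every script; a redirect to ext.php alone leaves every other URL reachable.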