  #1  
02-25-2015, 11:34 AM
Dr.CustUmz
Join Date: Aug 2013
Location: USA
Posts: 647
Thanks given: 0 times
Thanked: 0 times in 0 posts
Confirm password on non vb pages

The idea's sound, just need help making it happen.

So I've created an external page, and on this page as of now all I have is a confirm password box that I took from the modifypassword? template.

This is the content of ext.php:
Code:
<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext'); // change this depending on your filename

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array(

);

// get special data templates from the datastore
$specialtemplates = array(
    
);

// pre-cache templates used by all actions
$globaltemplates = array(
    'ext',
);

// pre-cache templates used by specific actions
$actiontemplates = array(

);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
require_once(DIR . '/includes/functions_user.php');
// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

$navbits = array();
$navbits[$parent] = 'Ext Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');


if ($_POST['do'] == 'confirmpassword')
{
	$vbulletin->input->clean_array_gpc('p', array(
		'currentpassword'        => TYPE_STR,
		'currentpassword_md5'    => TYPE_STR,
	));
	
	if ($userdata->hash_password($userdata->verify_md5($vbulletin->GPC['currentpassword_md5']) ? $vbulletin->GPC['currentpassword_md5'] : $vbulletin->GPC['currentpassword'], $vbulletin->userinfo['salt']) != $vbulletin->userinfo['password'])
		{
			eval(standard_error(fetch_error('badpassword', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'])));
		}
	
}
else if ($_GET['do'] == 'confirmpassword')
{
	// add consistency with previous behavior
	exec_header_redirect('index.php');
}
?>
Right now I'm just playing around with it, trying to make it actually confirm the password. I stole some code from profile.php and have removed some of it.

So what's it supposed to do?
Well, when the user confirms their password, I want it to redirect the user to one page. If the user gets the password wrong, redirect them to another (possibly log them out also....for security reasons?... MAYBE)

Oh, and the content of my ext template:
Code:
$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
<title>$vboptions[bbtitle]</title>
$headinclude
</head>
<body>
$header

$navbar

<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=$vboptions[simpleversion]"></script>
<script type="text/javascript">
function hash_passwords(currentpassword, currentpassword_md5, newpassword, newpassword_md5, newpasswordconfirm, newpasswordconfirm_md5)
{
	var junk_output;
	md5hash(currentpassword, currentpassword_md5, junk_output, $show[nopasswordempty]);
	// do various checks
	if (newpassword.value != '')
	{
		md5hash(newpassword, newpassword_md5, junk_output, $show[nopasswordempty]);
	}
	if (newpasswordconfirm.value != '')
	{
		md5hash(newpasswordconfirm, newpasswordconfirm_md5, junk_output, $show[nopasswordempty]);
	}
}
</script>

<form action="ext.php?do=confirmpassword" method="post" onsubmit="hash_passwords(currentpassword, currentpassword_md5, newpassword, newpassword_md5, newpasswordconfirm, newpasswordconfirm_md5)">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="updatepassword" />
<input type="hidden" name="currentpassword_md5" />
<input type="hidden" name="newpassword_md5" />
<input type="hidden" name="newpasswordconfirm_md5" />

			<input type="password" class="bginput" name="currentpassword" size="50" maxlength="50" />
		<div style="margin-top:$stylevar[cellpadding]px">
			<input type="submit" class="button" value="$vbphrase[save_changes]" accesskey="s" />
			<input type="reset" class="button" value="$vbphrase[reset_fields]" accesskey="r" />
		</div>
</form>

$footer
</body>
</html>
As of right now I'm not getting any response with this, other than when you submit the input it adds the DO to the URL "?do=confirmpassword". Been messing about for a while now and can't seem to get it to do much more than that.
Reply With Quote
  #2  
02-25-2015, 11:39 AM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Thanks given: 0 times
Thanked: 0 times in 0 posts

Well, confirm password is the second password box, so the user has to enter the password twice to make sure they don't make a typo when changing their password. Is that what you're trying to do, or are you trying to verify the user's password?

What do you mean by "external", are you including global.php in your script?
Reply With Quote
  #3  
02-25-2015, 11:56 AM
Dr.CustUmz
Join Date: Aug 2013
Location: USA
Posts: 647
Thanks given: 0 times
Thanked: 0 times in 0 posts

Quote:
Originally Posted by kh99
Well, confirm password is the second password box, so the user has to enter the password twice to make sure they don't make a typo when changing their password. Is that what you're trying to do, or are you trying to verify the user's password?

What do you mean by "external", are you including global.php in your script?

When I say confirm password, I mean confirm the current password, as in a way to verify it's you. Like if you go to usercp and edit email / password, the first box is current password. That's the only part I'm wanting to check.

And yes, I include global. I guess it's not really an external page, it's still a vb powered page. I used https://vborg.vbsupport.ru/showthread.php?t=62164 for that part.

So if I enter the correct current password, I get redirected to one page, else I get redirected to another.

I've been up and down profile.php, I'm pretty sure I have all I need, I just can't seem to edit it correctly =/

And yes, this will go along with the thing I posted last night but shhhh lol
Reply With Quote
  #4  
02-25-2015, 12:03 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Thanks given: 0 times
Thanked: 0 times in 0 posts

I think I understand what you want to do, but I'm not sure I follow the way you're trying to do this. I think what you'd want to do is look at how the regular login works, not the place where the password is changed. You want to make sure, for instance, that you're using the strike system or something similar, or else your new page will bypass that security and allow unlimited guesses.
Reply With Quote
  #5  
02-25-2015, 12:09 PM
Dr.CustUmz
Join Date: Aug 2013
Location: USA
Posts: 647
Thanks given: 0 times
Thanked: 0 times in 0 posts

But this won't be a login.

K, I'm logged on to vBulletin.org, I leave (run to the store or something) while leaving vb.org open. Any member of my household, may it be a little brother, sister with a grudge, w/e, sees I'm logged into my favorite forum and decides to go post happy with a bunch of nonsense, resulting in me getting warnings/infractions/ or even banned. (Note* I myself don't have this issue, it's just an example lol)

So after 5 mins or so I'm sent to an idle page where I'm still logged in... but I have to confirm my password to get off that page.

--------------- Added at Unix time 1424873477 ---------------

And the only place in vb where you confirm your current password is where you set a new one, that's why I went with that for a base.

But I can see where this gets vulnerable... what's to stop me from navigating from ext.php to index.php? No clue how to fix that one lol, one step at a time.

--------------- Added at Unix time 1424873798 ---------------

You know what... this idea is kind of stupid when I think about it, it'd be much better to force logout the user than to just have them re-enter their password.

I'm going to go back to getting the avatar even when they're logged out. And I did put a better example in that thread.
Reply With Quote
  #6  
02-25-2015, 12:24 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Thanks given: 0 times
Thanked: 0 times in 0 posts

Oh, I see, I was wrong. "enter your present password". Yeah, that's a reasonable place to look. But it's different than the "confirm password" that's on the same page.
Reply With Quote
  #7  
02-25-2015, 12:34 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Thanks given: 0 times
Thanked: 0 times in 0 posts

In profile.php, it's the section that starts with:
Code:
// ############################### start update password ###############################
Anyway, if you have a password the user entered, say in $password for example (in profile.php it's in $vbulletin->GPC['currentpassword']), then you'd do something like:

Code:
// strict comparison: == can treat two different "0e..." hash strings as equal numbers
if (md5(md5($password).$vbulletin->userinfo['salt']) === $vbulletin->userinfo['password'])
{
   //password OK
}
else
{
   // password bad
}
But to complicate things, the vb code has javascript which does an md5 on the password so that it's not sent in clear text, except that the code has to work if someone has javascript disabled, so the code is a little complicated because it allows for either case. I don't know if you want to bother with that or not.

Regarding the strike system, I don't think you have to worry about that if you're only allowing your page to be executed by users who are already logged in.
Reply With Quote
  #8  
02-25-2015, 12:43 PM
Dr.CustUmz
Join Date: Aug 2013
Location: USA
Posts: 647
Thanks given: 0 times
Thanked: 0 times in 0 posts

So I tried passing that into the POST with no success.

ext.php:
Code:
<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext'); // change this depending on your filename

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array(

);

// get special data templates from the datastore
$specialtemplates = array(
    
);

// pre-cache templates used by all actions
$globaltemplates = array(
    'ext',
);

// pre-cache templates used by specific actions
$actiontemplates = array(

);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

$navbits = array();
$navbits[$parent] = 'Ext Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');


if ($_POST['do'] == 'confirmpassword')
{
	if (md5(md5($password).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password'])
	{
	   exec_header_redirect('yes.php');
	}
	else
	{
	   exec_header_redirect('no.php');
	}
}
?>
ext template (is same as OP)
Reply With Quote
  #9  
02-25-2015, 12:47 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Thanks given: 0 times
Thanked: 0 times in 0 posts

Well, I only used $password as an example to make it clear what the code is doing. You need to get the value that's being submitted from your form and use that. You can use the vbulletin input cleaning system if you want. What's the name on the form <input> that has the password?
Reply With Quote
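
The check from posts #7 and #9, as an added example that is not part of the thread or of vBulletin: it reads the two form fields named in the original post (currentpassword and currentpassword_md5), covers both the JavaScript and no-JavaScript cases, and caps wrong guesses per session. The function names, the confirm_failures session key and the limit of 5 are assumptions; hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example, not vBulletin code: stand-alone version of the check from posts #7 and #9.
// Function names, the session key and the failure limit are assumptions.

// Returns the field only if it is a string (rejects array input such as currentpassword[]=x).
function str_field(array $a, $k)
{
    return (isset($a[$k]) && is_string($a[$k])) ? $a[$k] : '';
}

// $post holds the submitted fields, $user holds 'salt' and 'password' (the stored hash).
function verify_current_password(array $post, array $user)
{
    $md5Field = strtolower(str_field($post, 'currentpassword_md5'));
    $plain    = str_field($post, 'currentpassword');

    if (preg_match('/\A[a-f0-9]{32}\z/', $md5Field)) {
        $inner = $md5Field;      // JavaScript ran and hashed the password client-side
    } elseif ($plain !== '') {
        $inner = md5($plain);    // JavaScript disabled: hash the plain field server-side
    } else {
        return false;            // nothing usable was submitted
    }
    // vB3 scheme from post #7: md5(md5(password) . salt), compared in constant time.
    return hash_equals((string) $user['password'], md5($inner . $user['salt']));
}

// Caps wrong guesses per session (the concern from post #4). Returns 'ok', 'bad' or 'locked'.
function confirm_with_limit(array &$session, array $post, array $user, $maxFailures = 5)
{
    $failures = isset($session['confirm_failures']) ? (int) $session['confirm_failures'] : 0;
    if ($failures >= $maxFailures) {
        return 'locked';         // caller should end the session instead of redirecting
    }
    if (verify_current_password($post, $user)) {
        $session['confirm_failures'] = 0;
        return 'ok';
    }
    $session['confirm_failures'] = $failures + 1;
    return 'bad';
}

// Constructed sample data (not from the thread).
$user    = array('salt' => 'aB3', 'password' => md5(md5('correct horse') . 'aB3'));
$session = array();
var_dump(confirm_with_limit($session, array('currentpassword' => 'wrong guess'), $user));
var_dump(confirm_with_limit($session, array('currentpassword_md5' => md5('correct horse')), $user));
```

In the thread's ext.php the hidden do field posts updatepassword while the handler tests for confirmpassword, and the template is printed before the handler runs; the check and any redirect have to happen before output is sent.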
  #10  
02-25-2015, 01:00 PM
Dr.CustUmz
Join Date: Aug 2013
Location: USA
Posts: 647
Thanks given: 0 times
Thanked: 0 times in 0 posts

Code:
<input type="password" class="bginput" name="currentpassword" size="50" maxlength="50" />
--------------- Added at Unix time 1424876530 ---------------

It's all in the OP.
Reply With Quote
All times are GMT.