any demo please ! thanks !
Announcement
Collapse
No announcement yet.
[Release v2.0.3] PasswordHack
Collapse
X
-
Is it just me or is this the most un-secure password protect set-up around?
Please don't think me rude.......I installed this and there are holes everywhere.
First of all I have vbportal installed. Understandably....this was not written to accomidate that but aside fro those holes in the vb forum itself there is the link at the top of the main forum page "Active Posts" (or something like that).........then there is the little button by the membername in the table on the main forum page for "last post" (or something).....then there is the search feature.......do a search on the membername you see as the last poster in the forum nad with the results you are in......plus...once someone gets in.....if they never log out.....you can't get them out.....they will be able to waltz right in without any logins or anything.....and let's not forget about clicking on the membername of the last poster on the front of that forum and in his profile there is the link to a post inside and you are in again.
Is there any updates to this hack that will close all these holes?
I really want this to work because I don't want to make the forum private...it is too much work to add all the names
Thanks in advance....drivesLast edited by Flack Jacket; Wed 24 Oct '01, 12:06am.
Comment
-
Originally posted by drives_fast
then is it a cookie thing that allows me to get in that forum from all these links everywhere?
I cleared all cookies, temp internet files, everything but all I have to do is login to my board and go to that forum and I am in.
The only time I can't get in is if I am not logged into the board
unsubscribe a password protected board.
Comment
-
is there any way to get those that have already gotten in through a hole out?
is it possible to code in that the cookie not be set for access to the protected forum?
in other words.....make it so everyone with the password have to put it in every time they visit that forum?
I have some that got in.......I need to be able to get them out
Comment
-
Well....after further investigation....there are definately holes in this.
I registered a name and then tried to access the protected forum......could not get in.....good.
I removed all instances of "view new posts" or anything similar
went to the search feature.....typed in a name of someone that posted in the protected forum.....boom...there are the links and yes.....you can click them and get in. (mind you that I never entered a password to access the protected forum before trying these things)
backed out of that and went to that members profile and clicked on the last post (in the protected forum) and boom.....in again
So I say....there are holes in this.
I tried these thing on your board (afterburner) and they did not work......maybe some tweaks you did to yours that aren't documented in the installation file?
I really want this to work but need some help to make it either not search and list threads in protected forums from every angle or something......
anybody....please?Last edited by Flack Jacket; Wed 24 Oct '01, 5:33pm.
Comment
-
did you modified the showtopic.php correctly ? I have the same code in the description of the hack than in my board.
PHP Code:download the showthread.php and make a backup of this file
look for this code (ca 205):
if (!$thread['visible']) {
$idname="thread";
eval("standarderror(\"".gettemplate("error_invalidid")."\");");
exit;
}
$forum=getforuminfo($thread['forumid']);
add below this code:
// Password-Hack-by Afterburner-Start
if ($forum['password']) {
$boardid="userspezial$thread[forumid]";
if ($bbuserinfo[$boardid] != 1) {
eval("standarderror(\"".gettemplate('fehler_password_showtopic')."\");");
exit;
}
}
// Password-Hack-by Afterburner-End
upload the showthread.php.
Comment
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Comment