Announcement

**Kengan** · Fri 31 Aug '01, 4:01pm

any demo please ! thanks !

**Clueless** · Fri 31 Aug '01, 4:18pm

there's a demo on the first Post

and that's what i can't see

**Afterburner** · Sun 2 Sep '01, 3:06am

go to your control panel
click on modify (Forums and Moderators)
choose a board and insert a password, up to now this board is password protected

**Flack Jacket** · Wed 24 Oct '01, 12:01am

Is it just me or is this the most un-secure password protect set-up around?

Please don't think me rude.......I installed this and there are holes everywhere.

First of all I have vbportal installed. Understandably....this was not written to accomidate that but aside fro those holes in the vb forum itself there is the link at the top of the main forum page "Active Posts" (or something like that).........then there is the little button by the membername in the table on the main forum page for "last post" (or something).....then there is the search feature.......do a search on the membername you see as the last poster in the forum nad with the results you are in......plus...once someone gets in.....if they never log out.....you can't get them out.....they will be able to waltz right in without any logins or anything.....and let's not forget about clicking on the membername of the last poster on the front of that forum and in his profile there is the link to a post inside and you are in again.

Is there any updates to this hack that will close all these holes?

I really want this to work because I don't want to make the forum private...it is too much work to add all the names

Thanks in advance....drives

**Afterburner** · Wed 24 Oct '01, 3:47am

You can see the titel of the postings but you can´t access the boards wich are protected. This is only a "see the topic title hole"

**Flack Jacket** · Wed 24 Oct '01, 5:09am

then is it a cookie thing that allows me to get in that forum from all these links everywhere?

I cleared all cookies, temp internet files, everything but all I have to do is login to my board and go to that forum and I am in.

The only time I can't get in is if I am not logged into the board

**Afterburner** · Wed 24 Oct '01, 5:14am

Originally posted by drives_fast
then is it a cookie thing that allows me to get in that forum from all these links everywhere?

I cleared all cookies, temp internet files, everything but all I have to do is login to my board and go to that forum and I am in.

The only time I can't get in is if I am not logged into the board

yes this is right, if you insert the correct password you are able to access the board every time, this settings are in your profile in the database, see in the instruction file from the hack there you can find my suggestions for the next version:
unsubscribe a password protected board.

**Flack Jacket** · Wed 24 Oct '01, 5:27am

is there any way to get those that have already gotten in through a hole out?

is it possible to code in that the cookie not be set for access to the protected forum?

in other words.....make it so everyone with the password have to put it in every time they visit that forum?

I have some that got in.......I need to be able to get them out

**Flack Jacket** · Wed 24 Oct '01, 5:24pm

Well....after further investigation....there are definately holes in this.

I registered a name and then tried to access the protected forum......could not get in.....good.

I removed all instances of "view new posts" or anything similar

went to the search feature.....typed in a name of someone that posted in the protected forum.....boom...there are the links and yes.....you can click them and get in. (mind you that I never entered a password to access the protected forum before trying these things)

backed out of that and went to that members profile and clicked on the last post (in the protected forum) and boom.....in again

So I say....there are holes in this.

I tried these thing on your board (afterburner) and they did not work......maybe some tweaks you did to yours that aren't documented in the installation file?

I really want this to work but need some help to make it either not search and list threads in protected forums from every angle or something......

anybody....please?

**Afterburner** · Thu 25 Oct '01, 12:22am

did you modified the showtopic.php correctly ? I have the same code in the description of the hack than in my board.

PHP Code:


download the showthread.php and make a backup of this file



look for this code (ca 205):



if (!$thread['visible']) {

  $idname="thread";

  eval("standarderror(\"".gettemplate("error_invalidid")."\");");

  exit;

}



$forum=getforuminfo($thread['forumid']);



add below this code:



// Password-Hack-by Afterburner-Start 

if ($forum['password']) {

$boardid="userspezial$thread[forumid]";

if ($bbuserinfo[$boardid] != 1) { 

eval("standarderror(\"".gettemplate('fehler_password_showtopic')."\");"); 

exit; 

} 

}

// Password-Hack-by Afterburner-End



upload the showthread.php.

**Flack Jacket** · Thu 25 Oct '01, 5:10am

yes...I have that in there exactly as you shoed it

do you think it could be this:....."userspezial$thread" instead of spelled "userspecial$thread" that is causing the problem?

My board is in english

**Afterburner** · Thu 25 Oct '01, 8:13am

userspezial$thread is the correct version
with z not with c

Announcement

[Release v2.0.3] PasswordHack

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment