Welcome, Guest. Please Login or Register.
November 28, 2024, 08:33:20 AM
Home Help Search Log in Register
News: SMF is the next generation in forum software, almost completely re-written from the ground up, make sure you don't fall for cheap imitations that suffer from feature bloat!

YaBB SE Community  |  Development  |  Completed mods  |  [Beta 1.5.2] Password Change 1.0 « previous next »
Pages: [1] 2 Reply Ignore Print
Author Topic: [Beta 1.5.2] Password Change 1.0  (Read 18003 times)
[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


ICQ - 179721867unknownbrackets@hotmail.com WWW
[Beta 1.5.2] Password Change 1.0
« on: May 04, 2003, 12:56:34 PM »
Reply with quote

I wrote this as a result of this thread:
http://www.yabbse.org/community/index.php?thread=22402

This mod adds an additional step to the "forgot password" password change process.  This means you won't get your password changed by some prankster.

http://unknown.network32.net
Mod File: http://unknown.network32.net/security/enhancedsecurity.zip

-[Unknown]
« Last Edit: July 27, 2003, 09:37:46 AM by [Unknown] » Logged
Peter Duggan
Llama Chameleon
Global Moderator
YaBB God
*****
Posts: 1793


You come and go...

WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #1 on: May 04, 2003, 01:43:52 PM »
Reply with quote

Yes, it works!

I had to apply it manually (had some permission problem with Packer.php and the YaBBpak Center that could be my own fault), and discovered that two of the <search for> instructions didn't match my Reminder.php exactly because of extra blank lines in the .mod.yp file.

It's not immediately obvious when it returns you to the Login screen that another email with a new password has been sent, and I haven't tested it yet with a secret question because I've never used one (just about to), but it definitely works on at least one of my installations.

<edit>Tested successfully with secret question too!</edit>
« Last Edit: May 04, 2003, 01:47:02 PM by Peter Duggan » Logged

Webby
Beta Tester
YaBB God
*****
Posts: 829


Some mistakes are too funny to make only once.

ICQ - 9814812webby@salesplaza.nl WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #2 on: May 07, 2003, 05:40:41 PM »
Reply with quote

I have this error :

QuoteFatal error: Call to undefined function: md5_hmac() in /home/sites/salesplaza.nl/www/forum/Reminder.php on line 160

It has a problem with the md5_hmac ??

What to do next ?
Logged

Webby of salesplaza.nl
The YaBBSE buttongenerator : Click HERE !
Shoeb Omar
Disciple of Joe
YaBB God
*****
Posts: 1420


The shrub demands war. I don't. The world doesn't.

ICQ - 69234983clickopedia@hotmail.com WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #3 on: May 07, 2003, 06:17:24 PM »
Reply with quote

What is the "additional step"?
Logged

"If we all practice an eye for an eye, pretty soon the whole world will be blind" - Gandhi

We need to start listening to advocates of peace in oder to advance society. We have not grown from the prehistoric barbarians we once were.  Will society ever mature?
Webby
Beta Tester
YaBB God
*****
Posts: 829


Some mistakes are too funny to make only once.

ICQ - 9814812webby@salesplaza.nl WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #4 on: May 07, 2003, 06:26:31 PM »
Reply with quote

There is a few times an entry like this :

<replace>
   sendmail($email, $txt['passchange_for'] . $mbname . ' : ' . $name,
      $txt['passchange_email'] .
      $scripturl . '?action=reminder;what=step2;hash=' . md5_hmac($member_name, $row['memberIP']) . ';user=' . $member_name . ';searchtype=usearch', $webmaster_email);
   $messagetext = "<b>$txt[192]: $user</b><br /><br /><a href=\"$scripturl?action=login;u=$member_name\">$txt[34]</a>";
</replace>


This md5_hmac is hocuspocus to my board I guess ;) ?
Logged

Webby of salesplaza.nl
The YaBBSE buttongenerator : Click HERE !
Shoeb Omar
Disciple of Joe
YaBB God
*****
Posts: 1420


The shrub demands war. I don't. The world doesn't.

ICQ - 69234983clickopedia@hotmail.com WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #5 on: May 07, 2003, 06:32:36 PM »
Reply with quote

Ithought that md5_hmac was a function in Load.php?
Logged

"If we all practice an eye for an eye, pretty soon the whole world will be blind" - Gandhi

We need to start listening to advocates of peace in oder to advance society. We have not grown from the prehistoric barbarians we once were.  Will society ever mature?
Webby
Beta Tester
YaBB God
*****
Posts: 829


Some mistakes are too funny to make only once.

ICQ - 9814812webby@salesplaza.nl WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #6 on: May 07, 2003, 06:33:42 PM »
Reply with quote

I have to look for that then.... :-[
Logged

Webby of salesplaza.nl
The YaBBSE buttongenerator : Click HERE !
Webby
Beta Tester
YaBB God
*****
Posts: 829


Some mistakes are too funny to make only once.

ICQ - 9814812webby@salesplaza.nl WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #7 on: May 07, 2003, 07:21:14 PM »
Reply with quote

The function is there in load.php :

// MD5 Encryption

function md5_hmac($data, $key)

{

   if (strlen($key) > 64)

      $key = pack('H*', md5($key));

   $key  = str_pad($key, 64, chr(0x00));



   $k_ipad = $key ^ str_repeat(chr(0x36), 64);

   $k_opad = $key ^ str_repeat(chr(0x5c), 64);



   return md5($k_opad . pack('H*', md5($k_ipad . $data)));

}



/* Load the users settings into the array settings.  This array has

      been kept as close to the settings array in Y1G as possible*/


But I do get this error.

How come ??
Logged

Webby of salesplaza.nl
The YaBBSE buttongenerator : Click HERE !
[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


ICQ - 179721867unknownbrackets@hotmail.com WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #8 on: May 07, 2003, 08:26:05 PM »
Reply with quote

Make sure all your files have been updated to the newest versions.  You should be calling Reminder.php like index.php?action=reminder.

The extra step is an extra confirmation email.

-[Unknown]
Logged
Webby
Beta Tester
YaBB God
*****
Posts: 829


Some mistakes are too funny to make only once.

ICQ - 9814812webby@salesplaza.nl WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #9 on: May 07, 2003, 09:40:12 PM »
Reply with quote

Thanx.

Well, there you have it, I don't have the newest version for all my files.  I have too much mods to upgrade at the moment ;)

Is there something I could do or should I forget about this mod :( ?
Logged

Webby of salesplaza.nl
The YaBBSE buttongenerator : Click HERE !
[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


ICQ - 179721867unknownbrackets@hotmail.com WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #10 on: May 07, 2003, 09:57:22 PM »
Reply with quote

Copy the md5_hmac function in... and it *should* work.

-[Unknown]
Logged
Webby
Beta Tester
YaBB God
*****
Posts: 829


Some mistakes are too funny to make only once.

ICQ - 9814812webby@salesplaza.nl WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #11 on: May 07, 2003, 10:09:31 PM »
Reply with quote

Well, I've put it in, and it worked.





but.....




When I receive the second email with the new password, the new password isn't accepted.

Does it have to do with the method of encrypting the password ?  I tried 3 times, but all the passwords aren't accepted..........So I've put my old Reminder.php back for the time being.  I would really like to have this mod, it's much saver........
Logged

Webby of salesplaza.nl
The YaBBSE buttongenerator : Click HERE !
Peter Duggan
Llama Chameleon
Global Moderator
YaBB God
*****
Posts: 1793


You come and go...

WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #12 on: May 07, 2003, 10:47:30 PM »
Reply with quote

Quote from: Webby on May 07, 2003, 10:09:31 PM
When I receive the second email with the new password, the new password isn't accepted.

FWIW, I've had this mod running on two boards since Sunday and everything works for me. I've tested it several times on each and never had any problems.
Logged

Webby
Beta Tester
YaBB God
*****
Posts: 829


Some mistakes are too funny to make only once.

ICQ - 9814812webby@salesplaza.nl WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #13 on: May 08, 2003, 06:55:24 AM »
Reply with quote

Well, I have to admit, I'm running a previous version (1.5.1Rcxx), but I'm trying to get this working.

If it is not possible, please say so, I will leave it alone then.
Logged

Webby of salesplaza.nl
The YaBBSE buttongenerator : Click HERE !
[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


ICQ - 179721867unknownbrackets@hotmail.com WWW
Re:[Beta 1.5.2] Password Change 1.0
« Reply #14 on: May 08, 2003, 07:22:53 AM »
Reply with quote

Quote from: Webby on May 08, 2003, 06:55:24 AM
Well, I have to admit, I'm running a previous version (1.5.1Rcxx), but I'm trying to get this working.

If it is not possible, please say so, I will leave it alone then.

I'd have to rewrite it for 1.5.1RC1 or below...

-[Unknown]
Logged
Pages: [1] 2 Reply Ignore Print 
YaBB SE Community  |  Development  |  Completed mods  |  [Beta 1.5.2] Password Change 1.0 « previous - next »
 


Powered by MySQL Powered by PHP YaBB SE Community | Powered by YaBB SE
© 2001-2003, YaBB SE Dev Team. All Rights Reserved.
SMF 2.1.4 © 2023, Simple Machines
Valid XHTML 1.0! Valid CSS

Page created in 0.068 seconds with 20 queries.