Author |
Message |
Tank863
New Member
Joined: May 29, 2003
Posts: 16
|
Posted:
Thu May 27, 2004 8:32 pm |
|
This was uncovered by NSN Sentinel™ when applied to the test sites.
In Your Account's index.php file you will find 4 placements of:
Code:
getusrinfo($user);
if (($userinfo[username] != $cookie[1]) AND ($userinfo[user_password] != $cookie[2])) {
|
What if you are using NSN's Your Account Version: 3.2.0 Alpha.. does this apply and where would I need to fix it? |
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
|
Posted:
Thu May 27, 2004 9:27 pm |
|
Have to check with Bob M on that one; I've not seen it mentioned at all though. You could test by creating a new user and if it succeeds you're probably OK with that one. |
|
|
|
peace
Worker
Joined: Mar 11, 2004
Posts: 209
|
Posted:
Fri May 28, 2004 6:06 am |
|
hello
i have questions plz
i download it and wanna know if it contains this fix or should i do it manually .
will it work well with ;i use 7.3 ( it has union tab or hack what else) and have Raven's HA
thx |
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Fri May 28, 2004 7:17 am |
|
peace wrote: | hello
i have questions plz
i download it and wanna know if it contains this fix or should i do it manually .
will it work well with ;i use 7.3 ( it has union tab or hack what else) and have Raven's HA
thx |
It contains the fix in the sense that it includes instructions on how to fix it. Union Tap and my original hack alert are not needed, although it won't hurt to leave the code in. If you leave the code in you should place Sentinel first. |
|
|
|
peace
|
Posted:
Fri May 28, 2004 2:01 pm |
|
ty for answer raven ![Razz](modules/Forums/images/smiles/icon_razz.gif) |
|
|
|
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
|
Posted:
Fri May 28, 2004 2:28 pm |
|
Not all NSNYA's have the patch applied so you will need to check the edituser, edithome, editcomm, and chngtheme routines to see if your copy has the patch. |
_________________ Bob Marion
Codito Ergo Sum |
|
|
peace
|
Posted:
Fri May 28, 2004 2:43 pm |
|
hello Bob
i dont have NSNYA coz i see u havent one yet for 7.3 so i m waitin if Raven have time to update his no mail hack for 7.3 im havin problems with activation mails SOMETIMES
p.s wooohoooo welcome to Admin Team ![Mr. Green](modules/Forums/images/smiles/icon_mrgreen.gif) |
|
|
|
BobMarion
|
Posted:
Fri May 28, 2004 2:54 pm |
|
Hint, PHP-Nuke 7.3 is the same as 7.2 as 7.1 as far as NSNYA goes. Plus I should have said that was in reply to Tank's question up top ![Smile](modules/Forums/images/smiles/icon_smile.gif) |
|
|
|
peace
|
Posted:
Fri May 28, 2004 3:14 pm |
|
thx for reply & hints Bob
sorry Tank for messing your topic
Bob Raven put in progress 'Raven's Auto Registration for 7.3' for me tho coz he know my problem so if i use your NSNYA ill feel sad and guilty
regards |
|
|
|
BobMarion
|
Posted:
Fri May 28, 2004 3:29 pm |
|
Not a problem I completely understand. |
|
|
|
Tank863
|
Posted:
Sat May 29, 2004 8:28 am |
|
Bob,
Thanks for answering my many posts all over the place.. (sorry about that) I posted them, not knowing you are everywhere
Anyway.. to update this thread. I did have to apply the fixes to the following: edituser, edithome, editcomm, and chngtheme
again.. thanks ... |
|
|
|
MickP
Hangin' Around
Joined: Sep 17, 2003
Posts: 31
Location: Australia
|
Posted:
Sat May 29, 2004 4:16 pm |
|
I have a funny one here, I have a few users, that since applying the YA fix, cannot get to the "change info"; Change Home; Change Comms and Change Theme sections, it boots them straight back to YA page, as it would if not correct user by the else main($user) line.
It is only for a few tho, I can access mine fine, not a problem, but if I log in as one of those having the problem, I cannot get to those functions either, so doesn't appear to be a cookie related issue.
Any ideas? |
|
|
|
sixonetonoffun
|
Posted:
Sat May 29, 2004 7:16 pm |
|
|
|
MickP
|
Posted:
Sun May 30, 2004 1:59 am |
|
Yes, that's the one, it has only started since changing those lines. I am running a modified 6.5/7.2 version (I started at 6.5, but have been manually making changes since, due to my pages being customised for the site) |
|
|
|
Raven
|
Posted:
Sun May 30, 2004 7:35 am |
|
MickP wrote: | I have a funny one here, I have a few users, that since applying the YA fix, cannot get to the "change info"; Change Home; Change Comms and Change Theme sections, it boots them straight back to YA page, as it would if not correct user by the else main($user) line.
It is only for a few tho, I can access mine fine, not a problem, but if I log in as one of those having the problem, I cannot get to those functions either, so doesn't appear to be a cookie related issue.
Any ideas? |
Mick, I had the exact same problem (6.9). That's when we discovered the security holes in YA. Once I made those fixes all was well. But, you say you made those changes so I am perplexed about your situation. What I would suggest is that you take just one of the functions in YA, like Change Theme and debug it. Put a statement likein various places in the change theme function to find out where the function is dying. When you isolate that point, that should reveal the problem. |
|
|
|
MickP
|
Posted:
Sun May 30, 2004 7:18 pm |
|
Ok, this is where it fails, tho do not know why,
Code:
function chgtheme() {
    global $user, $userinfo, $Default_Theme, $cookie, $module_name;
    cookiedecode($user);
    getusrinfo($user);
    if (($userinfo[username] == $cookie[1]) AND ($userinfo[user_password] == $cookie[2])) {
        die('here');
|
with die on the line above, it shows the "here" on a blank page, on the line shown, it just returns you to the YA main page.
PS. If I revert code back to
Code:
getusrinfo($user);
if (($userinfo[username] != $cookie[1]) AND ($userinfo[user_password] != $cookie[2])) {
|
it all works fine again. |
|
|
|
Raven
|
Posted:
Sun May 30, 2004 9:34 pm |
|
MickP, you're not using the latest code (it was updated). See the news item on the front page. |
|
|
|
MickP
|
Posted:
Sun May 30, 2004 10:52 pm |
|
yep, just changed to the new code, it now reads
Code:
function chgtheme() {
    global $user, $userinfo, $Default_Theme, $cookie, $module_name;
    cookiedecode($user);
    getusrinfo($user);
    if ((is_user($user)) AND ($userinfo['username'] == $cookie[1]) AND ($userinfo['user_password'] == $cookie[2])) {
        include ("header.php");
        OpenTable();
|
my account works fine still, one of the ones that is/was having problems, I have just checked, and it has made no difference. it still dies in the same position as above. |
|
|
|
BobMarion
|
Posted:
Mon May 31, 2004 12:22 am |
|
I tried visiting your site but I got a DNS error. Will try again tomorrow after all these storms pass. |
|
|
|
MickP
|
Posted:
Mon May 31, 2004 12:31 am |
|
Thanks, Not sure why you got a DNS error, all is fine here.
If you need log in details of one of the members that is having problems with it to try, let me know and I will PM them to you. |
|
|
|
scubamaxx
New Member
Joined: Aug 18, 2002
Posts: 11
Location: Vienna, Austria
|
Posted:
Mon May 31, 2004 3:35 pm |
|
MickP wrote: |
Code:
function chgtheme() {
    global $user, $userinfo, $Default_Theme, $cookie, $module_name;
    cookiedecode($user);
    getusrinfo($user);
    if ((is_user($user)) AND ($userinfo['username'] == $cookie[1]) AND ($userinfo['user_password'] == $cookie[2])) {
        include ("header.php");
        OpenTable();
|
|
on my system it only works when i give a != and == in case of == == ?!?!?
Code:
function chgtheme() {
    global $user, $userinfo, $Default_Theme, $cookie, $module_name;
    cookiedecode($user);
    getusrinfo($user);
    if ((is_user($user)) AND ($userinfo['username'] != $cookie[1]) AND ($userinfo['user_password'] == $cookie[2])) {
        include ("header.php");
        OpenTable();
|
|
|
|
sixonetonoffun
|
Posted:
Mon May 31, 2004 4:06 pm |
|
For your sanity I'm experiencing the same thing with PHPNuke7.3 on Win2k/Apache1.3.29/PHP4.3.4/MySQL4.1.1a
As long as the line is (for all 4 functions)
if ((is_user($user)) AND ($userinfo['username'] != $cookie[1]) AND ($userinfo['user_password'] == $cookie[2])) {
everything seems fine. The thing that's really bugging me is I can't seem to figure out why! Not = and compare values are two totally different things. Why it should work one way for some and not for others throws me here. This doesn't matter if Sentinel is active or not; the results are the same. |
|
|
|
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
|
Posted:
Mon May 31, 2004 4:08 pm |
|
To anyone having problems with this code email me your index for the Your_Account module and your site url to chatserv@nukeresources.com |
|
|
|
MickP
|
Posted:
Mon May 31, 2004 4:42 pm |
|
Hi All, I have found the problem with this, if someone could arrive at the solution
If I signed up as MICK, but log on as Mick, it will not allow me into those 4 areas, if I log in as MICK, all is fine. This goes for any members on my site, if what is in the database does not match (casewise as well as characters) what you sign in as, this will happen. |
|
|
|
MickP
|
Posted:
Mon May 31, 2004 4:46 pm |
|
Just tested here on this site and the same occurs, would something like
Code:
$username = strtolower($username);
|
work in there somewhere? |
|
|
|
|
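The case mismatch MickP reports in the last two posts, shown as an added example (not code from any poster or from the Your Account module). The function names and every account and cookie value are constructed; it assumes the cookie carries the username in `$cookie[1]` and the stored password value in `$cookie[2]`, as in the checks quoted in the thread.

```php
<?php
// Added example: not PHP-Nuke or NSN Your Account code.
// Function names and all values below are constructed for illustration.

/** Strict comparison, the same shape as the `==` check quoted in the thread. */
function cookie_matches_strict(array $userinfo, array $cookie): bool
{
    return $userinfo['username'] == $cookie[1]
        && $userinfo['user_password'] == $cookie[2];
}

/**
 * Username compared case-insensitively (the strtolower() idea from the
 * last post); the stored password value must still match exactly.
 * hash_equals() needs PHP 5.6 or later.
 */
function cookie_matches_normalized(array $userinfo, array $cookie): bool
{
    if (!isset($cookie[1], $cookie[2])) {
        return false; // missing cookie fields never authorize
    }
    $same_name = strtolower($userinfo['username']) === strtolower((string) $cookie[1]);
    $same_pass = hash_equals((string) $userinfo['user_password'], (string) $cookie[2]);
    return $same_name && $same_pass;
}

// Database row as stored at sign-up (constructed).
$userinfo = ['username' => 'MICK', 'user_password' => 'constructed-hash-aaaa'];

// Cookies as they might look after different logins (constructed).
$cases = [
    'same case'            => [1 => 'MICK', 2 => 'constructed-hash-aaaa'],
    'different case'       => [1 => 'Mick', 2 => 'constructed-hash-aaaa'],
    'wrong password value' => [1 => 'Mick', 2 => 'constructed-hash-bbbb'],
    'different user'       => [1 => 'Nick', 2 => 'constructed-hash-aaaa'],
];

foreach ($cases as $label => $cookie) {
    printf(
        "%-22s strict=%-5s normalized=%s\n",
        $label,
        var_export(cookie_matches_strict($userinfo, $cookie), true),
        var_export(cookie_matches_normalized($userinfo, $cookie), true)
    );
}
```

Only the username is lower-cased, so the password comparison stays exact; `strtolower()` used this way is dependable for ASCII usernames only.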