
Protect useraccount mod

Posted: 14.10.2002 11:34
by Sekey
I downloaded the following hack:


######################################################## 
## Mod Title:   Protect useraccount mod 
## Mod Version: 0.9.3
## Author:       Niels Chr. Rød Denmark < ncr@db9.dk > http://mods.db9.dk
## 
## This mod is for phpBB2 ver 2.0.2
##
## Description:  This mod will prevent hacking of users' passwords. The mod works like this:
##	if a user submits a valid password, nothing changes;
##	if a user submits a wrong password X times on a user's account,
## 	then the specified username cannot log in for a specific time (e.g. 30 min).
##	This prevents a fake user from trying several times to log in to another user's account.
##	Note: the blocked time should not be set too long, so the "real" user can still log in.
##
## 
## 
## Installation Level:  Easy 
## Installation Time:   2-5 Minutes 
## Files To Edit:      4 
##   language/lang_english/lang_main.php 
##   login.php
##   includes/functions_validate.php
##   includes/usercp_register.php
##   admin/admin_board.php
##   templates/subsilver/admin/board_config.tpl
##  Include files:	0
##
##	History:
##		0.9.0. - initial BETA, basic features 
##		0.9.1. - corrected some typos in the initial 0.9.0 how-to
##		0.9.2. - now includes an admin interface, so values are configurable
##		0.9.3. - now includes complex password rules, admin interface not yet completed
##		0.9.4. - fixed a "left over" in the admin_board.php
##
############################################################## 
## This MOD is released under the GPL License. 
## Intellectual Property is retained by the MOD Author(s) listed above 
############################################################## 
## For Security Purposes, Please Check: http://www.phpbb.com/mods/downloads/ for the 
## latest version of this MOD. Downloading this MOD from other sites could cause malicious code 
## to enter into your phpBB Forum. As such, phpBB will not offer support for MOD's not offered 
## in our MOD-Database, located at: http://www.phpbb.com/mods/downloads/ 
############################################################## 
## Authors Notes: 
## 
## Instead of running the SQL commands yourself, I have also included a db_update.php file.
## If you are logged in as ADMIN, you can run this file, which will do the necessary changes to the DB.
## The file will by itself put the prefix on your tables; otherwise,
## if you are using a prefix for your DB tables, then you have to add this to 
## the [ADD SQL] commands, e.g. "phpbb_users" instead of just "users" - ONLY 
## in the initial [ADD SQL] commands, not in the php code ! 
##
## 
################################################################# 
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD 
## and the Database
################################################################# 


# 
#-----[ ADD SQL ]------------------------------------------ 
# 
ALTER TABLE `users` ADD `user_badlogin` SMALLINT(5) NOT NULL


# 
#-----[ ADD SQL ]------------------------------------------ 
# 
ALTER TABLE `users` ADD `user_blocktime` INT(11) NOT NULL


# 
#-----[ ADD SQL ]------------------------------------------ 
# 
INSERT INTO config (config_name, config_value) VALUES ("block_time", "15")

# 
#-----[ ADD SQL ]------------------------------------------ 
# 
INSERT INTO config (config_name, config_value) VALUES ("max_login_error", "3")

# 
#-----[ ADD SQL ]------------------------------------------ 
# 
INSERT INTO config (config_name, config_value) VALUES ("min_password_len", "6")

# 
#-----[ ADD SQL ]------------------------------------------ 
# 
INSERT INTO config (config_name, config_value) VALUES ("force_complex_password", "1")

# 
#-----[ ADD SQL ]------------------------------------------ 
# 
INSERT INTO config (config_name, config_value) VALUES ("password_not_login", "1")


####################################################################

# 
#-----[ OPEN ]------------------------------------------ 
# 
language/lang_english/lang_main.php

# 
#-----[ FIND ]------------------------------------------ 
# 
#  AT THE BOTTOM OF THE PAGE 
// 
// That's all Folks! 
// -------------------------------------------------

# 
#-----[ BEFORE, ADD ]------------------------------------------ 
# 
//add on for protect useraccount mod
$lang['Error_login_tomutch'] = 'You have specified a locked username, please try again later';
$lang['Password_not_complex'] = 'The specified password does not conform to the complexity rules of this site, you should verify that: the password';
$lang['Password_to_short'] = 'is at least %d long';
$lang['Password_mixed'] = 'has both numbers and letters';
$lang['Password_not_same'] = 'is not the same as your username';

# 
#-----[ OPEN ]------------------------------------------ 
# 
index.php

# 
#-----[ FIND ]------------------------------------------ 
# 

$sql = "SELECT user_id, username,
FROM " . USERS_TABLE . "

# 
#-----[ IN-LINE, FIND ]------------------------------------------ 
# 
, user_level

# 
#-----[ IN-LINE, AFTER ADD ]------------------------------------------ 
# 
, user_badlogin, user_blocktime

# 
#-----[ FIND ]------------------------------------------ 
# 
if( md5($password) == $row['user_password'] && $row['user_active'] )


# 
#-----[ BEFORE, ADD ]------------------------------------------ 
# 
if ($row['user_badlogin']<$board_config['max_login_error'] || $row['user_blocktime']<time() )
{

# 
#-----[ FIND ]------------------------------------------ 
# 
$message = $lang['Error_login'] . '<br /><br />' . sprintf($lang['Click_return_login'], '<a href="' . append_sid("login.$phpEx?redirect=$redirect") . '">', '</a>') . '<br /><br />' .  sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');

# 
#-----[ BEFORE, ADD ]------------------------------------------ 
# 
// block the user for block_time minutes once max_login_error wrong attempts have been exceeded
$blocktime = ($row['user_badlogin'] >= $board_config['max_login_error']) ? ", user_blocktime='" . (time() + ($board_config['block_time'] * 60)) . "'" : "";
$sql = "UPDATE " . USERS_TABLE . " SET user_badlogin=user_badlogin+1 $blocktime
	WHERE username = '" . str_replace("\'", "''", $username) . "'";
if ( !($result = $db->sql_query($sql)) )
{
	message_die(GENERAL_ERROR, 'Error updating bad login data', '', __LINE__, __FILE__, $sql);
}

# 
#-----[ FIND ]------------------------------------------ 
# 
$message = $lang['Error_login'] . '<br /><br />' . sprintf($lang['Click_return_login'], '<a href="' . append_sid("login.$phpEx?redirect=$redirect") . '">', '</a>') . '<br /><br />' .  sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');

message_die(GENERAL_MESSAGE, $message);
}

# 
#-----[ AFTER, ADD ]------------------------------------------ 
# 
} else
{
	// account is still blocked: count the attempt and reject it without checking the password
	$sql = "UPDATE " . USERS_TABLE . " SET user_badlogin=user_badlogin+1
		WHERE username = '" . str_replace("\'", "''", $username) . "'";
	if ( !($result = $db->sql_query($sql)) )
	{
		message_die(GENERAL_ERROR, 'Error updating bad login data', '', __LINE__, __FILE__, $sql);
	}
	$message = (($lang['Error_login_tomutch'])?$lang['Error_login_tomutch']:$lang['Error_login']) . '<br /><br />' . sprintf($lang['Click_return_login'], '<a href="' . append_sid("login.$phpEx?redirect=$redirect") . '">', '</a>') . '<br /><br />' .  sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');
	message_die(GENERAL_MESSAGE, $message);
}

# 
#-----[ OPEN ]------------------------------------------ 
# 
includes/functions_validate.php
# 
#-----[ FIND ]------------------------------------------ 
# 
?>

# 
#-----[ BEFORE, ADD ]------------------------------------------ 
# 
function validate_complex_password ($username, $password)
{
	global $board_config, $lang;
	$ret = false;
	$msg_explain = '';
	// verify minimum length
	if ( strlen($password) < $board_config['min_password_len'] )
	{
		$ret = true;
		$msg_explain .= ($board_config['min_password_len']) ? sprintf ($lang['Password_to_short'], $board_config['min_password_len']) : '';
	}
	// verify password is not the same as the login name
	if ( $board_config['password_not_login'] && $username == $password )
	{
		$ret = true;
		$msg_explain .= ($msg_explain) ? ', ' : '';
		$msg_explain .= $lang['Password_not_same'];
	}
	// verify password holds both alphabetic and numeric characters
	if ( $board_config['force_complex_password'] )
	{
		if ( ! (preg_match("/[a-zA-Z]/", $password) && preg_match("/[0-9]/", $password)) )
		{
			$ret = true;
			$msg_explain .= ($msg_explain) ? ', ' : '';
			$msg_explain .= $lang['Password_mixed'];
		}
	}
	$msg_explain = ($msg_explain) ? $lang['Password_not_complex'] . $msg_explain : '';
	return array('error' => $ret, 'error_msg' => $msg_explain);
}


# 
#-----[ OPEN ]------------------------------------------ 
# 
includes/usercp_register.php

# 
#-----[ FIND ]------------------------------------------ 
# 
if ( !empty($new_password) && !empty($password_confirm) )
{

# 
#-----[ AFTER, ADD ]------------------------------------------ 
# 
// validate that the password is complex
$result = validate_complex_password ($username, $new_password);
if ( $result['error'] )
{
	$error = TRUE;
	$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $result['error_msg'];

}

# 
#-----[ OPEN ]------------------------------------------ 
# 
#    (make sure to edit this file for every language your admin uses). 
language/lang_english/lang_admin.php

# 
#-----[ FIND ]------------------------------------------ 
# 
// That's all Folks! 
// -------------------------------------------------

# 
#-----[ AFTER, ADD ]------------------------------------------ 
# 

//Added Protect useraccount mod 
$lang['Max_login_error'] = 'Block user on wrong login'; 
$lang['Max_login_error_explain'] = 'If a user submits a wrong password more times than this, the user account is blocked for a time'; 
$lang['Block_time'] = 'Block account time'; 
$lang['Block_time_explain'] = 'Number of minutes the user account is blocked if a wrong password is submitted more times than specified in "Block user on wrong login"'; 
$lang['Min_password'] = 'Minimum password length'; 
$lang['Min_password_explain'] = 'If a password is shorter than this value, it is not accepted'; 
$lang['Complex_password'] = 'Force complex password'; 
$lang['Complex_password_explain'] = 'Password must consist of both alphabetic and numeric characters';
$lang['Password_not_login'] = 'password != login'; 
$lang['Password_not_login_explain'] = 'Password must be different from the username';


# 
#-----[ OPEN ]------------------------------------------ 
# 
admin/admin_board.php


# 
#-----[ FIND ]------------------------------------------ 
# 
"L_ENABLE_PRUNE" => $lang['Enable_prune'], 

# 
#-----[ AFTER, ADD ]------------------------------------------ 
# 
'L_BLOCK_TIME' => $lang['Block_time'], 
'L_BLOCK_TIME_EXPLAIN' => $lang['Block_time_explain'], 
'L_MAX_LOGIN_ERROR' => $lang['Max_login_error'], 
'L_MAX_LOGIN_ERROR_EXPLAIN' => $lang['Max_login_error_explain'], 

# 
#-----[ FIND ]------------------------------------------ 
# 
"PRUNE_NO" => $prune_no, 

# 
#-----[ AFTER, ADD ]------------------------------------------ 
# 
'BLOCK_TIME' => $new['block_time'], 
'MAX_LOGIN_ERROR' => $new['max_login_error'], 

# 
#-----[ OPEN ]------------------------------------------ 
# 
#  (make sure to edit this file for every theme your admin uses). 
templates/subSilver/admin/board_config_body.tpl

# 
#-----[ FIND ]------------------------------------------ 
# 
	<td class="row2"><input type="radio" name="allow_namechange" value="1" {NAMECHANGE_YES} /> {L_YES}&nbsp;&nbsp;<input type="radio" name="allow_namechange" value="0" {NAMECHANGE_NO} /> {L_NO}</td>
</tr>

# 
#-----[ AFTER, ADD ]------------------------------------------ 
# 
<tr> 
   <td class="row1">{L_MAX_LOGIN_ERROR}<br /><span class="gensmall">{L_MAX_LOGIN_ERROR_EXPLAIN}</span></td> 
   <td class="row2"><input type="text" size="4" maxlength="4" name="max_login_error" value="{MAX_LOGIN_ERROR}" /></td> 
</tr> 
<tr> 
   <td class="row1">{L_BLOCK_TIME}<br /><span class="gensmall">{L_BLOCK_TIME_EXPLAIN}</span></td> 
   <td class="row2"><input type="text" size="4" maxlength="4" name="block_time" value="{BLOCK_TIME}" /></td> 
</tr> 

# 
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------ 
# 
# EoM 
But right here I cannot find the line:


# 
#-----[ FIND ]------------------------------------------ 
# 
if( md5($password) == $row['user_password'] && $row['user_active'] )


# 
#-----[ BEFORE, ADD ]------------------------------------------ 
# 
if ($row['user_badlogin']<$board_config['max_login_error'] || $row['user_blocktime']<time() )
{
Is that a wrong line? I don't have it in my code.
Can someone help me?
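The lockout rule the mod's header describes (a wrong-attempt counter in user_badlogin, a block window in user_blocktime), modelled in Python as an added example rather than the mod's own PHP. The defaults mirror the config rows above; the reset of the counter on a successful login is an assumption the mod text does not show.

```python
import time

# Defaults taken from the mod's [ADD SQL] config rows: max_login_error=3, block_time=15 (minutes).
MAX_LOGIN_ERROR = 3
BLOCK_TIME_MINUTES = 15


class UserRow:
    """Stand-in for a phpBB users row with the two columns the mod adds."""

    def __init__(self, username, password_hash):
        self.username = username
        self.password_hash = password_hash
        self.user_badlogin = 0    # user_badlogin SMALLINT: wrong attempts so far
        self.user_blocktime = 0   # user_blocktime INT: unix time at which the block expires


def attempt_login(row, submitted_hash, now=None):
    """Return (success, reason) using the same decision order as the mod's login.php insert."""
    now = int(time.time()) if now is None else now
    # Gate from the mod: proceed if still under the threshold OR the block window has expired.
    if not (row.user_badlogin < MAX_LOGIN_ERROR or row.user_blocktime < now):
        # Blocked: the password is not even compared, so the real owner is locked out too.
        row.user_badlogin += 1
        return False, "locked"
    if submitted_hash == row.password_hash:
        # Assumption (not in the mod text): clear the counter, otherwise a single wrong
        # password after an expired block would re-lock the account immediately.
        row.user_badlogin = 0
        row.user_blocktime = 0
        return True, "ok"
    # Wrong password: the mod sets the block when the counter is already at the limit,
    # i.e. on the attempt after max_login_error wrong ones, and then increments.
    if row.user_badlogin >= MAX_LOGIN_ERROR:
        row.user_blocktime = now + BLOCK_TIME_MINUTES * 60
    row.user_badlogin += 1
    return False, "wrong_password"


def lockout_trace(wrong_attempts, now=1000):
    """Run N wrong attempts against a constructed account and return the resulting state."""
    row = UserRow("alice", "correct-hash")  # constructed sample account
    results = [attempt_login(row, "bad-hash", now)[1] for _ in range(wrong_attempts)]
    return results, row.user_badlogin, row.user_blocktime
```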

Posted: 14.10.2002 11:39
by Acid
..instead of index.php, try login.php.

Posted: 14.10.2002 11:52
by Sekey
ok... thanks Acid, it worked.

Unfortunately this mod doesn't work locally.... :cry: oh well, I'll just have to try it on Tripod. :)

Posted: 15.10.2002 11:26
by Sekey
hmmm.... but now I have another question. I'd like the hack to work so that if a user logs in wrongly e.g. 3 times, they are blocked for 60 min. OK, so far so good.

But now I want all that nonsense with the password check (at registration) gone. That is, it should not check whether the user used numbers and letters in their password.
//add on for protect useraccount mod
$lang['Error_login_tomutch'] = 'You have specified a locked username, please try again later';
$lang['Password_not_complex'] = 'The specified password does not conform to the complexity rules of this site, you should verify that: the password';
$lang['Password_to_short'] = 'is at least %d long';
$lang['Password_mixed'] = 'has both numbers and letters';
$lang['Password_not_same'] = 'is not the same as your username';
I think this belongs to it, but what else do I have to take out?

Many thanks.

Posted: 06.08.2004 11:48
by Piedi
Well, I have a problem with the mod; I changed everything (manually) as described, but nothing works.
I have all the options in the configuration and for the users, but somehow it doesn't run.

I did the DB update... Are there maybe other typical mistakes known or something?

I also uploaded all the files (except the sounds).

e.g.: I can enable the option "Force user to change password on next logon ?", but the user is not prompted to change the password.
or...
"Days between users are forced to change password": this option isn't executed either... :oops:
Does anyone have a clue?

Posted: 06.08.2004 18:02
by rabbit
there must be an installation error... for me the mod has been running for quite a while, and after the first 100 days I was also successfully prompted to change my password... :roll:

Posted: 10.08.2004 14:27
by Piedi


Warning: main(./extension.inc) [function.main]: failed to create stream: No such file or directory in /www/htdocs/xxx/protect_user_account_db_update.php on line 20

Warning: main() [function.main]: Failed opening './extension.inc' for inclusion (include_path='.:..') in /www/htdocs/xxx/protect_user_account_db_update.php on line 20

Warning: main(./common.) [function.main]: failed to create stream: No such file or directory in /www/htdocs/xxx/protect_user_account_db_update.php on line 21

Warning: main() [function.main]: Failed opening './common.' for inclusion (include_path='.:..') in /www/htdocs/xxx/protect_user_account_db_update.php on line 21

Warning: main(./includes/functions_selects.) [function.main]: failed to create stream: No such file or directory in /www/htdocs/xxx/protect_user_account_db_update.php on line 22

Warning: main() [function.main]: Failed opening './includes/functions_selects.' for inclusion (include_path='.:..') in /www/htdocs/xxx/protect_user_account_db_update.php on line 22

Fatal error: Call to undefined function: session_pagestart() in /www/htdocs/xxx/protect_user_account_db_update.php on line 54
Can anyone tell me where the error is?
I've now checked everything again and wanted to do the DB update.

Posted: 10.08.2004 18:42
by saerdnaer
you have to run the file in your phpbb root directory

oh, and one more thing: if you have a problem with a hack and you find a 2-year-old topic about it, you should still open a new one.