Support Forums - All Posts - XOOPS Web Application System

31

Re: How to force the users of ours site to use safe passwords?

2006/9/23 16:29
rplima2004
Just popping in
Posts: 70
Since: 2004/10/8

Quote:

irmtfan wrote:
idea is great also set time limit for passwords is another feature to force user to change passwords regularly.

IMHO its not a good idea at all.
because anyone can block any account just by 3 faild login.
Or maybe create a script to block all accounts in the XOOPS site? i think its a kind of DOS attack.

Yes, irmtfan, thinking about you say, i agree with you. If this is implemented anyone can block account of anyone, includding admin account. Really this has that to be thought better before being implemented. So about the time limit for passwords i like this.

TheRplima

32

Re: How to force the users of ours site to use safe passwords?

2006/9/20 20:37
rplima2004
Just popping in
Posts: 70
Since: 2004/10/8

@hervet: Yes, this is a great idea. Although to run away a little to the target from hack. But I go to give one analyzed in this and perhaps make another one hack.

TheRplima

33

Re: How to force the users of ours site to use safe passwords?

2006/9/20 12:57
rplima2004
Just popping in
Posts: 70
Since: 2004/10/8

Thanks all for coments.

@bluenova: i have posted there, see the link

TheRplima

34

How to force the users of ours site to use safe passwords?

2006/9/20 4:41
rplima2004
Just popping in
Posts: 70
Since: 2004/10/8

First of all, I would like to ask for excuses me for my very poor English. I am strengtheing itself to be able to share with you some of my works.

Security is primordial nowadays. And as everything in the Internet that has a minimum of security demands the use of passwords, is necessary that uses safe passwords to keep its security and the security of the information of the site.

It is known that the majority of the users uses the same password for the majority of the sites that registers and that in the great majority these passwords are not very safe, therefore is short passwords, that remember some thing of the user, at last, this is a risk for you, its site and its users.

But, how to force the users of its site to use safe passwords?

It is simple, installs a quality passwords meter in your site and only allows registers that they reach definitive level of security defined for you.

In the last days some XOOPS sites in Brasil had been hacked and know, at least what it consists, that this invasion was made possible because the invader discovered the password of some user who possessed a weak password.

Was thinking about this that I developed this hack and I hope that with this I can help them to make more difficult the life of this type of person who invades sites to cause the chaos, it at least a little.

Well, go to start.

The first step is make backup of the files that you go edit to install the hack.
The files are:

- include/registerform.php
- edituser.php
- language/your_language/user.php
- modules/system/language/your_language/admin/preferences.php

Made backup, click here and download the necessary files.

Open the files include/registerform.php and edituser.php text editor and only substitutes the code of creation of password field for this:

Quote:

##################################################################################################
# Password Quality Meter
# Type: Core Hack
# Description: This hack creates a Password Quality Meter for the user in the register or edition
# profile form. It only enable the send form button case the typed password reach the level of
# security defined for you in the administration (System Admin=>Preferences=>Users Config).
##################################################################################################
# Rodrigo Pereira Lima aka TheRplima
# therplima@gmail.com
# Last Update: 16/09/2006
# See the hack in my sitehttp://www.xoops.net.br/register.php
##################################################################################################
include_once XOOPS_ROOT_PATH."/include/passwordquality.php";
##################################################################################################
# End of Hack
##################################################################################################

Original password form field creation code in include/registerform.php:
Quote:

$reg_form->addElement(new XoopsFormPassword(_US_PASSWORD, "pass", 10, 32, $myts->htmlSpecialChars($pass)), true);

Original password form field creation code in edituser.php:
Quote:

$pwd_text = new XoopsFormPassword('', 'password', 10, 32);

Made this, the next step is to include the used texts in hack in the definitions of language of xoops.
Opens the file language/your_language/user.php and in the end of the file, before ?> includes the stretch below:
Quote:

##################################################################################################
# Password Quality Meter
# Type: Core Hack
# Description: This hack creates a Password Quality Meter for the user in the register or edition
# profile form. It only enable the send form button case the typed password reach the level of
# security defined for you in the administration (System Admin=>Preferences=>Users Config).
##################################################################################################
# Rodrigo Pereira Lima aka TheRplima
# therplima@gmail.com
# Last Update: 16/09/2006
# See the hack in my sitehttp://www.xoops.net.br/register.php
##################################################################################################
define('_US_REGFORM_NOJAVASCRIPT', 'To register in this site the Javascript of your browser must be enable. Enable it and try again!');
define('_US_REGFORM_WARNING', 'To register in this sitee you will be use a safe password. Try to create your passwords using a mix of letters (case sensitive), numbers and symbols.');
##################################################################################################
# End of Hack
##################################################################################################

Open now modules/system/language/your_language/admin/preferences.php and in the end of the file, before ?> includes the stretch below:
Quote:

##################################################################################################
# Password Quality Meter
# Type: Core Hack
# Description: This hack creates a Password Quality Meter for the user in the register or edition
# profile form. It only enable the send form button case the typed password reach the level of
# security defined for you in the administration (System Admin=>Preferences=>Users Config).
##################################################################################################
# Rodrigo Pereira Lima aka TheRplima
# therplima@gmail.com
# Last Update: 16/09/2006
# See the hack in my sitehttp://www.xoops.net.br/register.php
##################################################################################################
define("_MD_AM_PASSLEVEL","Minimun password security");
define("_MD_AM_PASSLEVEL_DESC","Define which the minimum level of security for the passwords of the users.");
define("_MD_AM_PASSLEVEL1","Unsafe");
define("_MD_AM_PASSLEVEL2","Weak");
define("_MD_AM_PASSLEVEL3","Fair");
define("_MD_AM_PASSLEVEL4","Strong");
define("_MD_AM_PASSLEVEL5","Safe");
define("_MD_AM_PASSLEVEL6","Not rated");
##################################################################################################
# End of Hack
##################################################################################################

Soon, the alterations are made, copy the files passwordquality.php, passwordquality.js and percent_bar.js for inside of the folder include of its site.

We now go effectively to install hack in xoops. Copy the file Securitypasshack_install.php for the root of its site. Make a login as admin and access XOOPS_URL/securitypasshack_install.php.

It is very fast and if everything ok you will receive a success message and will be redirected for the main page of its site.

Erase the file Securitypasshack_install.php to prevent problems.

The installation is complete, it goes now in System Admin=>Preferences=>Users Config and sees if the length of the password and the level of security are in accordance with its necessities and are felt safer!

I hope that they have liked.

Here the link of original post in my site (Portuguese).

TheRplima

35

Re: Two or more admins possible?

2006/9/18 2:14
rplima2004
Just popping in
Posts: 70
Since: 2004/10/8

Hi RImark,

To create a new administrator for the site it is enough to add the user to the group webmaster, thus will have the same options that original admin.

About emails for the administrator, they will be sent to the address registered in system admin/preferences.

If you want that all the adminstrators receive these emails must make a email redirect on the panel of your server.

Holpe its help you

TheRplima

36

Re: Upload locations

2006/9/18 2:06
rplima2004
Just popping in
Posts: 70
Since: 2004/10/8

Sorry, I forgot to speak about ranks. The idea is the same of the smile. Only open the file module/system/admin/userrank/main.php and make the changes in the upload code as you made with smiles.

Quote:

$uploader = new XoopsMediaUploader(XOOPS_UPLOAD_PATH.'/ranks', array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/x-png'), 100000, 120, 120);

Quote:

$rank_image = 'ranks/'.$uploader->getSavedFileName();

TheRplima

37

Re: Upload locations

2006/9/18 1:55
rplima2004
Just popping in
Posts: 70
Since: 2004/10/8

Hi X-Ception,

Really this is very simple. First make a backup of the file module/system/admin/smilies/main.php

Open the file and look at line 64 or search for
case "SmilesAdd":

In the upload code, change the line:
Quote:

$uploader = new XoopsMediaUploader(XOOPS_UPLOAD_PATH, array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/x-png'), 100000, 120, 120);

for:
Quote:

$uploader = new XoopsMediaUploader(XOOPS_UPLOAD_PATH.'/smile', array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/x-png'), 100000, 120, 120);

and the line:
Quote:

$smile_url = $uploader->getSavedFileName();

for:
Quote:

$smile_url = 'smile/'.$uploader->getSavedFileName();

Now, on the line 106 (case "SmilesSave":)
Change the upload area again
Quote:

$uploader = new XoopsMediaUploader(XOOPS_UPLOAD_PATH, array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/x-png'), 100000, 120, 120);

for:
Quote:

$uploader = new XoopsMediaUploader(XOOPS_UPLOAD_PATH.'/smile', array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/x-png'), 100000, 120, 120);

and the line:
Quote:

$smile_url = $uploader->getSavedFileName();

for:
Quote:

$smile_url = 'smile/'.$uploader->getSavedFileName();

Save the file. Now, create the folder uploads/smile and change the write permissions. (chmod 777).
Move all smilies files to the new folder and change in the table prefix_smiles the field smile_url. Only add the smile/ before the name of the file for all the smilies.

Done. Now, all new smile will be saved in the new folder and normally shown in your site.

Hope it helps

TheRplima

38

Re: register to a custom group

2006/9/17 0:03
rplima2004
Just popping in
Posts: 70
Since: 2004/10/8

Hi,

Look this.

Sorry but the link is on my site and translated by google, but certanly can help you.

TheRplima

39

Re: New Members Block

2006/9/12 14:08
rplima2004
Just popping in
Posts: 70
Since: 2004/10/8

Hi xfranc,

Yes, its possible.

Change the function b_system_newmembers_show in the file XOOPS_ROOT_PATH/modules/system/blocks/system_blocks.php like this.

Quote:

function b_system_newmembers_show($options)
{
$block = array();
$criteria = new CriteriaCompo(new Criteria('level', 0, '>'));
$limit = (!empty($options[0])) ? $options[0] : 10;
$criteria->setOrder('DESC');
$criteria->setOrder('DESC');
$criteria->setSort('user_regdate');
$criteria->setLimit($limit);
$member_handler =& xoops_gethandler('member');
$newmembers = $member_handler->getUsers($criteria);
$count = count($newmembers);
//hacked by rplima
$showGroups = array('1'); //Put in this array the ids of groups you want to show. In the example only menbers of admin group will be shown.
for ($i = 0; $i < $count; $i++) {
$groups =& $member_handler->getGroupsByUser($newmembers[$i]->getVar('uid'));
foreach($showGroups as $group){
if (in_array($group,$groups)){
if ( $options[1] == 1 ) {
$block['users'][$i]['avatar'] = $newmembers[$i]->getVar('user_avatar') != 'blank.gif' ? XOOPS_UPLOAD_URL.'/'.$newmembers[$i]->getVar('user_avatar') : '';
} else {
$block['users'][$i]['avatar'] = '';
}
$block['users'][$i]['id'] = $newmembers[$i]->getVar('uid');
$block['users'][$i]['name'] = $newmembers[$i]->getVar('uname');
$block['users'][$i]['joindate'] = formatTimestamp($newmembers[$i]->getVar('user_regdate'), 's');
}
}
}
//end of hack
return $block;
}

att

Rodrigo

40

Re: News topic Image "title" - How do i add it?

2006/9/12 13:09
rplima2004
Just popping in
Posts: 70
Since: 2004/10/8

Hi,

Change the function below and insert the title. This function is on the file XOOPS_ROOT_PATH/modules/news/class/class.newsstory.php
Quote:

function imglink()
{
$ret = '';
if ($this->topic_imgurl() != '' && file_exists(XOOPS_ROOT_PATH."/modules/news/images/topics/".$this->topic_imgurl())) {
$ret = "<a href='".XOOPS_URL."/modules/news/index.php?storytopic=".$this->topicid()."'><img src='".XOOPS_URL."/modules/news/images/topics/".$this->topic_imgurl()."' alt='".$this->topic_title()."' hspace='10' vspace='10' align='".$this->topicalign()."' /></a>";
}
return $ret;
}

att

Rodrigo

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Forum Index

Re: How to force the users of ours site to use safe passwords?

Re: How to force the users of ours site to use safe passwords?

Re: How to force the users of ours site to use safe passwords?

How to force the users of ours site to use safe passwords?

Re: Two or more admins possible?

Re: Upload locations

Re: Upload locations

Re: register to a custom group

Re: New Members Block

Re: News topic Image "title" - How do i add it?

Login

Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Re: NewBB v 5.1.0 b 6

Re: NewBB v 5.1.0 b 6

NewBB v 5.1.0 b 6

Re: XOOPS 2.5.11 search user is not working

Re: oledrion

Re: oledrion

Re: oledrion

Re: oledrion

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}