Phpnuke verify user name to get file

[BigBoss]

I have a phpnuke website, and I am looking to create an installer that will verify that the person is a member before installing the files.... Its the verify that I have a problem with..... Any kind help on how to query the username and pass before allowing download....?

[Corey]

OK:

1. What have you done so far toward this goal?
2. What results did your effort bring you?
3. Where exactly are you running into trouble?

Once we know those things it'll be a lot easier to help.

Corey Milner
Creative Director, Indigo Rose Software

[BigBoss]

I have tryed to include the file reference to modules.php?name=Your_Account, and the strings username and user_password, but to no avail..... Here is the code for the user login file, there is a security image, but there are ways aroud that.. The problem is to send a hidden value to the Your_Account page and recieve a reply, I think... But I am NOT a php guru yet... ;-)


<?php

/************************************************** **********************/
/* PHP-NUKE: Web Portal System */
/* =========================== */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************** **********************/

if (eregi("block-Login.php", $_SERVER['PHP_SELF'])) {
Header("Location: index.php");
die();
}

global $admin, $user, $sitekey;

mt_srand ((double)microtime()*1000000);
$maxran = 1000000;
$random_num = mt_rand(0, $maxran);
$datekey = date("F j");
$rcode = hexdec(md5($_SERVER[HTTP_USER_AGENT] . $sitekey . $random_num . $datekey));
$code = substr($rcode, 2, 6);

$content = "<form action=\"modules.php?name=Your_Account\" method=\"post\">";
$content .= "<center><font class=\"content\">"._NICKNAME."
";
$content .= "<input type=\"text\" name=\"username\" size=\"10\" maxlength=\"25\">
";
$content .= ""._PASSWORD."
";
$content .= "<input type=\"password\" name=\"user_password\" size=\"10\" maxlength=\"20\">
";
$content .= "<input type=\"hidden\" name=\"random_num\" value=\"$random_num\">";
$content .= "<input type=\"hidden\" name=\"gfx_check\" value=\"$code\">";
$content .= "<input type=\"hidden\" name=\"op\" value=\"login\">";
$content .= "<input type=\"submit\" value=\""._LOGIN."\"></font></center></form>";
$content .= "<center><font class=\"content\">"._ASREGISTERED."</font></center>";

if (is_admin($admin) AND is_user($user)) {
$content = "<center>"._ADMIN."
[ <a href=\"admin.php?op=logout\">"._LOGOUT."</a> ]</center>";
}

?>

[Corey]

If you are trying to check a username password combo then you need to query your database not your welcome page as far as I know. You may have to create a small script to do this which takes the info you send and compares it with your database.

Corey Milner
Creative Director, Indigo Rose Software

[BigBoss]

Too hard for me.. Any body can help...? ;;-)

[Corey]

Indigo Rose doesn't reccomend that users process secure info or people's personal info until they understand the ramifications. PHP and MySQL are both very fun and easy to learn, but for users who don't wish to learn yet still wish to process secure info we reccomend hiring someone who has a firm understanding of the issue in order to ensure best results.

Corey Milner
Creative Director, Indigo Rose Software

[BigBoss]

Well, I fanally managed to get the submit to web function to work, but now I have another problem.... I need to use the php function : $pass = md5($pass);

to create an md5 hash password. About as secure as it gets..... But the input from the installer has to be coded BEFORE being submitted as a variable to the nuke website....

Any help ? How can I get the installer to use that function and recuperate the variable for a submit ?

[Corey]

You can't run PHP client side unless your host machine is running a PHP equipped server or unless you have some sort of command line utility or binary version present on your end user's machine. And unless you have that there's no way to encrypt using PHP "before" sending to the server. PHP is a server side technology, whereas you wish to do client side encryption, so PHP is not really a reccomended application in this case.

Try searching Google to see if you can find a freeware command line utility to encrypt strings using md5. I use one that uses blowfish and it's excellent for example...

Corey Milner
Creative Director, Indigo Rose Software

[BigBoss]

If I can find that, what would be the code then to send from an internal Setup Factory code "Password = %password%" command, then back again from the encyption prog.....? ;-p

[Corey]

Just use the same submit to web action you've been using, you can assign any name you like to the value...

Corey Milner
Creative Director, Indigo Rose Software

[BigBoss]

And what about using a visual basic add-on....? I am sorry for all the questions.. ;-p

[Corey]

Sorry, I'm not sure about that personally, maybe someone else knows...

Corey Milner
Creative Director, Indigo Rose Software

[BigBoss]

What about this code...? Its a php script that just takes a value inserted into a window and sends out a hashed pass..... All I added where the lines :
"<%password%>$text</%password%>";
echo"<SUF60>%password%</SUF60>";
echo"<%password%>";
The value $text is the encoded pass....... Will that do the job ?

<?php
// Setup Help script Submit to Web
$version = "1.25";

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<title>MD5 Encryption Mod</title>
<meta **********="Content-Type" content="text/html; charset=ISO-8859-1" />
<style type="text/css">
<!--
body { font-family: "arial", "helvetica", sans-serif; font-size: 10pt; }
-->
</style>
</head>
<body>

<?php

// Declare some functions for encryption not included in PHP


// Check to see if form has been submitted yet
if(isset($_POST['submit'])) {

// Yes, so make sure they filled something in
$text = $_POST['text'];



// Looks good, so clean up data
$text = urldecode(stripslashes($text));

// Make copy of original text for later display
$orig_text = $text;
$orig_text = htmlentities($orig_text);
echo("

$orig_text converts to:</p>\n");

// De/Encrypt based on selection in form
switch ($_POST['cryptmethod']) {

case 'md5':
$text = md5($text);
break;

default:
die("

That encryption type is not supported.</p>\n");
} // end switch

// Convert to HTML entities so special chars show up
$text = htmlentities($text);

// Display result to the screen
echo("

$text</p>\n");

} // end if
"<%password%>$text</%password%>";
echo"<SUF60>%password%</SUF60>";
echo"<%password%>";
?>

<!-- begin form -->
<center>
<form action="<?php echo($_SERVER['PHP_SELF']); ?>" method="post">
<textarea name="text" rows="5" cols="50"><?php if (isset($orig_text)) { echo($orig_text); } ?></textarea>

<select name="cryptmethod">

<option value="md5">MD5 Crypt (one way)</option>

</select>

<input type="submit" name="submit" value="OK" />
<input type="reset" value="Clear" />
</form>
</center>
<!-- end form -->


</body>
</html>

[BigBoss]

OK, I seem to be anszwering my own questions, but I created an easier script, to md5.php to create the md5 hash :
<?
$password = md5($password);
echo"<SUF60>"%md5pass%"</SUF60>";
echo"<%md5pass%>$password</%md5pass%>";
echo"<%md5pass%>";
?>

Ok, here is what I have.....

A submit to web function with :
http://%url%/md5.php
Parameters password ="$password"

A modify registry command, that sets the function Value Name " Password, and value data = %md5pass%.......

Then a READ from registry, variable name ="%md5pass%" value name Password......

And thats where it screws up... The value %md5pass% in never added to the registry.... Just the value "false" par default....

Any more help, pretty please ? ;-p

[Corey]

You are attempting to send unencrypted password information using submit to web, this is not advised.

Corey Milner
Creative Director, Indigo Rose Software