UBB.Developers Forums UBB.classic V5 Mod Questions Logon System <-------- someone requested

Ok, since no one is willing to hack it so i did it my self, and now i wanted to share it to you all.


Well, i called this hack script as a Logon System . This Logon System will use the ubb's username/password for another part of the site.


In Action: http://www.vietmart.net/cgi-bin/boards/logon.cgi

Username: test
Password: test


Let get started, create a logon.cgi and copy & paste everything inside the 'code' into it:



look for This is where you put all the protected pages... and put your protected html or pages there. ONLY UBB MEMBER MAY ENTER. hope you all like this hack.

if you found any bugz, please report it to me

can you drop that into a txt file for us slow people...LOL

thanks

Coooool

Nice work, indeed
this even has more potential then just the ubb.......
You just made a general password protection program that needs people to register to the ubb in order to visit certain parts of a site.

cooooooool

------------------
Cougar's here, so have no fear
Webmaster of www.artbeast.de

You beat me to it
But nice job!

this is cool but it needs more features;

Can you add something so that only MODS/ADMINS may enter a pass to gain access

THIS COULD BE PROTECTION FOR CP.HTML!

------------------
All will wither, I await the tryst!

I cut and paste this code directly into a new file called "logon.cgi", I made no changes to it except to change the path to perl. I uploaded it to my server in ascii. It gives me a 500 server error.

------------------
When you sin, you don't fall FROM God's grace, you fall INTO it!!

Mrwebb: i didn't try this out yet, but one of the reasons why it might not work, is because UBB adds extra spaces between the "| |" (see how it comes out?).
So, for example, herethere should be no space between the |'s.

This is the url for the logon system code: http://vietmart.net/logon.txt


i can't edit my post; i got this error: We cannot post this because it appears that you are tring to hack the topic subject. Use your back button to try again.

Oh hey guys, can anyone add-in a logout(kill cookies) hack for this script? I am so lazy that i couldn't sit down to do that I'll give you credit on the logon system script.


- kool

Enjoy!

I have added few codes may be useful. Frankly. This is my first Perl progrmming. So, please edit to make it better.

Find :

sub CheckBioID {
if (($in{'UserName'} eq "") | | ($in{'Password'} eq "")) {

Add this below :

if ($in{'UserName'} eq "") {
$RequireUserNameColor = "";
$ShowUserNameInBox = "";
} else {
$RequireUserNameColor = "";
$ShowUserNameInBox = "value="$in{'UserName'}"";
}
if ($in{'Password'} eq "") {
$RequirePasswordColor = "";
$ShowPasswordInBox = "";
} else {
$RequirePasswordColor = "";
$ShowPassowrdInBox = "value="$in{'Password'}"";
}

Then find :

UserName:

ore that add :
$RequireUserNameColor
er it will like this :
$RequireUserNameColor UserName:

Then find :

Then add :
$ShowUserNameInBox

It should look likt this after:


Do the same for Password.

It's done. I hope you guys like it.

ilya, thanks!! That did the trick.

Rosemyths, there is something I do not understand about your addition:

1st, what is it supposed to do?
2nd, I have billions of references to "Username". Can you re-post your code with more to look for than just "Username:" please?

------------------
When you sin, you don't fall FROM God's grace, you fall INTO it!!

After few test. I have I fixed few bugs from original one.

In Action : http://www.claneoe.net/logon_test/logon.cgi
Download : http://www.claneoe.net/logon_test/logon.txt

• Correct the bug that won't show table color, bgcolor, table width, etc.
• Added redirect function.
• Added ($in{'UserName'}) field so if someone type a right username but wrong password. It only need to enter password again. (Username will show in the box.)
• Added wrong username and password warning.
• Correct Javascript error (Just change the place.)
• Added custom title instead of UBB title. You can use UBB title also. Up to you...
• Added custom UBB require file path so if you place in other dir out of UBB dir. You won't get 500 Internal Server Error.

I think that's all. Sigh, my first time to edit a Perl programming. Use me a lot of time. Please give me comment about my first edit. Take care.

Ok, maybe I am missing somthing here, but as far as I can tell all this script does is password protect the infomation within the script IE... "Put protected files here" So how does this script protect access to a directory or files? Once any member gets in, they could post the location of the files, and not have to be verified again. Also if this member was banned, they still could access it?

Correct the bug that won't show table color, bgcolor, table width, etc.

ok


Added redirect function.

good one.


Added ($in{'UserName'}) field so if someone type a right username but wrong password. It only need to enter password again. (Username will show in the box.)

i thought i have that?


Added wrong username and password warning.

i thought i have this?


Correct Javascript error (Just change the place.)

thanks


Added custom title instead of UBB title. You can use UBB title also. Up to you...

cool


Added custom UBB require file path so if you place in other dir out of UBB dir. You won't get 500 Internal Server Error.

nice one. i like this one.

anyway, very good job!

Anonymous, sorry. Haven't ask for your permission and change your coding.

Anyway, thanks. I think if it can add some level access, like moderator access. That's would be great. Take care all

yes! well, i didn't know that almost everyone needed this script, that's why i didn't really make it so perfect. I'll release another version with more features like email banned, ip banned, allow members or admins and modertors only, logging out etc... ?


if anyone have any other ideas what should be in the next version...just list it here, see if i can do it or not. thanks

mrwebb, I think this logon script only let user to logon but not locked the whole dir. like .htaccess

So, I think if you need to locked the whole dir. You need to get username and password and then encrypt into .htaccess and .htpasswd

I hope that I haven't say anything worng.

Rosemyths, you're right.


hmm, lock the whole dir? i'll try to do that.

This might be asking for a completely different hack, but would it be possible to make this work the opposite way with usernames/passwords also?

Through this the registration process can be deleted if you want only your registered members to have access to the UBB without entering each one manually. The username, password, and info combinations can be pulled from another file rather than (and/or in addition to) only having people sign up to the UBB through the UBB registration process.

Ah, I'm feeling a memberlist like vibration
Somehow I've got a feeling this addon is gonna be pretty big in the end

Very good work guys. I now have 4 different logon.cgi files and each one is setup to forward the yuser to a different category of my ubb. I love it.

Now, the section at the bottom of the cgi file "This is where you put all the protected pages...".

what is this for? Is this even used anymore?

------------------
When you sin, you don't fall FROM God's grace, you fall INTO it!!

That is by default. If you want to redirect, use redirect, if you want that section. Like you can show user to click where they want to. Edit that section.

Take care

This still doesn't protect pages that much, since all it does is if the username is right, redirects you to another page.
So, i tried it on mrwebb's UBB, and after I logon it just takes me to Ultimate.cgi. So, now i can just go straight to Ultimate.cgi.
We should put more protection on this, like check the referer of the page you're trying to protect. Something like this can be used for that:

Where in the login script do we place this ?


code:


if ($ENV{'HTTP_REFERER'} eq /login.cgi/i) {
&proceed;
}
else {
&StandardHTML="You can't access this page. Login first";
}

You would put it in the page you're trying to protect...

LA

Mattlee:
what I'd do, is in login.cgi (or whatever you called it) right after

add
Then at the end of the script after mainHTML }
add this:
Then in the page you're protecting add this:
In that case, when someone tried to access the 'protected' page, the script will check whether the referer is right. If it's not, the user will get an error. I hope that works.

I have to admit I have not used may ssi on my website, I'm not so sure the dang things work on my unix vserver .

I guess I coud check the users guide, duh.

But is there a trick as to where in my html I should put the thing ?
It has to go in between the tags right?

I know , dumb question, but hey ????

Sorry if I chip in with a stupid response but I copied the logon.txt into a notepad file named logon.cgi and it comes back saying the file misbehaved by not returning a complete set of HTTP headers.

"Undefined subroutine &main::ReadParse called at.....line 79."

I don't know much about code so can anyone give me a hint how to fix this? I can run other scripts but not this one. This script will save me if I can ever get it to work.

Thanks

make sure you have the require files:
you might have to check the path to the require files:


does that help?

That did the trick. Thanks for your help.

I think this Code hack ( Logon System is very nice ) but I have a very small comment.

we can avoid this logon but pointing our browsers to the Ultimate.cgi specially if I know the path.

for example if the Ultimate.cgi is placed in cgi-bin http://www.My-Domain.com/cgi-bin/Ultimate.cgi

Simply I can point my brwoser to it and it done I can bypass the Logong system ,

Even if I am a registered user and I know the path I would easily bypass the Logon.

Is that write or I am wrong.

Hey, if you guys want to protect your Ultimate.cgi, why not insert the logon.cgi source code into the Ultimate.cgi so you won't have to link your users to the logon.cgi and redirect them to the Ultimate.cgi!

How is the idea?


I didn't try it yet, but i'll try it later.

Here you go then guys, the script addition you have been asking for. This addition makes it so that you can specify if you want ONLY Administrators to access the area, it also give you the option to allow both Admin and Moderators but nobody else, or it will just do the same as normal and allow all registered users to access it.

In login.cgi FIND:

Below that ADD:

Next in the CheckBioID sub routine FIND:

REPLACE that with:
That's it, now just specify what protection level you want from the user altered field that you first added and your page is made Admin only.
This will work to protect your cpanel.html too, but remember like anything else this protection is not flawless and anybody who REALLY wants to hack your UBB could do.
Hope that helps some people.

I like this idea very much ... I think this would work well on my site because for some strange reason it often doesn't remember who you are when you come to the site so your "Private Messages" says none until you post a message and then the system recognizes that it's YOU ...

Where exactly whould you add this script in the Ultimate.cgi file?

~Kat


------------------
Donna
Cazic-Thule Corner

You wouldn't add this script into Ultimate.cgi, you would add Ultimate.cgi into this script.
Just copy and paste all the code from Ultimate.cgi into the place in login.cgi that says Insert HTML here... and then rename login.cgi as Ultimate.cgi and upload it.

I don't see an Insert HTML here anywhere in the login.cgi script.

Thanks for your timly reply, I just don't get it

~Kat

Sorry Kat, my bad, try putting it in this line (the other line doesn't exist I was just doing it from memory of a rough estimate of what it would say):

This is where you put all the protected pages...

Search for: sub ProcessEdit {
If you can find that then you will see a routine like this (not exactly it's edited but the beginning and the end are the same, not this is the last sub routine in your login.cgi):
Replace the statement I added about HTML crap with the code from Ultimate.cgi

Hope that's explains things better?

NOTE: Kat forget my first post of the two above this one (I realized that it wouldn't work because all the unneccessary html headers and stuff will interfere with the appearence of the Ultimate.cgi, instead use the second one (the one directly above)).