author | Meik Sievertsen <acydburn@phpbb.com> | 2006-03-25 17:21:32 +0000 |
---|---|---|
committer | Meik Sievertsen <acydburn@phpbb.com> | 2006-03-25 17:21:32 +0000 |
commit | 64fbadf3d6e05c00b7b72ed0f40d9c16f0806f3b (patch) | |
tree | d8311883ddf882ab0b233498e8d44aa0a0c7a220 /phpBB | |
parent | 1096b13c7e9594b5ef1c610d1d744ae01d8eabfa (diff) | |
changed the way re-authentication is handled, basically hardening the process.
- also forbid re-authenticating as another user.
needs further testing.
git-svn-id: file:///svn/phpbb/trunk@5724 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/includes/functions.php | 49 | ||||
-rw-r--r-- | phpBB/language/en/common.php | 62 | ||||
-rw-r--r-- | phpBB/styles/subSilver/template/login_body.html | 10 |
3 files changed, 73 insertions, 48 deletions
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index e49d459254..39068ccbb8 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -1368,6 +1368,14 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		$user->setup();
 	}
 
+	// Print out error if user tries to authenticate as an administrator without having the privileges...
+	if ($admin && !$auth->acl_get('a_'))
+	{
+		// Not authd
+		add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
+		trigger_error('NO_AUTH_ADMIN');
+	}
+
 	if (isset($_POST['login']))
 	{
 		$username = request_var('username', '');
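Review bot: The new privilege check sits before `if (isset($_POST['login']))`, so it fires on every rendering of the admin login box rather than only on a submitted attempt; each non-admin request that merely reaches this point writes a `LOG_ADMIN_AUTH_FAIL` entry, which can be used to flood the admin log. Keeping `trigger_error('NO_AUTH_ADMIN')` unconditional but moving the `add_log(...)` under the POST branch (or recording the session user id so entries are attributable) would limit the log to real attempts. login_box starts before this hunk and continues past it.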
@@ -1376,27 +1384,35 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		$viewonline = (!empty($_POST['viewonline'])) ? 0 : 1;
 		$admin = ($admin) ? 1 : 0;
 
+		// Check if the supplied username is equal to the one stored within the database if re-authenticating
+		if ($admin && strtolower($username) != strtolower($user->data['username']))
+		{
+			// We log the attempt to use a different username...
+			add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
+			trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
+		}
+
 		// If authentication is successful we redirect user to previous page
 		$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
 
-		// The result parameter is always an array, holding the relevant informations...
-		if ($result['status'] == LOGIN_SUCCESS)
+		// If admin authentication and login, we will log if it was a success or not...
+		// We also break the operation on the first non-success login - it could be argued that the user already
+		// knows
+		if ($admin)
 		{
-			// If admin authentication
-			if ($admin)
+			if ($result['status'] == LOGIN_SUCCESS)
 			{
-				if ($auth->acl_get('a_'))
-				{
-					add_log('admin', 'LOG_ADMIN_AUTH_SUCCESS');
-				}
-				else
-				{
-					// Authenticated, but not having admin permissions
-					add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
-					trigger_error('NO_AUTH_ADMIN');
-				}
+				add_log('admin', 'LOG_ADMIN_AUTH_SUCCESS');
+			}
+			else
+			{
+				add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
 			}
+		}
 
+		// The result parameter is always an array, holding the relevant informations...
+		if ($result['status'] == LOGIN_SUCCESS)
+		{
 			$redirect = request_var('redirect', "index.$phpEx$SID");
 			meta_refresh(3, $redirect);
 
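Review bot: The username comparison in the new re-authentication guard uses loose `!=` on two strings, which PHP evaluates numerically when both look numeric (`'100'` and `'1e2'` compare equal), so a numeric-looking username can slip past the same-user rule; use strict comparison: `if ($admin && strtolower($username) !== strtolower($user->data['username']))`. `strtolower` is also byte-wise and does not fold non-ASCII letters; if the project keeps a normalised form of the username, comparing that form would be more robust, but whether one exists is not visible in this hunk. The guard does run before `$auth->login()`, so a mismatch is rejected before any password check, which is the right order. login_box continues outside the hunk.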
@@ -1485,7 +1501,10 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		'S_DISPLAY_FULL_LOGIN'	=> ($s_display) ? true : false,
 		'S_LOGIN_ACTION'		=> (!$admin) ? "{$phpbb_root_path}ucp.$phpEx$SID&mode=login" : "index.$phpEx$SID",
 
-		'S_HIDDEN_FIELDS'		=> $s_hidden_fields)
+		'S_HIDDEN_FIELDS'		=> $s_hidden_fields,
+
+		'S_ADMIN_AUTH'			=> $admin,
+		'USERNAME'				=> ($admin) ? $user->data['username'] : '')
 	);
 
 	page_header($user->lang['LOGIN']);
diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php
index 3b65324951..0a4be6edb3 100644
--- a/phpBB/language/en/common.php
+++ b/phpBB/language/en/common.php
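Review bot: `'USERNAME' => ($admin) ? $user->data['username'] : ''` places the stored username into the `value="{USERNAME}"` attribute of the login form; unless usernames are already HTML-escaped when stored (not visible here), it should pass through `htmlspecialchars()` so a name containing quotes or angle brackets cannot break out of the attribute: `'USERNAME' => ($admin) ? htmlspecialchars($user->data['username']) : ''`. If the project does escape on write, a one-line comment at this assignment saying so would save the next reader the same question. login_box starts before this hunk.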
@@ -268,36 +268,38 @@ $lang = array_merge($lang, array(
 	'MONTH'	=> 'Month',
 	'MOVE'	=> 'Move',
 
-	'NA'	=> 'N/A',
-	'NEWEST_USER'	=> 'Our newest member <b>%s%s%s</b>',
-	'NEW_MESSAGE'	=> 'New Message',
-	'NEW_MESSAGES'	=> 'New Messages',
-	'NEW_PM'	=> '<b>%d</b> new message',
-	'NEW_PMS'	=> '<b>%d</b> new messages',
-	'NEW_POST'	=> 'New post',
-	'NEW_POSTS'	=> 'New posts',
-	'NEXT'	=> 'Next',
-	'NO'	=> 'No',
-	'NONE'	=> 'None',
-	'NOT_WATCHING_FORUM'=> 'You no subscribe to updates on this forum',
-	'NOT_WATCHING_TOPIC'=> 'You are no longer subscribed to this topic.',
-	'NO_AUTH_OPERATION'	=> 'You do not have the neccessary permissions to complete this operation.',
-	'NO_BIRTHDAYS'	=> 'No birthdays today',
-	'NO_FORUM'	=> 'The forum you selected does not exist',
-	'NO_FORUMS'	=> 'This board has no forums',
-	'NO_GROUP'	=> 'The requested usergroup does not exist.',
-	'NO_MEMBERS'	=> 'No members found for this search criteria',
-	'NO_MESSAGES'	=> 'No Messages',
-	'NO_NEW_MESSAGES'	=> 'No new messages',
-	'NO_NEW_PM'	=> '<b>0</b> new messages',
-	'NO_NEW_POSTS'	=> 'No new posts',
-	'NO_POSTS'	=> 'No Posts',
-	'NO_SUCH_SEARCH_MODULE'	=> 'The specified search backend doesn\'t exist',
-	'NO_TOPIC'	=> 'The requested topic does not exist.',
-	'NO_TOPICS'	=> 'There are no topics or posts in this forum.',
-	'NO_UNREAD_PM'	=> '<b>0</b> unread messages',
-	'NO_USER'	=> 'The requested user does not exist.',
-	'NO_USERS'	=> 'The requested users do not exist',
+	'NA'	=> 'N/A',
+	'NEWEST_USER'	=> 'Our newest member <b>%s%s%s</b>',
+	'NEW_MESSAGE'	=> 'New Message',
+	'NEW_MESSAGES'	=> 'New Messages',
+	'NEW_PM'	=> '<b>%d</b> new message',
+	'NEW_PMS'	=> '<b>%d</b> new messages',
+	'NEW_POST'	=> 'New post',
+	'NEW_POSTS'	=> 'New posts',
+	'NEXT'	=> 'Next',
+	'NO'	=> 'No',
+	'NONE'	=> 'None',
+	'NOT_WATCHING_FORUM'	=> 'You no subscribe to updates on this forum',
+	'NOT_WATCHING_TOPIC'	=> 'You are no longer subscribed to this topic.',
+	'NO_AUTH_ADMIN'	=> 'You do not have admin permissions and therefore not allowed to access the administration control panel.',
+	'NO_AUTH_ADMIN_USER_DIFFER'	=> 'You are not able to re-authenticate as a different user.',
+	'NO_AUTH_OPERATION'	=> 'You do not have the neccessary permissions to complete this operation.',
+	'NO_BIRTHDAYS'	=> 'No birthdays today',
+	'NO_FORUM'	=> 'The forum you selected does not exist',
+	'NO_FORUMS'	=> 'This board has no forums',
+	'NO_GROUP'	=> 'The requested usergroup does not exist.',
+	'NO_MEMBERS'	=> 'No members found for this search criteria',
+	'NO_MESSAGES'	=> 'No Messages',
+	'NO_NEW_MESSAGES'	=> 'No new messages',
+	'NO_NEW_PM'	=> '<b>0</b> new messages',
+	'NO_NEW_POSTS'	=> 'No new posts',
+	'NO_POSTS'	=> 'No Posts',
+	'NO_SUCH_SEARCH_MODULE'	=> 'The specified search backend doesn\'t exist',
+	'NO_TOPIC'	=> 'The requested topic does not exist.',
+	'NO_TOPICS'	=> 'There are no topics or posts in this forum.',
+	'NO_UNREAD_PM'	=> '<b>0</b> unread messages',
+	'NO_USER'	=> 'The requested user does not exist.',
+	'NO_USERS'	=> 'The requested users do not exist',
 
 	'OCCUPATION'	=> 'Occupation',
 	'OFFLINE'	=> 'Offline',
diff --git a/phpBB/styles/subSilver/template/login_body.html b/phpBB/styles/subSilver/template/login_body.html
index 2fe915ac55..71d56061c5 100644
--- a/phpBB/styles/subSilver/template/login_body.html
+++ b/phpBB/styles/subSilver/template/login_body.html
@@ -29,11 +29,15 @@ <!-- ENDIF --> <tr> - <td><b class="gensmall">{L_USERNAME}:</b></td> - <td><input class="post" type="text" name="username" size="25" maxlength="40" value="{USERNAME}" tabindex="1" /><br /><a class="gensmall" href="{U_REGISTER}">{L_REGISTER}</a></td> + <td valign="top"><b class="gensmall">{L_USERNAME}:</b></td> + <td><input class="post" type="text" name="username" size="25" maxlength="40" value="{USERNAME}" tabindex="1" /> + <!-- IF not S_ADMIN_AUTH --> + <br /><a class="gensmall" href="{U_REGISTER}">{L_REGISTER}</a> + <!-- ENDIF --> + </td> </tr> <tr> - <td><b class="gensmall">{L_PASSWORD}:</b></td> + <td valign="top"><b class="gensmall">{L_PASSWORD}:</b></td> <td> <input class="post" type="password" name="password" size="25" maxlength="100" tabindex="2" /> <!-- IF U_SEND_PASSWORD --><br /><a class="gensmall" href="{U_SEND_PASSWORD}">{L_FORGOT_PASS}</a><!-- ENDIF --> |
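Review bot: During admin re-authentication the username field is still an editable text input pre-filled with `{USERNAME}`, even though the server now rejects any other name, so a user who edits it only learns the rule from the NO_AUTH_ADMIN_USER_DIFFER error after submitting. Inside an `<!-- IF S_ADMIN_AUTH -->` branch, mirroring the one added around the register link, the input could carry `readonly="readonly"` so the constraint is visible up front. This is a usability hint only; the server-side username check has to stay, because the attribute is trivially removable by the client.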