1 (edited by CodeXP 2006-01-08 00:42)

Topic: Group Change Security MOD

##
##
##        Mod title:  Group Change Security MOD.
##
##      Mod version:  1.2
##   Works on PunBB:  1.2.x (Tested on 1.2.6 -> 10)
##     Release date:  2006-01-08
##           Author:  Öyvind A. Sörensen (oyvind.andre.sorensen@gmail.com)
##
##      Description:  Adds an additional security check when trying to 
##                    add/remove a user to/from the administrator or
##                    moderator groups.
##
##   Affected files:  config.php
##                    profile.php
##
##       Affects DB:  Yes
##                    Adds 3 columns to the users table, and adds a value
##                    to your config table
##
##            Notes:  This mod adds a security check when trying to add/remove
##                    moderators or administrators. It will mail a
##                    random 128 character verification key to the e-mail
##                    addresses specified in the config.php file, after
##                    asking to change groups.
##                    It will only be valid for the time specified in the
##                    configuration file (default: 300 sec.) and only for the
##                    requested usergroup (meaning if you wanted to
##                    add a user to the moderator group, the key is *only*
##                    valid for said group. You can't add a user to the admin
##                    group with a key requested for adding/removing a user
##                    to/from the moderator group)
##                    If the key doesn't get verified within that period, if the
##                    key was generated for another user group, or if an invalid 
##                    key gets entered, the user will stay within
##                    his/her current user group.
##
##
##       DISCLAIMER:  Please note that "mods" are not officially supported by
##                    PunBB. Installation of this modification is done at your
##                    own risk. Backup your forum database and any and all
##                    applicable files before proceeding.
##
##

Download

No demo, as that would kinda defeat the purpose of this mod wink

2 (edited by Smartys 2005-08-24 22:19)

Re: Group Change Security MOD

##   Affected files:  some_script.php
##                    include/foo.php

tongue

Edit: And couldn't you just change the email in admin_options.php, overriding any security benefit this mod has?

Re: Group Change Security MOD

Just noticed a small error in the install_mod.php file. I've updated the archive with the new file.

Re: Group Change Security MOD

Smartys wrote:

##   Affected files:  some_script.php
##                    include/foo.php

tongue

Edit: And couldn't you just change the email in admin_options.php, overriding any security benefit this mod has?

Sure you could change the e-mail, but you'd have to get admin access before that could happen.. Something this should help prevent wink

Re: Group Change Security MOD

but you need admin access to change the groups, so if you can change the groups you can change the email

6 (edited by Smartys 2005-08-24 22:43)

Re: Group Change Security MOD

Edit: What Connor said tongue

Re: Group Change Security MOD

Connorhd wrote:

but you need admin access to change the groups, so if you can change the groups you can change the email

lol

Shit, I kinda forgot about that... I'll have a new release ready tomorrow that'll fix that problem. I'll also add a function that does the same thing if trying to demote an admin..

8

Re: Group Change Security MOD

Yes indeed ... my idea is the owner of the forum has a protected email : only the OWNER can see the email. I hope this mod will figure in the 1.3 PunBB smile with this method, it would be very hard (impossible ?) to hack. I think it's the best way.

9

Re: Group Change Security MOD

In fact ...
if user tries to become admin, it will be automatically logged, excluded, banned and erased : it prevents from doing tests smile

if user tries to change its email with the owner forum email, he has the same fate.

at least, if the user wants to change the email (a ferocious hacker if it has succeeded !!!)
in profile.php, the form mail disappears : we see directly the email in html ... and if you want to change it, it asks your password (or for better security : a question / answer you have before created ?) In this way, impossible to do something ... my sortons.net@wanadoo.fr is MINE, anyone can access it through the forum, and all rights with this email are impossible to change.

Re: Group Change Security MOD

Connorhd wrote:

but you need admin access to change the groups, so if you can change the groups you can change the email

Excuse me if I sound stupid - I am a novice at both PHP and security - but could you just use a hard-coded email, rather than the one specified in the admin panel?

Looking for a certain modification for your forum? Please take a look here before posting.

Re: Group Change Security MOD

Yes wink

Re: Group Change Security MOD

Would CodeXP be kind enough to do this (unless of course he has another plan), or can someone tell me how to implement it myself (sorry if that sentence sounds rude or sarcastic - it's not supposed to). I really want to install this mod.

Re: Group Change Security MOD

In the code, in the pun_mail function, replace $pun_config['o_mailing_list'] with the email address (enclosed in 's)

Re: Group Change Security MOD

Smartys wrote:

In the code, in the pun_mail function, replace $pun_config['o_mailing_list'] with the email address (enclosed in 's)

Thanks! It worked!

And thanks to CodeXP for the mod!

15

Re: Group Change Security MOD

Sorry for the delay on the update. I'm about to change apartments right now, so I'm left without internet access at home until the end of this week.

I've already improved the plugin so that you will have to verify any demotions as well + hard-coded configuration in config.php

The next version is pretty much done, but I still need to write the documentation, and the updated install_mod.php

Re: Group Change Security MOD

CodeXP wrote:

Sorry for the delay on the update. I'm about to change apartments right now, so I'm left without internet access at home until the end of this week.

I've already improved the plugin so that you will have to verify any demotions as well + hard-coded configuration in config.php

The next version is pretty much done, but I still need to write the documentation, and the updated install_mod.php

Should we expect the new version anytime soon? If not, that's fine, I can use the current version. Just curious.

17

Re: Group Change Security MOD

pogenwurst wrote:
CodeXP wrote:

Sorry for the delay on the update. I'm about to change apartments right now, so I'm left without internet access at home until the end of this week.

I've already improved the plugin so that you will have to verify any demotions as well + hard-coded configuration in config.php

The next version is pretty much done, but I still need to write the documentation, and the updated install_mod.php

Should we expect the new version anytime soon? If not, that's fine, I can use the current version. Just curious.

Hehe, I kinda forgot about this.. I have already finished it, so I'll see if I can't get it posted soon smile

Re: Group Change Security MOD

Cool.

19 (edited by CodeXP 2006-01-08 00:44)

Re: Group Change Security MOD

Just uploaded a new version, as requested by pogenwurst smile

Get it here: http://www.punres.org/files.php?pid=111

New features:

* Verification key needed to both add a user to the mod/admin groups, and for removing a user from those groups
* Mail address and timeout hard-coded into config.php
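
The mechanism discussed in this thread (a 128-character key that is valid for a limited time and only for the requested group, with the mail address and timeout hard-coded rather than stored in the admin-editable config), as an added example that is not part of the original post and is not the mod's code. The function names, record fields, placeholder address and group ids are assumptions.

```php
<?php
// Added illustration, not the mod's code. All names here are hypothetical.
// Hard-coded in a file (as with config.php), not in the admin-editable config table,
// so someone who only has admin-panel access cannot redirect the key.
const GROUPCHANGE_MAIL    = 'owner@example.invalid'; // placeholder address
const GROUPCHANGE_TIMEOUT = 300;                     // seconds, the mod's default

// Issue a 128-character key bound to one target group. Returns [key, record].
// The record (what would be stored on the user row) holds only a hash of the key.
function issue_key(int $target_group, int $now): array
{
    $key = bin2hex(random_bytes(64)); // 64 random bytes -> 128 hex characters
    $record = [
        'key_hash'      => hash('sha256', $key),
        'request_group' => $target_group,
        'expires'       => $now + GROUPCHANGE_TIMEOUT,
    ];
    return [$key, $record];
}

// True only if a request is pending, it has not expired, it was issued for
// this exact group, and the supplied key matches (constant-time comparison).
function verify_key(?array $record, string $key, int $target_group, int $now): bool
{
    if ($record === null) {
        return false;
    }
    if ($now > $record['expires']) {
        return false;
    }
    if ($record['request_group'] !== $target_group) {
        return false;
    }
    return hash_equals($record['key_hash'], hash('sha256', $key));
}

// Constructed walk-through; group ids 1 (admin) and 2 (moderator) are assumed.
$now = time();
[$key, $record] = issue_key(2, $now);
// The key would be mailed to GROUPCHANGE_MAIL at this point.

var_dump(strlen($key));                                            // key length
var_dump(verify_key($record, $key, 2, $now + 60));                 // same group, in time
var_dump(verify_key($record, $key, 1, $now + 60));                 // key reused for admin group
var_dump(verify_key($record, $key, 2, $now + 301));                // after the timeout
var_dump(verify_key($record, str_repeat('0', 128), 2, $now + 60)); // wrong key
```

In a real integration the pending record would be cleared after the first verification attempt so a key cannot be replayed within its validity window.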

Re: Group Change Security MOD

CodeXP wrote:

Just uploaded a new version, as requested by pogenwurst smile

Hooray! I'll install tomorrow and tell you how it goes.

Thanks!

21

Re: Group Change Security MOD

pogenwurst wrote:
CodeXP wrote:

Just uploaded a new version, as requested by pogenwurst smile

Hooray! I'll install tomorrow and tell you how it goes.

Thanks!

np smile

Keep in mind that the install_mod.php script wasn't written for upgrading, so you'll get errors that some of the data already exists. I'll consider writing an update function, but until then, you could also just run the following query in phpmyadmin or a similar tool:

ALTER TABLE `users` ADD `mod_groupchange_request_group` INT( 10 ) ;

Re: Group Change Security MOD

I haven't gotten it working yet, but I think I copied and pasted wrong.

There's other work I need to get to right now, so I apologize but I might not be able to tell you if I get it working today. Sorry!

Re: Group Change Security MOD

I've gotten it working, thanks a bunch CodeXP!

I'm especially happy to have protection against demotion.
