zc923, erissiva
It is easy for me to write a script which will scan your sites with a regular expression and get all email addresses....
1 2005-04-10 09:22
Re: Check out this freeware program - recommended for webmasters (8 replies, posted in General discussion)
2 2005-04-10 06:22
Re: Security of Pun's authentication (58 replies, posted in General discussion)
Actually, it will
If my HTTP_X_FORWARDED_FOR (or any part of the auth) changes during the session, I'm logged out
Do you really do it often? I don't think so....
If yes, you can remove this option from the function.
3 2005-04-09 20:25
Re: Security of Pun's authentication (58 replies, posted in General discussion)
Erm, you have the Mark Topics as Read mod in there
And some of the data in your AuthHash can change very easily (un-intentionally that is, like by a proxy server which only sometimes sends x_forwarded_for or a privacy nut who changes proxies every 10 seconds)
As you can see.... this will not affect authentication.
For example, what will happen if you change 'HTTP_X_FORWARDED_FOR'?....
4 2005-04-09 17:06
Re: Security of Pun's authentication (58 replies, posted in General discussion)
So here is what we added and modified:

functions.php

////////////////////////////////////////////////////////////////////////////////////////////////////
// Check personal user data
// Replaces check_cookie(): the user id and password hash now live in the PHP session instead of
// the cookie, and the session is tied to the environment hash recorded by pun_start_session()
////////////////////////////////////////////////////////////////////////////////////////////////////
function check_info(&$pun_user)
{
	// Only start the session if nothing has started it yet; a second session_start() raises a notice
	if (session_id() === '')
		session_start();

	global $db, $pun_config, $cookie_name, $cookie_seed;

	$now = time();

	// Accept the session only for a real user (id > 1, i.e. not the guest account) whose current
	// request environment still hashes to the value stored at login
	if (isset($_SESSION['user_id']) && $_SESSION['user_id'] > 1 && !empty($_SESSION['info']) && AuthHash() === $_SESSION['info'])
	{
		$result = $db->query('SELECT u.*, g.*, o.logged, o.idle FROM '.$db->prefix.'users AS u INNER JOIN '.$db->prefix.'groups AS g ON u.group_id=g.g_id LEFT JOIN '.$db->prefix.'online AS o ON o.user_id=u.id WHERE u.id='.intval($_SESSION['user_id'])) or error('Unable to fetch user information', __FILE__, __LINE__, $db->error());
		$pun_user = $db->fetch_assoc($result);

		// If user authorisation failed (unknown id, or the password was changed since login)
		if (!isset($pun_user['id']) || $pun_user['password'] !== $_SESSION['password_hash'])
		{
			set_default_user();
			return;
		}

		// Set a default language if the user selected language no longer exists
		if (!@file_exists(PUN_ROOT.'lang/'.$pun_user['language']))
			$pun_user['language'] = $pun_config['o_default_lang'];

		// Set a default style if the user selected style no longer exists
		if (!@file_exists(PUN_ROOT.'style/'.$pun_user['style'].'.css'))
			$pun_user['style'] = $pun_config['o_default_style'];

		if (!$pun_user['disp_topics'])
			$pun_user['disp_topics'] = $pun_config['o_disp_topics_default'];
		if (!$pun_user['disp_posts'])
			$pun_user['disp_posts'] = $pun_config['o_disp_posts_default'];

		// Left over from check_cookie(); $expire is no longer used since no cookie is set here
		if ($pun_user['save_pass'] == '0')
			$expire = 0;

		// MOD: MARK TOPICS AS READ - 4 LINES NEW CODE FOLLOW
		if ($pun_user['read_topics'])
			$pun_user['read_topics'] = unserialize($pun_user['read_topics']);
		else
			$pun_user['read_topics'] = array();

		// Define this if you want this visit to affect the online list and the users last visit data
		if (!defined('PUN_QUIET_VISIT'))
		{
			// Update the online list
			if (!$pun_user['logged'])
				$db->query('INSERT INTO '.$db->prefix.'online (user_id, ident, logged) VALUES('.$pun_user['id'].', \''.$db->escape($pun_user['username']).'\', '.$now.')') or error('Unable to insert into online list', __FILE__, __LINE__, $db->error());
			else
			{
				// Special case: We've timed out, but no other user has browsed the forums since we timed out
				if ($pun_user['logged'] < ($now-$pun_config['o_timeout_visit']))
				{
					//$db->query('UPDATE '.$db->prefix.'users SET last_visit='.$pun_user['logged'].' WHERE id='.$pun_user['id']) or error('Unable to update user visit data', __FILE__, __LINE__, $db->error());
					// MOD: MARK TOPICS AS READ - 1 LINE MODIFIED CODE FOLLOWS
					$db->query('UPDATE '.$db->prefix.'users SET last_visit='.$pun_user['logged'].', read_topics=NULL WHERE id='.$pun_user['id']) or error('Unable to update user visit data', __FILE__, __LINE__, $db->error());

					$pun_user['last_visit'] = $pun_user['logged'];
				}

				$idle_sql = ($pun_user['idle'] == '1') ? ', idle=0' : '';
				$db->query('UPDATE '.$db->prefix.'online SET logged='.$now.$idle_sql.' WHERE user_id='.$pun_user['id']) or error('Unable to update online list', __FILE__, __LINE__, $db->error());
			}
		}

		$pun_user['is_guest'] = false;
	}
	else
		set_default_user();
}


////////////////////////////////////////////////////////////////////////////////////////////////////
// Return hash of the user's environment
////////////////////////////////////////////////////////////////////////////////////////////////////
function AuthHash()
{
	// REMOTE_ADDR is always present; the request headers are optional, so a missing one
	// contributes the empty string instead of an undefined-index notice
	$env = $_SERVER['REMOTE_ADDR'];
	foreach (array('HTTP_USER_AGENT', 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_X_FORWARDED_FOR') as $key)
		$env .= isset($_SERVER[$key]) ? (string)$_SERVER[$key] : '';

	return md5($env);
}


////////////////////////////////////////////////////////////////////////////////////////////////////
// Put personal user data into the session
////////////////////////////////////////////////////////////////////////////////////////////////////
function pun_start_session($user_id, $password_hash)
{
	if (session_id() === '')
		session_start();

	// Issue a fresh session id at login so an id handed to the browser before login is not promoted
	session_regenerate_id();

	$_SESSION['user_id'] = $user_id;
	$_SESSION['password_hash'] = $password_hash;
	$_SESSION['info'] = AuthHash();
}


////////////////////////////////////////////////////////////////////////////////////////////////////
// Destroy the session
////////////////////////////////////////////////////////////////////////////////////////////////////
function pun_end_session()
{
	// session_destroy() requires an active session
	if (session_id() === '')
		session_start();

	$_SESSION = array();
	session_destroy();
}


common.php:115

	//check_cookie($pun_user);
	check_info($pun_user);


login.php:79

	//pun_setcookie($user_id, $form_password_hash, $expire);
	pun_start_session($user_id, $form_password_hash);


login.php:102

	//pun_setcookie(1, random_pass(8), time() + 31536000);
	pun_end_session();
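The following is an added, stand-alone example; it is not part of zc923's patch and not PunBB code. It replays the AuthHash() binding from the patch against the proxy case raised in the two posts above: the same user's next request arrives without an X-Forwarded-For header, so the stored fingerprint no longer matches and check_info() would drop the session. It also shows a narrower fingerprint (an assumption for comparison, not something the patch proposes) that tolerates that change while still rejecting a replay of the session from another address and browser. The request arrays, the function names auth_hash_full, auth_hash_narrow and session_valid, and the $stored value are all constructed for the demo.

```php
<?php
// Added example: behaviour of a session bound to an environment hash when a proxy
// header changes. The $_SERVER-like arrays below are constructed test data.

// Same inputs and concatenation as the patch's AuthHash(), but taking the server
// array as a parameter so several requests can be hashed in one script.
function auth_hash_full(array $server)
{
	$env = $server['REMOTE_ADDR'];
	foreach (array('HTTP_USER_AGENT', 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_X_FORWARDED_FOR') as $key)
		$env .= isset($server[$key]) ? (string)$server[$key] : '';
	return md5($env);
}

// Narrower binding (assumption, not in the patch): only the peer address and the
// browser string. Proxies add or drop X-Forwarded-For at will, and Accept-* headers
// can differ between requests from one browser, so they make poor session anchors.
function auth_hash_narrow(array $server)
{
	$ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
	return md5($server['REMOTE_ADDR'].'|'.$ua);
}

// The check check_info() performs: the hash stored at login must be identical
// (===, never ==) to the hash of the current request.
function session_valid($stored, array $server, $hash_fn)
{
	return $stored === call_user_func($hash_fn, $server);
}

// Constructed requests. $login is the login request; $same_user_no_xff is the same
// user a moment later, but this time the proxy did not send the header; $hijacker
// is the same session id replayed from a different host and browser.
$login = array(
	'REMOTE_ADDR'          => '203.0.113.10',
	'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux) Firefox/1.0',
	'HTTP_ACCEPT_ENCODING' => 'gzip,deflate',
	'HTTP_ACCEPT_LANGUAGE' => 'en-us,en;q=0.5',
	'HTTP_X_FORWARDED_FOR' => '192.168.1.23',
);

$same_user_no_xff = $login;
unset($same_user_no_xff['HTTP_X_FORWARDED_FOR']);

$hijacker = array(
	'REMOTE_ADDR'          => '198.51.100.7',
	'HTTP_USER_AGENT'      => 'Mozilla/5.0 (Windows NT 5.1) Firefox/1.0',
	'HTTP_ACCEPT_ENCODING' => 'gzip,deflate',
	'HTTP_ACCEPT_LANGUAGE' => 'en-us,en;q=0.5',
);

foreach (array('auth_hash_full', 'auth_hash_narrow') as $fn)
{
	// What pun_start_session() would store in $_SESSION['info'] at login time
	$stored = $fn($login);

	printf("%-16s  same user, XFF dropped by proxy: %s\n", $fn,
		session_valid($stored, $same_user_no_xff, $fn) ? 'still logged in' : 'LOGGED OUT');
	printf("%-16s  replay from another host/browser: %s\n", $fn,
		session_valid($stored, $hijacker, $fn) ? 'ACCEPTED' : 'rejected');
}
```

Run with `php` on the command line. auth_hash_full logs the legitimate user out as soon as the proxy omits the header, which is the complaint in the thread; auth_hash_narrow keeps that user logged in and still rejects the replay. Neither hash is a substitute for an unguessable session id: an attacker behind the same NAT who copies the victim's User-Agent defeats the narrow binding, so the environment hash is defence in depth on top of the session id, not the primary control.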
5 2005-04-08 16:08
Re: Security of Pun's authentication (58 replies, posted in General discussion)
but surely you still need to use a cookie for when the session expires?
Why? Is it an affirmation or a question?
6 2005-04-08 08:04
Re: Check out this freeware program - recommended for webmasters (8 replies, posted in General discussion)
downliner
In my opinion, the best way to protect website from spam search engines is to use email addresses in images.
7 2005-04-08 03:19
Re: Security of Pun's authentication (58 replies, posted in General discussion)
So we decided to try the session method of storing personal data.
Soon, I think, we'll tell you about the results.
8 2005-04-07 07:28
Re: Security of Pun's authentication (58 replies, posted in General discussion)
XuMiX bingo!
9 2005-04-06 19:45
Re: Security of Pun's authentication (58 replies, posted in General discussion)
Connorhd, Bwongar.com
What do you think about remaking Pun's authentication to use sessions?
10 2005-04-06 19:25
Re: Security of Pun's authentication (58 replies, posted in General discussion)
What do you think about remaking Pun's authentication to use sessions?
11 2005-04-06 00:42
Re: Security of Pun's authorization (3 replies, posted in Archive)
Dexus
?? ????????...?????????? ?? ??????? "???????????" ??? ???????...? ?????? ?????? ???? ?? ????????
?????? ??? ??????????...????? ?? ????????? ????????? ??????????? ? ???????? ????..??? ?????????? ...???????? ??????????...
12 2005-04-05 18:13
Re: Security of Pun's authentication (58 replies, posted in General discussion)
Connorhd
Simply, we decided to greatly improve it..... So I ask you.... Is it really necessary to improve it?... What can we improve, and how?
13 2005-04-05 17:49
Topic: Security of Pun's authentication (58 replies, posted in General discussion)
Hello, everybody!
Pun's cookie-based authentication is safe, isn't it?
Maybe someone has thought about it? Maybe someone has remade it?
What do you know about ways to "get through" it?
How can I improve this authentication?
14 2005-04-05 17:39
Topic: Security of Pun's authorization (3 replies, posted in Archive)
???? ??????!
???-?????? ??????????? ?? ??????????? ????????? ??????????? ?? ?????? ??????? ?? ????
???????????? ?? ???