Snitz Forums 2000
 Password Security Tweaks/Password Salting MODS

richfed
Average Member

United States
999 Posts

Posted - 23 March 2008 : 09:20:25
Due to a user's account being compromised recently [the User ID #2 issue reported elsewhere], I have been wanting to tighten up my password procedures. I have tried to implement both the Security Tweaks and Salting MODS.

I am using Snitz 3.4.05 - all security patches installed - and my database resides on a MS-SQL server.

A couple of questions first:
  1. Can the two of them be installed together without problems?
  2. Does the Salting MOD work on a SQL server?


Also, a couple of issues:
  1. I got the following error when I tried to install the Salting MOD:

    Microsoft VBScript compilation error '800a0414'

    Cannot use parentheses when calling a Sub

    /forum/forum/inc_header.asp, line 236

    UpdateSaltedPassword(strDBNTFUserName, MemberID, strEncodedPassword)
    --------------------------------------------------------------------^


  2. Regarding the Tweaks MOD: I think I have it installed correctly, but is there a way to change the variables?


So, right now, I do have the Security Tweaks MOD installed, but have temporarily given up on the Salting pending any solutions.

Thanks for any assistance!

Edited by - richfed on 23 March 2008 10:32:55

phy1729
Average Member

USA
589 Posts

Posted - 23 March 2008 : 09:45:42
This says to try:
CALL UpdateSaltedPassword(strDBNTFUserName, MemberID, strEncodedPassword)

richfed
Average Member

United States
999 Posts

Posted - 23 March 2008 : 10:32:18
Hey, GREAT! That worked! Thanks!

So, to answer my own questions, it looks like it works on MS-SQL and both MODS can be implemented together.

Still not sure about the variables in the Tweaks MOD ... must I hardcode them in the files?

phy1729
Average Member

USA
589 Posts

Posted - 23 March 2008 : 10:54:49
Have you looked at the admin_config_system.asp page?

richfed
Average Member

United States
999 Posts

Posted - 23 March 2008 : 11:49:45
But of course ... Sorry for my lameness!! Thank you again!

For anyone else having this difficulty, as far as I can tell, use the code: CALL UpdateSaltedPassword(strDBNTFUserName, MemberID, strEncodedPassword)

On inc_header, admin_login, and admin_login_short

leesh695
Junior Member

101 Posts

Posted - 23 March 2008 : 17:44:49
Cool, I was having that problem. I will have to try it when I get home :) Thanks for the info :D

richfed
Average Member

United States
999 Posts

Posted - 29 March 2008 : 11:07:53
Ok ...

A couple of users reported to me over the past week that they can no longer access their profile for editing purposes. I tested it this morning, and sure enough. One can log in to the forum normally, but if they try to log in to their profile page, the message received is: Invalid UserName or Password

I checked the changes I made to pop_profile.asp and it looks ok.

Any ideas on this issue?

campinmom03
Junior Member

USA
190 Posts

Posted - 29 March 2008 : 18:56:07
richfed,

Just thought I would let you know that I have the same issue as well. Muzishun is aware of it and is working on it. I'm sure he will get back to us with the fix soon.

Have a great day!
Terry

richfed
Average Member

United States
999 Posts

Posted - 30 March 2008 : 10:58:41
Thank you for that info, Terry. Glad to know it's not my copy and paste ability!!

I look forward to a resolution.

campinmom03
Junior Member

USA
190 Posts

Posted - 30 March 2008 : 11:43:50
You're welcome. I do too!

Have a great day!
Terry

Jezmeister
Senior Member

United Kingdom
1141 Posts

Posted - 30 March 2008 : 13:01:34
I expect muzishun will have a proper fix soon. I've had a quick look at the code and rustled up a possible fix for you; keep in mind I don't have the means to test it, so you might want to avoid trying it live, and do back up your file first... (I only did it cos I was bored, I'll be honest)

The change is in pop_profile at line 793 on. Find the code that looks similar to this and make the changes in red (or just c&p)

if strAuthType = "db" then
	if strDBNTUserName = "" then
		strDBNTUserName = Request.Form("Name")
	end if
end if

strEncodedPassword = sha256("" & Request.Form("Password") & strPasswordSalt) ' hash of password + salt
strEncodedPassword2 = sha256("" & Request.Form("Password")) ' hash of password alone, no salt


'## Forum_SQL
strSql = "SELECT " & strMemberTablePrefix & "MEMBERS.MEMBER_ID"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_NAME"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_USERNAME"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_EMAIL"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_FIRSTNAME"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_LASTNAME"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_LEVEL"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_TITLE"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_PASSWORD"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_AIM"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_ICQ"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_MSN"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_YAHOO"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_COUNTRY"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_POSTS"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_CITY"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_STATE"
' strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_HIDE_EMAIL"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_RECEIVE_EMAIL"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_DATE"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_PHOTO_URL"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_HOMEPAGE"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_LINK1"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_LINK2"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_AGE"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_DOB"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_MARSTATUS"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_SEX"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_VIEW_SIG"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_SIG_DEFAULT"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_OCCUPATION"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_HOBBIES"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_LNEWS"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_QUOTE"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_BIO"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_SIG"
strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS"
strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(strDBNTUserName, "SQLString") & "' "
if strAuthType = "db" then
	strSql = strSql & " AND M_PASSWORD = '" & ChkString(strEncodedPassword2,"SQLString") & "'"
end if

campinmom03
Junior Member

USA
190 Posts

Posted - 31 March 2008 : 05:36:44
Jez, I have not tried this (hopefully it helps someone) but I know Muzishun tried something similar. His patch did help me log into my site, edit my own profile as well as others; unfortunately it did not help the few members I have be able to log in (including my test accounts). We still get an error for login.asp. And there is probably something going on with the register.asp that needs a fix as well...

I hope he has a fix for this soon.

Have a great day!
Terry

muzishun
Senior Member

United States
1079 Posts

Posted - 31 March 2008 : 08:39:28
I am indeed working on this right now. Though campinmom's forum is based on the SHN build, I plan to test my changes against a base Snitz and update the whole MOD once I have tracked down all of the issues.

Thanks everybody for your patience and interest. Hopefully I'll have good news soon.

Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)

richfed
Average Member

United States
999 Posts

Posted - 06 April 2008 : 11:04:16
Tried that fix, Jezmeister, but it didn't work for me. Thanks for trying.

Is it the "salt" that is causing this?

campinmom03
Junior Member

USA
190 Posts

Posted - 06 April 2008 : 15:36:24
quote:
originally posted by richfed
Is it the "salt" that is causing this?


Not sure. Have you checked to see if there is an update for that mod at snitzbitz?

Also, did you do any modifications to that file before that mod?

In mine, I found the one thing I did prior, I had made a change so my users could not change certain fields after registration.

I tracked it down and it turned out to be a simple fix in my pop_profile.

My fix was found on line 1059 for my pop_profile.

if rs("M_LEVEL") = 3 then

(I only changed the value from 3 to 4 and it fixed my issue. Not sure if it will for you though).

Have a great day!
Terry

richfed
Average Member

United States
999 Posts

Posted - 13 April 2008 : 09:20:36
I don't find that line on my pop_profile ...

I was thinking of removing all the code for these two mods and going back to where I was before, but then it dawned on me that the passwords are now stored with salt and EVERYONE who has logged in since I installed it will be locked out. Myself included. Is this a correct assumption?

Can anyone assist on fixing this problem with no access to pop_profile.asp?
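
The two stored-password formats discussed in this thread, as an added example that is not part of any post and is not the MOD's code: a Python model of a members table in which login upgrades `sha256(password)` rows to `sha256(password & strPasswordSalt)`, showing that a page which still compares only the unsalted hash rejects exactly the accounts that have logged in since the upgrade. The salt value, the function names and the upgrade-on-login role given to UpdateSaltedPassword are assumptions; the sample accounts are constructed.

```python
import hashlib
import hmac

SALT = "constructed-site-salt"  # stands in for strPasswordSalt (assumed site-wide)

def legacy_hash(password: str) -> str:
    """Pre-MOD format: sha256(password)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: str = SALT) -> str:
    """Post-MOD format: sha256(password & strPasswordSalt)."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()

def login(members: dict, user: str, password: str) -> bool:
    """Accept either format; rewrite a legacy row as salted on success."""
    stored = members.get(user, "")
    if hmac.compare_digest(stored, salted_hash(password)):
        return True
    if hmac.compare_digest(stored, legacy_hash(password)):
        members[user] = salted_hash(password)  # assumed role of UpdateSaltedPassword
        return True
    return False

def check_unsalted_only(members: dict, user: str, password: str) -> bool:
    """A page that compares M_PASSWORD against sha256(password) alone."""
    return hmac.compare_digest(members.get(user, ""), legacy_hash(password))

def check_either(members: dict, user: str, password: str) -> bool:
    """Read-only check that tolerates both formats during migration."""
    stored = members.get(user, "")
    return any(hmac.compare_digest(stored, h)
               for h in (salted_hash(password), legacy_hash(password)))

def demo() -> dict:
    # Constructed sample data: both rows start in the legacy format.
    members = {"alice": legacy_hash("alice-pw"), "bob": legacy_hash("bob-pw")}
    before = check_unsalted_only(members, "alice", "alice-pw")
    login(members, "alice", "alice-pw")  # alice's row is now salted
    return {
        "alice_before_login": before,
        "alice_unsalted_page": check_unsalted_only(members, "alice", "alice-pw"),
        "alice_either": check_either(members, "alice", "alice-pw"),
        "bob_unsalted_page": check_unsalted_only(members, "bob", "bob-pw"),
        "wrong_password": check_either(members, "alice", "nope"),
    }
```

In this model every page that verifies a password has to use the same comparison as the login page, and removing the salted comparison after rows have been upgraded leaves those rows unmatchable until the password is reset.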