richfed
Average Member
United States
999 Posts |
Posted - 23 March 2008 : 09:20:25
|
Due to a user's account being compromised recently [the User ID #2 issue reported elsewhere], I have been wanting to tighten up my password procedures. I have tried to implement both the Security Tweaks and Salting MODS.
I am using Snitz 3.4.05 - all security patches installed - and my database resides on a MS-SQL server.
A couple of questions first:
- Can the two of them be installed together without problems?
- Does the Salting MOD work on a SQL server?
Also, a couple of issues:
- I get the following error when I tried to install the Salting MOD:
Microsoft VBScript compilation error '800a0414'
Cannot use parentheses when calling a Sub
/forum/forum/inc_header.asp, line 236
UpdateSaltedPassword(strDBNTFUserName, MemberID, strEncodedPassword)
--------------------------------------------------------------------^
- Regarding the Tweaks MOD: I think I have it installed correctly, but is there a way to change the variables?
So, right now, I do have the Security Tweaks MOD installed, but have temporarily given up on the Salting pending any solutions.
Thanks for any assistance!
Edited by - richfed on 23 March 2008 10:32:55 |
|
phy1729
Average Member
USA
589 Posts |
Posted - 23 March 2008 : 09:45:42
|
this says to try CALL UpdateSaltedPassword(strDBNTFUserName, MemberID, strEncodedPassword)
|
|
richfed
Average Member
United States
999 Posts |
Posted - 23 March 2008 : 10:32:18
|
Hey, GREAT! That worked! Thanks!
So, to answer my own questions, it looks like it works on MS-SQL and both MODS can be implemented together.
Still not sure about the variables in the Tweaks MOD ... must I hardcode them in the files?
|
|
phy1729
Average Member
USA
589 Posts |
Posted - 23 March 2008 : 10:54:49
|
Have you looked at the admin_config_system.asp page?
|
|
richfed
Average Member
United States
999 Posts |
Posted - 23 March 2008 : 11:49:45
|
But of course ... Sorry for my lameness!! Thank you again!
For anyone else having this difficulty, as far as I can tell, use the code: CALL UpdateSaltedPassword(strDBNTFUserName, MemberID, strEncodedPassword)
On inc_header, admin_login, and admin_login_short
|
|
leesh695
Junior Member
101 Posts |
Posted - 23 March 2008 : 17:44:49
|
cool i was having that problem i will have to try it when i get home :) Thanks for the info :D
|
|
richfed
Average Member
United States
999 Posts |
Posted - 29 March 2008 : 11:07:53
|
Ok ...
A couple of users reported to me over the past week that they can no longer access their profile for editing purposes. I tested it this morning, and sure enough. One can log in to the forum normally, but if they try to log-in to their profile page, the message received is: Invalid UserName or Password
I checked the changes I made to pop_profile.asp and it looks ok.
Any ideas on this issue?
|
|
campinmom03
Junior Member
USA
190 Posts |
Posted - 29 March 2008 : 18:56:07
|
richfed,
Just thought I would let you know that I have the same issue as well. Muzishun is aware of it and is working on it. I'm sure he will get back to us with the fix soon.
Have a great day! Terry |
|
|
richfed
Average Member
United States
999 Posts |
Posted - 30 March 2008 : 10:58:41
|
Thank you for that info, Terry. Glad to know it's not my copy and paste ability!!
I look forward to a resolution.
|
|
campinmom03
Junior Member
USA
190 Posts |
Posted - 30 March 2008 : 11:43:50
|
You're welcome. I do too!
Have a great day! Terry |
|
|
Jezmeister
Senior Member
United Kingdom
1141 Posts |
Posted - 30 March 2008 : 13:01:34
|
I expect muzishun will have a proper fix soon, I've had a quick look at the code and rustled up a possible fix for you, keep in mind I don't have the means to test it so you might want to avoid trying it live and do backup your file first... (i only did it cos i was bored, I'll be honest)
the change is in pop_profile at line 793 on. find the code that looks similar to this and make the changes in red (or just c&p)
|
|
campinmom03
Junior Member
USA
190 Posts |
Posted - 31 March 2008 : 05:36:44
|
Jez, I have not tried this (hopefully it helps someone) but I know Muzishun tried something similar. His patch did help me log into my site, edit my own profile as well as others, unfortunately it did not help the few members I have be able to log in, (including my test accounts). We still get an error for login.asp. And there is probably something going on with the register.asp that needs a fix as well...
I hope he has a fix for this soon.
Have a great day! Terry |
|
|
muzishun
Senior Member
United States
1079 Posts |
Posted - 31 March 2008 : 08:39:28
|
I am indeed working on this right now. Though campinmom's forum is based on the SHN build, I plan to test my changes against a base Snitz and update the whole MOD once I have tracked down all of the issues.
Thanks everybody for your patience and interest. Hopefully I'll have good news soon.
Bill Parrott Senior Web Programmer, University of Kansas Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com) Personal Website (www.chimericdream.com) |
|
|
richfed
Average Member
United States
999 Posts |
Posted - 06 April 2008 : 11:04:16
|
Tried that fix, Jezmeister, but it didn't work for me. Thanks for trying.
Is it the "salt" that is causing this?
|
|
campinmom03
Junior Member
USA
190 Posts |
Posted - 06 April 2008 : 15:36:24
|
quote: Originally posted by richfed
Is it the "salt" that is causing this?
Not sure. Have you checked to see if there is an update for that mod at snitzbitz?
Also, did you do any modifications to that file before that mod?
In mine, I found the one thing I did prior, I had made a change so my users could not change certain fields after registration.
I tracked it down and it turned out to be a simple fix in my pop_profile.
My fix was found on line 1059 for my pop_profile.
if rs("M_LEVEL") = 3 then
(I only changed the value from 3 to 4 and it fixed my issue. Not sure if it will for you though).
Have a great day! Terry |
|
|
richfed
Average Member
United States
999 Posts |
Posted - 13 April 2008 : 09:20:36
|
I don't find that line on my pop_profile ...
I was thinking of removing all the code for these two mods and going back to where I was before, but then it dawned on me that the passwords are now stored with salt and EVERYONE who has logged in since I installed it will be locked out. Myself included. Is this a correct assumption?
Can anyone assist on fixing this problem with no access to pop_profile.asp?
|
|
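An added illustration of the rollback concern raised in the post above; it is not code from Snitz or from the Salting MOD. It assumes the old format is an unsalted SHA-256 hex digest, that a record is converted to a salted form the first time its owner logs in, and it uses PBKDF2 as a stand-in for the salted format; all function and field names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the salted format


def legacy_hash(password):
    """Old format assumed here: unsalted SHA-256 hex digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """New format assumed here: PBKDF2-HMAC-SHA256 over a per-member salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def verify_legacy_only(member, password):
    """What rolled-back code would do: compare against the unsalted hash only."""
    return hmac.compare_digest(member["hash"], legacy_hash(password))


def verify_and_upgrade(member, password):
    """Accept either format; convert a legacy record to salted on a good login."""
    if member["salt"] is not None:
        return hmac.compare_digest(member["hash"], salted_hash(password, member["salt"]))
    if not hmac.compare_digest(member["hash"], legacy_hash(password)):
        return False
    member["salt"] = os.urandom(16)
    member["hash"] = salted_hash(password, member["salt"])
    return True


def demo():
    # Constructed sample records: "dormant" never logs in after the change, "active" does.
    dormant = {"salt": None, "hash": legacy_hash("correct horse")}
    active = {"salt": None, "hash": legacy_hash("battery staple")}
    upgraded = verify_and_upgrade(active, "battery staple")  # this login converts the record
    return {
        "upgraded_on_login": upgraded and active["salt"] is not None,
        "active_after_rollback": verify_legacy_only(active, "battery staple"),
        "dormant_after_rollback": verify_legacy_only(dormant, "correct horse"),
        "active_with_dual_check": verify_and_upgrade(active, "battery staple"),
        "wrong_password": verify_and_upgrade(active, "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under these assumptions, only records already converted stop verifying once the salt-aware check is removed; a verifier that keeps both paths continues to accept every member.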