Snitz Forums 2000
 Password Security Tweaks/Password Salting MODS

campinmom03
Junior Member

USA
190 Posts

Posted - 13 April 2008 : 13:59:38
quote:
originally posted by richfed: I don't find that line on my pop_profile


On a clean pop_profile find this on line 801:


'## Forum_SQL

Then go down to about line 975 you will see:

if rs("M_LEVEL") = 3 then

Just change the value to 4 and see if that helps with the trouble you're having. Test it out. If it doesn't work, change it back to a value of 3.


quote:
I was thinking of removing all the code for these two mods and going back to where I was before, but then it dawned on me that the passwords are now stored with salt and EVERYONE who has logged in since I installed it will be locked out. Myself included. Is this a correct assumption?



I'm not sure what will happen if you remove both mods. I don't know what other mods you have.

In my experience with removing mods, I've had no adverse effects from removing them. IMO as long as you are careful with what you are removing you should be fine.

Anyway, if you do decide to go forth with removing both of them, do yourself a favor and do a backup first. Then only remove one mod at a time. Then test your changes. If all goes well, then you can proceed to taking the other mod off too. Of course, you should test that change too before assuming it was done correctly (as with any mod you attempt to install or remove). That is what I do. It is work to search for the code to take out, or put in, and frustrating to say the least. But well worth the trouble to prevent other problems in the end.

Have a great day!
Terry

richfed
Average Member

United States
999 Posts

Posted - 13 April 2008 : 16:16:47
OK - I finally found it [for some reason my search function wasn't locating it] - on line 1221 of a modded page. It didn't work in my case, though. I wasn't expecting it to. The salting thing changes the passwords in the database, but the pop_profile log-in doesn't seem to recognize that. I can log in fine on the forum everywhere else that I've tried.

*sigh*

muzishun
Senior Member

United States
1079 Posts

Posted - 13 April 2008 : 17:58:18
richfed, if you can post a link to a txt copy of your pop_profile.asp or email it to me, I'll take a look and see if I can track down the place where the login is being processed incorrectly.

Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)

campinmom03
Junior Member

USA
190 Posts

Posted - 13 April 2008 : 19:58:38
Could this be the problem?

line 1365 of my pop_profile.asp shows this:

strPassword = sha256("" & Request.Form("Password") & strPasswordSalt)


edited to say: I have fixed this.

Have a great day!
Terry

Edited by - campinmom03 on 14 April 2008 08:50:28

richfed
Average Member

United States
999 Posts

Posted - 14 April 2008 : 06:23:03
Here you go: POP PROFILE THANKS!!!!!!!

Campinmom03, no salting mod changes were to be made to pop_profile, correct? Or am I missing a file in my mod download?

campinmom03
Junior Member

USA
190 Posts

Posted - 14 April 2008 : 08:56:51
quote:
originally posted by richfed
Campinmom03, no salting mod changes were to be made to pop_profile, correct? Or am I missing a file in my mod download?

I'm looking at both mods. I don't believe you are missing a file.

I had help with these mods originally... and found that on my pop_profile. I just thought maybe if it was causing a problem for me, maybe it was a problem you were having too. I was just trying to help out. Sorry if I caused any confusion. I'm sure Muzishun will help you with yours now that you have a copy of your pop_profile.txt up.

Have a great day!
Terry

muzishun
Senior Member

United States
1079 Posts

Posted - 14 April 2008 : 15:29:56
As I thought, you are having the same problem campinmom did. I seem to have forgotten pop_profile.asp in the instructions above. Until I have the chance to go through and update the zip file, here is what you need to do.

Line numbers are based on richfed's pop_profile.asp and may vary depending on the forum.

As always, please backup your file before making these changes. I believe these are all the changes needed, but I am not in a place where I can test it right now. This should be everything, though. Let me know here if you run into any issues with these changes.

Lines 1038-1042 make the code look like this:

' end if

strEncodedPassword = sha256("" & Request.Form("Password") & strPasswordSalt)
strEncodedPassword2 = sha256("" & Request.Form("Password"))

'## Forum_SQL


Lines 1086-1088 make the code look like this:

if strAuthType = "db" then
strSql = strSql & " AND (M_PASSWORD = '" & ChkString(strEncodedPassword,"SQLString") & "' OR M_PASSWORD = '" & ChkString(strEncodedPassword2,"SQLString") & "'")
end if


Lines 1100-1102 make the code look like this:

end if
if rs.BOF or rs.EOF or not(ChkQuoteOk(strDBNTUserName)) or (not(ChkQuoteOk(strEncodedPassword)) and not(ChkQuoteOk(strEncodedPassword2))) then
Response.Write " <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """ color=""" & strHiLiteFontColor & """>Invalid UserName or Password</font></p>" & vbNewLine & _


Lines 1170-1177 make the code look like this:

end if

strEncodedPassword = sha256("" & Request.Form("Pass") & strPasswordSalt)
strEncodedPassword2 = sha256("" & Request.Form("Pass"))
mLev = cLng(chkUser(strDBNTUserName, strEncodedPassword,-1))
mLev2 = cLng(chkUser(strDBNTUserName, strEncodedPassword2,-1))

if (mLev > 0 or mLev2 > 0) then '## is Member
if (mLev = 4 or mLev2 = 4) then
'## Forum_SQL


Lines 1645-1651 make the code look like this:

end if
strEncodedPassword = sha256("" & Request.Form("Pass") & strPasswordSalt)
strEncodedPassword2 = sha256("" & Request.Form("Pass"))
mLev = cLng(chkUser(strDBNTUserName, strEncodedPassword,-1))
mLev2 = cLng(chkUser(strDBNTUserName, strEncodedPassword2,-1))
if (mLev > 0 or mLev2 > 0) then '## is Member
if (mLev = 4 or mLev2 = 4) then '## is Admin

Err_Msg = ""

Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)

richfed
Average Member

United States
999 Posts

Posted - 14 April 2008 : 19:06:33
Getting closer ...

First, I get this error:

Microsoft VBScript compilation error '800a0401' 

Expected end of statement 

/messageboard/pop_profile.asp, line 1086 

strSql = strSql & " AND   (M_PASSWORD = '" & ChkString(strEncodedPassword,"SQLString") & "' OR M_PASSWORD = '" & ChkString(strEncodedPassword2,"SQLString") & "'")
end if


If I take off the parenthesis in red, I reach the pop_profile log in screen.

After inputting my credentials, I get this error:

Microsoft OLE DB Provider for SQL Server error '80040e14' 

Line 1: Incorrect syntax near '8670cfecaa33c7b51ab816263b3c5d85262e36b5aac45113bd2157bbdbe6b1b6'. 

/messageboard/pop_profile.asp, line 1089 


What next?

phy1729
Average Member

USA
589 Posts

Posted - 14 April 2008 : 19:18:57
At the end try & "')" The ) closes a SQL statement not ASP.

richfed
Average Member

United States
999 Posts

Posted - 14 April 2008 : 19:33:11
And that has done it!!! Success!

Thank you everyone!

muzishun
Senior Member

United States
1079 Posts

Posted - 15 April 2008 : 01:03:00
Glad you were able to get it working.

Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)

richfed
Average Member

United States
999 Posts

Posted - 26 April 2008 : 08:57:43
Encountered another problem:

I can no longer delete a member. I get a message that I have no permissions to delete a member. Apparently, the salt is not being recognized during this process?

richfed
Average Member

United States
999 Posts

Posted - 03 May 2008 : 11:57:23
Here is a link to my pop_delete file: pop_delete.txt

If anyone can figure out what code to add, it would be greatly appreciated. Seems this is the last of my problems with this MOD. Everything else appears to be ok ...

muzishun
Senior Member

United States
1079 Posts

Posted - 07 May 2008 : 10:45:04
There are several changes in pop_delete.asp. Here are the ones that I saw for your file:

Around lines 643-646:

      strEncodedPassword = sha256("" & strPassword & strPasswordSalt)
      strEncodedPassword2 = sha256("" & strPassword)
      mLev = cLng(chkUser(strDBNTFUserName, strEncodedPassword,-1)) 
      mLev2 = cLng(chkUser(strDBNTFUserName, strEncodedPassword2,-1))
      if mLev > 0 or mLev2 > 0 then  '## is Member
         if mLev = 4 or mLev2 = 4 then


Next around lines 501-505:

      strEncodedPassword = sha256("" & strPassword & strPasswordSalt)
      strEncodedPassword2 = sha256("" & strPassword)
      mLev = cLng(chkUser(strDBNTFUserName, strEncodedPassword,-1)) 
      mLev2 = cLng(chkUser(strDBNTFUserName, strEncodedPassword2,-1))
      if mLev > 0 or mLev2 > 0 then  '## is Member
         if mLev = 4 or mLev2 = 4 then
            delAr = split(Cat_ID, ",")


Next, around lines 368-372:

      strEncodedPassword = sha256("" & strPassword & strPasswordSalt)
      strEncodedPassword2 = sha256("" & strPassword)
      mLev = cLng(chkUser(strDBNTFUserName, strEncodedPassword,-1)) 
      mLev2 = cLng(chkUser(strDBNTFUserName, strEncodedPassword2,-1))
      if mLev > 0 or mLev2 > 0 then  '## is Member
         if mLev = 4 or mLev2 = 4 then
            delAr = split(Forum_ID, ",")


Next, around lines 248-252:

      strEncodedPassword = sha256("" & strPassword & strPasswordSalt)
      strEncodedPassword2 = sha256("" & strPassword)
      mLev = cLng(chkUser5(strDBNTFUserName, strEncodedPassword, Topic_ID))
      mLev2 = cLng(chkUser5(strDBNTFUserName, strEncodedPassword2, Topic_ID))
      if mLev > 0 or mLev2 > 0 then  '## is Member
         if (chkForumModerator(Forum_ID, strDBNTFUserName) = "1") or (mLev = 1) or (mLev = 4) or (mLev2 = 1) or (mLev2 = 4) then
            delAr = split(Topic_ID, ",")


Next, around lines 107-110:

            if (blnModerator = "1") or (mLev = 4) or (mLev2 = 4) then
 'continue
elseif (((mLev = 1) or (mLev2 = 1)) and (intPostLockingTime > 0)) then
 strPostTime = strToDate(Reply_Date)


Next, around lines 91-96:

      strEncodedPassword = sha256("" & strPassword & strPasswordSalt)
      strEncodedPassword2 = sha256("" & strPassword)
      mLev = cLng(ChkUser3(strDBNTFUserName, strEncodedPassword, Reply_ID)) 
      mLev2 = cLng(ChkUser3(strDBNTFUserName, strEncodedPassword2, Reply_ID))
      if mLev > 0 or mLev2 > 0 then  '## is Member
      blnModerator = chkForumModerator(Forum_ID, strDBNTFUserName)
         if (blnModerator = "1") or ((mLev = 1 or mLev2 = 1) and strAllowPostEditing = "1") or (mLev = 4 or mLev2 = 4) then '## is Allowed
            strSql = "SELECT R_STATUS, R_DATE "

Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)
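
Added example, not part of the thread or of the MOD's code: the two-hash check that the pop_profile.asp and pop_delete.asp changes above apply, sketched in Python with a bound query parameter in place of string concatenation. The MEMBERS table, the M_NAME column, the salt value and the sample rows are constructed for illustration, and re-storing the salted hash after a legacy match is an assumption about how the migration completes.

```python
import hashlib
import hmac
import sqlite3

SALT = "constructed-salt-value"  # stands in for strPasswordSalt (constructed)


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_user(db, username, password):
    """Return M_LEVEL for a valid login, 0 otherwise."""
    salted = sha256_hex(password + SALT)  # strEncodedPassword
    legacy = sha256_hex(password)         # strEncodedPassword2
    # Bound parameter: the username never becomes part of the SQL text.
    row = db.execute(
        "SELECT M_LEVEL, M_PASSWORD FROM MEMBERS WHERE M_NAME = ?",
        (username,),
    ).fetchone()
    if row is None:
        return 0
    level, stored = row
    if hmac.compare_digest(stored, salted):
        return level
    if hmac.compare_digest(stored, legacy):
        # Legacy row: store the salted form so the unsalted fallback
        # stops matching for this account (assumed migration step).
        db.execute(
            "UPDATE MEMBERS SET M_PASSWORD = ? WHERE M_NAME = ?",
            (salted, username),
        )
        return level
    return 0


def make_demo_db():
    """Constructed data: one pre-MOD admin row, one post-MOD member row."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE MEMBERS "
        "(M_NAME TEXT PRIMARY KEY, M_PASSWORD TEXT, M_LEVEL INTEGER)"
    )
    db.executemany(
        "INSERT INTO MEMBERS VALUES (?, ?, ?)",
        [("admin", sha256_hex("old-admin-pw"), 4),
         ("member", sha256_hex("member-pw" + SALT), 1)],
    )
    return db
```

Every page that authenticates has to apply the same check, which is why the thread had to patch pop_profile.asp and pop_delete.asp separately; a single shared function avoids that drift.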

richfed
Average Member

United States
999 Posts

Posted - 09 May 2008 : 08:43:20
Thanks, Bill ... I appreciate your help and a great Mod[s]. All working now as far as I can tell.

Rich
A Complete Idiot's Guide to MOD Implementation || On the Trail of the Last of the Mohicans
Powered By: Snitz Forums 2000 Version 3.4.07