Completely disable the secret question function in smf 2.0.2

Started by lickitung, January 20, 2012, 07:51:35 AM


lickitung

Hi, I would like to completely disable the secret question function in my forum. I don't really care whether my users are still prompted to set a secret question & password as they register or through their profile; all I want to do is make it impossible for anyone to use the secret question function in order to regain access to an account.

It should be in Reminder.php and maybe somewhere else, but I don't want to start messing things up in case something goes bad.

Thanks in advance!  :D

Arantor

Or better, deal with it higher up the food chain.

It only prompts for secret question in the event that the user has actually set one. So, if you remove any existing ones and then prevent users from being able to do so later... job done.

To empty out existing users' questions, the following SQL query run in phpMyAdmin will do it:
UPDATE smf_members SET secret_question = '', secret_answer = '';

Change smf_members to your own table's name if smf_members is not it.

Then we need to patch Profile-Modify.php to disable these fields.

Find:
'secret_question' => array(
    'type' => 'text',
    'label' => $txt['secret_question'],
    'subtext' => $txt['secret_desc'],
    'size' => 50,
    'permission' => 'profile_identity',
),
'secret_answer' => array(
    'type' => 'text',
    'label' => $txt['secret_answer'],
    'subtext' => $txt['secret_desc2'],
    'size' => 20,
    'postinput' => '<span class="smalltext" style="margin-left: 4ex;"><a href="' . $scripturl . '?action=helpadmin;help=secret_why_blank" onclick="return reqWin(this.href);">' . $txt['secret_why_blank'] . '</a></span>',
    'value' => '',
    'permission' => 'profile_identity',
    'input_validate' => create_function('&$value', '
        $value = $value != \'\' ? md5($value) : \'\';
        return true;
    '),
),


Replace:
'secret_question' => array(
    'type' => 'text',
    'label' => $txt['secret_question'],
    'subtext' => $txt['secret_desc'],
    'size' => 50,
    'permission' => 'profile_identity',
    'enabled' => false,
),
'secret_answer' => array(
    'type' => 'text',
    'label' => $txt['secret_answer'],
    'subtext' => $txt['secret_desc2'],
    'size' => 20,
    'postinput' => '<span class="smalltext" style="margin-left: 4ex;"><a href="' . $scripturl . '?action=helpadmin;help=secret_why_blank" onclick="return reqWin(this.href);">' . $txt['secret_why_blank'] . '</a></span>',
    'value' => '',
    'permission' => 'profile_identity',
    'input_validate' => create_function('&$value', '
        $value = $value != \'\' ? md5($value) : \'\';
        return true;
    '),
    'enabled' => false,
),


I'm not going to package this into a mod but if anyone else wants to, they're more than welcome (provided they credit this thread)
Holder of controversial views, all of which my own.


lickitung

Quote: It only prompts for secret question in the event that the user has actually set one.

Hmm, yeah, I've been having some security issues lately, and it seems from Apache's access logs that the person who's causing the trouble is able to bypass that, so I want to disable only that function, to understand whether he is causing the trouble through it or not.

Your code would be very useful to me if I just didn't want my members to use secret questions, but in this case I want to completely disable the secret question function so that there's nothing at all for him to mess with there, since there will be no secret question function.

Arantor

-sigh- It DOES disable it.

The function is only available when the user actually HAS a secret question. Step one removes any secret questions, step two prevents any more from being used.


lickitung

Hmm, I'm really sorry if I'm just being ignorant, but what about:
Quote:
// Delegation can be useful sometimes.
$subActions = array(
    'picktype' => 'RemindPick',
    'secret2' => 'SecretAnswer2',
    'setpassword' => 'setPassword',
    'setpassword2' => 'setPassword2'
);

and the "secret_question" function etc. in Reminder.php?

Also, as I mentioned, I've been having a security issue where accounts have been taken over, and I can see in the access logs that the person who is taking them over is able to access the "&action=reminder;sa=secret2" page, which is only available to users that have secret questions (after 3 tries he manages to regain access). However, that user did NOT have a secret question at all!!!! >:(
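The access-log triage described in this post, written out as an added example that is not part of the original thread or of SMF: a Python scan over constructed Apache combined-log lines that isolates POSTs to the reminder's sa=secret2 step and flags any client that submits several of them within a short window. The log lines, client addresses, threshold and window are invented for illustration; the lines carry no member id (only the endpoint appears in the request line), so attempts are grouped per client IP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines for illustration only (not traffic from the
# thread's server). One client makes three POSTs to the secret-answer step inside a
# minute; a second client merely loads the page once with a GET.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2012:07:40:01 +0200] "GET /index.php?action=reminder HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2012:07:40:15 +0200] "POST /index.php?action=reminder;sa=picktype HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2012:07:40:30 +0200] "POST /index.php?action=reminder;sa=secret2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2012:07:40:44 +0200] "POST /index.php?action=reminder;sa=secret2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2012:07:41:02 +0200] "POST /index.php?action=reminder;sa=secret2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jan/2012:07:45:10 +0200] "GET /index.php?action=reminder;sa=secret2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into the fields we need, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_secret_answer_post(rec):
    """A submitted secret answer is a POST to action=reminder;sa=secret2; a GET only renders the form."""
    return (
        rec["method"] == "POST"
        and "action=reminder" in rec["path"]
        and "sa=secret2" in rec["path"]
    )


def attempts_by_ip(log_text):
    """Map each client IP to the sorted timestamps of its secret-answer submissions."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_secret_answer_post(rec):
            hits[rec["ip"]].append(rec["ts"])
    return {ip: sorted(stamps) for ip, stamps in hits.items()}


def flag_guessing(log_text, threshold=3, window_seconds=300):
    """Return {ip: attempts} for clients with at least `threshold` submissions
    inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in attempts_by_ip(log_text).items():
        best = 0
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if t - start <= window)
            best = max(best, in_window)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in flag_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {count} secret-answer submissions within 5 minutes")
```

Whether a submission was accepted is not visible in the access log; SMF records a rejected answer through log_error in its own error log, so a flagged address should be cross-checked there and against the secret_question column of the affected member's row.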

Arantor

Then there's something else wrong. The code in Reminder.php checks to see whether the user has a question and if not, it prevents it going any further.

From SecretAnswer2(), after we established the user exists (and we've got the question and answer out of the DB), but before we change the password:
// Check if the secret answer is correct.
if ($row['secret_question'] == '' || $row['secret_answer'] == '' || md5($_POST['secret_answer']) != $row['secret_answer'])
{
    log_error(sprintf($txt['reminder_error'], $row['member_name']), 'user');
    fatal_lang_error('incorrect_answer', false);
}


I'd check that the secret question was actually empty, since it seems like it wasn't at the time.
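To make that gate concrete, an added example that is not SMF's code and not part of the original thread: a Python model of the SecretAnswer2() condition quoted above, run against an in-memory SQLite stand-in for smf_members, together with the UPDATE suggested earlier in the thread and the audit query Arantor's last sentence calls for. The table contents, member names and answers are constructed, and SMF's own input cleaning before the md5 is omitted.

```python
import hashlib
import sqlite3


def md5_hex(text):
    """SMF stores the secret answer as an unsalted MD5 hex digest of the answer."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_members_db():
    """In-memory stand-in for the smf_members columns the reminder uses (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE smf_members ("
        "id_member INTEGER PRIMARY KEY, member_name TEXT, "
        "secret_question TEXT NOT NULL DEFAULT '', secret_answer TEXT NOT NULL DEFAULT '')"
    )
    conn.executemany(
        "INSERT INTO smf_members VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "", ""),                              # never set a question
            (2, "bob", "Name of first pet?", md5_hex("rex")),
            (3, "carol", "Favourite colour?", md5_hex("blue")),
        ],
    )
    conn.commit()
    return conn


def members_with_secret(conn):
    """Audit query: which members still have a question or answer stored?"""
    rows = conn.execute(
        "SELECT member_name FROM smf_members "
        "WHERE secret_question != '' OR secret_answer != '' ORDER BY id_member"
    )
    return [name for (name,) in rows]


def wipe_secrets(conn):
    """The UPDATE from earlier in the thread: empty both columns for every member."""
    conn.execute("UPDATE smf_members SET secret_question = '', secret_answer = ''")
    conn.commit()


def secret_answer_ok(conn, member_id, submitted_answer):
    """Python rendering of the SecretAnswer2() gate: a blank question, a blank stored
    answer, or a non-matching MD5 each reject before any password change happens."""
    row = conn.execute(
        "SELECT secret_question, secret_answer FROM smf_members WHERE id_member = ?",
        (member_id,),
    ).fetchone()
    if row is None:
        return False
    question, stored_hash = row
    if question == "" or stored_hash == "" or md5_hex(submitted_answer) != stored_hash:
        return False
    return True


if __name__ == "__main__":
    db = build_members_db()
    print("members with a secret set:", members_with_secret(db))
    print("bob / 'rex'  ->", secret_answer_ok(db, 2, "rex"))
    print("bob / 'max'  ->", secret_answer_ok(db, 2, "max"))
    print("alice / ''   ->", secret_answer_ok(db, 1, ""))
    wipe_secrets(db)
    print("after wipe, bob / 'rex' ->", secret_answer_ok(db, 2, "rex"))
```

Running the audit query on the live table before and after the UPDATE is the direct way to settle the question in this post: if the affected member's row still shows a non-empty secret_question, the reminder path was open to them. Note also that the stored value is an unsalted MD5 of the answer, so a short or guessable answer is cheap to recover offline if the table ever leaks, which is one more reason to empty the columns rather than leave them in place.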

