<b>[code] Who's Online</b>
Posted by <b>Vulpes</b>
Sune
Re: <b>[code] Who's Online</b> February 04, 2004 02:35PM |
Sune
Re: <b>[code] Who's Online</b> February 04, 2004 04:13PM |
I found out myself. In the file whoisonline.php you must correct the following lines.
After the line;
<TD><FONT color="<?PHP echo $table_header_font_color; ?>" nowrap>Name</FONT></TD>
you insert;
<? if(!empty($phorum_user['moderator'])){ ?>
<TD><FONT color="<?PHP echo $table_header_font_color; ?>" nowrap>IP</FONT></TD>
<? } ?>
and then you replace;
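echo "<td nowrap bgcolor=$cell_color_1>$rec[username]</td><td width=\"100%\">$rec[forum]</td>";
with;
// The name cell is still printed for everyone
echo "<td nowrap bgcolor=$cell_color_1>$rec[username]</td>";
// The IP cell is printed only for moderators, matching the header cell inserted above
if(!empty($phorum_user['moderator'])){
    echo "<td nowrap bgcolor=$cell_color_1>$rec[ip]</td>";
}
echo "<td width=\"100%\">$rec[forum]</td>";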
Re: [code] Who's Online March 04, 2004 07:44PM |
Re: <b>[code] Who's Online</b> March 13, 2004 10:09AM |
hey,
nice script, it worked out in 3.2.3, but now I have 3.4.6 and it does not show the username very often. It's just blank... : [www.swedengate.de]
anyone with an idea ?
thanks, christoph
Security Issue ! May 21, 2004 05:29PM |
Registered: 20 years ago Posts: 4 |
There's a security issue with this script.
The time you log in, Phorum stores your account name and encrypted password in the URL. If you don't have cookies enabled, this data is encoded in the URL the whole time you use Phorum.
The Who's Online script shows links regardless of any sensitive account data within the URL. The risk is that another user may access the board with the same rights as the compromised user.
There's a quick solution to this: The $REQUEST_URI must be filtered.
Sample code (quick'n dirty):
--------------------
// Reverse search of strrchr.
// Phorum Request URI is coded in a way like:
// .../read.php?f=4&i=39186&t=38996&phorum_uriauth=.... (f, i, t, phorum_uriauth)
// Authentication variable is the rightmost part and can be easily cut off
function strrrchr($haystack,$needle)
{
    // Returns everything before $needle (the needle itself is not included).
    return substr($haystack,0,strpos($haystack,$needle));
}
// defines new variable $uri
$uri = $REQUEST_URI;
// Checks for password info in URI
if (strstr ($uri, "&phorum_uriauth") !== FALSE){
    // Removes critical part
    $uri = strrrchr ($uri, "&phorum_uriauth");
}
$pagename=get_location($PHP_SELF,$uri,$title,$ForumName);
------------------
I am sure there are more elegant or effective solutions. But this should work and provide a quick fix.
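An added example, not part of the original post and not Phorum code: a variant of the filter above that removes phorum_uriauth wherever it sits in the query string (not only as the rightmost parameter) and escapes the cleaned URI before it is displayed. The function name strip_uriauth and the sample URIs are assumptions made for illustration.

```php
<?php
// Added example, not Phorum code; function name is hypothetical.
// Removes the phorum_uriauth parameter from a request URI wherever it
// appears in the query string and keeps the other parameters in order.
function strip_uriauth($uri, $param = 'phorum_uriauth')
{
    $qpos = strpos($uri, '?');
    if ($qpos === false) {
        return $uri;                      // no query string, nothing to strip
    }
    $path  = substr($uri, 0, $qpos);
    $query = substr($uri, $qpos + 1);

    $kept = array();
    // Accept both "&" and the HTML-escaped "&amp;" as separators.
    foreach (preg_split('/&(?:amp;)?/', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $eq   = strpos($pair, '=');
        $name = ($eq === false) ? $pair : substr($pair, 0, $eq);
        // Compare the decoded name so an encoded "phorum%5Furiauth" is caught.
        if (urldecode($name) === $param) {
            continue;
        }
        $kept[] = $pair;
    }
    return $path . ($kept ? '?' . implode('&', $kept) : '');
}

// Constructed sample URIs; PLACEHOLDER stands in for the auth value.
$samples = array(
    '/read.php?f=4&i=39186&t=38996&phorum_uriauth=PLACEHOLDER',
    '/list.php?phorum_uriauth=PLACEHOLDER&f=4',
    '/read.php?f=4&amp;phorum_uriauth=PLACEHOLDER&amp;t=38996',
    '/index.php',
);
foreach ($samples as $s) {
    // Escape the cleaned URI before writing it into the Who's Online table.
    echo htmlspecialchars(strip_uriauth($s), ENT_QUOTES), "\n";
}
```

Rows already stored in the whosonline table before such a filter is in place may still contain the parameter, so the same function can be applied when the rows are read back for display.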
Re: [code] Who's Online June 03, 2004 04:44PM |
Rossez
Who's Online working with latest phorum (modification of callscript.php) June 05, 2004 09:10AM |
Hi all,
I really like this hack and used it for some time in a previous version of Phorum. Now I upgraded it to the latest 3.4.8a version and the who's online hack seemed to stop working. As you write, all I saw was a list of Guests. I have modified callscript.php so it doesn't use cookies anymore and I made some more modifications (it doesn't show the link to the who is online table to non logged visitors).
Enjoy, Rossez
Here is the callscript.php code (may be a bit dirty):
---------------------------------
<?
// Logged-in users are shown as a link to their profile, everyone else as "Guest"
if(strlen($phorum_user['id'])>0){
    $whoisuser="<a href=\"profile.php?id=$phorum_user[id]\" class=\"topmed\">$phorum_user[name]</a>";
}else{
    $whoisuser="Guest";
}
$IP=$REMOTE_ADDR;
?>
<br>
<?
// Only logged-in users get the link to the Who's Online table
if ($whoisuser!="Guest") {
    echo "Logged as ".$whoisuser." :: <a href=\"whoisonline.php?f=".$f."\" class='topmed'>Who's Online</a>";
} else {
    echo "Welcome Guest";
}
?>
<?PHP
// The username field of the row with ip='record' is printed below as the "max" figure
$ssql="SELECT username FROM whosonline where ip='record'";
$q->query($DB, $ssql);
$record=$q->getrow();
$pagename=get_location($PHP_SELF,$REQUEST_URI,$title,$ForumName);
// Blank the location when it carries phorum_uriauth, so the login data is never listed
$justlogged = strpos($pagename, "phorum_uriauth=");
if ($justlogged!==false){$pagename="";}
if ($whoisuser!="Guest") {
    echo "<font color =white>(".get_whosonline($IP, $whoisuser, $pagename)." now/".$record['username']." max)";
} else {
    echo "<font color =white> :: ".get_whosonline($IP, $whoisuser, $pagename)." users online (".$record['username']." max)";
}
?>
</font>
Rossez
Security issue... June 05, 2004 09:13AM |
Re: <b>[code] Who's Online</b> June 05, 2004 03:00PM |
keyo
Re: <b>[code] Who's Online</b> June 10, 2004 05:57PM |
Re: <b>[code] Who's Online</b> June 13, 2004 06:23AM |
keyo
Re: <b>[code] Who's Online</b> June 14, 2004 07:24PM |