Problems with Account Activation Mail - Hack [Q and A]

Ativacao.php - Analysing code for team security

2005/1/4 10:32
giba
Just can't stay away
Posts: 638
Since: 2003/4/26

Quote:

Acho que isto ainda vai para notícias, mas vou postar aqui para futuras consultas no fórum:

Arquivo ATIVACAO.PHP

PHP ### ====================================================== ### [url=http://www.xoops.net.br/]XOOPS Brasil[/url] - A comunidade diferente! ### ====================================================== ### Arquivo para reenvio de Link de Ativa??o ### ====================================================== ### Developer: Fernando Santos, fernando@zend.com.br ### Copyright: www.xoops.net.br ? 2003-2004 ### ------------------------------------------------------ ### www.xoops.net.br ### ====================================================== ### v.1.0, Sun Dec 19 15:33:59 BRST 2004 ### ====================================================== $xoopsOption['pagetype'] = "user"; include "mainfile.php"; include 'header.php'; // Tanto faz, GET ou POST $email = isset($HTTP_GET_VARS['email']) ? trim($HTTP_GET_VARS['email']) : ''; $email = isset($HTTP_POST_VARS['email']) ? trim($HTTP_POST_VARS['email']) : $email; // Se $email for vazio, mostra o form para envio do link if ($email == '') { echo <<< TOPET05 Reenvio de Link para Ativa??o de Cadastro Digite o e-mail que você usou no cadastro em nosso site para receber novamente o link de ativa??o de conta. $_SERVER[PHP_SELF]" method="post"> Seu E-mail: TOPET05; // Se $email n?o for vazio , vamos fazer uma série de verifica??es antes de enviar }else{ $myts =& MyTextSanitizer::getInstance(); $member_handler =& xoops_gethandler('member'); // A linha abaixo retornará um array com todos os usuários que tenham o e-mail citado, no nosso caso será apenas $getuser[0] $getuser =& $member_handler->getUsers(new Criteria('email', $myts->addSlashes($email))); // Se o e-mail n?o existir na base de dados, $getuser será vazio... if (empty($getuser)) { echo "E-mail n?o cadastrado em nossa base de dados! "; include("footer.php"); exit(); } //Verificando se o usuário já está ativo... if($getuser[0]->isActive()){ echo "O usuário ".$getuser[0]->getVar('uname').", cadastrado com o e-mail ".$getuser[0]->getVar('email')." já está ativo! "; include("footer.php"); exit(); } //Enviando a baga?a $xoopsMailer =& getMailer(); $xoopsMailer->useMail(); $xoopsMailer->setTemplate('register.tpl'); $xoopsMailer->assign('SITENAME', $xoopsConfig['sitename']); $xoopsMailer->assign('ADMINMAIL', $xoopsConfig['adminmail']); $xoopsMailer->assign('SITEURL', XOOPS_URL."/"); $xoopsMailer->setToUsers($getuser[0]); $xoopsMailer->setFromEmail($xoopsConfig['adminmail']); $xoopsMailer->setFromName($xoopsConfig['sitename']); $xoopsMailer->setSubject(sprintf("- Reenvio - "._US_USERKEYFOR,$getuser[0]->getVar("uname"))); if ( !$xoopsMailer->send() ) { echo "N?o foi possível enviar o link de ativa??o para ".$getuser[0]->getVar('uname').". Entre em contato com os administradores do site. "; include("footer.php"); exit(); } else { echo "O Link de ativa??o para ".$getuser[0]->getVar('uname')." foi reenviado. Caso n?o receba o e-mail dentro de algumas horas, tente novamente ou entre em contato com os administradores do site. "; } } include("footer.php"); ?>

Coloque este arquivo no seu diretório principal XOOPS. Depois coloque um link para ele no bloco de login e pronto, n?o precisa alterar nada.
Se algum usuário do seu site vier reclamando que n?o recebeu o link de ativa??o, pe?a-o para acessar o seusite.com.br/ativacao.php e preencher o form.
Se quiser enviar via GET, tipo
seusite.com.br/ativacao.php?email=fernando@mastop.com.br
vai funfar do mesmo jeito.
Espero que seja útil... quem quiser aprimorar o código, agrade?o!!

Testado e funfando direitinho.

Grato ao Izzy pelos primeiros testes

Abra??o

Team for security, analysing for me this code ????

Re: Ativacao.php - Analysing code for team security

2005/1/4 14:12
giba
Just can't stay away
Posts: 638
Since: 2003/4/26

Up 1

Re: Ativacao.php - Analysing code for team security

2005/1/4 15:01
Mithrandir
XOOPS is my life!
Posts: 6320
Since: 2003/6/21

What do you want us to do?

Re: Ativacao.php - Analysing code for team security

2005/1/4 15:09
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

:) also i notice that that code is not from the current version of xoops.. i have no idea what the text says above as i only speak english.

Re: Ativacao.php - Analysing code for team security

2005/1/4 15:12
giba
Just can't stay away
Posts: 638
Since: 2003/4/26

It would like that esquipe could test this code to know if no breach of security in it does not exist and that was incluido to come with this option already in the versions of the Xoops.
The activation code is very common to fail and later the users it does not receive this again I redispatch.

With this code it will be able to always request that he will not be registered in the site the activation of its I register in cadastre in the hour that to desire.

Sorry my bad english.: -)

Problems with Account Activation Mail - Hack

2005/1/4 17:10
wcrwcr
Home away from home
Posts: 1114
Since: 2003/12/12

Hi and happy new year to all

Let me try to put some light here.

The file that Giba has submitted is a workaround to the famous activation mail sending problem.

It was made following the nice suggestion made by herko on this thread:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=26707&viewmode=flat&order=ASC&start=10

How It works:

1. put the Ativacao.php file on your main XOOPS directory.
2. after that, create and put a link to the Ativacao.php file on your login block

That?s all

If any of your users starts complaining about the non sending of the activation mail ask them to click on the link, fill up the form and it?s done

Feel free to implement the code and write any suggestions.
This file was written by topet05.

PS. If anybody wants to use it with the GET function, like

Quote:

yoursite.com.br/ativacao.php?email=fernando@mastop.com.br

the code also do the job

I hope it helps.
Regards,
Wilson

Re: Ativacao.php - Analysing code for team security

2005/1/4 18:17
Salomao
Just popping in
Posts: 2
Since: 2004/2/25

Trying to translate to English
Quote:

File ATIVACAO.PHP

PHP ### ====================================================== ### [url=http://www.xoops.net.br/]XOOPS Brasil[/url] - A comunidade diferente! ### ====================================================== ### Arquivo para reenvio de Link de Ativação ### Script for resend the activation link ### ====================================================== ### Developer: Fernando Santos, fernando@zend.com.br ### Copyright: www.xoops.net.br © 2003-2004 ### ------------------------------------------------------ ### www.xoops.net.br ### ====================================================== ### v.1.0, Sun Dec 19 15:33:59 BRST 2004 ### ====================================================== $xoopsOption['pagetype'] = "user"; include "mainfile.php"; include 'header.php'; // Doesn't matter GET or POST $email = isset($HTTP_GET_VARS['email']) ? trim($HTTP_GET_VARS['email']) : ''; $email = isset($HTTP_POST_VARS['email']) ? trim($HTTP_POST_VARS['email']) : $email; // If $email is empty, show form for link resend if ($email == '') { echo <<< TOPET05 Resend activation link registration Fill in the e-mail you used to register in our site, so you can receive agaian the activation link for your account. $_SERVER[PHP_SELF]" method="post"> Your E-mail: TOPET05; // If $email is not empty, let's verify some things before sending the link }else{ $myts =& MyTextSanitizer::getInstance(); $member_handler =& xoops_gethandler('member'); // The line below returns an array with all the users registered with the given e-mail, in our case it'll be only the $getuser[0] $getuser =& $member_handler->getUsers(new Criteria('email', $myts->addSlashes($email))); // If the e-mail doesn't exist in the database, $getuser returns empty... if (empty($getuser)) { echo "E-mail doesn't appear to be registered in our databases! "; include("footer.php"); exit(); } //Verifying if the user is already active... if($getuser[0]->isActive()){ echo "The user ".$getuser[0]->getVar('uname').", registered with e-mail ".$getuser[0]->getVar('email')." is already active! "; include("footer.php"); exit(); } //Sending it $xoopsMailer =& getMailer(); $xoopsMailer->useMail(); $xoopsMailer->setTemplate('register.tpl'); $xoopsMailer->assign('SITENAME', $xoopsConfig['sitename']); $xoopsMailer->assign('ADMINMAIL', $xoopsConfig['adminmail']); $xoopsMailer->assign('SITEURL', XOOPS_URL."/"); $xoopsMailer->setToUsers($getuser[0]); $xoopsMailer->setFromEmail($xoopsConfig['adminmail']); $xoopsMailer->setFromName($xoopsConfig['sitename']); $xoopsMailer->setSubject(sprintf("- Resend - "._US_USERKEYFOR,$getuser[0]->getVar("uname"))); if ( !$xoopsMailer->send() ) { echo "It could not be possible to resend the activation link for ".$getuser[0]->getVar('uname').". Contact the site administrators. "; include("footer.php"); exit(); } else { echo "The activation link for ".$getuser[0]->getVar('uname')." was resent. If you don't receive the e-mail in a few hours, try again or contact the site administrators. "; } } include("footer.php"); ?>

Put this file in your XOOPS main directory. Then, put a link for it into the login block, and voilá. No need to alter anything else.
If any user claims that it hasn't received the activation link, ask him to go to yoursite.com/ativacao.php and fill in the form.
If you wanna send through GET, like
yoursite.com/ativacao.php?email=me@myemail.com
it'll work without problems.
Hope it helps... If someone wanna make the code look better, I'll appreciate it!!

Tested and approved.

Thanks to Izzy for the first tests

Big hug

Hope it helps...

Salomão - XT

Re: Ativacao.php - Analysing code for team security

2005/1/4 18:27
Herko
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1

Very nice

if a developer wants to check this out for sucuity vulnerabilities and code efficiency, please do. In the meantime Giba, would you be so kind and post this to the XOOPS Core patch tracker, so we can process this in the normal development process? Thanks for the great feature!

Herko

Re: Ativacao.php - Analysing code for team security

2005/1/4 18:47
Mithrandir
XOOPS is my life!
Posts: 6320
Since: 2003/6/21

Looks good. Only change, I'd suggest is this one:

 // If the e-mail doesn't exist in the database, $getuser returns array()... 
if ($getuser == array() ) { 
    echo "E-mail doesn't appear to be registered in our databases!
"; 
    include("footer.php"); 
    exit(); 
}

I'll be adding this in XOOPS 2.1 with language constants etc. (but do add it to the patches tracker as it is easy to keep track of it there)

Thanks

Re: Ativacao.php - Analysing code for team security

2005/1/5 9:31
giba
Just can't stay away
Posts: 638
Since: 2003/4/26

Ok Thanks

Quote:

Mithrandir wrote:
Looks good. Only change, I'd suggest is this one:
// If the e-mail doesn't exist in the database, $getuser returns array()... if ($getuser == array() ) { echo "E-mail doesn't appear to be registered in our databases! "; include("footer.php"); exit(); }

I'll be adding this in XOOPS 2.1 with language constants etc. (but do add it to the patches tracker as it is easy to keep track of it there)

Thanks

Who aditional in patches tracker ?

Stats
Goal:	AU$15.00
Due Date:	Apr 30
Gross Amount:	AU$0.00
Net Balance:	AU$0.00
Left to go:	AU$15.00

Ativacao.php - Analysing code for team security

E-mail n?o cadastrado em nossa base de dados!

O usuário ".$getuser[0]->getVar('uname').", cadastrado com o e-mail ".$getuser[0]->getVar('email')." já está ativo!

N?o foi possível enviar o link de ativa??o para ".$getuser[0]->getVar('uname').". Entre em contato com os administradores do site.

O Link de ativa??o para ".$getuser[0]->getVar('uname')." foi reenviado. Caso n?o receba o e-mail dentro de algumas horas, tente novamente ou entre em contato com os administradores do site.

Re: Ativacao.php - Analysing code for team security

Re: Ativacao.php - Analysing code for team security

Re: Ativacao.php - Analysing code for team security

Re: Ativacao.php - Analysing code for team security

Problems with Account Activation Mail - Hack

Re: Ativacao.php - Analysing code for team security

E-mail doesn't appear to be registered in our databases!

The user ".$getuser[0]->getVar('uname').", registered with e-mail ".$getuser[0]->getVar('email')." is already active!

It could not be possible to resend the activation link for ".$getuser[0]->getVar('uname').". Contact the site administrators.

The activation link for ".$getuser[0]->getVar('uname')." was resent. If you don't receive the e-mail in a few hours, try again or contact the site administrators.

Re: Ativacao.php - Analysing code for team security

Re: Ativacao.php - Analysing code for team security

E-mail doesn't appear to be registered in our databases!

Re: Ativacao.php - Analysing code for team security

E-mail doesn't appear to be registered in our databases!

Login

Search

Recent Posts

Re: XOOPS 2.7.0 Development Started

Re: XOOPS 2.5.12 Beta-6 available for Testing

XOOPS 2.7.0 Development Started

XOOPS 2.5.12 Beta-5 available for Testing

Richard leaving, Nicolas takes over Core Team

Re: Support for Jadoogaran.org

Re: Support for Jadoogaran.org

Re: Support for Jadoogaran.org

Re: Support for Jadoogaran.org

Re: Support for Jadoogaran.org

Who's Online

Donat-O-Meter

Latest GitHub Commits

e8c46d1 - Merge pull request #1537 from mambax7/feature/Bootstrap_5.3.4 Bootstrap 5.3.4 i

e565e7f - Bootstrap 5.3.4

964be17 - Merge pull request #1536 from mambax7/feature/Bootstrap_5.3.4 Bootstrap 5.3.4