A new autologin hack for 2.0.6 [XOOPS Core Hacks]

1

A new autologin hack for 2.0.6

2004/4/27 8:07
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

My autologin (remember me) hack has two problems.

1) The cookie's path is root (='/'). This cause a collision of the cookies from two XOOPS sites running on the same hostname.

2) This hack weakens XOOPS from CSRF attack. (Some modules are defenseless from CSRF. They delete or update its records by GET methods easily.)

I -GIJOE- remade the autologin hack for XOOPS 2.0.6 like this:

line 69 of user.php


if ($op == 'logout') {

    $message = '';

    $HTTP_SESSION_VARS = array();

    session_destroy();

    if ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') {

        setcookie($xoopsConfig['session_name'], '', time()- 3600, '/',  '', 0);

    }

    // clear autologin cookies GIJ

    $xoops_cookie_path = defined('XOOPS_COOKIE_PATH') ? XOOPS_COOKIE_PATH : preg_replace( '?http://[^/]+(/.*)$?' , "$1" , XOOPS_URL ) ;

    if( $xoops_cookie_path == XOOPS_URL ) $xoops_cookie_path = '/' ;

    setcookie('autologin_uname', '', time() - 3600, $xoops_cookie_path, '', 0);

    setcookie('autologin_pass', '', time() - 3600, $xoops_cookie_path, '', 0);

    setcookie('autologin_uname', '', time() - 3600, '/', '', 0); //

    setcookie('autologin_pass', '', time() - 3600, '/', '', 0); // for older autologin hack -should be removed-

    // clear entry from online users table

    if (is_object($xoopsUser)) {

        $online_handler =& xoops_gethandler('online');

        $online_handler->destroy($xoopsUser->getVar('uid'));

    }

    $message = _US_LOGGEDOUT.'<br />'._US_THANKYOUFORVISIT;

    redirect_header('index.php', 1, $message);

    exit();

}

line 88 of include/checklogin.php


// set cookie for autologin GIJ

    $xoops_cookie_path = defined('XOOPS_COOKIE_PATH') ? XOOPS_COOKIE_PATH : preg_replace( '?http://[^/]+(/.*)$?' , "$1" , XOOPS_URL ) ;

    if( $xoops_cookie_path == XOOPS_URL ) $xoops_cookie_path = '/' ;

    if (!empty($HTTP_POST_VARS['rememberme'])) {

        $expire = time() + $xoopsConfig['session_expire'] * 60;

        setcookie('autologin_uname', $uname, $expire, $xoops_cookie_path, '', 0);

        setcookie('autologin_pass', md5($pass), $expire, $xoops_cookie_path, '', 0);

    }

line 160 of include/common.php


//autologin GIJ

    if(empty($HTTP_SESSION_VARS['xoopsUserId']) && isset($HTTP_COOKIE_VARS['autologin_uname']) && isset($HTTP_COOKIE_VARS['autologin_pass'])) {



        // redirect to Root when query string exists (anti-CSRF)

        if( ! empty( $HTTP_SERVER_VARS['QUERY_STRING'] ) ) {

            redirect_header( XOOPS_URL , 0 , 'Now, logging in automatically' ) ;

            exit ;

        }



        $myts =& MyTextSanitizer::getInstance();

        $uname = $myts->stripSlashesGPC($HTTP_COOKIE_VARS['autologin_uname']);

        $pass = $myts->stripSlashesGPC($HTTP_COOKIE_VARS['autologin_pass']);

        $myts =& MyTextsanitizer::getInstance();

        $user =& $member_handler->loginUserMd5(addslashes($uname), addslashes($pass));

        $xoops_cookie_path = defined('XOOPS_COOKIE_PATH') ? XOOPS_COOKIE_PATH : preg_replace( '?http://[^/]+(/.*)$?' , "$1" , XOOPS_URL ) ;

        if( $xoops_cookie_path == XOOPS_URL ) $xoops_cookie_path = '/' ;

        if (false != $user && $user->getVar('level') > 0) {

            // update time of last login

            $user->setVar('last_login', time());

            if (!$member_handler->insertUser($user, true)) {

            }

            //$HTTP_SESSION_VARS = array();

            $HTTP_SESSION_VARS['xoopsUserId'] = $user->getVar('uid');

            $HTTP_SESSION_VARS['xoopsUserGroups'] = $user->getGroups();

            // update autologin cookies

            $expire = time() + $xoopsConfig['session_expire'] * 60 ;

            setcookie('autologin_uname', $uname, $expire, $xoops_cookie_path, '', 0);

            setcookie('autologin_pass', $pass, $expire, $xoops_cookie_path, '', 0);

        } else {

            setcookie('autologin_uname', '', time() - 3600, $xoops_cookie_path, '', 0);

            setcookie('autologin_pass', '', time() - 3600, $xoops_cookie_path, '', 0);

        }

    }

another 4 files are the same as older hack.

modules/system/templates/blocks/system_block_login.html
modules/system/blocks/system_blocks.php
modules/system/language/english/blocks.php
modules/system/language/(your language)/blocks.php

I've updated Xoops Wiki too.

The new hack has not tested sufficiently yet.
Some tests of the charity is waited for.

---------
(28 April updated) fixed which the anti-CSRF code is insufficient

2

Re: A new autologin hack for 2.0.6

2004/4/27 10:13
brash
Friend of XOOPS
Posts: 2206
Since: 2003/4/10

Nice one GIJOE

3

Re: A new autologin hack for 2.0.6

2004/4/27 10:57
Dave_L
XOOPS is my life!
Posts: 2277
Since: 2003/11/7

1) Rather than using a cookie path, wouldn't it be better to have a customizable cookie prefix?

2) What does CSRF mean?

4

Re: A new autologin hack for 2.0.6

2004/4/27 11:11
karuna
Not too shy to talk
Posts: 171
Since: 2002/5/29

i'd like have a try

5

Re: A new autologin hack for 2.0.6

2004/4/27 16:17
karuna
Not too shy to talk
Posts: 171
Since: 2002/5/29

hmm
i upload these files downloaded from your site.

But it seems that it does not work. and the login form in my site has been integrated to the theme, so maybe is the problem of the theme.

6

Re: A new autologin hack for 2.0.6

2004/4/27 20:32
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

Quote:

Dave_L wrote:
1) Rather than using a cookie path, wouldn't it be better to have a customizable cookie prefix?

I read the thread at first time.
Of course, autologin should use it when XOOPS core includes such functions,
This hack is for 2.0.6

Quote:

2) What does CSRF mean?

Cross-Site Request Forgeries(CSRF, pronounced "sea surf")
http://www.tux.org/~peterw/csrf.txt

July 2003 php conference at oscon
http://conferences.oreillynet.com/os2003/php/
PHP Under Attack
http://conferences.oreillynet.com/cs/os2003/view/e_sess/4114
PHP Under Attack OSCON 2003 (slide)
http://talks.php.net/show/php-under-attack
http://talks.php.net/show/php-under-attack/11
http://talks.php.net/show/php-under-attack/15

in xoops, the records will be lost if a module exists like this:


if( ! $xoopsUser->isadmin() ) exit ;

if( $delok ) {

    $xoopsDB->queryF('DELETE ...')

}

The check will be no use, if older autologin is turned on and some administrators browse CSRF page.

Of course, this is not an autologin's hole but a module's security hole.
The module should use query() instead of queryF().
If XOOPS session is alive, CSRF attack to the weak modules will be succeed without autologin.

But, It is a fact that autologin enlarges the holes of such weak modules.
I'm examining whether the redirection is useful or not...

7

Re: A new autologin hack for 2.0.6

2004/4/28 8:13
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

Quote:

GIJOE wrote:
But, It is a fact that autologin enlarges the holes of such weak modules.
I'm examining whether the redirection is useful or not...

I've examined my hack can prevent from CSRF attack.
Some patterns are OK, but another patterns are NG. (eg. using multiple <img>)

Thus I remade the anti-CSRF code. (see top of this thread)
It can protect against CSRF like multiple <img>.

8

Re: A new autologin hack for 2.0.6

2004/4/28 8:46
Dach-at
Just popping in
Posts: 5
Since: 2004/4/22

I'm sorry but your hack doesn't change in my website. When we close the browser, we are unlogged. This hack don't change the problem :\

9

Re: A new autologin hack for 2.0.6

2004/4/28 8:53
GIJOE
Quite a regular
Posts: 265
Since: 2003/8/13

You'd better read this.
Autologin Hack

I don't find any checkbox in login block of your site.

10

Re: A new autologin hack for 2.0.6

2004/4/28 9:00
Dach-at
Just popping in
Posts: 5
Since: 2004/4/22

Sorry, I had been mistaken in liens

I reinstalled the good hack, but that still does not go :\ One always owes reconnecter each time, even if one notches shaves it "remember me".

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

A new autologin hack for 2.0.6

Re: A new autologin hack for 2.0.6

Re: A new autologin hack for 2.0.6

Re: A new autologin hack for 2.0.6

Re: A new autologin hack for 2.0.6

Re: A new autologin hack for 2.0.6

Re: A new autologin hack for 2.0.6

Re: A new autologin hack for 2.0.6

Re: A new autologin hack for 2.0.6

Re: A new autologin hack for 2.0.6

Login

Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Re: NewBB v 5.1.0 b 6

Re: NewBB v 5.1.0 b 6

NewBB v 5.1.0 b 6

Re: XOOPS 2.5.11 search user is not working

Re: oledrion

Re: oledrion

Re: oledrion

Re: oledrion

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}