The Joomla! Forum ™



Posted: Tue Dec 04, 2007 5:24 pm
Joomla! Apprentice

Joined: Sun Oct 16, 2005 1:07 pm
Posts: 13
I will start this topic from the start.

For several days I tried to make a user & password check from outside the Joomla CMS. Finally I have found quite a simple solution for this. While searching for the solution I visited many different Joomla forums and websites, but wasn't finding any solution. Then I investigated some Joomla core code and made some tests about how I could get access to configuration.php, where all the necessary information about my MySQL server is. I needed the username & password for MySQL. And the solution was very simple: I just included the configuration.php file and everything was working. I think it's not so good when users (hackers) can just include the configuration.php file and in that way get access to my Joomla installation information and MySQL information.

I will copy the code that I made to get a user & password check outside Joomla:
Code:
// Turn errors off
error_reporting(0);

// Include configuration.php for database and other information
include_once('my_joomla_install/configuration.php');

// Take the values we want to check from the address bar
$get_user = addslashes($_GET['user']);
$get_pass = addslashes($_GET['pass']);

// Just take this little function from Joomla core
function mosHash( $seed ) {
   return md5( $GLOBALS['mosConfig_secret'] . md5( $seed ) );
}

// Make connection to MySQL server and database
$link = mysql_connect($mosConfig_host, $mosConfig_user, $mosConfig_password);
if (!$link) {
   die ("No access to MySQL server");
}
if (!mysql_select_db($mosConfig_db, $link)) {
   die ("No access to database: $mosConfig_db: ".mysql_error());
}

// Open Joomla users database table and check username & password
$check = "SELECT * FROM ".$mosConfig_dbprefix."users WHERE username = '$get_user' LIMIT 1";

// Run the query once. A successful query can still return zero rows,
// so test the fetched row rather than the query result.
$result = mysql_query($check, $link);
$a_row = $result ? mysql_fetch_array($result) : false;

if (!$a_row) {
   print "This username wasn't found, please try again!!!";
} else {
   // The username we looked for exists, so now check the password

   // Make some security stuff for Joomla
   $harden = mosHash( @$_SERVER['HTTP_USER_AGENT'] );

   // The stored password field has the form "hash:salt"
   list($hash, $salt) = explode(':', $a_row['password']);

   $check_username = md5( $a_row['username'] . $harden );
   $check_password = md5( $hash . $harden );

   $username = md5( $get_user . $harden );
   $cryptpass = md5($get_pass.$salt);

   // Strict comparison, so the hashes are compared as strings
   if ( $check_username === $username && $hash === $cryptpass ) {
      // Now we know that the username & password are correct, so tell the user too
      print "Yes, your information are correct - username and password was correct";
   } else {
      // Sorry, username & password don't match
      print "Sorry, username or password was wrong";
   }
}


I needed this type of username & password check to make an SMS activation hack for Joomla!
If someone is interested in the full script (component), then I will send it or upload it to this forum.




Last edited by janar153 on Tue Dec 04, 2007 5:45 pm, edited 1 time in total.
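
The password check described in the post above, as an added example that is not part of the original post or of Joomla's own code: it verifies a stored "md5(password . salt):salt" value with a constant-time string comparison, and rejects non-string request values and malformed stored hashes. The function names, the sample rows and the treatment of a colon-less value as unsalted md5(password) are assumptions.

```php
<?php
// Added example, not the poster's code. Function names are hypothetical.

// Return a request value only if it is a plain string. A query such as
// ?pass[]=x produces an array, which must never reach md5() or string
// concatenation.
function request_string(array $source, string $key): ?string
{
    $value = $source[$key] ?? null;
    return is_string($value) ? $value : null;
}

// Check a candidate password against a stored "md5(password . salt):salt"
// value. A value with no colon is treated as unsalted md5(password)
// (assumption about older rows).
function joomla10_verify_password(string $stored, string $candidate): bool
{
    $parts = explode(':', $stored, 2);
    $hash  = strtolower($parts[0]);
    $salt  = $parts[1] ?? '';

    // Anything that is not a 32-character hex digest cannot match.
    if (preg_match('/^[0-9a-f]{32}$/', $hash) !== 1) {
        return false;
    }
    // hash_equals() compares as strings in constant time; loose == would
    // compare numeric-looking digests as numbers.
    return hash_equals($hash, md5($candidate . $salt));
}

// Constructed sample rows (username => stored password field).
$rows = [
    'alice'  => md5('correct horse' . 'Xy12Ab') . ':Xy12Ab', // salted
    'bob'    => md5('legacy-pass'),                          // unsalted
    'mallet' => 'not-a-hash:salt',                           // malformed
];

// Constructed requests standing in for the submitted form fields.
$requests = [
    ['user' => 'alice',  'pass' => 'correct horse'],
    ['user' => 'alice',  'pass' => 'wrong'],
    ['user' => 'bob',    'pass' => 'legacy-pass'],
    ['user' => 'mallet', 'pass' => 'anything'],
    ['user' => 'alice',  'pass' => ['array', 'input']],
];

foreach ($requests as $req) {
    $user   = request_string($req, 'user');
    $pass   = request_string($req, 'pass');
    $stored = ($user !== null) ? ($rows[$user] ?? null) : null;
    $ok     = $stored !== null && $pass !== null
              && joomla10_verify_password($stored, $pass);
    printf("%-8s %s\n", $user ?? '(invalid)', $ok ? 'accepted' : 'rejected');
}
```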

 
Posted: Tue Dec 04, 2007 5:34 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 16630
Location: **Translation Matters**
I am sure quite a few people would be interested.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


 
Posted: Tue Dec 04, 2007 5:43 pm
Joomla! Apprentice

Joined: Sun Oct 16, 2005 1:07 pm
Posts: 13
OK, I will upload the component that I have made. It installs like a normal component. After installing it (or just unzipping it) you will find the file administrator/components/algajasms/getsms.php, and that is where this user & password check is made.

This component will work with the Fortumo.com dynamic SMS service... maybe other service providers also.

To get it to work correctly it is necessary to make some changes in a core file.
First you must change the registration.php file a little bit:
Original, at about line 178:
Code:
if ($mosConfig_useractivation == 1){
      $message = sprintf (_USEND_MSG_ACTIVATE, $name, $mosConfig_sitename, $mosConfig_live_site."/index.php?option=com_registration&task=activate&activation=".$row->activation, $mosConfig_live_site, $username, $pwd);
   } else {
      $message = sprintf (_USEND_MSG, $name, $mosConfig_sitename, $mosConfig_live_site);
   }

This must be replaced with this:
Code:
if ($mosConfig_useractivation == 1){
      $message = sprintf (_USEND_MSG_ACTIVATE, $name, $mosConfig_sitename, $mosConfig_live_site, $username, $pwd);
   } else {
      $message = sprintf (_USEND_MSG, $name, $mosConfig_sitename, $mosConfig_live_site);
   }


It is also necessary to change some language file translations.

More information is in this component's file, but it's in the Estonian language; these changes are not so important for the security issue.


 
Posted: Fri Apr 23, 2010 5:26 am
Joomla! Apprentice

Joined: Fri Oct 30, 2009 2:12 pm
Posts: 21
I know this is a VERY old post, but I'd love to get this working as I'm trying to use it for a gaming site. So far I'm stuck at installing it... it keeps saying "Error! Could not find a Joomla! XML setup file in the package." I've unzipped this many times and basically my skills are not up to par with this. I've contacted the developer but he's very busy.

Is anyone able to shed some light on this?


 
Posted: Sat May 15, 2010 1:37 am
Joomla! Apprentice

Joined: Tue Dec 23, 2008 3:12 am
Posts: 28
Paul, maybe you are trying to install this component in a Joomla 1.5 version, and this component was written for the 1.0 version.

If you want to see the FTP info (user and password, which may be available in configuration.php) and you do not have FTP access, but you have access to /administrator, you can install joomlaxplorer http://extensions.joomla.org/extensions ... gement/102

Install it as a normal component and then you will be able to navigate to your files, then double-click on configuration.php, and if the FTP layer was activated at the first installation of Joomla, you will be able to see the FTP information.

Karlo
www.creaunsitiojoomla.com


 