disable "hide online status" for users?

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
justinjoylife
Registered User
Posts: 7
Joined: Fri Jun 06, 2003 5:23 pm

disable "hide online status" for users?

Post by justinjoylife »

hi can someone please tell me how to not allow users to hide their online status?

it's not the profile_add_body.tpl

where is it!?

thanks much!

Justin
zeroK
Former Team Member
Posts: 20964
Joined: Sun Jan 20, 2002 7:36 pm
Location: Klagenfurt / Austria
Contact:

Post by zeroK »

Open your profile_add_body.tpl and search for the following section:

Code:

	<tr> 
	  <td class="row1"><span class="gen">{L_HIDE_USER}:</span></td>
	  <td class="row2"> 
		<input type="radio" name="hideonline" value="1" {HIDE_USER_YES} />
		<span class="gen">{L_YES}</span>&nbsp;&nbsp; 
		<input type="radio" name="hideonline" value="0" {HIDE_USER_NO} />
		<span class="gen">{L_NO}</span></td>
	</tr>
Replace it with

Code:

<input type="hidden" name="hideonline" value="0">
This will prevent people from changing (or actually even seeing) this option.
Now go to your database and run the following query to make all "invisible" members visible again:

Code:

UPDATE phpbb_users SET user_allow_viewonline = 1;
This should do it :-)
justinjoylife
Registered User
Posts: 7
Joined: Fri Jun 06, 2003 5:23 pm

Post by justinjoylife »

thanks!
1MG ^Hawk^
Registered User
Posts: 5
Joined: Sat Mar 22, 2003 2:59 am

It's not workin

Post by 1MG ^Hawk^ »

I tried this and I can't get it to work.....

If I manually turn everyone's hidden off, do I still need to run the query?
Deeve
Registered User
Posts: 68
Joined: Mon Aug 25, 2003 12:53 am
Location: NE Ohio
Contact:

Post by Deeve »

Ok... I want to make it so users can't hide online status but Admins can. Will this mod make that change for me or will it eliminate the option altogether?
.:J@X:.
Registered User
Posts: 6
Joined: Mon Jun 02, 2003 12:41 pm

Post by .:J@X:. »

I tried to run this query but it does not work. Can anybody help me on this?

Code:

UPDATE phpbb_users SET user_allow_viewonline = 1;
Anyway, I remove the whole and it works ;)

Code:

   <tr> 
     <td class="row1"><span class="gen">{L_HIDE_USER}:</span></td> 
     <td class="row2"> 
      <input type="radio" name="hideonline" value="1" {HIDE_USER_YES} /> 
      <span class="gen">{L_YES}</span>&nbsp;&nbsp; 
      <input type="radio" name="hideonline" value="0" {HIDE_USER_NO} /> 
      <span class="gen">{L_NO}</span></td> 
   </tr>
XiomaraGel
Registered User
Posts: 2
Joined: Sun Mar 07, 2004 7:34 am

The problem is....

Post by XiomaraGel »

The problem is that if the user downloads the page, and changes the source code with this :

Code:

<input type="hidden" name="hideonline" value="1">
Setting the value to 1 will register the user making him able to hide his online status.

Anyone has a solution for this exploit?
flogger12
Registered User
Posts: 14936
Joined: Tue Nov 25, 2003 2:13 am

Re: The problem is....

Post by flogger12 »

XiomaraGel wrote: The problem is that if the user downloads the page, and changes the source code with this :

Code:

<input type="hidden" name="hideonline" value="1">
Setting the value to 1 will register the user making him able to hide his online status.

Anyone has a solution for this exploit?


Now how is that going to work? You can download the page and make all the changes you want, but you can't upload it back to the server without knowing the username/password to the hosting account, and only the site owner knows that.


robert
XiomaraGel
Registered User
Posts: 2
Joined: Sun Mar 07, 2004 7:34 am

The Exploit

Post by XiomaraGel »

OK.

Install the modification as shown above to prevent users from changing their online status.

THEN TO TEST THE EXPLOIT:

First of all we need to download the page of the Registration or the page of the Profile if the user was already registered and wants to edit his profile.
To download the page just enter the profile or registration page, wait for the page to load completely. Usually it loads completely when you see the Done message at the bottom part of your browser in the status bar.
Then RIGHT CLICK anywhere on the page and select VIEW SOURCE.
The source code of the page will be displayed usually on Notepad or your preferred text editor.


Then go and search the line that has the following:

Code:

<input type="hidden" name="hideonline" value="0">

And replace it with the following:

Code:

<input type="hidden" name="hideonline" value="1">

Then go and search the line that has the following:

Code:

<form action="profile.php"  method="post">

And replace it with the following:

Code:

<form action="http://www.thesite.com/forum/profile.php"  method="post">
Note that the address http://www.thesite.com/forum/ is the path to the forum's root on the site, which you can see at the top of the page. For example, in the case of this forum the address will be:
http://www.phpbb.com/phpBB/profile.php

Finally save the file as exploit.html

EXECUTING THE EXPLOIT:
Now we only need to go to the page and if we are a registered user enter to edit our profile clicking on the Profile link. Then GO AND OPEN your exploit.html FILE and just click SUBMIT. You should get the Confirmation Message for your Profile Edition. Now you actually changed your online status to hidden mode.

I've only tested this EXPLOIT for ALREADY REGISTERED USERS but it should be the same when a new user enters the registration page. The mechanics should go as follows:
- enter registration page
- download the source code
- change the source code with the instructions I posted
- fill in the form as you like
- then hit submit


WHY DID IT WORK?
Well, because you DON'T need to UPLOAD the file to the server: all the information that you send to the server is controlled from the client. So we only altered the HTML page that was displayed by the PHP page and sent it to the server. Because the server is expecting the variable "hideonline", we only changed the value to 1 instead of 0, and the server gets it, says OK I have it, and saves it in the DB.

FUTURE WORK TO PREVENT THE EXPLOIT:
We have to hardcode the PHP that receives the information on the server side to check whether the value of hideonline equals 0; if so, we save it in the DB. If it isn't equal to 0, then you can redirect the page to the registration again, or instead just force the value by assigning it on the server side to 0 again and then save it in the database.

NOTE:
If the exploit doesn't work then post your problem here to help you.
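
The server-side check proposed in the post above, as an added example that is not part of the original thread and is not phpBB's own code. It goes slightly beyond the post by letting admins keep the option (the case asked about earlier in the thread). The function name and role constants are hypothetical; only the form field `hideonline` and the column `user_allow_viewonline` come from the thread.

```php
<?php
// Added example, not phpBB code. Names below are hypothetical; only the form
// field "hideonline" and the column user_allow_viewonline come from the thread.
const ROLE_MEMBER = 0; // assumed role values, loaded from the
const ROLE_ADMIN  = 1; // server-side session, never from the request

/**
 * Returns [value for user_allow_viewonline (1 = visible, 0 = hidden),
 *          true if the request asked for something the policy forbids].
 */
function resolve_viewonline(array $post, int $role): array
{
    // Only the exact string "1" counts as "hide"; a missing field,
    // an array, "2" or "" are all treated as "do not hide".
    $wantsHide = isset($post['hideonline']) && $post['hideonline'] === '1';

    if ($role !== ROLE_ADMIN) {
        // Members may never hide: the submitted value is ignored, so an
        // edited hidden field changes nothing. The flag lets the caller log it.
        return [1, $wantsHide];
    }
    return [$wantsHide ? 0 : 1, false];
}

// Constructed sample submissions: [POST data, role from the session].
$cases = [
    'member, untouched form' => [['hideonline' => '0'], ROLE_MEMBER],
    'member, edited form'    => [['hideonline' => '1'], ROLE_MEMBER],
    'member, field removed'  => [[], ROLE_MEMBER],
    'admin chooses to hide'  => [['hideonline' => '1'], ROLE_ADMIN],
    'admin, malformed value' => [['hideonline' => ['1']], ROLE_ADMIN],
];

foreach ($cases as $label => [$post, $role]) {
    [$allow, $rejected] = resolve_viewonline($post, $role);
    printf("%-24s user_allow_viewonline=%d%s\n",
        $label, $allow, $rejected ? '  (forbidden value ignored)' : '');
}
```

The returned value is what gets written to `user_allow_viewonline`, so the result is the same regardless of which page the form was submitted from.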
safeTsurfa
I've Been Banned!
Posts: 1959
Joined: Sat May 08, 2004 10:21 am
Location: United Kingdom
Contact:

Blocking the remote access exploit

Post by safeTsurfa »

Not tested, but this anti-hotlink should work. Upload an HTACCESS file into the phpbb root folder, or above if it's in a sub-folder of a domain. In that HTACCESS file enter the following:

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule \.(php|tpl|inc|htm|html)$ - [F]
Also into the root folder for the domain, enter a robots.txt file, containing the following entries:

Code:

User-agent: *
     Disallow: /forum/

User-agent: *
     Disallow: /*.inc
     Disallow: /*.tpl
     Disallow: /*.php
safeTsurfa