[BETA] MOD Ban_cookie: Ban users with a cookie

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.
On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
Merlin Sythove
Registered User
Posts: 2339
Joined: Tue Mar 16, 2004 7:42 am


Post by Merlin Sythove » Sun Oct 30, 2005 8:02 am

This MOD has been developed and tested here.

This mod sets a cookie on the user's machine if that user is banned by user_id and/or IP. As long as the cookie matches a banned user_id or banned IP in the database, the user is denied access to the forum so they cannot even see the forum as a guest. Even if the user changes their IP, they are still banned.

The mod works transparently: use the existing ban options in the ACP to ban a user by name or by IP, and the code will take care of setting and maintaining the cookie.

To unban someone, remove the name and/or IP from the lists, and the next time the user visits, the cookie will no longer match a database ban record, and the cookie will be deleted.

No method of banning is fail safe. I won't list the exact method of getting around this MOD but the computer-savvy user can figure it out. However, since it is a simple mod, it is still worthwhile installing it if you have trouble with banned people coming back and you want another level of control.

Code:

############################################################## 
## MOD Title: Ban_cookie
## MOD Author: Merlin Sythove < Merlin@silvercircle.org >
## MOD Description: Give banned users a cookie and check that too, 
##     in addition to the existing checks. Once the cookie is in place: 
##     if it matches the database, the user is banned, even if the user 
##     gets another IP or is not logged in so the user ID is unknown.
## MOD Version: 0.9 
## 
## Installation Level: (Easy/Intermediate/Advanced) 
## Installation Time: 5 Minutes 
## Files To Edit: includes/sessions.php 
## Included Files: (N/A) 
## License: http://opensource.org/licenses/gpl-license.php GNU General Public License v2 
############################################################## 
## For security purposes, please check: http://www.phpbb.com/mods/ 
## for the latest version of this MOD. Although MODs are checked 
## before being allowed in the MODs Database there is no guarantee 
## that there are no security problems within the MOD. No support 
## will be given for MODs not found within the MODs Database which 
## can be found at http://www.phpbb.com/mods/ 
############################################################## 
## Author Notes: 
## 
############################################################## 
## MOD History: 
## 
##   2005-1101: Version 0.9
## 
############################################################## 
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD 
############################################################## 

# 
#-----[ OPEN ]------------------------------------------ 
# 
includes/sessions.php 

# 
#-----[ FIND ]------------------------------------------ 
# 
   $sql = "SELECT ban_ip, ban_userid, ban_email 
      FROM " . BANLIST_TABLE . " 
      WHERE ban_ip IN ('" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . $user_ip_parts[4] . "', '" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . "ff', '" . $user_ip_parts[1] . $user_ip_parts[2] . "ffff', '" . $user_ip_parts[1] . "ffffff') 
         OR ban_userid = $user_id"; 
   if ( $user_id != ANONYMOUS ) 
   { 
      $sql .= " OR ban_email LIKE '" . str_replace("\'", "''", $userdata['user_email']) . "' 
         OR ban_email LIKE '" . substr(str_replace("\'", "''", $userdata['user_email']), strpos(str_replace("\'", "''", $userdata['user_email']), "@")) . "'"; 
   } 
   if ( !($result = $db->sql_query($sql)) ) 
   { 
      message_die(CRITICAL_ERROR, 'Could not obtain ban information', '', __LINE__, __FILE__, $sql); 
   } 

   if ( $ban_info = $db->sql_fetchrow($result) ) 
   { 
      if ( $ban_info['ban_ip'] || $ban_info['ban_userid'] || $ban_info['ban_email'] ) 
      { 
         message_die(CRITICAL_MESSAGE, 'You_been_banned'); 
      } 
   } 

# 
#-----[ REPLACE WITH ]------------------------------------------ 
# 
  //START MOD Ban_cookie
  //Give banned users a cookie and check that too, in addition to the existing checks.
  //Once the cookie is in place: if it matches the database, the user is banned,
  //even if the user gets another IP or is not logged in so the user ID is unknown.

  //Use the same path/domain/secure settings as phpBB's own session cookies,
  //otherwise the ban cookie can end up set for a path the forum never reads it from.
  $cookie_ip_name = $board_config['cookie_name'] . '_banned_ip';
  $cookie_id_name = $board_config['cookie_name'] . '_banned_id';
  $cookie_path    = $board_config['cookie_path'];
  $cookie_domain  = $board_config['cookie_domain'];
  $cookie_secure  = $board_config['cookie_secure'];

  //Get cookie ban settings. The cookie is client-controlled input and goes into
  //an SQL query, so validate it first: phpBB stores ban_ip as 8 hex digits and
  //ban_userid is an integer. Anything else is discarded, never queried.
  $ban_cookie = false;
  $raw_banned_ip = isset($HTTP_COOKIE_VARS[$cookie_ip_name]) ? $HTTP_COOKIE_VARS[$cookie_ip_name] : '';
  $raw_banned_id = isset($HTTP_COOKIE_VARS[$cookie_id_name]) ? $HTTP_COOKIE_VARS[$cookie_id_name] : '';
  $banned_ip = preg_match('/^[0-9a-f]{8}$/', $raw_banned_ip) ? $raw_banned_ip : '';
  $banned_id = intval($raw_banned_id);
  //A cookie that was present but malformed is expired straight away
  if ( $raw_banned_ip != '' && !$banned_ip ) setcookie($cookie_ip_name, '', time() - 3600, $cookie_path, $cookie_domain, $cookie_secure);
  if ( $raw_banned_id != '' && !$banned_id ) setcookie($cookie_id_name, '', time() - 3600, $cookie_path, $cookie_domain, $cookie_secure);

  //Yes, cookie ban settings were there. See if they match the database.
  //If not, delete cookie.
  if ( $banned_ip || $banned_id )
  {
    $sql = "SELECT ban_ip, ban_userid
      FROM " . BANLIST_TABLE . "
      WHERE ";
    $sql .= ( $banned_ip ) ? "ban_ip = '" . $banned_ip . "'" : '';
    $sql .= ( $banned_id ) ? ( ( $banned_ip ) ? ' OR ' : '' ) . 'ban_userid = ' . $banned_id : '';
    if ( !($result = $db->sql_query($sql)) )
    {
      message_die(CRITICAL_ERROR, 'Could not obtain ban information', '', __LINE__, __FILE__, $sql);
    }
    if ( $ban_info = $db->sql_fetchrow($result) )
    {
      $ban_cookie = ( $ban_info['ban_ip'] || $ban_info['ban_userid'] );
    }
    //There was a cookie but no match in the database, so the ban is lifted:
    //delete the cookie by setting the expiry time 1 hour ago
    if ( !$ban_cookie )
    {
      if ( $banned_ip ) setcookie($cookie_ip_name, '', time() - 3600, $cookie_path, $cookie_domain, $cookie_secure);
      if ( $banned_id ) setcookie($cookie_id_name, '', time() - 3600, $cookie_path, $cookie_domain, $cookie_secure);
    }
  }
  //Have $ban_cookie: if true, the user is banned via a cookie.
  //If false, then there was no cookie, or there was no LONGER a database match so the cookie was deleted

  //Check if there is database ban info - this is the original phpBB ban code
  $ban_database = false;
  $sql = "SELECT ban_ip, ban_userid, ban_email
    FROM " . BANLIST_TABLE . "
    WHERE ban_ip IN ('" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . $user_ip_parts[4] . "', '" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . "ff', '" . $user_ip_parts[1] . $user_ip_parts[2] . "ffff', '" . $user_ip_parts[1] . "ffffff')
      OR ban_userid = $user_id";
  if ( $user_id != ANONYMOUS )
  {
    $sql .= " OR ban_email LIKE '" . str_replace("\'", "''", $userdata['user_email']) . "'
      OR ban_email LIKE '" . substr(str_replace("\'", "''", $userdata['user_email']), strpos(str_replace("\'", "''", $userdata['user_email']), "@")) . "'";
  }
  if ( !($result = $db->sql_query($sql)) )
  {
    message_die(CRITICAL_ERROR, 'Could not obtain ban information', '', __LINE__, __FILE__, $sql);
  }
  if ( $ban_info = $db->sql_fetchrow($result) )
  {
    $ban_database = ( $ban_info['ban_ip'] || $ban_info['ban_userid'] || $ban_info['ban_email'] );
    //Fill these variables from database if not filled from cookie yet
    if ( !$banned_ip ) $banned_ip = $ban_info['ban_ip'];
    if ( !$banned_id ) $banned_id = $ban_info['ban_userid'];
  }

  //User is banned in some way?
  if ( $ban_cookie || $ban_database )
  {
    //Set the ban cookie, time it for 1 year. The time restarts every time the user comes here
    $cookie_expire = time() + 365 * 24 * 3600;
    if ( $banned_ip ) setcookie($cookie_ip_name, $banned_ip, $cookie_expire, $cookie_path, $cookie_domain, $cookie_secure);
    if ( $banned_id ) setcookie($cookie_id_name, $banned_id, $cookie_expire, $cookie_path, $cookie_domain, $cookie_secure);
    //Close the forum to this person
    message_die(CRITICAL_MESSAGE, 'You_been_banned');
  }
  //END MOD Ban_cookie

# 
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------ 
# 
# EoM
WARNING

If you test this, follow this procedure, because once it works, the cookie is on your computer and even though you are admin, you won't be able to get to the login screen anymore!!!
  1. Make sure you can access phpMyAdmin to access your database. (If you can't, get a friend on a different computer to play hacker.)
  2. Create a test user
  3. Ban the test user using the name and/or IP
  4. Log out and log in as the test user. Once you have logged in the cookie will be set and you will see that you are banned.
  5. Try to come back to see the index as a guest. You should not be able to even see the index page as guest. This will only work if there is no existing session for you as admin with auto-login in operation, so either wait 1 hour or remove the session record from the database.
  6. Once you are satisfied that it all works, try to go to your forum to log in as Admin. Realise that this will not work.
  7. In phpMyAdmin, open the banlist table and remove the record (probably the last record with the highest user_id) that banned you.
  8. Surf to the forum again to log in, verify that it works this time.
  9. Log in as admin
I have tested it successfully and implemented the code.

Small addition: To avoid any confusion, the existing original phpBB ban code that checks IP, user email address and/or user ID, is still present and working!! This MOD simply adds a fourth check to the existing three, so that people who change their IP won't be able to get on your forum either. And also they don't have to be logged in (or trying to) before the ban is effective - this MOD will show ban messages when a banned person simply surfs to the index page, without logging in.
Last edited by Merlin Sythove on Mon Oct 31, 2005 7:21 am, edited 6 times in total.
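The ban flow described in the post above, written out as an added example so it can be stepped through offline; this is editor-supplied illustration code, not the MOD's or phpBB's own. It uses sqlite3 in place of phpBB's MySQL banlist and plain dicts in place of $HTTP_COOKIE_VARS and setcookie(); the function names, the BanResult type, the constructed banlist row and the cookie name "phpbb2mysql" are assumptions, while the 8-hex-digit IP encoding and the three 'ff' wildcard forms follow the original ban query shown in the FIND block. It also shows the check a practitioner wants and the MOD as posted does not do: the cookie is client-controlled, so its value is validated before it reaches SQL.

```python
import re
import sqlite3
from dataclasses import dataclass, field

ANONYMOUS = -1                 # phpBB2's guest user_id
COOKIE_NAME = "phpbb2mysql"    # assumed value of $board_config['cookie_name']
HEX_IP = re.compile(r"^[0-9a-f]{8}$")


def encode_ip(dotquad):
    """phpBB2 stores an IP as 8 hex digits: 83.168.36.49 -> '53a82431'."""
    return "".join("%02x" % int(octet) for octet in dotquad.split("."))


def ip_candidates(hexip):
    """The exact IP plus the three 'ff' wildcard forms the original ban query tests."""
    return [hexip, hexip[:6] + "ff", hexip[:4] + "ffff", hexip[:2] + "ffffff"]


@dataclass
class BanResult:
    banned: bool
    via_cookie: bool
    set_cookies: dict = field(default_factory=dict)  # name -> value; '' means expire it


def ban_check(db, user_id, user_ip, user_email, cookies):
    """One request through the MOD's logic. user_ip is already hex-encoded."""
    ip_key, id_key = COOKIE_NAME + "_banned_ip", COOKIE_NAME + "_banned_id"
    set_cookies = {}

    # The cookie is attacker-controlled input: validate it before it reaches SQL.
    raw_ip, raw_id = cookies.get(ip_key, ""), cookies.get(id_key, "")
    banned_ip = raw_ip if HEX_IP.match(raw_ip) else ""
    banned_id = int(raw_id) if raw_id.isdigit() else 0
    if raw_ip and not banned_ip:
        set_cookies[ip_key] = ""   # malformed: expire it instead of querying with it
    if raw_id and not banned_id:
        set_cookies[id_key] = ""

    # Check 1: does the cookie still match a banlist row? If not, the ban was lifted.
    via_cookie = False
    if banned_ip or banned_id:
        clauses, params = [], []
        if banned_ip:
            clauses.append("ban_ip = ?")
            params.append(banned_ip)
        if banned_id:
            clauses.append("ban_userid = ?")
            params.append(banned_id)
        row = db.execute("SELECT ban_ip, ban_userid FROM banlist WHERE "
                         + " OR ".join(clauses), params).fetchone()
        via_cookie = row is not None and bool(row[0] or row[1])
        if not via_cookie:
            for key, val in ((ip_key, banned_ip), (id_key, banned_id)):
                if val:
                    set_cookies[key] = ""

    # Check 2: the original phpBB ban query (IP with wildcards, user id, e-mail).
    sql = ("SELECT ban_ip, ban_userid, ban_email FROM banlist "
           "WHERE ban_ip IN (?, ?, ?, ?) OR ban_userid = ?")
    params = ip_candidates(user_ip) + [user_id]
    if user_id != ANONYMOUS and "@" in user_email:
        sql += " OR ban_email LIKE ? OR ban_email LIKE ?"
        params += [user_email, user_email[user_email.index("@"):]]
    row = db.execute(sql, params).fetchone()
    via_db = row is not None and bool(row[0] or row[1] or row[2])
    if via_db:
        banned_ip = banned_ip or row[0]   # fill the cookie values from the DB row
        banned_id = banned_id or row[1]

    if via_cookie or via_db:
        if banned_ip:
            set_cookies[ip_key] = banned_ip       # the MOD gives these a one-year lifetime
        if banned_id:
            set_cookies[id_key] = str(banned_id)
        return BanResult(True, via_cookie, set_cookies)
    return BanResult(False, False, set_cookies)


def build_db():
    """Constructed in-memory stand-in for phpbb_banlist with one ban: user 42 banned by name."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE banlist (ban_id INTEGER PRIMARY KEY, ban_userid INTEGER NOT NULL DEFAULT 0,"
               " ban_ip TEXT NOT NULL DEFAULT '', ban_email TEXT NOT NULL DEFAULT '')")
    db.execute("INSERT INTO banlist (ban_userid) VALUES (42)")
    return db


def walkthrough():
    """The test procedure from the post, plus the bypass discussed in the replies."""
    db, jar = build_db(), {}
    home, proxy = encode_ip("83.168.36.49"), encode_ip("10.0.0.7")
    # 1. banned user 42 logs in from home: the DB ban fires and the cookie is planted
    r1 = ban_check(db, 42, home, "troll@example.org", jar)
    jar.update({k: v for k, v in r1.set_cookies.items() if v})
    # 2. same browser, guest session, new IP via a proxy: only the cookie matches, still banned
    r2 = ban_check(db, ANONYMOUS, proxy, "", jar)
    # 3. cookie cleared and new IP: nothing left to match, the user is back in
    r3 = ban_check(db, ANONYMOUS, proxy, "", {})
    # 4. tampered cookie: rejected and expired rather than interpolated into SQL
    r4 = ban_check(db, ANONYMOUS, proxy, "", {COOKIE_NAME + "_banned_id": "0 OR 1=1"})
    # 5. admin removes the ban: on the next visit the stale cookie is expired
    db.execute("DELETE FROM banlist WHERE ban_userid = 42")
    r5 = ban_check(db, ANONYMOUS, proxy, "", jar)
    return r1, r2, r3, r4, r5


if __name__ == "__main__":
    for step, result in enumerate(walkthrough(), 1):
        print(step, result)
```

Steps 2 and 3 are the two sides of the argument in the replies below: a proxy alone does not help once the cookie is planted, and clearing the cookie plus changing IP does. Step 4 is the reason for the validation: in the MOD as posted the cookie value is concatenated into the WHERE clause as-is, so an 8-hex-digit/integer check (or parameterised queries, as here) is the minimum before it is used.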

esserdk
Registered User
Posts: 85
Joined: Sat Mar 26, 2005 11:27 am
Location: EU,Denmark,Kokkedal

Post by esserdk » Sun Oct 30, 2005 8:18 am

I have tested it on a vanilla phpBB2 forum and as far as I can see it's VERY EASY to crack through. I started by trying to proxy through, and it was a successful try; I did get through.

I'd also tried by just removing the cookie from my browser and I got through, so it's very insecure, but some people may not know how to crack through.

If I should rate it I would rate it 3/5 = Good Job! (It needs some work but it's good as is :) )

Merlin Sythove
Registered User
Posts: 2339
Joined: Tue Mar 16, 2004 7:42 am

Post by Merlin Sythove » Sun Oct 30, 2005 8:25 am

esserdk wrote: If I should rate it I would rate it 3/5 = Good Job! (It needs some work but it's good as is :) )


Thanks for the positive comment, and yes, no banning is fail safe, most of it is easy to crack.

This mod ADDS another level of safety, on top of the existing banning by user_id and IP, which of course remain completely unaltered in this mod.

eman
Registered User
Posts: 254
Joined: Wed Jun 22, 2005 7:51 pm

Post by eman » Sun Oct 30, 2005 8:41 am

Just for admin purposes, if you create two accounts, ban one, and the cookie is set, log into the admin account. It should give you the banned message. Then, just simply go to Tools -> Options and click Clear next to the cookie tab. Then go reload the page, and click Yes when it gives you the "POSTDATA" warning. (Because you want to log in again, and the postdata is a way to do that, without entering it over and over :P)

This should log you into the admin panel.
(Note: I used Mozilla Firefox for this "clear cookies" example, but most browsers will allow you to clear your cookies from the Tools or Options menu, just look around.)

eman
Registered User
Posts: 254
Joined: Wed Jun 22, 2005 7:51 pm

Post by eman » Sun Oct 30, 2005 8:54 am

esserdk wrote: I have tested it on a vanilla phpBB2 forum and as far as I can see it's VERY EASY to crack through. I started by trying to proxy through, and it was a successful try; I did get through.

I'd also tried by just removing the cookie from my browser and I got through, so it's very insecure, but some people may not know how to crack through.

If I should rate it I would rate it 3/5 = Good Job! (It needs some work but it's good as is :) )


Wait a second though, I just noticed - you won't be able to proxy through if the cookie is already set on the computer, which is the main point of the cookie.

Follow the step by step instructions above on how to test this, and see if it works again after, by proxying through (it shouldn't, I've tried).

Merlin Sythove
Registered User
Posts: 2339
Joined: Tue Mar 16, 2004 7:42 am

Post by Merlin Sythove » Sun Oct 30, 2005 9:15 am

If you test it, make sure there is no session with automatic login active on your admin account! Because that will let you as far as the index page.

Merlin Sythove
Registered User
Posts: 2339
Joined: Tue Mar 16, 2004 7:42 am

Post by Merlin Sythove » Sun Oct 30, 2005 9:20 am

eman wrote: just for admin purposes, if you create two accounts, ban one, and the cookie is set, log into the admin accoun. It should give you the banned message....


You can't. If your old admin session is no longer there, you cannot even open the index page to log in, nor use a direct URL to the login page.
Then, just simply go to Tools -> Options and click clear next to the cookie tab.


That works, after that you can visit the index page and log in as admin. But you DO lose all your cookies and you may not want that.

esserdk
Registered User
Posts: 85
Joined: Sat Mar 26, 2005 11:27 am
Location: EU,Denmark,Kokkedal

Post by esserdk » Sun Oct 30, 2005 10:51 am

eman wrote:
esserdk wrote: I have tested it on a vanilla phpBB2 forum and as far as I can see it's VERY EASY to crack through. I started by trying to proxy through, and it was a successful try; I did get through.

I'd also tried by just removing the cookie from my browser and I got through, so it's very insecure, but some people may not know how to crack through.

If I should rate it I would rate it 3/5 = Good Job! (It needs some work but it's good as is :) )


Wait a second though, I just noticed - you won't be able to proxy through if the cookie is already set on the computer, which is the main point of the cookie.

Follow the step by step instructions above on how to test this, and see if it works again after, by proxying through (it shouldn't, I've tried).


Call it whatever you want, but I was able to, because basically with a proxy it does this:

You enter the address, it sends it to the proxy, which gets the request; then it goes to the selected page and gives you the result, so it will record the proxy's IP for the session and not yours :)

inokis
Registered User
Posts: 11
Joined: Wed Oct 26, 2005 2:18 am

Post by inokis » Sun Oct 30, 2005 10:52 am

I haven't implemented it, but I was reading through the original topic and now this one. It's very impressive.

I'm not sure how many people innately would consider cookies as a source of a ban; of course after reading this everyone will probably automatically clear their cookies if they know they've been banned.

Nicely done.

esserdk
Registered User
Posts: 85
Joined: Sat Mar 26, 2005 11:27 am
Location: EU,Denmark,Kokkedal

Post by esserdk » Sun Oct 30, 2005 11:02 am

There are also other ways of doing IP security.

you can for example do like this:

Code:

<?php
// REMOTE_ADDR is the address the web server saw the request come from;
// if the visitor goes through a proxy, this is the proxy's address.
$ip = $_SERVER["REMOTE_ADDR"];
$myip = "your.PCs.ip.here";
if ( $ip == $myip )
{
	echo "content";
}
else
{
	echo "you have been banned";
}
?>
I think that it's a slightly better way to protect content, by IP,
because there are no cookies the user can delete to break through :)

This example was from my project called: Content MAnage System Blog wit IP-S.

Merlin Sythove
Registered User
Posts: 2339
Joined: Tue Mar 16, 2004 7:42 am

Post by Merlin Sythove » Sun Oct 30, 2005 11:05 am

esserdk wrote: Call it whatever you want, but I was able to, because basically with a proxy it does this:

You enter the address, it sends it to the proxy, which gets the request; then it goes to the selected page and gives you the result, so it will record the proxy's IP for the session and not yours :)


Provided that there is no old session still active from when you were logged in as admin: once the cookie is in place, it no longer matters what your current IP is, you will be blocked on the basis that the cookie matches a database record.

So if you managed to log in using a proxy, my guess is that you were still able to see the index page and an old session was still active. Delete old admin sessions from the sessions table, or wait 1 hour (or however long your sessions are) and then try again.

Merlin Sythove
Registered User
Posts: 2339
Joined: Tue Mar 16, 2004 7:42 am

Post by Merlin Sythove » Sun Oct 30, 2005 11:10 am

inokis wrote: I haven't implemented it, but I was reading through the original topic and now this one. It's very impressive.

I'm not sure how many people innately would consider cookies as a source of a ban; of course after reading this everyone will probably automatically clear their cookies if they know they've been banned.


If you do, it won't be long before you have another cookie :twisted: Plus, the original ban code is still there and working, you still cannot log in nor post...

Merlin Sythove
Registered User
Posts: 2339
Joined: Tue Mar 16, 2004 7:42 am

Post by Merlin Sythove » Sun Oct 30, 2005 11:14 am

The next step is to make banning more "interesting" than just giving this "You have been banned" message. You could change the message to something less obvious, like "Sorry, we are temporarily closed for maintenance". Or give them a "page not found" page, or "Loading, please wait"...

Merlin Sythove
Registered User
Posts: 2339
Joined: Tue Mar 16, 2004 7:42 am

Post by Merlin Sythove » Sun Oct 30, 2005 11:27 am

esserdk wrote: There are also other ways of doing IP security.

You can for example do like this:

Code:

<?php
$ip = $_SERVER["REMOTE_ADDR"];
$myip = "your.PCs.ip.here";
if( $ip==$myip )
{
echo "content";
}
else
{
echo "you have been banned";
}
?>
I think that it's a slightly better way to protect content, by IP,
because there are no cookies the user can delete to break through :)

This example was from my project called: Content MAnage System Blog wit IP-S.


Hi esserdk,

The existing phpBB banning system already bans by IP. Anyone who reads the phpBB code will see that. In my MOD above, you can see it is still there; as a matter of fact I did take the trouble to write some comments to show where the phpBB original code is, alive and working right inside the MOD... :D

What the ban by cookie does, is ADD an extra level of security, so that once someone is banned, even if they change their IP, they are STILL banned.

eman
Registered User
Posts: 254
Joined: Wed Jun 22, 2005 7:51 pm

Post by eman » Sun Oct 30, 2005 12:01 pm

I banned a friend, and he got this error:

phpBB : Critical Error

Could not obtain ban information

DEBUG MODE

SQL Error : 1054 Unknown column '53a82431' in 'where clause'

SELECT * FROM phpbb_banlist WHERE ban_ip = 53a82431

Line : 166
File : sessions.php
