MyBB Community Forums

Full Version: Is this fine? Core Edit
I was adding the ACP PIN from the tutorial that Paul made, and it seems like it has changed and differs from what is said in the tutorial, so I took a wild shot, read the PHP code and added it like this:

*Scroll to the end
if($mybb->input['action'] == "unlock")
{
	$user = array();
	if($mybb->input['username'])
	{
		$query = $db->simple_select("users", "*", "LOWER(username)='".$db->escape_string(my_strtolower($mybb->input['username']))."'");
		$user = $db->fetch_array($query);
		if(!$user['uid'])
		{
			$error[] = $lang->error_invalid_username;
		}
	}
	else if($mybb->input['uid'])
	{
		$query = $db->simple_select("users", "*", "uid='".intval($mybb->input['uid'])."'");
		$user = $db->fetch_array($query);
		$acpuid = $mybb->user['uid'];
		// WHAT I ADDED
		if (isset($config['acp_pin'][$acpuid]) && $mybb->input['pin'] != $config['acp_pin'][$acpuid]) {
			$default_page->show_login("Invalid PIN","error");
		}
		// END | Nothing else was changed, just this portion was added.

		if(!$user['uid'])
		{
			$error[] = $lang->error_invalid_uid;
		}
	}

Tutorial:
http://www.mybbsecurity.net/topic-add-se...-acp-login

Would what I added cause a security issue or is that fine?

Thanks,
Hydra
Place it at the top of the file; you don't want any code running at all if the user is a guest.
On top where?
[Image: YSAoiVr.png]
No colour. The top.
I'm not sure you understand, unless I'm misunderstanding you.

I am a guest when I go to ACP to log in. What exactly is happening when I move it to the top? Btw, the file I'm editing is ./admin/index.php
You should also heed post #2 of that page you linked to, it's good advice.

And a few posts below it's even there as a plugin, why not just use that if you absolutely want it.
(2013-07-31, 10:55 PM)frostschutz Wrote: You should also heed post #2 of that page you linked to, it's good advice.

And a few posts below it's even there as a plugin, why not just use that if you absolutely want it.

A plugin isn't what I need because that is changeable through ACP, but no one will have access to files directly besides me. It's more secure.

And I have updated the code regarding Post #2



Now back to the question: is the way I have it fine, or do I still need to move it as was suggested before? I tested it and it works fine, but I'm not sure if there is a security vuln now.
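
Added example, not part of the thread and not MyBB code: a sketch contrasting the PIN check nested in one branch of the "unlock" action, as in the snippet shown in the first post, with a gate that runs before any action code, and comparing the PIN with hash_equals() instead of !=. The function names, return strings and sample values are assumptions made for illustration; only $config['acp_pin'] and the input names come from the posted snippet.

```php
<?php
// Added illustration, not MyBB code. $config['acp_pin'] and the "pin",
// "action", "username" and "uid" inputs are taken from the posted snippet;
// the function names and return strings are hypothetical.

// True when the request may proceed. Users without a configured PIN are not
// gated, matching the isset() test in the posted snippet.
function acp_pin_ok(array $config, $uid, array $input)
{
    if (!isset($config['acp_pin'][$uid])) {
        return true;
    }
    $supplied = isset($input['pin']) ? $input['pin'] : '';
    if (!is_string($supplied)) {
        return false; // pin[]=... arrives as an array, never a valid PIN
    }
    // hash_equals() (PHP 5.6+) is constant-time and does no numeric juggling;
    // with != the strings "0123" and "123" compare as equal.
    return hash_equals((string) $config['acp_pin'][$uid], $supplied);
}

// Placement as posted: the check lives in one sub-branch of one action.
function handle_nested(array $config, $uid, array $input)
{
    if ($input['action'] == 'unlock' && empty($input['username']) && !empty($input['uid'])) {
        return acp_pin_ok($config, $uid, $input) ? 'unlock-by-uid' : 'invalid-pin';
    }
    return 'handled-without-pin-check';
}

// Gate first: no action code runs until the PIN has been verified.
function handle_gated(array $config, $uid, array $input)
{
    if (!acp_pin_ok($config, $uid, $input)) {
        return 'invalid-pin';
    }
    return 'handled-after-pin-check';
}

// Constructed sample data.
$config = array('acp_pin' => array(1 => '0123'));
$requests = array(
    array('action' => 'unlock', 'uid' => '5', 'pin' => '123'),
    array('action' => 'unlock', 'username' => 'someone', 'pin' => 'wrong'),
    array('action' => 'unlock', 'uid' => '5', 'pin' => '0123'),
);
foreach ($requests as $r) {
    echo handle_nested($config, 1, $r), ' | ', handle_gated($config, 1, $r), "\n";
}
```

Each output line shows the nested result and the gated result for the same request, so the request paths on which the nested placement never consults the PIN are visible side by side.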