
Users names can be changed even though set to NOT TO

Moderators: OldWolf, re*s.t.a.r.s.*2


Postby waiheke » Thu Nov 04, 2010 12:41 am

re*s.t.a.r.s.*2 wrote: Oldwolf
if $userIsLogged is empty or not set, it will redirect you anyway in the code I put, doesn't it?
Although your code is good too..
I have put that code before finding the security issue at waiheke's site.
Remember I am still a noob at all these coding things

The security issues you mention are:

1. logging in and banning me
That is now fixed.
http://www.phpfreechat.net/forum/viewtopic.php?id=4647
It would only ever happen, of course, if someone had been given admin status.

2. flooding the channel with spam using /notice.
I might think that's a general security issue not just specific to my chat

3. Being able to change the nickname, despite setting it as frozen, is out-of-the-box webpage setup.
This is a bug report thread - I am simply reporting a bug that I have seen.



:)
Last edited by waiheke on Thu Nov 04, 2010 3:12 am, edited 1 time in total.
waiheke
Member
 
Posts: 126
Joined: Sun Sep 12, 2010 4:33 pm

Postby re*s.t.a.r.s.*2 » Thu Nov 04, 2010 3:11 am

waiheke wrote:
re*s.t.a.r.s.*2 wrote: Oldwolf
if $userIsLogged is empty or not set, it will redirect you anyway in the code I put, doesn't it?
Although your code is good too..
I have put that code before finding the security issue at waiheke's site.
Remember I am still a noob at all these coding things

The security issues you mention are:

1. logging in and banning me
That is now fixed.
It could also only ever happen if someone has been given the pre-approval, as you were.

2. flooding the channel with spam using /notice.
I might think that's a general security issue not just specific to my chat

3. Being able to change the nickname, despite setting it as frozen, is out-of-the-box webpage setup.
This is a bug report thread - I am simply reporting a bug.

I am keen to help resolve it.

:)

As I told you before, I didn't know that got me level of admin, and when I banned you it was to show you that if somebody was registered they could ban anyone without you knowing this...
and that wasn't the purpose of the registration... and that about the notice command I showed to you and once to your stupid moderators, you weren't there at that particular time, to see what really happens you are so over the top....
and this is not a damn bug from the script, get it straight. At my site never had this kind of issues as standalone as with registration system that is a normal thing to happen ... so get it straight you are so wrong, and being arrogant doesn't make you more smart.. but a smart ARSE...
Just fix your registration system so you don't get this kind of stuff anymore.. period and "MAY THE FORCE BE WITH YOU"...
re*s.t.a.r.s.*2
Support Team
 
Posts: 612
Joined: Wed Sep 24, 2008 4:04 pm
Location: los angeles CA

Postby waiheke » Thu Nov 04, 2010 3:14 am

.. is not a damn bug from the script, get it straight. At my site never had this kind of issues as standalone as with registration system that is a normal thing to happen ... so get it straight you are so wrong, and being arrogant doesn't make you more smart.. but a smart ARSE...
Just fix your registration system so you don't get this kind of stuff anymore.. period and "MAY THE FORCE BE WITH YOU"...

What the ???
Where do you get off on the personal attacks ?
gee whiz !! do you see me 'bad mouthing' you?
what IS your problem ??

do you want me to post the chat log where your foul mouth let rip much to my astonishment ?
dude, if you can't control your temper, go away ...

(there must be an ignore button somewhere)

.. Remember I am still a noob at all these coding things

then why are you here calling me a smart arse ?????
what are you doing here ???

My mum always said if you can't say something nice, don't say anything
Last edited by waiheke on Thu Nov 04, 2010 3:30 am, edited 1 time in total.

Postby waiheke » Thu Nov 04, 2010 3:35 am

OldWolf wrote:Wouldn't that throw a notice? If so:
Code:
if (!isset($_SESSION['name']) || empty($_SESSION['name'])) {
    header("Location: index.php");
    exit; // stop here so the rest of the page does not run after the redirect
}


will try that

:)

thanks

Postby re*s.t.a.r.s.*2 » Thu Nov 04, 2010 4:40 am

waiheke wrote:What the ???
Where do you get off on the personal attacks ?
gee whiz !! do you see me 'bad mouthing' you?
what IS your problem ??

do you want me to post the chat log where your foul mouth let rip much to my astonishment ?
dude, if you can't control your temper, go away ...

(there must be an ignore button somewhere)

.. Remember I am still a noob at all these coding things

then why are you here calling me a smart arse ?????
what are you doing here ???

My mum always said if you can't say something nice, don't say anything

Man to the hell with you, this ends now.. not worth it

Postby waiheke » Thu Nov 04, 2010 8:42 am

re*s.t.a.r.s.*2 wrote:Man to the hell with you, this ends now.. not worth it

Thank you very much, that's a relief

Moving on ....

Oldwolf, the code above works perfectly if the user opens another chat page, ie chat.php.

However, if they open a new login page and start a new session, following the usual routine, and put in another name -- when they get to the chat page, there is an instant change of nickname occurring. And then all they have to do is close the first browser window.

So thinking about it, there's one constant that can never be changed, and that's the IP.

I did think of storing each IP in a database, as a user enters - but you can't rely on people exiting properly, and thus allowing the entry in the database to be deleted.

But of course the IP is in the container, in the files named "ip".
The IP info of all users online at that moment is already there.

I wrote a page that burrows down into the files in the recursed data folder, specifically:
"data/private/chat/$sessionid/nickid-to-metadata/";
and then cycles through the folders (the online users)

eg, data/private/chat/s_f5fc3dxxxxad612761bd0ce48f68c097/nickid-to-metadata/fe2f5b230767d7da8xxxx8a3c9e972e8097f2e4c/ip
and then stumbled into an error 403 - access forbidden !

Oh to be so close !!
Is there another step forward I could take, or am I on the wrong track do you think?

Postby waiheke » Thu Nov 04, 2010 8:44 am

Or is there a simple additional routine that could be run, to store all IPs, independently of the container?

Postby waiheke » Thu Nov 04, 2010 1:15 pm

NOT tested

Code:
<?php
// Address of the visitor requesting this page.
$ipz = $_SERVER['REMOTE_ADDR'];

$dir = "data/private/chat/s_<insert your own unique container id string here>/nickid-to-metadata/";
$alreadyOnline = false;
if (is_dir($dir)) {
    if ($dh = opendir($dir)) {
        // Each sub-folder is one online user.
        while (($folder = readdir($dh)) !== false) {
            if ($folder === '.' || $folder === '..') {
                continue;
            }
            // Read the stored IP as plain data (assumes the "ip" file holds just
            // the address); include would execute the file as PHP.
            $metaip = @file_get_contents($dir . $folder . "/ip");
            if ($metaip !== false && trim($metaip) === $ipz) {
                $alreadyOnline = true;
                break;
            }
        }
        closedir($dh);
    }
}
// Refuse the login when the visitor's IP already belongs to an online user.
if ($alreadyOnline) {
    echo "<br><span class=style1>You are already logged in on IP address " . $ipz . "</span>";
    exit;
}
?>
Last edited by waiheke on Thu Nov 04, 2010 1:16 pm, edited 1 time in total.

Postby OldWolf » Thu Nov 04, 2010 4:41 pm

I would strongly recommend against using any sort of IP handling. There are many flaws with that, simply because malicious users can get around it (really easily) and legitimate users can be frustrated by it (think of two people both accessing your chat at school, as an example).

What I would suggest instead is adding more control to how a person logs in. Make registration just a little more of a hassle, so that a one-time user won't be bothered by it, but someone trying to register three names will get weary of it. Also, I'd suggest examining why you care if a user can change their name (it doesn't sound like a problem to me, but I don't know the whole story)... if they're getting some advantage from changing names, I'd suggest brainstorming a way to take that advantage away instead.
OldWolf
Site Admin
 
Posts: 1918
Joined: Sun Sep 23, 2007 5:48 am

Postby waiheke » Sat Nov 06, 2010 11:38 am

Points are well taken

Hmmm
Okay, thanks

:)
