
Pfc-Chat Login System v1.2 (06/10/2012)

Post a bug fix, a new feature, a theme ...

Moderators: OldWolf, re*s.t.a.r.s.*2

83 posts • Page 4 of 6 • 1, 2, 3, 4, 5, 6

Postby re*s.t.a.r.s.*2 » Tue Jan 03, 2012 4:48 pm

Hi,

Came a bit late..

Glad it worked for you..

Regards
re*s.t.a.r.s.*2
Support Team
 
Posts: 612
Joined: Wed Sep 24, 2008 4:04 pm
Location: los angeles CA

Postby xgamer224 » Sun Mar 04, 2012 7:10 am

Hey very nice! The only problem I can find is that it is very easy for people to locate the password salt/encryption thing.... It took me about 5 mins total to find then de-activate it.... This could be a potential problem for people who attempt to use this for malicious purposes.... But there isn't much you can do about that.... So, all in all, it's an extremely good addition to the program.
xgamer224
Member
 
Posts: 13
Joined: Sun Mar 04, 2012 7:01 am
Location: Austin Texas

Postby re*s.t.a.r.s.*2 » Sun Mar 04, 2012 8:08 am

Hi,
I appreciate your comment; it would be nice if you gave us more info on what you did to reach that conclusion.
The encryption of the hash function is weak; although I am not using md5, sha1() can be decrypted easily too.

To decrypt the hash you need to have access to the database; if you do, the server is already compromised... so decrypting the hash is pointless because we know it is easy to do.

What needs to be taken care of is that nobody has access to the script and can alter things server side or at code level, because that's how you hack a script.

Did you brute force it or just revert the hash set in the database?
If you see a weak spot in the code, let me know.

Thanks, I appreciate it.

Regards, Utan

Postby OldWolf » Sun Mar 04, 2012 8:49 pm

xgamer224 wrote:Hey very nice! The only problem I can find is that it is very easy for people to locate the password salt/encryption thing.... It took me about 5 mins total to find then de-activate it.... This could be a potential problem for people who attempt to use this for malicious purposes.... But there isn't much you can do about that.... So, all in all, it's an extremely good addition to the program.

If you're saying you were able to locate it in the php because you had access to the files, I guess I have to say "well of course you can." Passwords are encrypted so that folks who somehow get access to your database can't read them as plain text. That's the only purpose.
Signature:
Read before Posting: Forum Rules
Note: I am unable to offer support through PM/e-mail at this time.
OldWolf
Site Admin
 
Posts: 1918
Joined: Sun Sep 23, 2007 5:48 am

Postby xgamer224 » Mon Mar 05, 2012 1:53 am

re*s.t.a.r.s.*2 wrote:Hi,
I appreciate your comment; it would be nice if you gave us more info on what you did to reach that conclusion.
The encryption of the hash function is weak; although I am not using md5, sha1() can be decrypted easily too.

To decrypt the hash you need to have access to the database; if you do, the server is already compromised... so decrypting the hash is pointless because we know it is easy to do.

What needs to be taken care of is that nobody has access to the script and can alter things server side or at code level, because that's how you hack a script.

Did you brute force it or just revert the hash set in the database?
If you see a weak spot in the code, let me know.

Thanks, I appreciate it.

Regards, Utan

No, there isn't a weak spot. I just mean that someone who owns a website could use this login interface as some kind of phishing scam. I mean, the admin already gets the user's email address, and he wouldn't even have to decrypt the password if he just slightly edited the code. But, obviously, it isn't your problem.... I'm just saying that you may want to make it slightly harder to decrypt and harder to remove the encryption in the code. Just a recommendation.
Last edited by xgamer224 on Mon Mar 05, 2012 1:55 am, edited 1 time in total.

Postby re*s.t.a.r.s.*2 » Mon Mar 05, 2012 2:15 am

Hi,

That's true, this could happen with any login system. As website owner you have the opportunity to use it as you like; it is up to you whether it is going to be used as it was intended or not.
Making it harder to decrypt is possible; changing the use of sha1 and making the salt more random would help,
but it would make it slower. The point is that all the known hash functions can be easily decrypted.

Not much to do in that regard.

I appreciate your clarification.

Best wishes.

Postby xgamer224 » Mon Mar 05, 2012 2:36 am

re*s.t.a.r.s.*2 wrote:Hi,

That's true, this could happen with any login system. As website owner you have the opportunity to use it as you like; it is up to you whether it is going to be used as it was intended or not.
Making it harder to decrypt is possible; changing the use of sha1 and making the salt more random would help,
but it would make it slower. The point is that all the known hash functions can be easily decrypted.

Not much to do in that regard.

I appreciate your clarification.

Best wishes.

Thanks for replying.... Just out of curiosity, what other coding languages do you know?

Postby re*s.t.a.r.s.*2 » Mon Mar 05, 2012 2:46 am

Hi,
PHP and some JavaScript.

Later.

Postby OldWolf » Mon Mar 05, 2012 10:14 pm

xgamer224 wrote:
re*s.t.a.r.s.*2 wrote:Hi,
I appreciate your comment; it would be nice if you gave us more info on what you did to reach that conclusion.
The encryption of the hash function is weak; although I am not using md5, sha1() can be decrypted easily too.

To decrypt the hash you need to have access to the database; if you do, the server is already compromised... so decrypting the hash is pointless because we know it is easy to do.

What needs to be taken care of is that nobody has access to the script and can alter things server side or at code level, because that's how you hack a script.

Did you brute force it or just revert the hash set in the database?
If you see a weak spot in the code, let me know.

Thanks, I appreciate it.

Regards, Utan

No, there isn't a weak spot. I just mean that someone who owns a website could use this login interface as some kind of phishing scam. I mean, the admin already gets the user's email address, and he wouldn't even have to decrypt the password if he just slightly edited the code. But, obviously, it isn't your problem.... I'm just saying that you may want to make it slightly harder to decrypt and harder to remove the encryption in the code. Just a recommendation.

It is assumed that the admin could do whatever they please with any app. The admin could just as easily write their own app if they wanted to.

Developers don't add hashing to protect against the administrator; it's designed to protect against unauthorized access of the database. A good example would be when phpBB's main forum was exploited, and the attacker was able to download and publish the entire contents of their database... including the user table. Had they not hashed the passwords, anyone could have simply grabbed those passwords and used them at other sites (such as the listed e-mails). Had the password not been salted before hashing, a rainbow table comparison would have provided the password anyway.
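
The salting and "slower hash" points from the posts above, as an added PHP example that is not part of the original thread or of the Pfc-Chat Login System code. The account names, passwords and the `sha1(salt . password)` layout are constructed for illustration; the third step uses PHP's built-in `password_hash()`, which goes beyond what the thread discusses.

```php
<?php
// Added illustration; not taken from the Pfc-Chat Login System source.
// Accounts and passwords below are constructed sample data.
$users = array(
    'alice' => 'sunshine1',
    'bob'   => 'sunshine1',   // same password as alice on purpose
    'carol' => 'Tr0ub4dor&3',
);

// 1) Unsalted SHA-1: equal passwords give equal hashes, so one precomputed
//    (rainbow/lookup) table entry resolves every account that shares it.
$unsalted = array();
foreach ($users as $name => $pw) {
    $unsalted[$name] = sha1($pw);
}

// 2) Per-user random salt (assumed layout: sha1(salt . password)).
//    Equal passwords no longer collide, so a generic precomputed table is
//    useless, but SHA-1 is still fast, so per-account guessing stays cheap.
$salted = array();
foreach ($users as $name => $pw) {
    $salt = bin2hex(random_bytes(16));
    $salted[$name] = array('salt' => $salt, 'hash' => sha1($salt . $pw));
}

// 3) password_hash(): a random salt is generated and stored inside the
//    output string, and the cost parameter makes each guess deliberately slow.
$slow = array();
foreach ($users as $name => $pw) {
    $slow[$name] = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 12));
}

function verify_login(array $store, $name, $candidate) {
    // password_verify() re-derives the hash from the embedded salt and cost
    // and compares in constant time.
    return isset($store[$name]) && password_verify($candidate, $store[$name]);
}

printf("unsalted alice == bob : %s\n", var_export($unsalted['alice'] === $unsalted['bob'], true));
printf("salted   alice == bob : %s\n", var_export($salted['alice']['hash'] === $salted['bob']['hash'], true));
printf("bcrypt   alice == bob : %s\n", var_export($slow['alice'] === $slow['bob'], true));
printf("login alice/sunshine1 : %s\n", var_export(verify_login($slow, 'alice', 'sunshine1'), true));
printf("login alice/wrong     : %s\n", var_export(verify_login($slow, 'alice', 'wrong'), true));

// Migration check: true when a stored hash uses an older cost or algorithm
// and should be re-hashed at the user's next successful login.
printf("needs rehash at cost 13: %s\n",
    var_export(password_needs_rehash($slow['alice'], PASSWORD_BCRYPT, array('cost' => 13)), true));
```

Requires PHP 7.0 or later for `random_bytes()`; `password_hash()`, `password_verify()` and `password_needs_rehash()` are available from PHP 5.5.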

Postby FlexiPack » Wed Apr 04, 2012 10:25 pm

Hi,

Thanks so much for this script. It's just what I was looking for. I have a couple of questions though if you don't mind. The Pfc login system and phpfreechat is working ok but there's a couple of modifications I'd like to make. I apologise in advance because I have absolutely no coding knowledge!

After users have logged in, I'd like them all to be sent to a default room with a name of my choosing. I tried to edit the modified custom index.php (that was originally called index.phpfreechat). I changed line 11 from:

$params['channels'] = $chatChannel;

to...

$params['channels'] = "the name of my chat room";

But I ended up with the following error:

phpFreeChat cannot be initialized, please correct these errors: 'channels' parameter must be an array


I changed the entry back to what it was originally but for some reason it just wouldn't work anymore. I tried overwriting the index.php file but no luck. In the end I had to uninstall PHPFreeChat and reinstall it. It's working again now but I don't want to attempt editing the index.php file again without asking your advice.

Thanks
FlexiPack
New member
 
Posts: 6
Joined: Wed Apr 04, 2012 1:05 am
Top

Postby re*s.t.a.r.s.*2 » Wed Apr 04, 2012 11:50 pm

Hi,

What you need to do is change that setting in the file /login/settings.php.
You will find a line like this:

Code:
$chatChannel = array('Pfc chat'); // N_V- set the name of the room put it between ('hello','room')

Change the array value by adding the channel name you want to use between the single quotes. If you want more, add another string in quotes, separated by a comma, like so:

Code:
$chatChannel = array('Pfc chat','the name of my chat room'); // N_V- set the name of the room put it between ('hello','room')

Now we have 2 channels, 'Pfc chat' and 'the name of my chat room'.

Then run the command "/rehash" as admin (without the quotes) for the new setting to be taken into account.

Regards.

Postby FlexiPack » Thu Apr 05, 2012 8:13 am

Thank you very much!

Postby FlexiPack » Sun Apr 08, 2012 5:44 pm

Is it permitted to change the 'Pfc Login System' logo at the top? I wish to change it to the logo for my group.

Postby re*s.t.a.r.s.*2 » Sun Apr 08, 2012 7:04 pm

Is it permitted to change the 'Pfc Login System' logo at the top? I wish to change it to the logo for my group.

Yes, no problem. If you'd like to have a link back to my site that would be awesome, but if not it's OK too.

Regards

Postby FlexiPack » Sun Apr 08, 2012 11:07 pm

Absolutely, I notice there's already a link to http://vcomputadoras.com/ - is this the site you would like the link to? I'm happy to leave that in there.

I tried changing the logo but for some reason it didn't work. Instead of the new logo I just ended up with an image marker. In chat/login/settings.php I replaced the pfclogin.png (line 69) with my own image file name and I placed my png file in the login/img directory.

Have you any ideas as to why it didn't work?