Index: trunk/CHANGELOG =================================================================== --- trunk/CHANGELOG (revision 431) +++ trunk/CHANGELOG (revision 432) @@ -11,6 +11,8 @@ ! = Update/Change ------------------------------------- 2.7.0 ------------------------------------- +12-Feb-2007 Christian Sommer +! Security enhancement (reduced number of login trials from 50 to 3) 02-Feb-2007 Matthias Gallas # Applied fix for ticket #380 (Thanks to pcwacht) 29-Jan-2007 Matthias Gallas Index: trunk/wb/admin/login/index.php =================================================================== --- trunk/wb/admin/login/index.php (revision 431) +++ trunk/wb/admin/login/index.php (revision 432) @@ -1,70 +1,70 @@ - - Copyright (C) 2004-2007, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -*/ - -require_once("../../config.php"); -require_once(WB_PATH."/framework/class.login.php"); - -if(defined('SMART_LOGIN') AND SMART_LOGIN == 'enabled') { - // Generate username field name - $username_fieldname = 'username_'; - $password_fieldname = 'password_'; - $salt = "abchefghjkmnpqrstuvwxyz0123456789"; - srand((double)microtime()*1000000); - $i = 0; - while ($i <= 7) { - $num = rand() % 33; - $tmp = substr($salt, $num, 1); - $username_fieldname = $username_fieldname . $tmp; - $password_fieldname = $password_fieldname . $tmp; - $i++; - } -} else { - $username_fieldname = 'username'; - $password_fieldname = 'password'; -} - -$thisApp = new Login( - array( - 'MAX_ATTEMPS' => "50", - 'WARNING_URL' => ADMIN_URL."/login/warning.html", - 'USERNAME_FIELDNAME' => $username_fieldname, - 'PASSWORD_FIELDNAME' => $password_fieldname, - 'REMEMBER_ME_OPTION' => SMART_LOGIN, - 'MIN_USERNAME_LEN' => "2", - 'MIN_PASSWORD_LEN' => "2", - 'MAX_USERNAME_LEN' => "30", - 'MAX_PASSWORD_LEN' => "30", - 'LOGIN_URL' => ADMIN_URL."/login/index.php", - 'DEFAULT_URL' => ADMIN_URL."/start/index.php", - 'TEMPLATE_DIR' => ADMIN_PATH."/login", - 'TEMPLATE_FILE' => "template.html", - 'FRONTEND' => false, - 'FORGOTTEN_DETAILS_APP' => ADMIN_URL."/login/forgot/index.php", - 'USERS_TABLE' => TABLE_PREFIX."users", - 'GROUPS_TABLE' => TABLE_PREFIX."groups", - ) - ); - + + Copyright (C) 2004-2007, Ryan Djurovich + + Website Baker is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + Website Baker is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with Website Baker; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + +require_once("../../config.php"); +require_once(WB_PATH."/framework/class.login.php"); + +if(defined('SMART_LOGIN') AND SMART_LOGIN == 'enabled') { + // Generate username field name + $username_fieldname = 'username_'; + $password_fieldname = 'password_'; + $salt = "abchefghjkmnpqrstuvwxyz0123456789"; + srand((double)microtime()*1000000); + $i = 0; + while ($i <= 7) { + $num = rand() % 33; + $tmp = substr($salt, $num, 1); + $username_fieldname = $username_fieldname . $tmp; + $password_fieldname = $password_fieldname . $tmp; + $i++; + } +} else { + $username_fieldname = 'username'; + $password_fieldname = 'password'; +} + +$thisApp = new Login( + array( + 'MAX_ATTEMPS' => "3", + 'WARNING_URL' => ADMIN_URL."/login/warning.html", + 'USERNAME_FIELDNAME' => $username_fieldname, + 'PASSWORD_FIELDNAME' => $password_fieldname, + 'REMEMBER_ME_OPTION' => SMART_LOGIN, + 'MIN_USERNAME_LEN' => "2", + 'MIN_PASSWORD_LEN' => "2", + 'MAX_USERNAME_LEN' => "30", + 'MAX_PASSWORD_LEN' => "30", + 'LOGIN_URL' => ADMIN_URL."/login/index.php", + 'DEFAULT_URL' => ADMIN_URL."/start/index.php", + 'TEMPLATE_DIR' => ADMIN_PATH."/login", + 'TEMPLATE_FILE' => "template.html", + 'FRONTEND' => false, + 'FORGOTTEN_DETAILS_APP' => ADMIN_URL."/login/forgot/index.php", + 'USERS_TABLE' => TABLE_PREFIX."users", + 'GROUPS_TABLE' => TABLE_PREFIX."groups", + ) + ); + ?> \ No newline at end of file Index: trunk/wb/account/login.php =================================================================== --- trunk/wb/account/login.php (revision 431) +++ trunk/wb/account/login.php (revision 432) @@ -1,86 +1,86 @@ - - Copyright (C) 2004-2007, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -*/ - -require_once("../config.php"); - -// Make sure the login is enabled -if(!FRONTEND_LOGIN) { - if(INTRO_PAGE) { - header('Location: '.WB_URL.PAGES_DIRECTORY.'/index'.PAGE_EXTENSION); - exit(0); - } else { - header('Location: '.WB_URL.'/index'.PAGE_EXTENSION); - exit(0); - } -} - -// Required page details -$page_id = 0; -$page_description = ''; -$page_keywords = ''; -define('PAGE_ID', 0); -define('ROOT_PARENT', 0); -define('PARENT', 0); -define('LEVEL', 0); -define('PAGE_TITLE', 'Please login'); -define('MENU_TITLE', 'Please login'); -define('VISIBILITY', 'public'); -// Set the page content include file -define('PAGE_CONTENT', WB_PATH.'/account/login_form.php'); - -require_once(WB_PATH.'/framework/class.login.php'); - -// Create new login app -$thisApp = new Login( - array( - "MAX_ATTEMPS" => "50", - "WARNING_URL" => ADMIN_URL."/login/warning.html", - "USERNAME_FIELDNAME" => 'username', - "PASSWORD_FIELDNAME" => 'password', - "REMEMBER_ME_OPTION" => SMART_LOGIN, - "MIN_USERNAME_LEN" => "2", - "MIN_PASSWORD_LEN" => "2", - "MAX_USERNAME_LEN" => "30", - "MAX_PASSWORD_LEN" => "30", - "LOGIN_URL" => WB_URL."/account/login".PAGE_EXTENSION.'?redirect='.$_REQUEST['redirect'], - "DEFAULT_URL" => WB_URL.PAGES_DIRECTORY."/index".PAGE_EXTENSION, - "TEMPLATE_DIR" => ADMIN_PATH."/login", - "TEMPLATE_FILE" => "template.html", - "FRONTEND" => true, - "FORGOTTEN_DETAILS_APP" => WB_URL."/account/forgot.php".PAGE_EXTENSION, - "USERS_TABLE" => TABLE_PREFIX."users", - "GROUPS_TABLE" => TABLE_PREFIX."groups", - "REDIRECT_URL" => $_REQUEST['redirect'] - ) - ); - -// Set extra outsider var -$globals[] = 'thisApp'; - -// Include the index (wrapper) file -require(WB_PATH.'/index.php'); - - + + Copyright (C) 2004-2007, Ryan Djurovich + + Website Baker is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + Website Baker is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with Website Baker; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + +require_once("../config.php"); + +// Make sure the login is enabled +if(!FRONTEND_LOGIN) { + if(INTRO_PAGE) { + header('Location: '.WB_URL.PAGES_DIRECTORY.'/index'.PAGE_EXTENSION); + exit(0); + } else { + header('Location: '.WB_URL.'/index'.PAGE_EXTENSION); + exit(0); + } +} + +// Required page details +$page_id = 0; +$page_description = ''; +$page_keywords = ''; +define('PAGE_ID', 0); +define('ROOT_PARENT', 0); +define('PARENT', 0); +define('LEVEL', 0); +define('PAGE_TITLE', 'Please login'); +define('MENU_TITLE', 'Please login'); +define('VISIBILITY', 'public'); +// Set the page content include file +define('PAGE_CONTENT', WB_PATH.'/account/login_form.php'); + +require_once(WB_PATH.'/framework/class.login.php'); + +// Create new login app +$thisApp = new Login( + array( + "MAX_ATTEMPS" => "3", + "WARNING_URL" => ADMIN_URL."/login/warning.html", + "USERNAME_FIELDNAME" => 'username', + "PASSWORD_FIELDNAME" => 'password', + "REMEMBER_ME_OPTION" => SMART_LOGIN, + "MIN_USERNAME_LEN" => "2", + "MIN_PASSWORD_LEN" => "2", + "MAX_USERNAME_LEN" => "30", + "MAX_PASSWORD_LEN" => "30", + "LOGIN_URL" => WB_URL."/account/login".PAGE_EXTENSION.'?redirect='.$_REQUEST['redirect'], + "DEFAULT_URL" => WB_URL.PAGES_DIRECTORY."/index".PAGE_EXTENSION, + "TEMPLATE_DIR" => ADMIN_PATH."/login", + "TEMPLATE_FILE" => "template.html", + "FRONTEND" => true, + "FORGOTTEN_DETAILS_APP" => WB_URL."/account/forgot.php".PAGE_EXTENSION, + "USERS_TABLE" => TABLE_PREFIX."users", + "GROUPS_TABLE" => TABLE_PREFIX."groups", + "REDIRECT_URL" => $_REQUEST['redirect'] + ) + ); + +// Set extra outsider var +$globals[] = 'thisApp'; + +// Include the index (wrapper) file +require(WB_PATH.'/index.php'); + + ?> \ No newline at end of file