Textpattern CMS support forum

#1 2012-01-09 15:21:03

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248
Website

mck_login

This plugin allows users to log in on the public side and self-register.

Thanks to Jeremy Amos and his plugin ing_password_protect that inspired me.

Usage

After installing and activating the plugin you can insert the functions into a page or form.
This plugin uses the txp_user_public cookie, which is also created on admin login.

Function and Attributes

<txp:mck_show_login />

This function shows the login form and logout link.

class: login form class ==> mck_login_form
remember: remember me with cookie (1/0) ==> 1
logout: show logout? (1/0) ==> 1
logout_user: show logout user as ==> name
wraplogout: logout wrap link ==> p
classlogout: logout wrap class link ==> mck_logout
reglink: link where show registration form ==> /register
regtext: show text invite for register ==> ‘No account? Register NOW’
regclass: register link class ==> ‘’
msgclass: error msg class ==> ‘’

<txp:mck_if_logged_in />

Checks if the user is logged in.

<txp:mck_user_public />

Outputs the name or RealName of the logged-in user.

type: value to output ==> RealName

<txp:mck_register_form />

Outputs a simple register form.

class: register form class ==> mck_reg_form
msg: show message before input field ==> Compila i campi per registrarti
msgclass: message class ==> ‘’
confirm: registration confirm message ==> Utente registrato. Abbiamo inviato al password alla tua mail
confirmclass: class for confirm message ==> ‘’

Release

The current release is 1.6.1.
Thanks to all for your help!

Download

Download: Gzip and Uncompressed

Last edited by MarcoK (2012-01-18 07:21:11)


#2 2012-01-13 15:23:27

milosevic
Member
From: Madrid, Spain
Registered: 2005-09-19
Posts: 390

Re: mck_login

Ey, nice plugin! It will be nice to have a param to fix the default privilege level for the self-registered users.


<txp:rocks/>


#3 2012-01-14 09:26:11

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248
Website

Re: mck_login

Good idea. I think I’ll insert it in the next release.


#4 2012-01-15 23:25:21

aslsw66
Member
From: Canberra, Australia
Registered: 2004-08-04
Posts: 342
Website

Re: mck_login

Could you outline the differences between this plugin and ign_password_protect?

I’m using ign_password_protect at the moment, but I am contemplating using cbe_frontauth together with smd_user_manager, so I’m interested in a new login plugin!


#5 2012-01-16 01:18:34

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: mck_login

Nice to see you making plugins. But I do see some smaller and bigger issues, all the way to very serious security issues:

  • The queries in mck_register_form() contain SQL injection holes. All user-provided data should be escaped with doSlash().
  • mck_show_login() has server-side remote code execution hole.
  • In mck_user_public() returned values should be escaped with htmlspecialchars() to prevent server-side code injections.
  • The escaping in _update_access() makes no sense. At most it just makes the query to update the wrong user. Just use doSlash() and don’t do anything to _ or %.
  • $form_action in mck_show_login() makes no sense.
  • Everything in global scope should be prefixed with your prefix. Including functions _doTxpValidate(), _validate(), _update_access() and _valid_email(), and global variables like log_status and $login_updated.
  • mck_snd_psw() among others contain hard-coded content — which is not in English.
  • There is quite a bit of duplicated code. Textpattern has various functions you should use instead, including: is_valid_email() for validating emails, txp_hash_password() for hashing, generate_password() and so on.

Last edited by Gocom (2012-01-16 01:40:31)


#6 2012-01-16 15:36:36

geoff777
Plugin Author
From: Benarrabá Andalucía Spain
Registered: 2008-02-19
Posts: 282
Website

Re: mck_login

Hi Marco

Thanks for your plugin.
I’m sure there are a number of people happy to help you fix the security issues, suggest improvements and extend it.

I hope you will continue to work on it as I’m sure a lot of people will use it.

Last edited by geoff777 (2012-01-16 15:36:58)


There are 10 types of people in the world: those who understand binary, and those who don’t.


#7 2012-01-16 19:01:02

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248
Website

Re: mck_login

Hi

#aslsw66 the principal difference from ign_password_protect is that this plugin uses the original txp cookie, so when an admin logs in on the frontend they are also logged in on the backend.

#geoff777 thanks, I have read the issues shown to me by Gocom and I will fix them immediately.

#gocom thanks very, very much!!!

  • The queries in mck_register_form() contain SQL injection holes. All user-provided data should be escaped with doSlash(). FIX
  • In mck_user_public() returned values should be escaped with htmlspecialchars() to prevent server-side code injections. FIX
  • $form_action in mck_show_login() makes no sense. FIX
  • Everything in global scope should be prefixed with your prefix. Including functions _doTxpValidate(), _validate(), _update_access() and _valid_email(), and global variables like log_status and $login_updated. FIX
  • There is quite a bit of duplicated code. Textpattern has various functions you should use instead, including; is_valid_email() for validating emails, txp_hash_password() for hashing, generate_password() and so on. FIX
  • mck_snd_psw() among others contain hard-coded content — which is not in English. (hmm… I’m trying to understand how to implement a textpack)
  • The escaping in _update_access() makes no sense. At most it just makes the query to update the wrong user. Just use doSlash() and don’t do anything to _ or %. FIX

mck_show_login() has server-side remote code execution hole.
I don’t understand what you mean. Can you please show me the errors?

Last edited by MarcoK (2012-01-17 17:37:31)


#8 2012-01-16 21:45:15

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: mck_login

MarcoK wrote:

mck_show_login() has server-side remote code execution hole.
I don’t understand what you mean. Can you please show me the errors?

Request URI comes directly from the user. In any case it at least should be escaped with htmlspecialchars(). As Textpattern has its tag parser, everything passed to page template translates to server-side code.

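The two defects Gocom describes in posts #5 and #8 (the registration query that concatenates the submitted name unescaped, and a form action built from the raw request URI) are easiest to see with the vulnerable pattern beside its hardened form. The following is an added example written for this thread, not code from the mck_login plugin. The Textpattern helpers it calls (doSlash(), safe_field(), safe_insert(), serverSet(), is_valid_email(), generate_password(), txp_hash_password()) exist in Textpattern 4.4; the mck_example_* function names, the input field names and the privs = 0 default for self-registered users are assumptions made here.

```php
<?php
// Added example, not code from mck_login. Reconstructs the problems
// raised in the thread next to their hardened forms:
//  (1) the registration query that concatenates trim($reg['name']) unescaped,
//  (2) the form action built from $_SERVER['REQUEST_URI'] without escaping.
// mck_example_* names and 'privs = 0' are assumptions of this example.

// (1a) Vulnerable pattern quoted in the thread: a single quote in the
// submitted name ends the SQL string literal, and whatever follows it
// becomes part of the query.
function mck_example_user_exists_unsafe($name)
{
    return (bool) safe_field('name', 'txp_users', "name = '".trim($name)."'");
}

// (1b) Hardened: doSlash() escapes quotes and backslashes, so the value
// stays a string literal whatever the user typed.
function mck_example_user_exists($name)
{
    return (bool) safe_field('name', 'txp_users', "name = '".doSlash(trim($name))."'");
}

// Hardened registration: validate first, escape every user-supplied value
// with doSlash(), store only a password hash, and hand the clear password
// back to the caller for e-mailing (never echo it into the page).
// Returns array(status_key, password_or_null); the status keys are the
// plugin's own textpack strings from later in the thread.
function mck_example_register($name, $realname, $email)
{
    $name     = trim($name);
    $realname = trim($realname);
    $email    = trim($email);

    if ($name === '' || !is_valid_email($email)) {
        return array('mck_data_error', null);
    }
    if (mck_example_user_exists($name)) {
        return array('mck_user_already_exist', null);
    }

    $password = generate_password(10);
    $set = "name = '".doSlash($name)."', "
         . "RealName = '".doSlash($realname)."', "
         . "email = '".doSlash($email)."', "
         . "pass = '".doSlash(txp_hash_password($password))."', "
         . "privs = 0";   // assumption: no admin privileges for self-registered users

    if (!safe_insert('txp_users', $set)) {
        return array('mck_data_error', null);
    }
    return array('mck_user_password_send', $password);
}

// (2) Form action: REQUEST_URI is chosen by whoever requests the page.
// htmlspecialchars() turns < > " ' & into entities, so the value can
// neither break out of the action="" attribute nor reach Textpattern's
// tag parser as a <txp:...> tag, which is Gocom's point in post #8.
function mck_example_form_action()
{
    return htmlspecialchars(serverSet('REQUEST_URI'), ENT_QUOTES, 'UTF-8');
}

// Field names below are arbitrary for this example.
function mck_example_login_form()
{
    return '<form method="post" action="'.mck_example_form_action().'">'
         . '<input type="text" name="mck_name" />'
         . '<input type="password" name="mck_password" />'
         . '<input type="submit" value="Login" />'
         . '</form>';
}
```

The same doSlash() treatment applies to every value that ends up inside a quoted SQL literal, including the e-mail and RealName fields, not only the name used in the lookup; the output side (mck_user_public() returning a stored RealName) gets htmlspecialchars() for the same reason as the form action.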

#9 2012-01-17 17:35:17

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248
Website

Re: mck_login

OK, I have fixed the issues shown to me by Gocom.
Now I’m integrating the textpack code.

If someone can help me extend it to other languages I’d be very glad.
Italian is OK (I hope :) ).
I have written only English and French. I hope correctly!

#@language en-gb
mck_login_name  => User Name
mck_name_surname  => Real Name
mck_user_already_exist  => User alredy exist
mck_register_now  => No account? Register now!
mck_site_registration_successfully => Registration made with in the website
mck_can_login_at  => You can login at
mck_your_login_name  => Your login name is: 
mck_your_password  => Your password is: 
mck_register  => Register
mck_user_password_send => Registered user. We have sent the password to your email.
mck_user_unknown => User unknow
mck_data_error => Error, check your data
#@language fr-fr
mck_login_name  => Nom d'utilisateur
mck_name_surname  => Nom et Prenom
mck_user_already_exist  => Utilisateur existe déjà
mck_register_now  => Pas de compte? Enregistre-vous maintenant
mck_site_registration_successfully => Enregistrement effectué dans le site
mck_can_login_at  => Vous pouvez vous connecter au
mck_your_login_name  => Votre nom d'utilisateur est: 
mck_your_password  => Votre mot de passe est:
mck_register  => Enregistre-vous
mck_user_password_send => Enregistré utilisateur. Nous avons envoyé le mot de passe de votre messagerie
mck_user_unknown => Utilisateur inconnu
mck_data_error => Erreur, vérifiez vos informattions


#10 2012-01-17 20:47:41

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529
Website GitHub Twitter

Re: mck_login

Some improvements for the French version

#@language fr-fr
mck_login_name  => Nom d'utilisateur
mck_name_surname  => Nom / Prenom
mck_user_already_exist  => Cet utilisateur existe déjà
mck_register_now  => Pas encore de compte? Enregistrez-vous maintenant
mck_site_registration_successfully => Enregistrement effectué avec succès
mck_can_login_at  => Vous pouvez vous connecter au
mck_your_login_name  => Votre nom d'utilisateur est: 
mck_your_password  => Votre mot de passe est:
mck_register  => Enregistrez-vous
mck_user_password_send => Utilisateur Enregistré. Un mail vous a été envoyé
mck_user_unknown => Utilisateur inconnu
mck_data_error => Erreur, vérifiez vos informations

Cheers


#11 2012-01-18 07:20:26

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248
Website

Re: mck_login

Merci Dragondz

I have published the 1.6.1 release version.


#12 2012-01-18 08:30:06

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: mck_login

Nice. v1.6.1 is a big improvement. After taking a quick look, I still found some issues, including the same security issues:

  • mck_register_form() is still as vulnerable to SQL injections, i.e. missing "name = '" .trim($reg['name']). "'".
  • mck_show_login() and mck_register_form() are vulnerable to server-side code injections, i.e. $_SERVER['REQUEST_URI'], which should in all cases, at least, be escaped with htmlspecialchars().
  • The plugin defines (global) un-prefixed variables, i.e. $textpack, $log_msg. Wrap the code at the top to a function to define them in their own scope.
  • mck_register_form() doesn’t prevent forging or brute attacks. Anyone can create as many accounts as the server can handle (i.e. 5000 accounts a second). You could at minimum call sleep() before saving the details to add 3-5 second wait. It would be best if the form had a nonce (once used token) system that prevents sending the same form directly repeatedly.

Last edited by Gocom (2012-01-18 08:35:18)

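Gocom's last point, a one-time token ("nonce") so the registration form cannot be replayed, and a sleep() before saving to slow down scripted account creation, is shown here as an added example written for this thread; it is not code from mck_login. It keeps the issued token server-side in a PHP session, so a forged or reused token fails. Assumptions of this example: the mck_example_* function names, the mck_token field name, a 15-minute token lifetime, and PHP 5.6 or later for hash_equals(); ps() is Textpattern's own helper for reading a POST field.

```php
<?php
// Added example, not code from mck_login: single-use form token plus a
// sleep() throttle for a public registration form, as suggested in the
// thread. mck_example_* names, the mck_token field and the 15-minute
// lifetime are assumptions; hash_equals() needs PHP >= 5.6.

function mck_example_session_start()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Issue a fresh token and remember it (and when) on the server side.
// 16 random bytes, hex-encoded; only the latest token is valid.
function mck_example_token_issue()
{
    mck_example_session_start();
    $token = bin2hex(openssl_random_pseudo_bytes(16));
    $_SESSION['mck_reg_token']  = $token;
    $_SESSION['mck_reg_issued'] = time();
    return $token;
}

// Hidden field to put inside the registration form.
function mck_example_token_field()
{
    return '<input type="hidden" name="mck_token" value="'
        . htmlspecialchars(mck_example_token_issue(), ENT_QUOTES, 'UTF-8')
        . '" />';
}

// Returns true at most once per issued token; reuse, forgery or an
// expired token fails. The token is consumed before the comparison so a
// failed attempt burns it too and the client has to load the form again.
function mck_example_token_check($submitted)
{
    mck_example_session_start();
    $expected = isset($_SESSION['mck_reg_token'])  ? $_SESSION['mck_reg_token']  : '';
    $issued   = isset($_SESSION['mck_reg_issued']) ? (int) $_SESSION['mck_reg_issued'] : 0;
    unset($_SESSION['mck_reg_token'], $_SESSION['mck_reg_issued']);

    if ($expected === '' || !is_string($submitted)) {
        return false;
    }
    if (time() - $issued > 900) {          // assumed 15-minute lifetime
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time compare
}

// Submission handler: check the token first, then wait before touching the
// database (Gocom's minimum of a few seconds), then validate and insert.
// Returns one of the plugin's textpack keys quoted earlier in the thread.
function mck_example_handle_register()
{
    if (!mck_example_token_check(ps('mck_token'))) {
        return 'mck_data_error';
    }
    sleep(3);
    // ... validate the posted fields and insert the user here, escaping
    // every value with doSlash() as discussed earlier in the thread ...
    return 'mck_user_password_send';
}
```

Because the token lives in the session and is deleted on first use, submitting the same form twice, or posting directly without loading the form, fails the check before any database work happens; the sleep() then bounds how fast a single client can go through the load-form, submit cycle.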
