/**
 * Report how many failed-login strikes the current client IP has accumulated.
 *
 * Strikes older than one hour are purged first; this purge runs even when the
 * strike system is switched off. With the strike system off the function
 * reports 0. If the IP has five or more strikes and the most recent one is
 * under 15 minutes old, the caller is locked out: one more strike is recorded
 * against $username (which keeps the lockout window open while the client
 * keeps trying) and then either the 'strikes' error page is evaluated or,
 * when $supress_error is set, false is returned so the caller can produce its
 * own response.
 *
 * The lookup is keyed on IPADDRESS only; $username is used solely to attribute
 * the extra strike. NOTE(review): how IPADDRESS is derived (direct peer vs.
 * proxy header) is not visible here -- if a client can influence it, the limit
 * is weaker than it looks; confirm in the install's request handling.
 *
 * @param string $username      login name being attempted (may be empty)
 * @param bool   $supress_error return false instead of evaluating the error page
 * @return int|string|false     strike count (capped at 5 outside the lockout window),
 *                              or false when locked out and $supress_error is set
 */
function verify_strike_status($username = '', $supress_error = false)
{
	global $vbulletin;

	// Drop strikes older than an hour before counting anything.
	$purgeBefore = TIMENOW - 3600;
	$vbulletin->db->query_write("DELETE FROM " . TABLE_PREFIX . "strikes WHERE striketime < " . $purgeBefore);

	if (!$vbulletin->options['usestrikesystem'])
	{
		return 0;
	}

	// Count strikes for this client address only.
	$clientIp = $vbulletin->db->escape_string(IPADDRESS);
	$row = $vbulletin->db->query_first("\n\t\tSELECT COUNT(*) AS strikes, MAX(striketime) AS lasttime\n\t\tFROM " . TABLE_PREFIX . "strikes\n\t\tWHERE strikeip = '" . $clientIp . "'\n\t");

	$count = $row['strikes'];
	$lockoutActive = $count >= 5 and $row['lasttime'] > TIMENOW - 900;

	if ($lockoutActive)
	{
		// Five or more failures for any username and still trying: record
		// another strike so the lockout window keeps moving forward.
		exec_strike_user($username);

		if ($supress_error)
		{
			return false;
		}

		eval(standard_error(fetch_error('strikes', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'])));

		// Only reached if standard_error() returns; count is not capped here.
		return $count;
	}

	// Cap the reported value so an "x of 5" message never exceeds 5.
	return $count > 5 ? 5 : $count;
}
}
// ############################### start do login ###############################
// this was a _REQUEST action but where do we all login via request?
// NOTE(review): loose (==) comparison against a raw $_POST value; the value is
// only used to select this branch, so it is a style point rather than a bug.
if ($_POST['do'] == 'login')
{
	$vbulletin->input->clean_array_gpc('p', array('vb_login_username' => TYPE_STR, 'vb_login_password' => TYPE_STR, 'vb_login_md5password' => TYPE_STR, 'vb_login_md5password_utf' => TYPE_STR, 'postvars' => TYPE_BINARY, 'cookieuser' => TYPE_BOOL, 'logintype' => TYPE_STR, 'cssprefs' => TYPE_STR));

	// can the user login?
	// Called without the suppress flag, so a locked-out client IP gets the
	// 'strikes' error page here, before the password is ever checked
	// (assuming standard_error() halts the request -- confirm).
	$strikes = verify_strike_status($vbulletin->GPC['vb_login_username']);

	// Empty username: generic bad-login error, carrying the strike count.
	if ($vbulletin->GPC['vb_login_username'] == '')
	{
		eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
	}

	// make sure our user info stays as whoever we were (for example, we might be logged in via cookies already)
	$original_userinfo = $vbulletin->userinfo;

	if (!verify_authentication($vbulletin->GPC['vb_login_username'], $vbulletin->GPC['vb_login_password'], $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true))
	{
		($hook = vBulletinHook::fetch_hook('login_failure')) ? eval($hook) : false;

		// Record the failure. NOTE(review): the strike is attributed to
		// $vbulletin->userinfo['username'] rather than the submitted name;
		// whether verify_authentication() populates that on failure is not
		// visible here.
		exec_strike_user($vbulletin->userinfo['username']);

		if ($vbulletin->GPC['logintype'] === 'cplogin' or $vbulletin->GPC['logintype'] === 'modcplogin')
		{
			// log this error if attempting to access the control panel
			require_once DIR . '/includes/functions_log_error.php';
			log_vbulletin_error($vbulletin->GPC['vb_login_username'], 'security');
		}

		// Roll back whatever the failed attempt did to the current user context.
		$vbulletin->userinfo = $original_userinfo;

		// Same generic message either way; with the strike system on, the
		// remaining-attempts count is included.
		if ($vbulletin->options['usestrikesystem'])
		{
			eval(standard_error(fetch_error('badlogin_strikes', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
		}
		else
		{
			eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'])));
		}
	}

	// Successful login clears this user's strikes.
	exec_unstrike_user($vbulletin->GPC['vb_login_username']);

	// create new session
	// (the enclosing if-block continues past the end of this excerpt)
	process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
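/**
 * Forum Runner "login" action.
 *
 * Reads username / password / md5_password / fr_username / fr_b from the
 * request, assembles the client configuration block (branding colour, ad and
 * analytics ids, feature flags) and then either:
 *   - with no credentials supplied: reports whether the forum requires a login
 *     (guests cannot view the board, or the board is closed) without
 *     authenticating; or
 *   - with credentials: enforces the strike (brute-force) limit, authenticates,
 *     starts a new session and registers the push user.
 *
 * All failure paths call json_error(), which is expected not to return; the
 * code after each call assumes success.
 *
 * Changes from the previous version: a locked-out client IP is now refused
 * before the password is checked (previously the lockout only altered the
 * error text after a wrong password, so guessing was not actually throttled);
 * the saved userinfo is restored on failure, matching the web login path; and
 * the "x of 5" counter is capped at 5.
 *
 * @return array  response fields; always contains 'v', 'p' and 'authenticated'
 */
function do_login()
{
	global $vbulletin, $fr_version, $fr_platform;

	$vbulletin->input->clean_array_gpc('r', array(
		'username'     => TYPE_STR,
		'password'     => TYPE_STR,
		'md5_password' => TYPE_STR,
		'fr_username'  => TYPE_STR,
		'fr_b'         => TYPE_BOOL,
	));

	// Navbar branding colour; iPhone clients expect "r,g,b" instead of "#rrggbb".
	$navbg = null;
	if (strlen($vbulletin->options['forumrunner_branding_navbar_bg']))
	{
		$navbg = $vbulletin->options['forumrunner_branding_navbar_bg'];
		if (is_iphone() && strlen($navbg) == 7)
		{
			$r = hexdec(substr($navbg, 1, 2));
			$g = hexdec(substr($navbg, 3, 2));
			$b = hexdec(substr($navbg, 5, 2));
			$navbg = "{$r},{$g},{$b}";
		}
	}

	// Credentials arrive in the client's encoding; normalise to UTF-8 first.
	$vbulletin->GPC['username'] = prepare_remote_utf8_string($vbulletin->GPC['username']);
	$vbulletin->GPC['password'] = prepare_remote_utf8_string($vbulletin->GPC['password']);

	$out = array('v' => $fr_version, 'p' => $fr_platform);
	if ($navbg)
	{
		$out['navbg'] = $navbg;
	}

	// Platform-specific AdMob publisher id (iPhone checked first).
	if (is_iphone() && $vbulletin->options['forumrunner_admob_publisherid_iphone'])
	{
		$out['admob'] = $vbulletin->options['forumrunner_admob_publisherid_iphone'];
	}
	elseif (is_android() && $vbulletin->options['forumrunner_admob_publisherid_android'])
	{
		$out['admob'] = $vbulletin->options['forumrunner_admob_publisherid_android'];
	}

	if ($vbulletin->options['forumrunner_google_analytics_id'])
	{
		$out['gan'] = $vbulletin->options['forumrunner_google_analytics_id'];
	}
	if ($vbulletin->options['forumrunner_facebook_application_id'])
	{
		$out['fb'] = $vbulletin->options['forumrunner_facebook_application_id'];
	}
	if ($vbulletin->options['forumrunner_cms_onoff'])
	{
		$out['cms'] = true;
		$out['cms_section'] = $vbulletin->options['forumrunner_cms_section'];
	}
	if ($vbulletin->options['forumrunner_enable_registration'])
	{
		$out['reg'] = true;
	}
	if ($vbulletin->options['socnet'] & $vbulletin->bf_misc_socnet['enable_albums'])
	{
		$out['albums'] = true;
	}

	$username = $vbulletin->GPC['username'];
	$hasPassword = $vbulletin->GPC['password'] || $vbulletin->GPC['md5_password'];

	if (!$username || !$hasPassword)
	{
		// No credentials: the client is asking whether it must log in at all.
		// Guests who cannot view the board, or a closed board, require a login.
		$canView = $vbulletin->userinfo['permissions']['forumpermissions'] & $vbulletin->bf_ugp_forumpermissions['canview'];
		$requires_authentication = !$canView || !$vbulletin->options['bbactive'];

		$out += array(
			'authenticated' => false,
			'requires_authentication' => $requires_authentication,
		);
		return $out;
	}

	// Brute-force limit (keyed on client IP). With the second argument set this
	// returns false when the IP is locked out instead of rendering the HTML
	// error page, so we can answer in JSON.
	$strikes = verify_strike_status($username, true);
	$lockedOutMessage = 'Incorrect login. You have used up your login allowance. Please wait 15 minutes before trying again.';

	if ($strikes === false)
	{
		// Refuse before touching the password: otherwise the limit only changes
		// the error text and every guess still reaches verify_authentication().
		json_error($lockedOutMessage, RV_BAD_PASSWORD);
	}

	// make sure our user info stays as whoever we were (for example, we might be logged in via cookies already)
	$original_userinfo = $vbulletin->userinfo;

	$authenticated = verify_authentication(
		$username,
		$vbulletin->GPC['password'],
		$vbulletin->GPC['md5_password'],
		$vbulletin->GPC['md5_password'],
		true,
		true
	);

	if (!$authenticated)
	{
		exec_strike_user($username);

		// Roll back whatever the failed attempt did to the current user context
		// (same as the web login path does).
		$vbulletin->userinfo = $original_userinfo;

		if (!$vbulletin->options['usestrikesystem'])
		{
			$message = 'Incorrect login.';
		}
		elseif ($strikes === false)
		{
			// Only reachable if json_error() above returned.
			$message = $lockedOutMessage;
		}
		else
		{
			// $strikes counts failures before this one; cap so the text never
			// reads "6 of 5" when an older, expired lockout left 5+ rows behind.
			$message = 'Incorrect login (' . min($strikes + 1, 5) . ' of 5 tries allowed)';
		}

		json_error($message, RV_BAD_PASSWORD);
	}

	// Successful login clears this user's strikes.
	exec_unstrike_user($username);

	// create new session
	process_new_login('', true, '');
	cache_permissions($vbulletin->userinfo, true);
	$vbulletin->session->save();

	// Closed board: only users allowed into the control panel may stay logged in.
	$canControlPanel = $vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'];
	if (!$vbulletin->options['bbactive'] && !$canControlPanel)
	{
		process_logout();
		json_error(strip_tags($vbulletin->options['bbclosedreason']), RV_BAD_PASSWORD);
	}

	fr_update_push_user($vbulletin->GPC['fr_username'], $vbulletin->GPC['fr_b']);

	$out += array(
		'authenticated' => true,
		'username' => prepare_utf8_string($vbulletin->userinfo['username']),
		'cookiepath' => $vbulletin->options['cookiepath'],
	);

	return $out;
}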
}
// Successful login: start the session and cache permissions.
// (The surrounding control structures open before this excerpt.)
process_new_login('', 1, $vbulletin->GPC['cssprefs']);
cache_permissions($vbulletin->userinfo, true);
$vbulletin->session->save();
}
}
}
}
else
{
	// Failed login. The message is deliberately generic and the same for both
	// fields, so the response does not reveal whether the username exists.
	$valid_entries = FALSE;
	$messages['errors'][] = $message = "Please check your username and password.";
	$messages['fields'][] = $error_type = "username-member";
	$messages['errors'][] = $message = "";
	$messages['fields'][] = $error_type = "password-member";

	if ($vbulletin->options['usestrikesystem'])
	{
		// NOTE(review): called without the suppress flag, so a locked-out client
		// IP gets the HTML 'strikes' error page from verify_strike_status()
		// rather than the JSON produced by json_headers() below -- confirm that
		// is intended for this handler.
		$strikes = verify_strike_status($vbulletin->GPC['username']);

		// $strikes was counted before this failure is recorded, so >= 4 means
		// this attempt is the fifth.
		exec_strike_user($vbulletin->GPC['username']);

		if ($strikes >= 4)
		{
			// Replace the generic message with the strike warning.
			unset($messages);
			$message = fetch_error('badlogin_strikes', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes);
			$message = rewrite_error($message);
			$messages['errors'][] = $message;
			$messages['fields'][] = $error_type = "username-member";
			$messages['errors'][] = "";
			$messages['fields'][] = $error_type = "password-member";
		}
	}
}
}
// JSON response for the form: validity flag, per-field messages, redirect url.
$arr = array("valid_entries" => $valid_entries, "messages" => $messages, "url" => $url);
json_headers($arr);
break;