PEAK XOOPS - auto-login hacked files for XOOPS 2.0.10/11/12/13.x

== AUTO-LOGIN V3 (REMEMBER ME) hacked files for XOOPS 2.0.10/11/12/13 ==

This package is only for 2.0.10/11/12/13 released from www.xoops.org. Don't apply it to 2.0.10JP or higher
Also don't apply it to 2.0.14 or higher

------------------------------------------------------------------

Hacked core files to be able to login automatically (+ alpha).
This package is for XOOPS 2.0.10/11/12/13


USAGE:
1) Overwrite these files into your XOOPS 2.0.10/11/12/13
2) update system module. If you are using a custom template set you will need to edit the system_block_login.html for that set.

AUTO-LOGIN V3 is a little safer than V2.
V3 stores user's password as md5 encoded with time limitation.
If cookie is stolen by someone, he can't login after auto-login expiration.
This means that short expiration makes your site a little bit safer.

The feature of Retry or Repost is implemented with AUTO-LOGIN V2.

- You can access dynamic contents directly with autologin without CSRF vulnerablities.

- You can retry to post even if you are timed-out from the session.

These features are implemented in session_confirm.php.
Don't forget uploding this file.


If you want to set the life time of remembering, insert a line into mainfile.php like this:

This example specifies the life time as 1 month.
The default value is 604800 (= 1week).

The prior version of auto-login hacks useed the value of session_expire.
But this hack harms customizing session.
Thus I've changed the code like above.


This hack stores the password as an MD5 hash on the client, but this is vulnerable to dictionary attacks, and simple copying to another computer.

This hack is a potential security hole, don't enable it lightly.


HACKED POINTS:

You can easily find hacked points by searching the words 'GIJ'.
If you use customized language files or some language files other than english or japanese, you should manually add a line into language/(your language)/global.php



And if you can, edit this line.




ABOUT + ALPHA:

This hack also modifies your XOOPS can be logged in by email.
Users can login not only uname+password but also email+password.
Of course, even the users logged in by email+password can login automatically on/after next access.


APPENDIX:
Onokazu took the auto-login hack which GIJOE had released, into XOOPS core with comment-outed.

But I think these codes should be deprecated.
These are the reasons why:

A) The cookie's path is root (='/'). This cause a collision of the cookies from two Xoops sites running on the same hostname.

B) This hack weakens XOOPS from CSRF attack. (Some modules are defenseless from CSRF. They delete or update its records by GET methods easily.)

To prevents from CSRF, my autologin codes force redirection to XOOPS_URL when query is not null.

C) The old hack harms customized session.



[xlang:ja]

¡üXOOPS 2.0.10/11/12/13ÍѤΥª¡¼¥È¥í¥°¥¤¥ó¥Ï¥Ã¥¯(+¦Á)ºÑ¤ß¥³¥¢¥Õ¥¡¥¤¥ë¥Ñ¥Ã¥¯ (V3)

¤³¤ì¤ÏËܲÈÈÇÍѤǤ¹¡£2.0.*JP ÍѤǤϤʤ¤¤Î¤Ç¡¢Ãí°Õ¤·¤Æ¤¯¤À¤µ¤¤¡ª

--------------------------------------------------

XOOPS 2.0.10/11/12/13 ¤Ë¼«Æ°¥í¥°¥¤¥óµ¡Ç½¤òÉÕÍ¿¤¹¤ë¤¿¤á¤Î¥Ñ¥Ã¥Á¤Ç¤¹¡£
¤³¤Î¥¢¡¼¥«¥¤¥ÖÆâ¤Ë´Þ¤Þ¤ì¤ëÁ´¥Õ¥¡¥¤¥ë¤ò¡¢¤ª»È¤¤¤ÎXOOPS 2.0.10/11/12/13 ¤Ë¾å½ñ¤­¤¹¤ë¤³¤È¤Ç¡¢¼«Æ°¥í¥°¥¤¥óµ¡Ç½¤¬Í­¸ú¤Ë¤Ê¤ê¤Þ¤¹¡£¡Ê¼ÂºÝ¤Ë¤Ï¾å½ñ¤­¸å¤Ë¡¢¥·¥¹¥Æ¥à¥â¥¸¥å¡¼¥ë¤ò¥¢¥Ã¥×¥Ç¡¼¥È¤¹¤ë¤«¡¢¥í¥°¥¤¥ó¥Ö¥í¥Ã¥¯¤Î¥Æ¥ó¥×¥ì¡¼¥È¤òÊÔ½¸¤¹¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡Ë

V3 ¤Ç¤Ï¡¢¥¯¥Ã¥­¡¼¤Ø¤ÎÊݸ·Á¼°¤ò¼ã´³ÊѤ¨¤ë¤³¤È¤Ç¡¢°ÂÁ´À­¤¬Â¿¾¯¥Þ¥·¤Ë¤Ê¤ê¤Þ¤·¤¿¡£
´ü¸ÂÉÕ¤­¤Çmd5¥¨¥ó¥³¡¼¥É¤µ¤ì¤¿¥Ñ¥¹¥ï¡¼¥É¤·¤«¥¯¥Ã¥­¡¼¤ËÊݸ¤·¤Þ¤»¤ó¤Î¤Ç¡¢Ã¯¤«¤¬¥¯¥Ã¥­¡¼¤òÅð¤ó¤À¤È¤·¤Æ¤â¡¢¤½¤Î´ü¸Â°Ê¹ß¤Ç¤¢¤ì¤Ð¥í¥°¥¤¥ó¤ËÀ®¸ù¤·¤Þ¤»¤ó¡£
¤Ä¤Þ¤ê¡¢¥ª¡¼¥È¥í¥°¥¤¥óÍ­¸ú´ü¸Â¤¬½ÅÍפʤ櫓¤Ç¡¢¥Ç¥Õ¥©¥ë¥È¤Î£±½µ´Ö¤ò£±¥ö·î¤ä£±Ç¯¤Ë±äŤ¹¤ë¤È¡¢¤½¤ì¤À¤±´í¸±À­¤¬Áý¤¹¤³¤È¤Ëα°Õ¤¯¤À¤µ¤¤¡£

¥ª¡¼¥È¥í¥°¥¤¥óV2¤Ç¡¢¥ê¥È¥é¥¤µ¡Ç½¤¬¤Ä¤­¤Þ¤·¤¿¡£½¾Íè¤Î¥ª¡¼¥È¥í¥°¥¤¥óHack¤Ç¤Ï¡¢CSRFÂкö¤Î¤¿¤á¤Ë¡¢¤¤¤­¤Ê¤ê¥³¥ó¥Æ¥ó¥Ä¤Ë¥¢¥¯¥»¥¹¤¹¤ë¤È¥È¥Ã¥×¤ËÈô¤Ð¤µ¤ì¤ë¤³¤È¤¬Â¿¤¯¤¢¤ê¤Þ¤·¤¿¤¬¡¢º£¤Ï¤¤¤Ã¤¿¤ósession_confirm.php¤Ë¥ê¥À¥¤¥ì¥¯¥È¤·¤Æ¤«¤é¡¢¸µ¤Î¾ì½ê¤ËÌá¤ê¤Þ¤¹¡£

¤³¤Îsession_confirm.php¤¬V2¤ÇÁý¤¨¤¿¥Õ¥¡¥¤¥ë¤Ç¤¹¡£Ëº¤ì¤º¤Ë¥¢¥Ã¥×¥í¡¼¥É¤·¤Æ¤¯¤À¤µ¤¤¡£

¤Þ¤¿¡¢²¿¤«Åê¹Æ¤·¤¿»þ¤Ë¥»¥Ã¥·¥ç¥ó¤¬»þ´ÖÀÚ¤ì¤Ç¡¢Åê¹ÆÆâÍƤò¥í¥¹¥È¤·¤¿¡¢¤È¤¤¤¦·Ð¸³¤ò¤ª»ý¤Á¤ÎÊý¤â¾¯¤Ê¤¯¤Ê¤¤¤È»×¤¤¤Þ¤¹¤¬¡¢¤³¤Î¥ª¡¼¥È¥í¥°¥¤¥óV2¤òÍ­¸ú¤Ë¤·¤Æ¤¤¤ë¥æ¡¼¥¶¤Ç¤¢¤ì¤Ð¡¢ºÆÅÙ¼«Æ°¥í¥°¥¤¥ó¤·¤Æ¡¢Ä¾¸å¤ËºÆÅê¹Æ¤Îµ¡²ñ¤¬Í¿¤¨¤é¤ì¤Þ¤¹¡£¡ÊV2¤ÎÌ̵ܶ¡Ç½¡Ë


¤³¤ÎHack¤Ï¡¢uname¤Èmd5¥Ï¥Ã¥·¥åºÑ¤Î¥Ñ¥¹¥ï¡¼¥É¤ò¥¯¥Ã¥­¡¼¤ËÊݸ¤¹¤ë¤Î¤Ç¤¹¤¬¡¢¤½¤ÎÍ­¸ú»þ´Ö¤Ï¡¢¥Ç¥Õ¥©¥ë¥È¤Ç£±½µ´Ö(604800)¤È¤Ê¤Ã¤Æ¤¤¤Þ¤¹¡£

¤â¤·¡¢¤³¤ÎÃͤòÊѹ¹¤·¤¿¤¤¾ì¹ç¤Ï¡¢mainfile.php ¤ËÂФ·¤Æ²¼¤Î¤è¤¦¤Ë£±¹ÔÄɲ䷤Ʋ¼¤µ¤¤¡£

¤³¤Î¹Ô¤Ï¾¯¤Ê¤¯¤È¤â¡¢include XOOPS_ROOT_PATH."/include/common.php"; ¤È½ñ¤«¤ì¤¿¹Ô¤è¤ê¾å¤Ë¤¢¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£

¤Þ¤¿¡¢¸À¸ì¥Õ¥¡¥¤¥ë (langage/japanese/global.php) ¤Ë¼ê¤òÆþ¤ì¤Æ¤¤¤ëÊý¤Ï¡¢¤³¤Î¥Õ¥¡¥¤¥ë¤ò¾å½ñ¤­¤¹¤ë¤Î¤Ç¤Ï¤Ê¤¯¡¢¤´¼«¿È¤Ç½ñ¤­´¹¤¨¤Æ¤¯¤À¤µ¤¤¡£






¤³¤ì¤Ï½ÅÍפÊÃí°ÕÅÀ¤Ç¤¹¤¬¡¢¥¯¥Ã¥­¡¼¤Ë¥í¥°¥¤¥ó¾ðÊ󤬻ĤäƤ¤¤ë¤È¤¤¤¦¤³¤È¤Ï¡¢ÅöÁ³¡¢Ã¯¤«¤ËÅð¤Þ¤ì¤ë²ÄǽÀ­¤¬¤¢¤ê¤Þ¤¹¡£¶¦ÍÑ¥³¥ó¥Ô¥å¡¼¥¿¤Ê¤É¤ò¤´ÍøÍѤκݤˤϡ¢É¬¤º¥í¥°¥¢¥¦¥È¤·¤Æ¤«¤é½ªÎ»¤¹¤ë¤è¤¦¤Ë¥¢¥Ê¥¦¥ó¥¹¤¹¤ëɬÍפ¬¤¢¤ë¤Ç¤·¤ç¤¦¡£


¼Â¤Ï¡¢2.0.4°Ê¹ß¡¢onokazu¤µ¤ó¤¬»ä¤Î¼«Æ°¥í¥°¥¤¥óHack¤ò¥³¥á¥ó¥È¥¢¥¦¥È¤·¤¿¾õÂ֤Ǽè¤ê¹þ¤ó¤Ç¤¯¤ì¤Æ¤¤¤ë¤Î¤Ç¤¹¤¬¡¢¤³¤Î¥³¡¼¥É¤Ï¤¢¤Þ¤ê¿ä¾©¤Ç¤­¤Þ¤»¤ó¡£¤½¤ÎÍýͳ¤Ï¡¢¥¯¥Ã¥­¡¼¤Î¾×ÆͤÈCSRF¹¶·â¤Ø¤ÎÂÑÀ­¤Ç¤¹¡£

2.0.6°Ê¹ß¤Î¥ª¡¼¥È¥í¥°¥¤¥óHack¤Ç¤Ï¡¢CSRFÂкö¤Î¤¿¤á¤Ë¡¢¥¯¥¨¥ê¤Î¤Ä¤¤¤¿URL¤Ë¤¤¤­¤Ê¤ê¼«Æ°¥í¥°¥¤¥ó¤·¤Æ¤­¤¿»þ¤Ë¤Ï¡¢¥Û¡¼¥à¥Ú¡¼¥¸¤Ë¶¯À©¥ê¥À¥¤¥ì¥¯¥È¤·¤Þ¤¹¡£¤Á¤ç¤Ã¤È¶Ã¤¯¤«¤âÃΤì¤Þ¤»¤ó¤¬¡¢¤½¤¦¤¤¤¦¤â¤Î¤À¤ÈÍý²ò¤·¤Æ¤¯¤À¤µ¤¤¡£

¤Þ¤¿¡¢½¾Á°¤Î¼«Æ°¥í¥°¥¤¥óHack¤Ç¤Ï¡¢¼«Æ°¥í¥°¥¤¥ó¤ÎÍ­¸ú´ü¸Â¤È¤·¤Æ¡¢session_expire¤ÎÃͤòήÍѤ·¤Æ¤¤¤Þ¤·¤¿¤¬¡¢¤³¤¦¤·¤Æ¤·¤Þ¤¦¤È¡¢¥«¥¹¥¿¥à¥»¥Ã¥·¥ç¥óµ¡Ç½¤¬»ö¼Â¾å»È¤¨¤Ê¤¯¤Ê¤Ã¤Æ¤·¤Þ¤¦¤¿¤á¡¢XOOPS_AUTOLOGIN_LIFETIME ¤È¤¤¤¦Äê¿ô¤Ç»ØÄꤹ¤ëÊý¼°¤Ë²þ¤á¤Þ¤·¤¿¡£


¤½¤ì¤È¡¢¤³¤Î¥¢¡¼¥«¥¤¥Ö¤ò¾å½ñ¤­¤¹¤ë¤È¡¢email¥¢¥É¥ì¥¹¤Ç¤â¥í¥°¥¤¥ó¤Ç¤­¤ëHack¤â¼«Æ°Åª¤ËÍ­¸ú¤Ë¤Ê¤ê¤Þ¤¹¡£
¤³¤ì¤À¤±½ñ¤¯¤È¡¢Ryuji¤µ¤ó¤ÎemailLoginHack¤ÈƱ¤¸¤¸¤ã¤Ê¤¤¤«¡¢¤È»×¤ï¤ì¤½¤¦¤Ç¤¹¤¬¡¢¤¢¤½¤³¤Þ¤Ç¤­¤Á¤ó¤Èºî¤Ã¤Æ¤¤¤Þ¤»¤ó¡£¥æ¡¼¥¶¡¼Ì¾¤È¤·¤ÆÁ÷¤é¤ì¤Æ¤­¤¿Ê¸»úÎó¤Ë¡¢@ ¤¬´Þ¤Þ¤ì¤Æ¤¤¤ì¤Ð¡¢email ¤Ë¤è¤ë¥í¥°¥¤¥ó¤À¤È¿äÄꤷ¤Æ¥í¥°¥¤¥ó¤ò»î¤¹¡¢¤È¤¤¤¦¤À¤±¤ÎHack¤Ç¤¹¡£

µÕ¤Ë¸À¤¨¤Ð¡¢¤½¤Îʬ¡¢Hack²Õ½ê¤â¾¯¤Ê¤¯¤ÆºÑ¤ó¤Ç¤¤¤Þ¤¹¡£´ðËÜŪ¤Ë¤Ï¡¢include/checklogin.php ¤À¤±¤ÎÊѹ¹¤Ç¤¹¤Î¤Ç¡¢¥³¥¢¥Ð¡¼¥¸¥ç¥ó¤Ø¤ÎÄÉ¿ï¤â¾¯¤·¤Ï³Ú¤Ë¤Ê¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¡£

ºÇ¶á¤Î¥·¥ç¥Ã¥Ô¥ó¥°¥µ¥¤¥È¤Ç¤Ï¡¢²ñ°÷ÈÖ¹æ¤Ç¤â¥á¡¼¥ë¥¢¥É¥ì¥¹¤Ç¤â¼õ¤±ÉÕ¤±¤ë¡¢¤È¤¤¤¦¤â¤Î¤¬Áý¤¨¤Æ¤­¤Æ¤¤¤ë¤Î¤Ç¡¢¤½¤ì¤Ê¤ê¤Ë¼õÆþ¤ì¤ä¤¹¤¤Hack¤Ç¤Ï¤Ê¤¤¤Ç¤·¤ç¤¦¤«¡£


¤Þ¤¿¡¢include/common.php ¤Ê¤É¤Ï¡¢Â¾¤ÎHack¤È¥Ð¥Ã¥Æ¥£¥ó¥°¤·¤ä¤¹¤¤¤Î¤Ç¡¢¾å½ñ¤­¤µ¤ì¤ë¤Èº¤¤ë¥±¡¼¥¹¤â¤¢¤ë¤Ç¤·¤ç¤¦¡£¤½¤Î¾ì¹ç¤Ï¡¢¤³¤Î¥¢¡¼¥«¥¤¥Ö¤Î³Æ¥Õ¥¡¥¤¥ë¤Ë¤Ä¤¤¤Æ¡¢'GIJ'¤È¤¤¤¦Ê¸»úÎó¤Ç¸¡º÷¤¹¤ì¤Ð¡¢Hack²Õ½ê¤¬¤É¤³¤«¡¢¤¹¤°¤ËȽ¤ë¤Ï¤º¤Ç¤¹¡£


by GIJOE http://www.peak.ne.jp/xoops/
[xlang:ja]