Pligg Security Vulnerability - Password Change Request

#11
Old 05-27-2007, 01:54 PM
wwwSENSERELYcom
Casual Pligger
Join Date: May 2007
Location: Tianjin, China
Posts: 67
Yes, but the god user leaves a trace in the pageviews table. Where is/are the queries for that, where I can add WHERE userid > 1?
#12
Old 05-27-2007, 09:35 PM
dollars5
Pligg Donor
Join Date: Dec 2006
Location: India
Posts: 1,960
But where do other users see the details of the page_view table?
Even if you use the page_statistics module, it only gets the count and not all those who saw the pages. So you can just ignore that page_view; most users will not make much use of this table.
#13
Old 05-28-2007, 12:26 AM
wwwSENSERELYcom
Casual Pligger
Join Date: May 2007
Location: Tianjin, China
Posts: 67
No, the page view is used in the profile pages to show which users have viewed the profile. It's called "Last 5 people to view this profile:".

Of course I could just stop this information from showing, if I could find it, or I could just modify the query to ignore user 1.
#14
Old 05-28-2007, 03:53 AM
dollars5
Pligg Donor
Join Date: Dec 2006
Location: India
Posts: 1,960
Just edit the last_viewers() function in /libs/pageview.php so that the query there ignores the admin user. Just change pv_user_id > 0 to pv_user_id > 1 - but if the site has more than 1 god user, you will have to list them all in the query.

It is good practice to have only 1 God user; there are other levels of users, like admins, which can be used to administer links etc. That should be of some help.
#15
Old 05-28-2007, 04:00 PM
New Pligger
 
Join Date: May 2007
Posts: 6
Quote:
Originally Posted by dollars5
Also, we added a small additional query to remove the user from the top users list (where user_id > 1) - this way there is less possibility that a hacker can predict and attack on any system.
Could you give more details about this? Such as which page I should change and how to change it. Thanks very much.
#16
Old 05-28-2007, 09:59 PM
dollars5
Pligg Donor
Join Date: Dec 2006
Location: India
Posts: 1,960
Generally the users are listed in following places:
1] top-users: topusers.php
Code:
case 0: // sort users alphabetically
    $select = "SELECT user_id";
    // user_id 1 (the admin/god account) is excluded from the result set
    $from_where = " FROM " . table_users . " WHERE user_id != 1 ";
    $order_by = " ORDER BY user_karma DESC ";
    break;
- so the admin is not listed in the top users.

2] last_viewers() function in /libs/pageview.php - change pv_user_id > 0 to pv_user_id > 1
This stops the admin from being shown on the "who visited this profile" page.

If you see the users listed in other places, let me know and I will try to provide you a way to hide the admin.
I have not edited the "who voted" list, as the admin is kept from voting in my proposed case.
#17
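The two listings discussed in this thread (top users and "last viewers" of a profile) rewritten as an added example that is not Pligg's own code: the real functions are PHP, and this uses Python with an in-memory sqlite3 database to reconstruct only the query logic. The table and column names (pligg_users, pligg_pageviews, pv_profile_id, pv_date, user_login) are assumptions modelled on the snippets quoted above, not Pligg's real schema. It contrasts the filter on a hard-coded user_id with a filter on user_level, which is what dollars5's later correction ("change user_id to user_level") points at: the id-based filter silently stops hiding privileged accounts as soon as a second god user exists, while the level-based filter hides all of them.

```python
"""Added example, not Pligg code: compare id-based and level-based filters
for hiding privileged accounts from public user listings."""
import sqlite3


def build_db():
    # Constructed sample data with an assumed schema (not Pligg's real one).
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pligg_users (
            user_id INTEGER PRIMARY KEY, user_login TEXT,
            user_level TEXT, user_karma INTEGER);
        CREATE TABLE pligg_pageviews (
            pv_id INTEGER PRIMARY KEY, pv_user_id INTEGER,
            pv_profile_id INTEGER, pv_date INTEGER);
    """)
    con.executemany("INSERT INTO pligg_users VALUES (?,?,?,?)", [
        (1, "admin",  "god",    500),
        (2, "backup", "god",    400),   # a second god account
        (3, "mod",    "admin",  300),
        (4, "alice",  "normal", 200),
        (5, "bob",    "normal", 100),
    ])
    # Views of alice's profile (profile_id 4); pv_user_id 0 = anonymous
    con.executemany("INSERT INTO pligg_pageviews VALUES (?,?,?,?)", [
        (1, 1, 4, 100), (2, 2, 4, 101), (3, 3, 4, 102),
        (4, 5, 4, 103), (5, 4, 4, 104), (6, 0, 4, 105),
    ])
    return con


def top_users_by_id(con):
    # The thread's original fix: exclude only user_id 1.
    rows = con.execute(
        "SELECT user_login FROM pligg_users WHERE user_id != 1 "
        "ORDER BY user_karma DESC")
    return [r[0] for r in rows]


def top_users_by_level(con):
    # Level-based filter: every god account is hidden, however many exist.
    rows = con.execute(
        "SELECT user_login FROM pligg_users WHERE user_level <> 'god' "
        "ORDER BY user_karma DESC")
    return [r[0] for r in rows]


def last_viewers_by_id(con, profile_id, limit=5):
    # pv_user_id > 1 as suggested in the thread: drops anonymous and user 1 only.
    rows = con.execute("""
        SELECT u.user_login FROM pligg_pageviews p
        JOIN pligg_users u ON u.user_id = p.pv_user_id
        WHERE p.pv_profile_id = ? AND p.pv_user_id > 1
        ORDER BY p.pv_date DESC LIMIT ?""", (profile_id, limit))
    return [r[0] for r in rows]


def last_viewers_by_level(con, profile_id, limit=5):
    # Keep the anonymous filter (> 0) and additionally drop every god account.
    rows = con.execute("""
        SELECT u.user_login FROM pligg_pageviews p
        JOIN pligg_users u ON u.user_id = p.pv_user_id
        WHERE p.pv_profile_id = ? AND p.pv_user_id > 0
          AND u.user_level <> 'god'
        ORDER BY p.pv_date DESC LIMIT ?""", (profile_id, limit))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("top users (id filter):   ", top_users_by_id(db))
    print("top users (level filter):", top_users_by_level(db))
    print("last viewers (id):       ", last_viewers_by_id(db, 4))
    print("last viewers (level):    ", last_viewers_by_level(db, 4))
```

With the constructed data, the id-based versions still expose the second god account ("backup") in both listings, while the level-based versions hide it. The join in the viewer queries also drops anonymous views (pv_user_id 0) because no such user row exists, which matches the intent of the original pv_user_id > 0 check.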
Old 05-28-2007, 10:03 PM
AshDigg
Mayor of PliggVille/Coder
Join Date: Dec 2005
Posts: 1,515
The 'god' users are now hidden starting with the 9.6 release.
#18
Old 05-28-2007, 10:05 PM
dollars5
Pligg Donor
Join Date: Dec 2006
Location: India
Posts: 1,960
Wow - that is great news - good work Ash.

Also, as pointed out here (Pligg Security Vulnerability - Password Change Request), God should be hidden from profile views too.

Please change user_id to user_level in my above post.
#19
Old 05-29-2007, 05:22 PM
New Pligger
 
Join Date: May 2007
Posts: 6
Thanks dollars5. This information is really helpful.
#20
Old 06-01-2007, 02:53 PM
Pligg Donor
 
Join Date: Jan 2007
Posts: 86
In this patch I can't modify the password.