Custom Profile Update

#1 | doc55 (joined Aug 2019) | 29 Aug 2019, 02:43

Hi,
I'm trying to make a custom form for users to update their profile. I have the following code, which I thought should work.

[Code block not shown on the archived page: "Suspended or Unlicensed Members Cannot View Code."]

But I'm getting the following error message:
Your submission could not be processed because a security token was missing.
If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.


And I see the following error at the top of the page:
Notice: Undefined index: usefiles in /home/myserver/mysite.com/forum/includes/vb5/template/stylesheet.php on line 70

I'd appreciate it if someone could help me fix this code.
Thanks
#2 | doc55 | 02 Sep 2019, 04:40
I made some progress, but the code is still not working correctly.
Here is what I have:

[Code block not shown on the archived page: "Suspended or Unlicensed Members Cannot View Code."]

A couple of issues with this code are:
1. It is not updating the email address.
2. You can enter the wrong current password and it still runs without throwing an error.
3. Can I update the user email, password and username without needing to enter the current user?

I'd appreciate anyone who could help with this.
#3 | Dave (real name Dave, joined Jun 2010) | 02 Sep 2019, 13:10
You must pass 'acnt_settings' => true in the 'extra' array. Based on the code, that allows you to edit the email/password as a regular user and also includes current password verification.

You need to extract the userid from the current session returned by vBulletin, not from a cookie, because I can simply use a cookie editor to change my bbuserid cookie to the userid of an administrator and then hijack the account.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
#4 | In Omnibus (real name Kris, joined Apr 2010) | 02 Sep 2019, 16:04

Originally Posted by Dave:
You must pass 'acnt_settings' => true in the 'extra' array. Based on the code, that allows you to edit the email/password as a regular user and also includes current password verification.

You need to extract the userid from the current session returned by vBulletin, not from a cookie, because I can simply use a cookie editor to change my bbuserid cookie to the userid of an administrator and then hijack the account.
I'd like and quote this a million times if I could. There seems to be a growing trend of vBulletin customers hacking their software without any regard for security.
#5 | doc55 | 02 Sep 2019, 17:37
Thank you both for your valuable feedback. I'm not a programmer, and I had someone do this for me. That's why I shared it here, to make sure we are doing things correctly and to improve it.

I really appreciate your advice.
#6 | doc55 | 03 Sep 2019, 23:14
After reading the vB API documentation, it looks like acnt_setting should be set to 1.
So, I changed the code as you advised, and I'm getting the userid from vB fetchUserinfo instead of from cookies.

However, my code is still not working. It is not updating the username. Also, it is not verifying the current password.
What am I missing?


[Code block not shown on the archived page: "Suspended or Unlicensed Members Cannot View Code."]

I appreciate any feedback.

Last edited by doc55; 04 Sep 2019 at 00:47.
#7 | Dave | 03 Sep 2019, 23:36
Use var_dump($response); to see what it is returning. If nothing happens, dump the variables one by one to make sure everything is still working as expected.
#8 | doc55 | 04 Sep 2019, 00:53
Thank you Dave.
It appears that my code actually worked (partially).
When I enter the wrong current password, it appropriately doesn't update anything, but it is not showing any errors to the user.
var_dump($response); showed the following:

[Code block not shown on the archived page: "Suspended or Unlicensed Members Cannot View Code."]

I know this is the error message, but I'm not sure how to write the if statement so that a message is shown when there is an error. That is, how can I capture this error in the PHP script?

The other problem is that even when I enter the correct current password, it only updates the email and password and DOES NOT update the username. I'm not sure why.
#9 | Dave | 04 Sep 2019, 01:13
Does the new password save properly? You might have to set the 'password' key to the new password in the array.

As for showing errors, just iterate over the errors array if it's set. Something like:

[Code block not shown on the archived page: "Suspended or Unlicensed Members Cannot View Code."]

Last edited by Dave; 04 Sep 2019 at 01:22.
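Dave's two points put together in one handler, as an added example that is not code from the thread or from vBulletin itself: post #3 (take the userid from the server-side session, never from the bbuserid cookie, and pass 'acnt_settings' => true in the extra array) and post #9 (iterate over the errors array in the response). It assumes vB5 is bootstrapped the way the poster's script is, that vB_Api::instance('user')->save() takes ($userid, $currentPassword, $user, $userfield, $notificationOptions, $options, $adminoptions, $extra) and returns an array with an 'errors' key when the call fails, and the form field names current_password, email and new_password are assumptions.

```php
<?php
// Added example, not code from the thread or from vBulletin.
// Assumes vB5 is already bootstrapped (as in the poster's script) so that
// vB::getCurrentSession() and vB_Api are available, that
// vB_Api_User::save() takes
//   ($userid, $currentPassword, $user, $userfield, $notificationOptions,
//    $options, $adminoptions, $extra)
// and that the API wrapper returns ['errors' => [...]] instead of throwing.
// Form field names (current_password, email, new_password) are assumptions.

// INSECURE: the cookie is client-controlled. Setting bbuserid=1 in a cookie
// editor would make this script act on the administrator's account.
//   $userid = (int) $_COOKIE['bbuserid'];

// SECURE: ask vBulletin which user it authenticated this request as
// (it resolved that server-side from the session, not from a value we trust).
function currentUserId()
{
    $userid = (int) vB::getCurrentSession()->get('userid');
    if ($userid <= 0) {   // 0 = guest / not logged in
        throw new RuntimeException('You must be logged in to edit your account.');
    }
    return $userid;
}

// Turns the API's error list into strings safe to echo into HTML. Each entry is
// normally an array whose first element is the phrase id (e.g. 'badpassword',
// 'enter_current_password'); plain strings are tolerated too.
function apiErrorMessages(array $response)
{
    $messages = [];
    if (!empty($response['errors'])) {
        foreach ($response['errors'] as $error) {
            $id = is_array($error) ? (string) reset($error) : (string) $error;
            $messages[] = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
        }
    }
    return $messages;
}

function updateAccount(array $post)
{
    $userid = currentUserId();

    $currentPassword = isset($post['current_password']) ? (string) $post['current_password'] : '';
    if ($currentPassword === '') {
        return ['ok' => false, 'errors' => ['enter_current_password']];
    }

    // Only the fields the user may change. Never copy $post wholesale into
    // $user: a crafted request could then try to set columns such as
    // usergroupid, and you would be relying on the API alone to refuse them.
    $user = [];
    if (!empty($post['email'])) {
        $user['email'] = trim((string) $post['email']);
    }
    if (!empty($post['new_password'])) {
        $user['password'] = (string) $post['new_password'];
    }
    if (!$user) {
        return ['ok' => true, 'errors' => []];   // nothing to change
    }

    $response = vB_Api::instance('user')->save(
        $userid,
        $currentPassword,           // verified by the API before anything is written
        $user,
        [],                         // $userfield
        [],                         // $notificationOptions
        [],                         // $options
        [],                         // $adminoptions: never filled from user input
        ['acnt_settings' => true]   // email/password change with current-password check
    );

    $errors = apiErrorMessages($response);
    return ['ok' => !$errors, 'errors' => $errors];
}

// Usage from the form handler (assumed to run inside the bootstrapped script):
//   $result = updateAccount($_POST);
//   foreach ($result['errors'] as $message) { echo '<p>' . $message . '</p>'; }
```

The messages this returns are still phrase ids such as badpassword; they are escaped so they can be echoed directly, and a real page would map them to user-facing text before display.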
#10 | doc55 | 04 Sep 2019, 01:32
Dave,
Thanks again for your reply.
That took care of the error message. Great.
The password is updating appropriately.
However, the username is still not saving at all. Any idea why?
Also, I just noticed that the last line is actually not needed. I ran the code without the vB::getDbAssertor line and it works exactly the same. Do you know if I need this line?


[Code block not shown on the archived page: "Suspended or Unlicensed Members Cannot View Code."]

#11 | Dave | 04 Sep 2019, 01:44
It's not needed as far as I can see. Now, regarding the username... I'm not entirely sure, but it seems that the username is not updated by using the save method in the user API. Not sure at the moment how that can be done.
#12 | doc55 | 04 Sep 2019, 02:52
Interesting. After you said that, I went back and looked at the default profile edit page. It looks like vB does not give users the option to change their username either. So that's probably why we can't use this API to change the username. I guess I need to follow the same process and not allow users to change their usernames.

So, in that case and for my own knowledge, why do we need the following line in the save user API?

[Code block not shown on the archived page: "Suspended or Unlicensed Members Cannot View Code."]

Do we really need it? or can I change it to

[Code block not shown on the archived page: "Suspended or Unlicensed Members Cannot View Code."]

--------------- Added 04 Sep 2019 at 04:07 ---------------

OK, now I think I'm losing my mind. This is crazy. When I tested the script I posted here 10 minutes ago, it was working: it updated the user's email and password, and when I entered a wrong password it gave me the error message "badpassword".
Now I went back to test again (without changing anything in the code) and I'm getting the "enter_current_password" error message, whether I enter the correct current password or a wrong one, and nothing is updating.
How in the world is it possible that I'm getting a different response?
#13 | doc55 | 05 Sep 2019, 03:20
Finally, I was able to put everything together and make this thing work. Thank you both for all your help.
Now. I have one issue/question.
The following line updates the username:

[Code block not shown on the archived page: "Suspended or Unlicensed Members Cannot View Code."]

The only issue is that it doesn't check whether the username is already in use, so it allows duplicate usernames. So I need to first check the user table in the database and throw an error if the username is a duplicate.

Are there any instructions on how to search the vB database for data? Can you help?
#14 | delicjous (joined Nov 2014) | 05 Sep 2019, 09:19
You should not use vB::getDbAssertor()->update, because this is a direct database action. There are API functions for that.
__________________
vBulletin-Forum.de closed!
#15 | doc55 | 05 Sep 2019, 11:43

Originally Posted by delicjous:
You should not use vB::getDbAssertor()->update, because this is a direct database action. There are API functions for that.
Thank you for your reply.
I managed to figure out how to search the database to prevent duplicate username entry by using vB::getDbAssertor()->getRow.

What API could I use instead of vB::getDbAssertor()->update that would be more secure? Can you please advise?

Is it ok to use vB::getDbAssertor()->getRow in an if statement to search for the data?

Thank you again.
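The duplicate-username check from posts #13 and #15, carried through to the write, as an added example that is not code from the thread and not vBulletin's own user API. It assumes vB5 is bootstrapped so that vB::getDbAssertor() is available, with getRow('user', $conditions) and update('user', $values, $conditions) used the way the thread uses them and getRows() assumed to exist beside getRow(). The length and character rules are illustrative assumptions, not vBulletin's real registration rules; a direct database write like this skips those rules and whatever else the user API does on a name change, which is delicjous's objection, so the example at least restricts the write to the caller's own row and detects the race that the check-then-write pattern leaves open.

```php
<?php
// Added example, not code from the thread or from vBulletin.
// Assumes vB5 is bootstrapped so vB::getDbAssertor() is available, and uses
// getRow('user', $conditions), getRows('user', $conditions) (assumed to exist
// beside getRow) and update('user', $values, $conditions) as the thread does.
// The length/character rules are illustrative assumptions; a direct DB write
// skips the real rules the user API enforces, which is delicjous's point.

function normalizeUsername($raw)
{
    $name = trim((string) $raw);
    return preg_replace('/\s+/u', ' ', $name);   // "a  b" and "a b" must not both exist
}

// Returns an error id, or null when $name is acceptable for $currentUserId.
function usernameError($name, $currentUserId)
{
    $len = mb_strlen($name, 'UTF-8');
    if ($len < 3 || $len > 25) {
        return 'username_length';
    }
    if (preg_match('/[<>"&\x00-\x1f]/', $name)) {   // keep it trivially safe to render
        return 'username_illegal_characters';
    }
    // The comparison runs in MySQL, so it follows the username column's
    // collation: case-insensitive on a stock install, so 'Admin' matches 'admin'.
    $row = vB::getDbAssertor()->getRow('user', ['username' => $name]);
    if (!empty($row) && (int) $row['userid'] !== (int) $currentUserId) {
        return 'username_taken';
    }
    return null;
}

function changeUsername($userid, $newName)
{
    $userid = (int) $userid;
    $name = normalizeUsername($newName);
    $error = usernameError($name, $userid);
    if ($error !== null) {
        return ['ok' => false, 'error' => $error];
    }

    $before = vB::getDbAssertor()->getRow('user', ['userid' => $userid]);
    if (empty($before)) {
        return ['ok' => false, 'error' => 'invalid_user'];
    }

    // The write is always restricted to the caller's own row, so the worst a
    // race between two requests can do is produce a duplicate name, never a
    // write to another account.
    vB::getDbAssertor()->update('user', ['username' => $name], ['userid' => $userid]);

    // Check-then-write is not atomic, and (as the thread found) the database
    // does not reject duplicate usernames by itself. Re-check after the write
    // and give the name back if another request claimed it in between.
    $holders = vB::getDbAssertor()->getRows('user', ['username' => $name]);
    if (count($holders) > 1) {
        vB::getDbAssertor()->update('user', ['username' => $before['username']], ['userid' => $userid]);
        return ['ok' => false, 'error' => 'username_taken'];
    }
    return ['ok' => true, 'error' => null];
}

// Usage (the userid must come from vB::getCurrentSession(), never from a cookie):
//   $result = changeUsername(vB::getCurrentSession()->get('userid'), $_POST['username']);
```

The post-write re-check narrows the race but does not close it; only a unique index on the column, or taking the whole operation through the user API with whatever locking it applies, makes the duplicate impossible.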