LCKB
Fix for FCV2005 Website - Printable Version




- Veni - 07-29-2021


sup,

this seems to fix the problem some people are facing with the fcv2005 website. you can abuse the lost password feature to reset the password of accounts you know the username of. seems to work on every website that uses it.



Either replace the file, or just take every change from the switch statement:



 

    switch ( $code )
    {
        case 1: // step 1: username submitted
            if(!$this->Mlostpass->validnow($this->Mlostpass->user)) $this->errors[] = 'You have\'t entered your username.';
            elseif(!$this->Mlostpass->valid_username($this->Mlostpass->user)) $this->errors[] = 'The username you entered is invalid.';
            else{
                $this->load->set('gsecret', $this->Mlostpass->get_secret_question($this->Mlostpass->user) );
                $_SESSION['lp_user'] = $this->Mlostpass->user;
                $type = 1;
            }
            break;
        case 2: // step 2: secret answer submitted
            if(!$this->Mlostpass->validnow($this->Mlostpass->secret_answer)) $this->errors[] = 'You have\'t entered your secret answer.';
            else{
                if ( $this->Mlostpass->get_secret_answer( $_SESSION['lp_user'], $this->Mlostpass->secret_answer) )
                {
                    $type = 2;
                    // remember the accepted answer so step 3 can re-check it
                    $_SESSION['secret_answer'] = $this->Mlostpass->secret_answer; // added
                }
                else
                {
                    $this->errors[] = 'The secret answer is incorrect.';
                }
            }
            break;
        case 3: // step 3: new password submitted
            if(!$this->Mlostpass->validnow($this->Mlostpass->new_password)) $this->errors[] = 'You have\'t entered your new password.';
            // isset() is checked first so a request that skipped step 2 is rejected before the session value is read
            else if(!isset($_SESSION['secret_answer']) || !$this->Mlostpass->validnow($_SESSION['secret_answer'])) $this->errors[] = "Answer not correct!"; // added
            // re-verify the stored answer against the account whose password is about to change
            else if(!$this->Mlostpass->get_secret_answer( $_SESSION['lp_user'], $_SESSION['secret_answer'])) $this->errors[] = 'Answer not correct!'; //added
            else {
                if(!$this->Mlostpass->valid_password($this->Mlostpass->new_password)) $this->errors[] = 'The new password you entered is invalid.';
                else {
                    if(!isset($this->Mlostpass->new_password_again)) $this->errors[] = 'You have\'t entered new password-repetition.';
                    else {
                        if($this->Mlostpass->new_password != $this->Mlostpass->new_password_again) $this->errors[] = 'The two passwords you entered do not match.';
                        else {
                            if($this->Mlostpass->update_password()) {
                                $this->load->set('success', array('Your password was successfully changed.', 'You\'ve been logged out for security reasons!'));
                                // clear the reset state so it cannot be reused
                                unset($_SESSION['lp_user']);
                                unset($_SESSION['secret_answer']); // added
                            }
                            else{
                                $this->errors[] = 'Password could not be updated.' ;
                            }
                        }
                    }
                }
            }
    }

 

Cases 2 and 3 have been modified in this. Haven't tested it myself, but people told me it works.

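Added example, not part of the original post or the FCV2005 code: the same step-3 guard written as a small session-bound state machine that stores a timestamped "verified" marker instead of the secret answer itself, and clears it whenever step 1 is repeated. The class, method and session key names, the 600-second lifetime and the demo account are assumptions; the callback stands in for `get_secret_answer()`.

```php
<?php
// Added example: hypothetical names throughout, not FCV2005 code.
final class LostPasswordFlow
{
    const TTL = 600;       // assumed lifetime of a verified step 2, in seconds
    private $session;      // reference to $_SESSION (a plain array in this demo)
    private $checkAnswer;  // callable(string $user, string $answer): bool

    public function __construct(array &$session, callable $checkAnswer)
    {
        $this->session = &$session;
        $this->checkAnswer = $checkAnswer;
    }

    // Step 1: (re)starting the flow always drops any earlier verification.
    public function begin($user)
    {
        $this->session['lp'] = ['user' => $user, 'verified_at' => null];
    }

    // Step 2: record success server-side; the answer itself is not kept.
    public function answer($answer)
    {
        if (!isset($this->session['lp']['user'])) return false;
        $ok = (bool) call_user_func($this->checkAnswer, $this->session['lp']['user'], $answer);
        $this->session['lp']['verified_at'] = $ok ? time() : null;
        return $ok;
    }

    // Step 3 gate: call this before update_password().
    public function mayReset()
    {
        if (!isset($this->session['lp']['verified_at'])) return false;
        return (time() - $this->session['lp']['verified_at']) <= self::TTL;
    }

    // After a successful password change: the verification is single use.
    public function finish()
    {
        unset($this->session['lp']);
    }
}

// Constructed demo data: one account, one known answer.
$session = [];
$flow = new LostPasswordFlow($session, function ($user, $answer) {
    return $user === 'alice' && hash_equals('blue', $answer);
});
$flow->begin('alice');  var_dump($flow->mayReset()); // step 3 requested before step 2
$flow->answer('red');   var_dump($flow->mayReset()); // wrong answer
$flow->answer('blue');  var_dump($flow->mayReset()); // correct answer
$flow->finish();        var_dump($flow->mayReset()); // state cleared after the reset
```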




- Revenge - 07-29-2021


????? 




- saschi123 - 07-29-2021


Good fix.




- cristiangramosa - 07-30-2021


Anyone have this site's files?