1 (edited by 2008-08-21 20:04:01)

Topic: [HACK] Remove admin password from comments

Name: Remove admin password from comments
Author: Haddaway
CuteNews Compatibility: 1.3.6 - * (no incompatibility reported yet)
Description: This should eliminate the need for your website asking registered users to provide their password before the comment will be checked.  This is a security issue and will allow anyone to post using a registered users names but some people have asked for this.
In the shows.inc. You just have to erase

// Check if name is Protected
$is_member = FALSE;
foreach($all_users as $member_db_line)
if(!eregi("<\?",$member_db_line) and $member_db_line != ""){
$user_arr = explode("|",$member_db_line);

//if the name is protected
if((strtolower($user_arr[2]) == strtolower($name) or strtolower($user_arr[4]) == strtolower($name)) and $user_arr[3] != md5($password) and $name != "")
// $comments = replace_comment("add", $comments); //commented because will mess up the 

$comments = preg_replace(array("'\"'", "'\''", "''"), array(""", "'", ""), $comments);
$name = replace_comment("add", preg_replace("/\n/", "",$name));
$mail = replace_comment("add", preg_replace("/\n/", "",$mail));

echo"<div style=\"text-align: center;\">This name is owned by a registered user and you must enter password to use it

<form method=\"post\" action=\"\">Password: <input type=\"password\" name=\"password\" />
<input type=\"hidden\" name=\"name\" value=\"$name\" />
<input type=\"hidden\" name=\"comments\" value=\"$comments\" />
<input type=\"hidden\" name=\"mail\" value=\"$mail\" />
<input type=\"hidden\" name=\"ip\" value=\"$ip\" />
<input type=\"hidden\" name=\"subaction\" value=\"addcomment\" />
<input type=\"hidden\" name=\"show\" value=\"$show\" />
<input type=\"hidden\" name=\"ucat\" value=\"$ucat\" />
<input type=\"submit\" /></form></div>";
break 2;
// exit();

if(strtolower($user_arr[2]) == strtolower($name)) $is_member = TRUE;