From 64fbadf3d6e05c00b7b72ed0f40d9c16f0806f3b Mon Sep 17 00:00:00 2001
From: Meik Sievertsen <acydburn@phpbb.com>
Date: Sat, 25 Mar 2006 17:21:32 +0000
Subject: [PATCH] changed the way re-authentication is handled, basically
 hardening the process. - also forbid re-authenticating as another user.

needs further testing.


git-svn-id: file:///svn/phpbb/trunk@5724 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/includes/functions.php                  | 51 ++++++++++-----
 phpBB/language/en/common.php                  | 62 ++++++++++---------
 .../styles/subSilver/template/login_body.html | 10 ++-
 3 files changed, 74 insertions(+), 49 deletions(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index e49d459254..39068ccbb8 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -1368,6 +1368,14 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		$user->setup();
 	}
 
+	// Print out error if user tries to authenticate as an administrator without having the privileges...
+	if ($admin && !$auth->acl_get('a_'))
+	{
+		// Not authd
+		add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
+		trigger_error('NO_AUTH_ADMIN');
+	}
+
 	if (isset($_POST['login']))
 	{
 		$username	= request_var('username', '');
@@ -1376,27 +1384,35 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		$viewonline = (!empty($_POST['viewonline'])) ? 0 : 1;
 		$admin 		= ($admin) ? 1 : 0;
 
+		// Check if the supplied username is equal to the one stored within the database if re-authenticating
+		if ($admin && strtolower($username) != strtolower($user->data['username']))
+		{
+			// We log the attempt to use a different username...
+			add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
+			trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
+		}
+		
 		// If authentication is successful we redirect user to previous page
 		$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
 
+		// If admin authentication and login, we will log if it was a success or not...
+		// We also break the operation on the first non-success login - it could be argued that the user already
+		// knows 
+		if ($admin)
+		{
+			if ($result['status'] == LOGIN_SUCCESS)
+			{
+				add_log('admin', 'LOG_ADMIN_AUTH_SUCCESS');
+			}
+			else
+			{
+				add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
+			}
+		}
+
 		// The result parameter is always an array, holding the relevant informations...
 		if ($result['status'] == LOGIN_SUCCESS)
 		{
-			// If admin authentication
-			if ($admin)
-			{
-				if ($auth->acl_get('a_'))
-				{
-					add_log('admin', 'LOG_ADMIN_AUTH_SUCCESS');
-				}
-				else
-				{
-					// Authenticated, but not having admin permissions
-					add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
-					trigger_error('NO_AUTH_ADMIN');
-				}
-			}
-
 			$redirect = request_var('redirect', "index.$phpEx$SID");
 			meta_refresh(3, $redirect);
 
@@ -1485,7 +1501,10 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 
 		'S_DISPLAY_FULL_LOGIN'	=> ($s_display) ? true : false,
 		'S_LOGIN_ACTION'		=> (!$admin) ? "{$phpbb_root_path}ucp.$phpEx$SID&amp;mode=login" : "index.$phpEx$SID",
-		'S_HIDDEN_FIELDS' 		=> $s_hidden_fields)
+		'S_HIDDEN_FIELDS' 		=> $s_hidden_fields,
+
+		'S_ADMIN_AUTH'			=> $admin,
+		'USERNAME'				=> ($admin) ? $user->data['username'] : '')
 	);
 
 	page_header($user->lang['LOGIN']);
diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php
index 3b65324951..0a4be6edb3 100644
--- a/phpBB/language/en/common.php
+++ b/phpBB/language/en/common.php
@@ -268,36 +268,38 @@ $lang = array_merge($lang, array(
 	'MONTH'				=> 'Month',
 	'MOVE'				=> 'Move',
 
-	'NA'				=> 'N/A',
-	'NEWEST_USER'		=> 'Our newest member <b>%s%s%s</b>',
-	'NEW_MESSAGE'		=> 'New Message',
-	'NEW_MESSAGES'		=> 'New Messages',
-	'NEW_PM'			=> '<b>%d</b> new message',
-	'NEW_PMS'			=> '<b>%d</b> new messages',
-	'NEW_POST'			=> 'New post',
-	'NEW_POSTS'			=> 'New posts',
-	'NEXT'				=> 'Next',
-	'NO'				=> 'No',
-	'NONE'				=> 'None',
-	'NOT_WATCHING_FORUM'=> 'You no subscribe to updates on this forum',
-	'NOT_WATCHING_TOPIC'=> 'You are no longer subscribed to this topic.',
-	'NO_AUTH_OPERATION'	=> 'You do not have the neccessary permissions to complete this operation.',
-	'NO_BIRTHDAYS'		=> 'No birthdays today',
-	'NO_FORUM'			=> 'The forum you selected does not exist',
-	'NO_FORUMS'			=> 'This board has no forums',
-	'NO_GROUP'			=> 'The requested usergroup does not exist.',
-	'NO_MEMBERS'		=> 'No members found for this search criteria',
-	'NO_MESSAGES'		=> 'No Messages',
-	'NO_NEW_MESSAGES'	=> 'No new messages',
-	'NO_NEW_PM'			=> '<b>0</b> new messages',
-	'NO_NEW_POSTS'		=> 'No new posts',
-	'NO_POSTS'			=> 'No Posts',
-	'NO_SUCH_SEARCH_MODULE' => 'The specified search backend doesn\'t exist',
-	'NO_TOPIC'			=> 'The requested topic does not exist.',
-	'NO_TOPICS'			=> 'There are no topics or posts in this forum.',
-	'NO_UNREAD_PM'		=> '<b>0</b> unread messages',
-	'NO_USER'			=> 'The requested user does not exist.',
-	'NO_USERS'			=> 'The requested users do not exist',
+	'NA'						=> 'N/A',
+	'NEWEST_USER'				=> 'Our newest member <b>%s%s%s</b>',
+	'NEW_MESSAGE'				=> 'New Message',
+	'NEW_MESSAGES'				=> 'New Messages',
+	'NEW_PM'					=> '<b>%d</b> new message',
+	'NEW_PMS'					=> '<b>%d</b> new messages',
+	'NEW_POST'					=> 'New post',
+	'NEW_POSTS'					=> 'New posts',
+	'NEXT'						=> 'Next',
+	'NO'						=> 'No',
+	'NONE'						=> 'None',
+	'NOT_WATCHING_FORUM'		=> 'You no subscribe to updates on this forum',
+	'NOT_WATCHING_TOPIC'		=> 'You are no longer subscribed to this topic.',
+	'NO_AUTH_ADMIN'				=> 'You do not have admin permissions and therefore not allowed to access the administration control panel.',
+	'NO_AUTH_ADMIN_USER_DIFFER'	=> 'You are not able to re-authenticate as a different user.',
+	'NO_AUTH_OPERATION'			=> 'You do not have the neccessary permissions to complete this operation.',
+	'NO_BIRTHDAYS'				=> 'No birthdays today',
+	'NO_FORUM'					=> 'The forum you selected does not exist',
+	'NO_FORUMS'					=> 'This board has no forums',
+	'NO_GROUP'					=> 'The requested usergroup does not exist.',
+	'NO_MEMBERS'				=> 'No members found for this search criteria',
+	'NO_MESSAGES'				=> 'No Messages',
+	'NO_NEW_MESSAGES'			=> 'No new messages',
+	'NO_NEW_PM'					=> '<b>0</b> new messages',
+	'NO_NEW_POSTS'				=> 'No new posts',
+	'NO_POSTS'					=> 'No Posts',
+	'NO_SUCH_SEARCH_MODULE'		=> 'The specified search backend doesn\'t exist',
+	'NO_TOPIC'					=> 'The requested topic does not exist.',
+	'NO_TOPICS'					=> 'There are no topics or posts in this forum.',
+	'NO_UNREAD_PM'				=> '<b>0</b> unread messages',
+	'NO_USER'					=> 'The requested user does not exist.',
+	'NO_USERS'					=> 'The requested users do not exist',
 
 	'OCCUPATION'				=> 'Occupation',
 	'OFFLINE'					=> 'Offline',
diff --git a/phpBB/styles/subSilver/template/login_body.html b/phpBB/styles/subSilver/template/login_body.html
index 2fe915ac55..71d56061c5 100644
--- a/phpBB/styles/subSilver/template/login_body.html
+++ b/phpBB/styles/subSilver/template/login_body.html
@@ -29,11 +29,15 @@
 			<!-- ENDIF -->
 
 			<tr>
-				<td><b class="gensmall">{L_USERNAME}:</b></td>
-				<td><input class="post" type="text" name="username" size="25" maxlength="40" value="{USERNAME}" tabindex="1" /><br /><a class="gensmall" href="{U_REGISTER}">{L_REGISTER}</a></td>
+				<td valign="top"><b class="gensmall">{L_USERNAME}:</b></td>
+				<td><input class="post" type="text" name="username" size="25" maxlength="40" value="{USERNAME}" tabindex="1" />
+					<!-- IF not S_ADMIN_AUTH -->
+						<br /><a class="gensmall" href="{U_REGISTER}">{L_REGISTER}</a>
+					<!-- ENDIF -->
+				</td>
 			</tr>
 			<tr>
-				<td><b class="gensmall">{L_PASSWORD}:</b></td>
+				<td valign="top"><b class="gensmall">{L_PASSWORD}:</b></td>
 				<td>
 					<input class="post" type="password" name="password" size="25" maxlength="100" tabindex="2" />
 					<!-- IF U_SEND_PASSWORD --><br /><a class="gensmall" href="{U_SEND_PASSWORD}">{L_FORGOT_PASS}</a><!-- ENDIF -->