Topic: A website core account replacement
doekia
« on: March 23, 2008, 11:28:30 PM »

Please find attached an "account" core replacement package for WB 2.6 - 2.7.

 - Some code clean-up
 - Better security
 - Security breach closed
 - Better user experience
 - Better multi-language support

Somebody may like it.

EDIT: this is NOT a module!!! It is a core replacement function (read the README file in the archive).
« Last Edit: March 24, 2008, 03:17:37 AM by doekia »
ruebenwurzel
WebsiteBaker Org e.V.
« Reply #1 on: March 24, 2008, 07:52:58 AM »

Hello,

thanks for your contribution, but I don't think this will find its way into the core WB files. Reasons are:

1.) the use of .htaccess requires an Apache server
2.) all files of WB should be within the wb directory; using symlinks is not possible for most WB users
3.) languages of core files should be in the language folder and not in the core files
4.) the code seems not to be compatible with existing pages which want to upgrade to WB 2.7

These are only the things I've seen in the first 5 minutes. Will have a deeper look at the files later. All additions which make WB more secure are very welcome. So is there a chance to use your changes within the WB 2.7 RC2 files and make them downwards compatible with existing pages?

Matthias
doekia
« Reply #2 on: March 24, 2008, 09:37:02 AM »

No problem,

  • I did not contribute for the purpose of being accepted or not for migration into the core of WB. Just to address a need that others may be facing.
  • the .htaccess is not required for the code to run. It is used, however, WHEN the files are in the wb tree and when Apache - or another modern web server that supports it - is serving the page. I should have stated that the .htaccess file should be dropped/tweaked if you choose to run from the wb tree by referencing it directly - missed that, but people serious about their security will never install code without first understanding what it does ... hopefully.
  • putting the files under the wb folder tree is just fine.
  • using direct-mode addressing works just fine without the symbolic link (adapt the .htaccess or drop it)
  • and last but not least, the actual code - either the 2.6 release or the 2.7 RC - uses language ... directly in the source for the portion targeted.
  • The actual (2.7 RC1) details.php MISSED to addslash 2 user-provided vars (possible SQL injection), email.php does not check email existence first (multi-account forging), and the email user-provided var is sometimes addslashed twice.

As I stated in the README, I may not get the time to adapt it for RC2 (need to install it first) but if I do, I will post it here. Others can do so, btw.
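The three defects doekia lists in the post above (a user-supplied value concatenated into SQL without escaping, an e-mail address escaped twice, and an account created without first checking whether the address is already registered), shown next to a hardened form. This is an added example and not WebsiteBaker's own code; the `users` table and its columns, the function names, the SQLite in-memory database and the sample rows are assumptions made for illustration. Note that addslashes() is a MySQL-style backslash escape and does nothing useful against SQLite, so the hardened form relies on a prepared statement rather than on string escaping.

```php
<?php
// Added example, not WebsiteBaker code. Demonstrates the defects described
// above against a hypothetical `users` table in an in-memory SQLite database
// (assumes PDO with the sqlite driver, PHP 7.1+).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.org')");
$db->exec("INSERT INTO users (username, email) VALUES ('bob', 'bob@example.org')");

// Defect 1: missing escape. The request parameter is pasted straight into the
// SQL text, so a quote in the input ends the literal and the rest is parsed
// as SQL (the classic SQL injection doekia points at).
function find_user_unescaped(PDO $db, string $email): array
{
    $sql = "SELECT username FROM users WHERE email = '$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Defect 2: double escape. addslashes() applied to a value that was already
// escaped once (for example by magic_quotes_gpc in old PHP) leaves literal
// backslashes in the stored address, so later lookups on the real address fail.
function escape_twice(string $value): string
{
    return addslashes(addslashes($value));
}

// Hardened form: look the address up first, then insert with bound parameters.
// Returns the new user_id, or null when the address is already registered,
// which closes the "multi-account forging" case without any string escaping.
function register_email(PDO $db, string $username, string $email): ?int
{
    $exists = $db->prepare('SELECT COUNT(*) FROM users WHERE email = ?');
    $exists->execute([$email]);
    if ((int) $exists->fetchColumn() > 0) {
        return null;
    }
    $ins = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    $ins->execute([$username, $email]);
    return (int) $db->lastInsertId();
}

// Constructed input: a tautology payload supplied where an e-mail is expected.
$payload = "x' OR '1'='1";
print_r(find_user_unescaped($db, $payload));          // every username leaks
var_dump(escape_twice("o'neil@example.org"));         // backslashes accumulate
var_dump(register_email($db, 'alice2', 'alice@example.org')); // refused, null
var_dump(register_email($db, 'carol', 'carol@example.org'));  // new user_id
```

Run with `php example.php`. The first call returns both sample users because the WHERE clause has been rewritten to `email = 'x' OR '1'='1'`; the same payload passed to `register_email()` is just a string that matches nothing, because the prepared statement never re-parses it as SQL.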
ruebenwurzel
WebsiteBaker Org e.V.
« Reply #3 on: March 24, 2008, 09:51:46 AM »

Hello,

thanks for the reply.

Quote
and last but not least, the actual code - either the 2.6 release or the 2.7 RC - uses language ... directly in the source for the portion targeted.
Yes, this is a known issue and is on the wish list for the next release (WB 2.8), as for WB 2.7 we have feature freeze. All hardcoded text should be replaced by variables from the main language files.

Quote
The actual (2.7 RC1) details.php MISSED to addslash 2 user-provided vars (possible SQL injection), email.php does not check email existence first (multi-account forging), and the email user-provided var is sometimes addslashed twice.
Think this should be (or already is) fixed in WB 2.7 final. Will ask doc when he is back from holiday whether he has already done it or whether something still has to be done.

Matthias
« Last Edit: March 24, 2008, 02:04:54 PM by ruebenwurzel »
doekia
« Reply #4 on: March 24, 2008, 10:44:28 AM »

... (WB 2.8), as for WB 2.7 we have feature freeze...

Consistency will be a good one, if not paramount.
