URGENT: USERNAME

at_rcc
Posts: 32
Joined: Thu Sep 02, 2010 11:19 am

Dear Steven or everyone, I am having a strange problem with nuBuilder: whenever I type globeadmin as the username without any password, it allows access to the whole system. Even if I use the correct user name with a correct password, it also allows correct access.
shane
Posts: 100
Joined: Mon Jun 15, 2009 10:04 am

There are two config.php files you need to check.

One is located in

/db/{your site name}/config.php

in this file check that you have

$DBGlobeadminPassword = "put your password here";

the other is located in

/productionnu2/config.php

in this file check that you have

$NUGlobeadminPassword = "put your password here";

The passwords in these files do not need to match. This enables you to have a global globeadmin and a site-level globeadmin.
at_rcc
Posts: 32
Joined: Thu Sep 02, 2010 11:19 am

Dear friend, I tried and checked both files; both have a password. Still, by typing the username globeadmin without keying in the password, I am getting access. I am sending the system sample so that you may have a check.
I have tried countless times but was unable to find the bug!!!
admin
Site Admin
Posts: 2814
Joined: Mon Jun 15, 2009 2:23 am
Been thanked: 25 times

I installed your SQL file and there was no problem for me.

So I'm not sure,

maybe try this..

Empty the table called zzsys_trap and login again.
Then look in zzsys_trap again

OR

debug this bit in formlogin.php

		$globeadminPasswords[] = $RQ[3];
	if ($DBGlobeadminPassword)
		$globeadminPasswords[] = $DBGlobeadminPassword;
	if (!$DBSiteGlobeadminPasswordOnly && $NUGlobeadminPassword)
		$globeadminPasswords[] = $NUGlobeadminPassword;
	if ($user=='globeadmin' && in_array($pass, $globeadminPasswords)){//----hardcoded user name and password
		nuSessionSet($id, 'globeadmin', 'globeadmin', 'globeadmin', $_GET['small'], $parameter); tofile('IN GLOBEADMIN');
	}else{
		$s                                 = "SELECT zzsys_user_id AS ID, sal_name AS AccessLevel, sug_group_name as UserGroupName FROM zzsys_user ";
		$s                                 = $s . "INNER JOIN zzsys_user_group ON sus_zzsys_user_group_id = zzsys_user_group_id ";
		$s                                 = $s . "INNER JOIN zzsys_access_level ON sug_zzsys_access_level_id = zzsys_access_level_id ";
		$s                                 = $s . "WHERE sus_login_name = '$user' AND sus_login_password = '$pass'";
/*
===============================
put a nuDebug($s) just below here
===============================
*/
		$t                                 = nuRunQuery($s);
		$r = db_fetch_object($t);
tofile('IN NORMAL USER '.$s);
		if($r->ID==''){//--not there
			$stoplogin                     = true; 
			tofile('IN NORMAL USER - EMPTY USER');
		}else{ 
			tofile('IN NORMAL USER - NON EMPTY USER');
			if($user=='globeadmin'){//--can't have any other user as globeadmin
				$stoplogin                     = true;
			}else{
				nuSessionSet($id, $r->AccessLevel, $r->ID, $r->UserGroupName, $_GET['small'], $parameter);
			}
		}
	}

It will be up to you to find the problem as I can't duplicate it.
(In the code above, tofile is the same as nuDebug and puts a message in the same place.)

Systematically put nuDebugs in the places where you think things shouldn't work and I'm sure you'll figure it out; maybe find out where $RQ[3] is coming from.

Steven
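
Added example, not part of the thread or of nuBuilder's code: a sketch of how the globeadmin check in the formlogin.php excerpt above behaves if the first candidate ($RQ[3]) arrives as an empty string, next to a stricter check. That $RQ[3] is empty is an assumption for illustration, not a confirmed diagnosis; the function names and sample passwords are constructed.

```php
<?php
// Added illustration, not nuBuilder source. Variable names follow the excerpt
// above; function names and sample values are constructed.

// Check as written in the excerpt: every collected value counts as a
// valid candidate, including an empty one.
function globeadminLoginLoose(string $user, string $pass, array $candidates): bool
{
    return $user == 'globeadmin' && in_array($pass, $candidates);
}

// Stricter check: refuse an empty submitted password, skip unset or empty
// candidates, and compare as strings in constant time.
function globeadminLoginStrict(string $user, string $pass, array $candidates): bool
{
    if ($user !== 'globeadmin' || $pass === '') {
        return false;
    }
    foreach ($candidates as $candidate) {
        if (is_string($candidate) && $candidate !== '' && hash_equals($candidate, $pass)) {
            return true;
        }
    }
    return false;
}

// Constructed case: both config.php passwords are set, but the first
// candidate (the $RQ[3] slot in the excerpt) is assumed to arrive empty.
$RQ3                  = '';
$DBGlobeadminPassword = 'site-secret';   // constructed value
$NUGlobeadminPassword = 'global-secret'; // constructed value
$globeadminPasswords  = [$RQ3, $DBGlobeadminPassword, $NUGlobeadminPassword];

// Empty password against each check, then a correct and a wrong password.
var_dump(globeadminLoginLoose('globeadmin', '', $globeadminPasswords));
var_dump(globeadminLoginStrict('globeadmin', '', $globeadminPasswords));
var_dump(globeadminLoginStrict('globeadmin', 'site-secret', $globeadminPasswords));
var_dump(globeadminLoginStrict('globeadmin', 'wrong', $globeadminPasswords));
```

If the loose check accepts the empty password while both config.php values are set, the empty candidate is what matched, which is why tracing the origin of $RQ[3] is the useful next step.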