Certificate login

Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
hannuko
Registered User
Posts: 6
Joined: Tue Jul 08, 2008 7:55 am

Re: Certificate login

Post by hannuko »

paulus wrote:Please make sure you escape all data from the $_SERVER var correctly to prevent SQL injection. You need to call $db->sql_escape on the variable in the query.

Besides that, the query itself should be uppercase (of course with the correct case for the table names, so lower case) instead of the current lower case you use.
And keys in the array should be in single quotes, else it would be a constant that doesn't exist, which will generate a notice :).
OK, thanks for the hints! I edited the original post according to your instructions.
By the way, the $_SERVER var comes originally from a verified certificate, so it would not be that easy to use it for an SQL injection. But better to be safe than sorry. The key in the original one was in single quotes already.

adisan82
Registered User
Posts: 2
Joined: Mon Jul 16, 2012 10:43 am

Re: Certificate login

Post by adisan82 »

Hi,


I know this is old post but I need help:

Apache configuration:


<VirtualHost *:443>

SSLEngine On
SSLVerifyClient require
SSLVerifyDepth 10
#---------------------------------------
# grid certification
SSLCACertificatePath /usr/lib/ssl/certs/
SSLCADNRequestPath /usr/lib/ssl/certs/
#------------------------------------------------
# server cert
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
#------------------------------------------------
ServerName 150.254.148.60:443
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

</VirtualHost>
In /usr/lib/ssl/certs/ I have installed the CA.

I added a new function to /usr/share/phpBB3/includes/auth_db.php:
phpBB3 configuration:


function autologin_db()
{
        global $db, $config;

        // mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the client chain verified
        if (isset($_SERVER['SSL_CLIENT_VERIFY']) && $_SERVER['SSL_CLIENT_VERIFY'] == 'SUCCESS')
        {
                // USERS_TABLE is phpBB's constant for the users table;
                // the CN is external input, so escape it before putting it in the query
                $sql = 'SELECT *
                        FROM ' . USERS_TABLE . "
                        WHERE username = '" . $db->sql_escape($_SERVER['SSL_CLIENT_S_DN_CN']) . "'";
                $result = $db->sql_query($sql);
                $row = $db->sql_fetchrow($result);
                $db->sql_freeresult($result);

                if ($row)
                {
                        return $row;
                }
        }

        return array();
}

This is how this should work: if you have a certificate installed in your web browser that is accepted by the CA installed on the server, your user name in the phpBB3 database is the same as the certificate CN, and you use https://, you should be auto-logged into phpBB3. Right now only the last part, "you should be auto-logged into phpBB3", won't work ;/ no error in the log file ;/

I'm not sure where and how to call the function autologin_db(). Perhaps instead of adding a new function I should edit the "login_db" function?
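The lookup the two posts above discuss, written as an added stand-alone example (not code from the thread or from phpBB): the CN is trusted only after mod_ssl reports a verified chain, it is checked against an assumed username character set, and the query is a prepared statement instead of string concatenation. The in-memory SQLite table and its columns are constructed stand-ins for phpbb_users.

```php
<?php
// Added example, not from the thread or from phpBB.

function cert_username(array $server): ?string
{
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:<reason>;
    // only SUCCESS means the client chain verified against SSLCACertificatePath.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $cn = $server['SSL_CLIENT_S_DN_CN'] ?? '';
    // A CA-issued CN is still external input: accept only an assumed username charset.
    if (!preg_match('/^[A-Za-z0-9_.\-]{1,60}$/', $cn)) {
        return null;
    }
    return $cn;
}

function autologin_by_cert(PDO $db, array $server): ?array
{
    $cn = cert_username($server);
    if ($cn === null) {
        return null;
    }
    // Parameter binding keeps the CN out of the SQL text entirely.
    $stmt = $db->prepare('SELECT user_id, username FROM phpbb_users WHERE username = :u');
    $stmt->execute([':u' => $cn]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data standing in for the phpBB users table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE phpbb_users (user_id INTEGER, username TEXT)');
$db->exec("INSERT INTO phpbb_users VALUES (2, 'alice')");

$verified   = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'alice'];
$unverified = ['SSL_CLIENT_VERIFY' => 'NONE',    'SSL_CLIENT_S_DN_CN' => 'alice'];
$oddCn      = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => "alice' OR '1'='1"];

var_dump(autologin_by_cert($db, $verified));   // verified chain, known user: row returned
var_dump(autologin_by_cert($db, $unverified)); // chain not verified: CN ignored
var_dump(autologin_by_cert($db, $oddCn));      // CN outside the allowed charset: rejected
```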
