I recently downloaded the freeware blog script TwoBlog (http://twoblog.com). When I downloaded it, I noticed that it was built to be hosted locally and not on a web server, because the admin panel had no security at all: anyone could log into it. So I modified the admin files so that the user can set a password that is required to log in to the admin panel. I changed the following:
I added an admin/config.php file with the following content:
<?php
// TwoBlog Secure Web Edition - ©2004 iNFERiON [http://www.webzooi-log.tk]
/* Set your admin password below (it is kept in clear text in this file) */
$adminpass = 'yourpass';
?>
I edited the admin/header.php file, which is the top of the admin panel, and added a logout link and a check for the correct password:
<?php
/* Pass requirement */
// TwoBlog Secure Web Edition - ©2004 iNFERiON [http://www.webzooi-log.tk]
if (!session_id()) {
    session_start();
}
require('config.php');
// Only render the admin navbar when the session holds the correct password
if (isset($_SESSION['password'])) {
    if ($_SESSION['password'] == $adminpass) {
?>
<!-- Updated navbar with logout function -->
<br /><a href="add.php">Post Entry</a> |
<a href="editdelete.php">Edit / Delete</a> |
<a href="comments.php">Mod Comments</a> |
<a href="../index.php" target="_blank">View Blog</a> |
<a href="index.php?action=logout">Log Out</a>
<?php
    } else {
        echo "No admin password found";
        exit;
    }
} else {
    echo "No admin session found";
    exit;
}
/* File end */
Then I altered admin/index.php:
<?php
// TwoBlog Secure Web Edition - ©2004 iNFERiON [http://www.webzooi-log.tk]
if (!session_id()) {
    session_start();
}
require('config.php');
// Logout: clear the session data and send the user back to the blog
if (isset($_GET['action']) && $_GET['action'] == 'logout') {
    session_unset();
    echo "<META HTTP-EQUIV=\"refresh\" content=\"2;URL=../index.php\">";
    echo "Successfully logged out, returning to blog index...";
    exit;
}
// Login form submitted: the entered password is kept in the session
if (isset($_POST['password'])) {
    $_SESSION['password'] = $_POST['password'];
}
if (isset($_SESSION['password'])) {
    if ($_SESSION['password'] == $adminpass) {
        /*
        Original code here
        */
    } else {
        echo "Login Failed";
        session_unset();
        exit;
    }
} else {
    echo "<form action=\"index.php\" method=\"post\" name=\"login\" id=\"login\">
Please enter the admin password:
<input name=\"password\" type=\"password\" id=\"password\">
<input type=\"submit\" name=\"Submit\" value=\"Login\">
</form>";
}
So now, viewing the admin panel index requires a password.
But the separate files for editing and adding blog entries were still publicly usable. So I changed the admin function files by adding the following at the top of each:
<?php
// TwoBlog Secure Web Edition - ©2004 iNFERiON [http://www.webzooi-log.tk]
if (!session_id()) {
    session_start();
}
require('config.php');
// Refuse to run the page unless the session holds the correct password
if (isset($_SESSION['password'])) {
    if ($_SESSION['password'] == $adminpass) {
        /*
        Original PHP here
        */
    } else {
        echo "No admin password found";
        exit;
    }
} else {
    echo "No admin session found";
    exit;
}
?>
<!--
Original HTML here
-->
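The gate above keeps the clear-text password in both config.php and the session and compares it with a loose `==` on every request (in PHP, `==` on two numeric-looking strings such as "1e3" and "1000" is true). What follows is a hardened version of the same idea, written here as an added example; it is not part of TwoBlog or of the Secure Web Edition download. It assumes PHP 7.3 or later, a hypothetical admin/auth.php that every admin script requires as its very first line (before any output, because it sends headers), and an admin/config.php that defines `$adminhash`, the output of password_hash(), instead of `$adminpass`. Only a logged-in flag goes into the session, the password is checked with password_verify(), the session id is regenerated on login so an id planted before login is useless, and the session cookie is HttpOnly.

```php
<?php
// admin/auth.php (hypothetical file name) - added hardened example, not code
// from TwoBlog or from the Secure Web Edition. Every admin script starts with:
//     require __DIR__ . '/auth.php';
// Assumes PHP >= 7.3 and an admin/config.php that sets $adminhash to the
// output of password_hash('yourpass', PASSWORD_DEFAULT).
declare(strict_types=1);

require __DIR__ . '/config.php';   // defines $adminhash (a bcrypt/argon2 hash)

// Session cookie hardening: HttpOnly keeps the id away from page scripts,
// SameSite=Lax blocks cross-site POSTs to the admin scripts, Secure only
// sends the cookie over HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => ($_SERVER['HTTPS'] ?? 'off') !== 'off',
]);
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Destroy the whole session (data, server-side record and cookie),
// not just the variables as session_unset() does.
function admin_logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// The navbar's "index.php?action=logout" link works on any admin page now.
if (($_GET['action'] ?? '') === 'logout') {
    admin_logout();
    header('Location: ../index.php');
    exit;
}

// Login attempt. Only a boolean flag goes into the session, never the password.
$loginError = '';
if (isset($_POST['password'])) {
    if (password_verify((string) $_POST['password'], $adminhash)) {
        session_regenerate_id(true);        // fresh id: a pre-login fixed id is dead
        $_SESSION['admin']      = true;
        $_SESSION['login_time'] = time();
        // Redirect to the same page without the query string, so a browser
        // refresh does not resubmit the password form.
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
        exit;
    }
    usleep(250000);                          // slows online guessing a little
    $loginError = 'Login failed';
}

// Gate: unauthenticated or expired sessions get the login form and nothing else.
$maxAge = 8 * 3600;                          // re-login after 8 hours
if (empty($_SESSION['admin']) || time() - (int) ($_SESSION['login_time'] ?? 0) > $maxAge) {
    admin_logout();
    header('Cache-Control: no-store');
    echo '<form action="" method="post">',
         $loginError === '' ? '' : '<p>' . htmlspecialchars($loginError) . '</p>',
         'Please enter the admin password: ',
         '<input name="password" type="password" autocomplete="current-password">',
         '<input type="submit" value="Login">',
         '</form>';
    exit;
}
// Past this point the request is authenticated; the including script continues.
```

Generate the hash once with `php -r "echo password_hash('yourpass', PASSWORD_DEFAULT), PHP_EOL;"` and paste the printed value into admin/config.php as `$adminhash = '...';`. With this single include at the top of index.php, header.php and every function file, none of them needs its own copy of the password check, and a misconfigured server that ever serves config.php as plain text exposes a hash rather than the password itself.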
And the system works well now. You can download my TwoBlog Secure Web Edition here: http://webzooi.frac.dk/mirrored/tb_swe/tb_swe.rar
I hope more people will find a use for it. 🙂
Critiques and comments always welcome.