
Old php script from 2001 lets you login without password


amsgwp


I've been editing an old script I found on SourceForge for doing NCAA pickems. I've noticed it seems to be a pretty vulnerable script, but it'll work for my uses.

 

Can anyone help figure this out?

 

When you go to the site, if you click the sign in button, it logs you in and lets you edit stuff without even entering anything at all!

 

Here is the login code:

 

$user=$conn->qstr($HTTP_POST_VARS["user"], get_magic_quotes_gpc());
$pass=$HTTP_POST_VARS["pass"];
//$remember = $HTTP_POST_VARS["remember"];

$qry="SELECT playerID, username, password, fullname, email, defProfile FROM $playertbl WHERE username=$user";
if($rs=&$conn->Execute($qry)===FALSE) {
  echo "<p><strong>Authentication failed:<br/>\n" .
    $conn->ErrorNo() . ": " . $conn->ErrorMsg() . "</strong></p>\n";
    exit;
}

if($rs->EOF) {
  header("Location: " . $SYS["base_href"] . "/signon.php?message=8&" . SID);
} elseif($pass!=$rs->fields["password"]) {
  header("Location: " . $SYS["base_href"] . "/signon.php?message=9&" . SID);
} else {
  unset($pass); unset($user);
  $HTTP_SESSION_VARS["userID"]=$rs->fields["playerID"];
  $HTTP_SESSION_VARS["username"]=$rs->fields["username"];
  $HTTP_SESSION_VARS["fullname"]=$rs->fields["fullname"];
  $HTTP_SESSION_VARS["email"]=$rs->fields["email"];
  $HTTP_SESSION_VARS["profileID"]=$rs->fields["defProfile"];
  unset($rs);
  $HTTP_SESSION_VARS["phoolID"]=0;
  header("Location: " . $SYS["base_href"] . "/success.php?type=return&" . SID);
}

 

I've also checked the database for a blank entry or something, but that didn't work.

It looks like it will only fail if the query gets an error. It might have been meant for a really old database that got an error if it returned 0 results. I would recommend writing your own; it is not very hard.

 

Scott.

Ya, that does sound right. I also realized that for some reason it would have a blank row in the database, which allowed anyone to log in! And it creates this row if you submit a blank register form! Wow, I checked the database structure and it requires that the username be over 1 character, so I don't understand how that's happening. I might just be missing something.

 

Anyways,

 

I tried rewriting the login code with the code below, but I get the following errors:


Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/login.php on line 16

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/login.php on line 18

 

require("./shared.php");
$user=$conn->qstr($HTTP_POST_VARS["user"], get_magic_quotes_gpc());
$pass=$HTTP_POST_VARS["pass"];
//$remember = $HTTP_POST_VARS["remember"];

$qry="SELECT playerID, username, password, fullname, email, defProfile FROM $playertbl WHERE username='$user'";
$result=mysql_query($qry);
$count=mysql_num_rows($result);

while($row = mysql_fetch_array($result, MYSQL_ASSOC))
if($count==1) {
  unset($pass); unset($user);
  $HTTP_SESSION_VARS["userID"]=$row["playerID"];
  $HTTP_SESSION_VARS["username"]=$row["username"];
  $HTTP_SESSION_VARS["fullname"]=$row["fullname"];
  $HTTP_SESSION_VARS["email"]=$row["email"];
  $HTTP_SESSION_VARS["profileID"]=$row["defProfile"];
  $HTTP_SESSION_VARS["phoolID"]=0;
  header("Location: " . $SYS["base_href"] . "/success.php?type=return&" . SID);
}
else {
echo "<strong>Wrong Username or Password. </strong>";
}

 

 

Your script looks good, but you have a SQL error. Change your query line to:

$result=mysql_query($qry) or die(mysql_error());

Also, replace $HTTP_POST_VARS with $_POST and $HTTP_SESSION_VARS with $_SESSION.

$_POST and $_SESSION are superglobals, so they are available everywhere in your script, unlike $HTTP_POST_VARS and $HTTP_SESSION_VARS.

Change this code: you don't need a loop, because you should only have one row, or else the login failed. Also, having the ($count == 1) inside the loop will mean that if the login fails and no rows are returned, it will output an error.

if($count==1) {
  // exactly one row came back: fetch it once, no loop needed
  $row = mysql_fetch_array($result, MYSQL_ASSOC);
  unset($pass); unset($user);
  // $_SESSION is the superglobal replacement for $HTTP_SESSION_VARS
  $_SESSION["userID"]=$row["playerID"];
  $_SESSION["username"]=$row["username"];
  $_SESSION["fullname"]=$row["fullname"];
  $_SESSION["email"]=$row["email"];
  $_SESSION["profileID"]=$row["defProfile"];
  $_SESSION["phoolID"]=0;
  header("Location: " . $SYS["base_href"] . "/success.php?type=return&" . SID);
  exit;
}
else {
  // zero rows (or more than one) means the login failed
  echo "<strong>Wrong Username or Password. </strong>";
}

 

Scott.

Well I think I figured out my issue and it's a lot bigger than I thought.

 

The script uses ADODB connections instead of the mysql_connect functions. I would have to modify so many lines to replace it with the mysql_connect functions.

 

I think that's why mysql_num_rows isn't working.

 

Here is the connect code:

 

require($SYS["includes"] . "/adodb/adodb.inc.php");
$conn = &ADONewConnection("mysql");
$conn->Connect($SYS["db_host"], $SYS["db_user"], $SYS["db_pass"], $SYS["db_data"]);

 

I tried replacing $conn with mysql_connect(), but it then kills all other parts of the script.

 

Does anyone know of an ADODB method for counting rows, so I can use this login script?
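As an added example (not code from the thread or from the pickem script), here is what a login handler built on the ADODB connection already opened by shared.php could look like. It answers the row-count question with ADODB's own RecordCount(), and it also closes the two holes the thread describes: an empty form matching the blank row, and the plaintext password comparison. Assumptions: $conn, $playertbl and $SYS come from the poster's shared.php as shown above; the password column holds password_hash() output rather than plaintext (existing rows would need migrating); the ADODB build in use supports '?' bind placeholders on Execute(), which it has done for the mysql and mysqli drivers for a long time. Note that $conn->qstr() already returns a value wrapped in single quotes, so a query that writes username='$user' around a qstr() result is doubly quoted; binding the value sidesteps that entirely.

```php
<?php
// Added example: hardened login for the ADODB-based pickem script in this thread.
// Assumes shared.php provides $conn (open ADODB connection), $playertbl and $SYS,
// exactly as in the poster's connect code. Not the original script's code.
require("./shared.php");

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
$conn->SetFetchMode(ADODB_FETCH_ASSOC);

function fail_login($reason)
{
    global $SYS;
    // One redirect for every failure, so a probe cannot tell "no such user"
    // from "wrong password". The reason is logged server-side only.
    error_log("login failed: " . $reason);
    header("Location: " . $SYS["base_href"] . "/signon.php?message=9");
    exit;
}

$user = isset($_POST["user"]) ? trim($_POST["user"]) : "";
$pass = isset($_POST["pass"]) ? $_POST["pass"] : "";

// Reject blank credentials before touching the database. In the original script
// an empty sign-in form matched the blank row created by an empty registration.
if ($user === "" || $pass === "") {
    fail_login("blank credentials");
}

// Bind the username instead of pasting it into the SQL text. ADODB quotes the
// bound value itself, so qstr() and get_magic_quotes_gpc() are no longer involved.
// $playertbl is a configuration value from shared.php, not user input.
$qry = "SELECT playerID, username, password, fullname, email, defProfile"
     . " FROM $playertbl WHERE username = ?";
$rs = $conn->Execute($qry, array($user));

if ($rs === false) {
    // Keep the driver's error text out of the browser; the original echoed it.
    fail_login("query error: " . $conn->ErrorMsg());
}

// Exactly one row, not "at least one". RecordCount() is ADODB's equivalent of
// mysql_num_rows(); it returns -1 when a driver cannot count, so compare with 1.
if ($rs->RecordCount() !== 1) {
    fail_login("expected one row, got " . $rs->RecordCount());
}
$row = $rs->fields;

// Compare against a stored hash made with password_hash($pass, PASSWORD_DEFAULT)
// at registration. This replaces the script's plaintext $pass != $rs->fields["password"].
if (!password_verify($pass, $row["password"])) {
    fail_login("bad password for " . $row["username"]);
}

// Issue a fresh session id when privileges change, so a session id fixed
// before login cannot be reused by whoever planted it.
session_regenerate_id(true);
$_SESSION["userID"]    = $row["playerID"];
$_SESSION["username"]  = $row["username"];
$_SESSION["fullname"]  = $row["fullname"];
$_SESSION["email"]     = $row["email"];
$_SESSION["profileID"] = $row["defProfile"];
$_SESSION["phoolID"]   = 0;

header("Location: " . $SYS["base_href"] . "/success.php?type=return");
exit;
```

The SID constant from the original redirects is dropped on purpose: carrying the session id in the URL is what makes session fixation and referer leakage easy, and a cookie-based session does not need it. If the register form is kept, the same blank-input check belongs there too, so the empty row that started this thread cannot be created in the first place.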
