BigJohnno Posted October 5, 2009 Share Posted October 5, 2009
Hello all, My dopey web developers (who I have now fired) have created a Control Panel login into my website for CMS etc. The trouble is, in FireFox, Safari, Chrome ANY password works! In IE8 only the correct password in the database works. Handy! Any ideas on this? I will provide any further information you need, but I'm desparate to get this fixed, now I think my developers have been given the boot they may log into the control panel have wreck stuff. Thank you ... The PHP code below is for the Control Panel index page.
---------------------
// Control Panel index page: processes the login POST, then renders the login form.
// The opening PHP tag is not part of the pasted listing.
require_once("Includes/Configure.php");
require_once(DIR_FS_SITE_CONTROL_INCLUDES_CLASSES."Controllers.Class");
// Login attempt: the form below posts a hidden Control=1 field.
if(isset($_POST['Control']) and $_POST['Control']==1)
{
    // The lookup result is stored in $ControllerTemp. $ControllerObj is not created in this
    // listing; presumably one of the includes above instantiates it.
    $ControllerTemp=$ControllerObj->GetControllerByUserNameAndPassword($_POST['UserName'],$_POST['Password']);
    // NOTE(review): this condition tests $ControllerObj -- the object the method above was
    // just called on -- not $ControllerTemp. Once execution reaches this line $ControllerObj
    // is necessarily an object, so the branch is taken whatever password was posted.
    // Presumably is_object($ControllerTemp) was intended; confirm what
    // GetControllerByUserNameAndPassword() returns for a failed lookup.
    // NOTE(review): the second operand compares against a username/password pair fixed in
    // source, which grants access independently of the database and should be removed.
    if(is_object($ControllerObj) or ($_POST['UserName']=="admin" and $_POST['Password']=="master"))
    {
        if(isset($_POST['Save']))
        {
            // "Remember Me": stores the username and the plaintext password in cookies for
            // 3600*24*365 seconds (one year). No path/secure/httponly arguments are passed.
            // NOTE(review): keeping the password itself in a cookie exposes it to anything
            // that can read the browser's cookies; a random server-side token is the usual
            // alternative.
            setcookie("ADMIN1",$_POST['UserName'],time()+3600*24*365);
            setcookie("ADMIN2",$_POST['Password'],time()+3600*24*365);
        }
        else
        {
            // "Remember Me" not ticked: blank both cookies.
            setcookie("ADMIN1","");
            setcookie("ADMIN2","");
        }
        // Empty the output buffer before the redirect header is sent.
        ob_clean();
        // NOTE(review): session_register() was deprecated in PHP 5.3 and removed in PHP 5.4;
        // assigning to $_SESSION, as done just below, is the supported form. No
        // session_regenerate_id() call is visible in this listing.
        session_register("AdminObj");
        session_register("Cart");
        session_register("ErrorMessage");
        session_register("InfoMessage");
        session_register("Opr");
        // The session identity is taken from the posted username, not from the lookup result.
        $_SESSION['Opr'] = isset($_POST['UserName'])?$_POST['UserName']:"";
        $_SESSION['AdminObj'] = $_POST['UserName'];
        $_SESSION['InfoMessage'] ="";
        $_SESSION['ErrorMessage'] ="";
        // Pick the welcome message: the "admin" user gets the USER_LOGIN_THANK_MSG constant,
        // every other username gets the operator greeting.
        if($_SESSION['Opr']=="admin")
        {
            $_SESSION['InfoMessage']=USER_LOGIN_THANK_MSG;
        }
        else
        {
            $_SESSION['InfoMessage']="Welcome to Print Operator Control Panel";
        }
        // Redirect into the control panel and stop processing this page.
        header("location:".DIR_WS_SITE_CONTROL."Admin.php");
        exit;
    }
    else
    {
        // NOTE(review): given the condition above, this rejection branch looks unreachable.
        session_register("ErrorMessage");
        $_SESSION['ErrorMessage']="Invalid Login.";
    }
}
require_once(DIR_FS_SITE_CONTROL_INCLUDES."ControlHeader.php");
/*
 * NOTE(review) on the script and markup that follow:
 *  - LoginCheck() asks Mytest.php whether the credentials are valid and only lets the form
 *    submit when the answer is 1. That runs in the browser, so it cannot stand in for the
 *    server-side decision made in the POST handler above. Mytest.php is not shown here.
 *  - LoginCheck() finds the inputs with getElementById('UserName') / ('Password'), but the
 *    active form's inputs carry name= only; the ids exist only in the commented-out form.
 *    In standards-conforming browsers the lookups return null, reading .value throws, the
 *    onsubmit handler never returns false, and the form posts without the browser-side
 *    check. Internet Explorer 7 and earlier (and IE8 in compatibility view) also match the
 *    name attribute in getElementById, which presumably explains why only IE appears to
 *    verify the password -- TODO confirm.
 *  - The username and password are appended to the URL of a GET request without
 *    encodeURIComponent(), so they can end up in server logs and browser history.
 *  - $_COOKIE['ADMIN1'] and $_COOKIE['ADMIN2'] are echoed into value="" attributes without
 *    htmlspecialchars(), and the saved password is written back into the page.
 *  - The short echo tags inside the HTML comment block still execute, so the same cookie
 *    values are emitted there as well.
 *  - CascadeCheck() is called from the submit buttons but is not defined in this listing.
 */
?>
<script>
// Returns an XMLHttpRequest where the browser provides one, otherwise the
// Microsoft.XMLHTTP ActiveX object; returns undefined when neither is available.
function createRequestObject()
{
    if (window.XMLHttpRequest)
    {
        return new XMLHttpRequest();
    }
    else if(window.ActiveXObject)
    {
        return new ActiveXObject("Microsoft.XMLHTTP");
    }
}
// One request object shared by every login attempt on this page.
var http = createRequestObject();
// onsubmit handler of LoginForm: sends the entered username and password to Mytest.php
// and returns false so the form waits for handleResponse() to decide.
function LoginCheck()
{
    UserNameObj = document.getElementById('UserName');
    PasswordObj = document.getElementById('Password');
    http.open('get', 'Mytest.php?UserName=' + UserNameObj.value + '&Password=' + PasswordObj.value);
    //http.open('get', 'gallery.php?UserName=' + UserNameObj.value + '&Password=' + PasswordObj.value);
    http.onreadystatechange = handleResponse;
    http.send(null);
    return false;
}
// Runs on every readyState change; once the request is complete (readyState 4) it submits
// LoginForm when the response text equals 1 and shows an alert otherwise.
function handleResponse()
{
    if(http.readyState == 4){
        var response = http.responseText;
        if(response==1)
        {
            FormObj = document.getElementById('LoginForm');
            FormObj.submit();
            return true;
        }
        else
        {
            alert("Invalid User detail. Please try again.");
            return false;
        }
    }
    return false;
}
</script>
<table border="0" cellpadding="0" cellspacing="0" width="98%">
  <tr>
    <td height="550">
      <div align="center">
        <!-------Start Here --------->
        <div align="center">
          <table border="0" cellpadding="0" cellspacing="0" width="100%" height="100%">
            <tr>
              <td align="center">
                <table border="0" cellpadding="3" cellspacing="1" bgcolor="white" class="LoginTable">
                  <form name="LoginForm" id="LoginForm" action="<?=DIR_WS_SITE_CONTROL?>index.php" method="POST" onsubmit="return LoginCheck();">
                    <tr height="25">
                      <td colspan="2" height="25">
                        <div align="center"> <b><font size="2" color="#76AD13">WEBSITE CONTROL PANEL</font></b></div>
                      </td>
                    </tr>
                    <tr>
                      <td width="80" class="LfCell">
                        <div align="right"> <b>Username</b></div>
                      </td>
                      <td class="RtCell"><input type="text" name="UserName" size="30" value="<?=(isset($_COOKIE['ADMIN1']) and !empty($_COOKIE['ADMIN1'])) ? $_COOKIE['ADMIN1']:""?>" ></td>
                    </tr>
                    <tr>
                      <td width="80" class="LfCell">
                        <div align="right"> <b>Password</b></div>
                      </td>
                      <td class="RtCell"><input type="password" name="Password" size="30" value="<?=(isset($_COOKIE['ADMIN2']) and !empty($_COOKIE['ADMIN2'])) ? $_COOKIE['ADMIN2']:""?>" ></td>
                    </tr>
                    <tr>
                      <td width="80" class="LfCell"></td>
                      <td class="RtCell"><input type="checkbox" style="border:0" name="Save" id="Save" size="30" <?=(isset($_COOKIE['ADMIN1']) and !empty($_COOKIE['ADMIN1']) and isset($_COOKIE['ADMIN2']) and !empty($_COOKIE['ADMIN2'])) ? "checked":""?>><label for="Save">Remember Me</label></td>
                    </tr>
                    <tr>
                      <td width="80"><input type="hidden" name="Control" value="1"></td>
                      <td><input type="submit" value="Submit" name="Submit" class="Button" border="0" onclick="return CascadeCheck('ss');" style="border:none"></td>
                    </tr>
                  </form>
                </table>
              </td>
            </tr>
          </table>
        </div>
        <!-- <table border="0" cellpadding="3" cellspacing="1" bgcolor="white" class="LoginTable">
          <form name="LoginForm" id="LoginForm" action="<?=DIR_WS_SITE_CONTROL?>index.php" method="POST" onsubmit="return LoginCheck();">
            <tr height="25">
              <td colspan="2" height="25" align="center"> <b><font size="2" color="#8b0000">WEBSITE CONTROL PANEL</font></b> </td>
            </tr>
            <tr>
              <td width="80">
                <div align="right" class="LfCell"><b>Username</b></div>
              </td>
              <td class="RtCell"><input type="text" name="UserName" id="UserName" value="<?=(isset($_COOKIE['ADMIN1']) and !empty($_COOKIE['ADMIN1'])) ? $_COOKIE['ADMIN1']:""?>" size="30"></td>
            </tr>
            <tr>
              <td width="80" class="LfCell">
                <div align="right" > <b> Password</b></div>
              </td>
              <td class="RtCell"><input type="password" name="Password" id="Password" value="<?=(isset($_COOKIE['ADMIN2']) and !empty($_COOKIE['ADMIN2'])) ? $_COOKIE['ADMIN2']:""?>" size="30"></td>
            </tr>
            <tr>
              <td width="80"></td>
              <td><input type="checkbox" style="border:0" name="Save" id="Save" size="30" <?=(isset($_COOKIE['ADMIN1']) and !empty($_COOKIE['ADMIN1']) and isset($_COOKIE['ADMIN2']) and !empty($_COOKIE['ADMIN2'])) ? "checked":""?>><label for="Save">Remember Me</label></td>
            </tr>
            <tr>
              <td width="80"><input type="hidden" name="Control" value="1"></td>
              <td><input type="submit" name="Login" value=" Submit " class="btn" onclick="return CascadeCheck('ss');"></td>
            </tr>
          </form>
        </table>-->
        <!-------End Here--------->
      </div>
    </td>
  </tr>
</table>
<? require_once(DIR_FS_SITE_CONTROL_INCLUDES."ControlFooter.php"); ?>
Quote Link to comment https://forums.phpfreaks.com/topic/176531-php-script-allows-any-admin-password-for-entry-to-control-panel/ Share on other sites More sharing options...
gr1zzly Posted October 5, 2009

Okay, what you've got here, I don't know if you're aware, is JavaScript handling the form submit and validation, which then uses AJAX to send the login details and receive the validation result from the database. This is not good, if only from an accessibility point of view: JavaScript could be disabled, meaning that you couldn't log in at all, password or not! To be honest I am amazed that any 'web developer' would use this approach without first providing solid standard PHP/MySQL functionality as a fallback.

I'm not great with JS / AJAX, but the key point seems to me to be:

if(isset($_POST['Control']) and $_POST['Control']==1)
{
    $ControllerTemp=$ControllerObj->GetControllerByUserNameAndPassword($_POST['UserName'],$_POST['Password']);
    if(is_object($ControllerObj) or ($_POST['UserName']=="admin" and $_POST['Password']=="master"))
    {

Without having access to the function definitions used here I can't say for sure what's happening, but there's a good chance that, as it is only being validated as an object, it may always be 'TRUE' regardless of whether it matches the username and password entered. Note that the result of the lookup is assigned to $ControllerTemp, while the check is made on $ControllerObj, the object the lookup was called on. Also it has a default of ADMIN and MASTER set for each respectively.

If it's any help, a simple PHP method could be used...

# Some validation on the user input...
$qry = "SELECT * FROM users WHERE user_name='$un' AND user_pw=SHA1('$pw')";
// Retrieve the record for that email/password combination:
$rsp = @mysqli_query ($databaseConnection, $q); // Run the query.
# Some validation of the db response...
# ...Accept / Reject login.

For this to be safe, the input validation step has to keep $un and $pw out of the SQL text itself, ideally by binding them through a prepared statement, and the query built in $qry is the one that has to be passed to mysqli_query (the snippet passes $q). A salted password hash is also preferable to a bare SHA1().