MySQL_Narb Posted October 24, 2009
How does this one person keep getting access to my user account? He keeps posting with it! The Master account is mine, but it's not me posting. http://chataddict.netau.net/bbdemo.php?start=0 I have these characters blocked out on the register, posting, and login forms: *`<>() So they can't use scripts.

MySQL_Narb Posted October 24, 2009 (Author)
Please?!

cags Posted October 24, 2009
I dare say you have multiple security flaws in your site. I just attempted to post a comment using the name "Master", seemed to have worked well enough, I didn't even need to login. Your post.php seems to have no validation; if it receives post data for both name and message it just inserts it into the database.
MySQL_Narb Posted October 24, 2009 (Author)
It does say you need to be logged in. It worked on me.

```php
<?php require "global_settings.php"; ?>
<title><?php echo $sitetitle; ?></title>
<center>
<style type="text/css">
a:link { color:#24374C; text-decoration:bold; }
a:visited { color:#24374C; text-decoration:bold; }
a:active { outline: none; color:#24374C; text-decoration:bold; }
body { background-color:#b0c4de }
div.box { width:250px; padding:10px; border:3px double #000000; margin:10px; background-color:#74AFF2; }
p { border-top-style:dotted; border-right-style:solid; border-bottom-style:dotted; border-left-style:solid; }
div.menu-blue { BORDER-RIGHT: #333366 1px solid; BORDER-LEFT: #6699cc 1px solid; BORDER-TOP: #6699cc 1px solid; BORDER-BOTTOM: #333366 1px solid; FONT-WEIGHT: normal; FONT-SIZE: 2px; COLOR: #ffffff; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; BACKGROUND-COLOR: #23559C; TEXT-DECORATION: none; font-stretch : condensed; }
.menu-top { BORDER-RIGHT: 1px solid #333366; BORDER-TOP: 1px solid #6699CC; FONT-WEIGHT: normal; FONT-SIZE: 2px; BORDER-LEFT: 1px solid #6699CC; COLOR: #FFFFFF; BORDER-BOTTOM: 1px solid #333366; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; BACKGROUND-COLOR: #23559C; TEXT-DECORATION: none; font-stretch : condensed }
</style>
<center>
<div class='menu-blue'>
<div align="center">
<table width="600" cellspacing="1" cellpadding="5" style="background-color:#23559C">
<tr>
<td style="background-color:#FFFFFF">
<div align="center">
<table border="0">
</form>
</table>
<?php
// Both values are taken straight from the POST body: the username is whatever
// the client chose to send, so the "logged in" check below only tests that a
// name field was supplied at all.
$name = $_POST['name'];
$message = $_POST['message'];
if (!$name) {
    echo "You must be logged in before posting.";
} else {
    //protection: strip a handful of characters from the message
    $before = array('(', ')', '^', '<', '>', '`', '*');
    $after = array('', '', '', '', '', '', '');
    $output = str_replace($before, $after, $message);
    $connect = mysql_connect("$dbhost", "$dbuser", "$dbpassword") or die("Connection failed!");
    mysql_select_db("$db") or die("Database fail!");
    //extract: $name is interpolated unescaped into the query
    $extract = mysql_query("SELECT * FROM users WHERE username='$name'");
    $numrows = mysql_num_rows($extract);
    while ($row = mysql_fetch_assoc($extract)) {
        $banned = $row['banned'];
        if ($banned == 1) {
            echo "Sorry, your account is currently disabled.";
        } else {
            //connect
            $connect = mysql_connect("$dbhost", "$dbuser", "$dbpassword") or die("Connection failed!");
            mysql_select_db("$db") or die("Database fail!");
            //write
            $write = mysql_query("INSERT INTO posts VALUES ('','$name','$output')") or die(mysql_error());
            $postcount = mysql_query("UPDATE users SET post_count = post_count + 1 WHERE username='$name'");
            echo "<div class='box'><font face='arial'><b><span style='color:green'>Posted! Your name was:</span> $name</b> - Your message was....<br><br><b>$message - <a href='bbdemo.php'>View it!</a></b>";
        }
    }
}
?>
```
cags Posted October 24, 2009
It says you have to be logged in if you try and view the page, but if you know what the source of the page looks like (as we do since you posted it) you can quite clearly see that you can still submit data without being logged in. You can test it yourself if you want. Save the following in a script, call it whatever you like and store it wherever you want. Then open it in a browser, type something in the box and click submit.

```html
<form action="http://chataddict.netau.net/post.php" method="post">
<input type="hidden" name="name" value="master" />
<textarea name="message"></textarea>
<input type="submit" />
</form>
```

As you can see we don't need your password to post a message using your name. There's a chance the person doesn't know your password, but I suspect that you have multiple other security flaws so it's possible.

Mark Baker Posted October 24, 2009
Not escaping the posted data (e.g. $name used in the SELECT * FROM users query), so susceptible to SQL injection.

MySQL_Narb Posted October 24, 2009 (Author)
How would I fix the problem?

mrMarcus Posted October 24, 2009
mysql_real_escape_string() for starters.

cags Posted October 24, 2009
You will need to check if the user has a valid session, and you should never accept the username as a submitted field; you should grab it from a valid session.
mrMarcus Posted October 24, 2009
> You will need to check if the user has a valid session, and you should never accept the username as a submitted field; you should grab it from a valid session.

Especially since the invention of FireBug, which lets you just alter HTML, such as 'username' inputs in a form.

MySQL_Narb Posted October 24, 2009 (Author)
I believe I have it working.
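One way to apply the fixes suggested in this thread (take the identity from the session, keep input out of the SQL text, stop trusting hidden form fields), as an added example that is not the original post.php and not code from any of the posters. It assumes a login.php that called session_start() and set $_SESSION['username'] after verifying the password, the same global_settings.php variables, and the thread's users and posts tables; PDO prepared statements stand in for mysql_real_escape_string(), which depends on the old mysql_* extension.

```php
<?php
// Added example, not the thread's post.php. Assumes login.php already called
// session_start() and set $_SESSION['username'] after checking the password,
// and that $dbhost, $db, $dbuser, $dbpassword come from global_settings.php.
session_start();
require "global_settings.php";

// 1. Identity comes from the server-side session, never from the form.
//    A hidden <input name="name"> is client-controlled (Firebug, curl, or a
//    hand-written form), so it proves nothing about who is posting.
if (empty($_SESSION['username'])) {
    exit("You must be logged in before posting.");
}
$name    = $_SESSION['username'];
$message = isset($_POST['message']) ? (string) $_POST['message'] : '';
if (trim($message) === '') {
    exit("Empty message.");
}

// 2. Prepared statements: input is bound as data, never spliced into SQL text,
//    which closes the injection in "SELECT * FROM users WHERE username='$name'".
$pdo = new PDO("mysql:host=$dbhost;dbname=$db;charset=utf8mb4", $dbuser, $dbpassword, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare("SELECT banned FROM users WHERE username = ?");
$stmt->execute([$name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    exit("Unknown account.");   // session names a user that no longer exists
}
if ((int) $row['banned'] === 1) {
    exit("Sorry, your account is currently disabled.");
}

// Same table shape as the original INSERT ('', name, message): NULL lets the
// auto-increment id fill itself in.
$pdo->beginTransaction();
$pdo->prepare("INSERT INTO posts VALUES (NULL, ?, ?)")->execute([$name, $message]);
$pdo->prepare("UPDATE users SET post_count = post_count + 1 WHERE username = ?")
    ->execute([$name]);
$pdo->commit();

// 3. Escape on output instead of deleting characters on input: the stored text
//    stays intact and the browser never treats it as markup.
$safeName    = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
$safeMessage = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<div class='box'><b>Posted! Your name was: $safeName</b> - Your message was....<br><br>"
   . "<b>$safeMessage - <a href='bbdemo.php'>View it!</a></b></div>";
```

The character blacklist from the original is dropped on purpose: once the name is session-bound, queries are parameterised and output is escaped, stripping `<>()` buys nothing and only mangles legitimate posts.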