How does this one person keep getting access to my user account, he keeps posting with it! The Master account is mine, but it's not me posting.

 

http://chataddict.netau.net/bbdemo.php?start=0

 

I have these characters blocked out on the register, posting, and logging in form: *`<>()

 

So they can't use scripts.

Link to comment
https://forums.phpfreaks.com/topic/178873-solved-emergency/
Share on other sites

I dare say you have multiple security flaws in your site. I just attempted to post a comment using the name "Master", seemed to have worked well enough, I didn't even need to login. Your post.php seems to have no validation, if it receives post data for both name and message it just inserts it into the database.

Link to comment
https://forums.phpfreaks.com/topic/178873-solved-emergency/#findComment-943666
Share on other sites

It does say you need to be logged in. It worked on me.

 

<?php require "global_settings.php"; ?>
<title><?php echo $sitetitle; ?></title>
<center><style type="text/css">

a:link {
color:#24374C;
text-decoration:bold;
}

a:visited {
color:#24374C;
text-decoration:bold;
}

a:active {
outline: none;
color:#24374C;
text-decoration:bold;
}

body {background-color:#b0c4de}

div.box {
width:250px;
padding:10px;
border:3px double #000000;
margin:10px;
background-color:#74AFF2;
}

p
{
border-top-style:dotted;
border-right-style:solid;
border-bottom-style:dotted;
border-left-style:solid;
}

div.menu-blue {
BORDER-RIGHT: #333366 1px solid;
BORDER-LEFT: #6699cc 1px solid;
BORDER-TOP: #6699cc 1px solid;
BORDER-BOTTOM: #333366 1px solid;

FONT-WEIGHT: normal;
FONT-SIZE: 2px;
COLOR: #ffffff;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
BACKGROUND-COLOR: #23559C;
TEXT-DECORATION: none;
font-stretch : condensed;
}

.menu-top  {
BORDER-RIGHT: 1px solid #333366; BORDER-TOP: 1px solid #6699CC; FONT-WEIGHT: normal; FONT-SIZE: 2px; BORDER-LEFT: 1px solid #6699CC; COLOR: #FFFFFF; BORDER-BOTTOM: 1px solid #333366; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; BACKGROUND-COLOR: #23559C; TEXT-DECORATION: none;
font-stretch : condensed
}

</style>
<center>
<div class='menu-blue'>
<div align="center"> 
<table width="600" cellspacing="1" cellpadding="5" style="background-color:#23559C"> 
<tr> 
<td style="background-color:#FFFFFF"> 


    <div align="center"> 
    <table border="0"> 
    
    </form> 
    </table>
<?php

$name = $_POST['name'];
$message = $_POST['message'];

if (!$name)
          {
   echo "You must be logged in before posting.";
          }
          else
          {

//protection
$before = array('(', ')', '^', '<', '>', '`', '*');
$after   = array('', '', '', '', '', '', '');
$output  = str_replace($before, $after, $message);

$connect = mysql_connect("$dbhost","$dbuser","$dbpassword") or die("Connection failed!");
mysql_select_db("$db") or die("Database fail!");

//extract
$extract = mysql_query("SELECT * FROM users WHERE username='$name'");
$numrows = mysql_num_rows($extract);

while ($row = mysql_fetch_assoc($extract))

{
           $banned = $row['banned'];
           
if ($banned ==1) {
    echo "Sorry, your account is currently disabled.";
    }
    else
    {

//connect
$connect = mysql_connect("$dbhost","$dbuser","$dbpassword") or die("Connection failed!");
mysql_select_db("$db") or die("Database fail!");

//write
$write = mysql_query("INSERT INTO posts VALUES ('','$name','$output')") or die(mysql_error());
$postcount = mysql_query("UPDATE users SET post_count = post_count + 1 WHERE username='$name'");

echo "<div class='box'><font face='arial'><b><span style='color:green'>Posted! Your name was:</span> $name</b> - Your message was....<br><br><b>$message - <a href='bbdemo.php'>View it!</a></b>";
}
}
           }

?>

Link to comment
https://forums.phpfreaks.com/topic/178873-solved-emergency/#findComment-943668
Share on other sites

It says you have to be logged in if you try and view the page, but if you know what the source of the page looks like (as we do since you posted it) you can quite clearly see that you can still submit data without being logged in. You can test it yourself if you want. Save the following in a script, call it whatever you like and store it wherever you want. Then open it in a browser, type something in the box and click submit.

 

<form action="http://chataddict.netau.net/post.php" method="post">
<input type="hidden" name="name" value="master" />
<textarea name="message"></textarea>
<input type="submit" />
</form>

 

As you can see we don't need your password to post a message using your name. There's a chance the person doesn't know your password, but I suspect that you have multiple other security flaws so it's possible.

Link to comment
https://forums.phpfreaks.com/topic/178873-solved-emergency/#findComment-943671
Share on other sites

You will need to check if the user has a valid session and you should never accept the username as a submitted field, you should grab it from a valid session.

Especially since the invention of Firebug ... able to just alter HTML, such as 'username' inputs in a form.
Link to comment
https://forums.phpfreaks.com/topic/178873-solved-emergency/#findComment-943680
Share on other sites
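
Added example (not part of the original thread, and not any poster's code): a post.php that follows the advice above by taking the author name from the server-side session instead of `$_POST['name']`. It swaps the thread's `mysql_*` calls for PDO prepared statements; the session keys `username` and `csrf_token`, the login script that sets them, and the `posts` column names are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes login.php (hypothetical)
// stored the authenticated name in $_SESSION['username'] and a random token in
// $_SESSION['csrf_token'] that the posting form echoes back as a hidden field.
require "global_settings.php"; // provides $dbhost, $dbuser, $dbpassword, $db
session_start();

// Identity comes from the server-side session, never from $_POST['name'].
if (empty($_SESSION['username'])) {
    http_response_code(403);
    exit("You must be logged in before posting.");
}
$name = $_SESSION['username'];

// Reject forms that were not served by this site (e.g. a copy saved elsewhere).
$token = isset($_POST['csrf_token']) ? (string)$_POST['csrf_token'] : '';
if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    http_response_code(403);
    exit("Invalid form submission.");
}

$message = isset($_POST['message']) ? trim((string)$_POST['message']) : '';
if ($message === '') {
    exit("Message is empty.");
}

// PDO with prepared statements replaces mysql_* and string-built queries.
$pdo = new PDO("mysql:host=$dbhost;dbname=$db;charset=utf8mb4", $dbuser, $dbpassword,
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

$stmt = $pdo->prepare("SELECT banned FROM users WHERE username = ?");
$stmt->execute(array($name));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || (int)$row['banned'] === 1) {
    exit("Sorry, your account is currently disabled.");
}

// Column names `name` and `message` are assumed; the thread never shows them.
$pdo->prepare("INSERT INTO posts (name, message) VALUES (?, ?)")
    ->execute(array($name, $message));
$pdo->prepare("UPDATE users SET post_count = post_count + 1 WHERE username = ?")
    ->execute(array($name));

// Escape on output instead of stripping characters on input.
$safeName = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
$safeMsg  = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
echo "<div class='box'><b>Posted! Your name was: $safeName</b> - Your message was:"
   . "<br><br><b>$safeMsg - <a href='bbdemo.php'>View it!</a></b></div>";
```

With this version the hidden `name` field in a hand-built form is simply ignored, and a form saved outside the site fails the token comparison even when the visitor is logged in.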
