Security Check my Login Script v1.0


Lamez


Hey guys, I am working on a login script for my website. I want you guys to do a full security check. Please create your own account, because I want that tested as well. Test everything. The Forgot System, the Registration Process, The Login Process, any thing else you can think of. Try to access the /administration folder as well!

 

Registration Password: phpfreaks

Here is the webby: http://www.krazypickem.com/new_kp/

Proof of Ownership: http://www.krazypickem.com/new_kp/phpfreaks.txt


Okay, so I did some updates. You can now resend confirmation emails and forgot-password emails up to a limit of five times before getting an error. The website now loads in IE; the problem was due to a time-check function that left it in a loop. I did some other subtle changes, but I have forgotten them.

 

-Thanks!


Hmm..

 

Registration code allows large names, such as 'RandomblablaRandomblablaRandomblabla', and does not check each field for duplicates, such as having your name the same as your password (an obvious security risk). Also, in your confirmation e-mail, it lists the name put in the subject, i.e.:

To: Randomblablarandomblablarandomblabla Randomblablarandomblablarandomblabla (oni[dash]kun[at]hotmail[dot]com)

 

Since the address is too long, it's recommended to shorten it so it doesn't get trapped in spam filters etc.

 

I think I typo'd my password afterwards, so I tested the recovery function; clicking the recovery link just leads back to the 'recover password or e-mail?' page. It may be broken there.

 

 

 

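The checks oni-kun asks for, written out as an added example (this is not the krazypickem script and not code from the thread): name-length limits, a character whitelist for names, and a refusal to accept a password equal to a name or e-mail field, plus a confirmation-mail subject that never carries user input. The field names, limits and subject text are assumptions, and mbstring is assumed to be installed.

```php
<?php
// Added example, not the original script: server-side checks for the
// registration issues raised above (unbounded name length, password equal to
// a name field) plus a fixed, short confirmation-mail subject. Field names,
// limits and the subject text are assumptions for the example; mbstring is
// assumed to be available.

const NAME_MAX_LEN = 30;
const PASS_MIN_LEN = 8;

/** Returns a list of problems; an empty list means the input is acceptable. */
function validateRegistration(array $in): array
{
    $errors = [];
    $first = trim($in['first_name'] ?? '');
    $last  = trim($in['last_name']  ?? '');
    $email = trim($in['email']      ?? '');
    $pass  = (string) ($in['password'] ?? '');     // never trim a password

    foreach (['first name' => $first, 'last name' => $last] as $label => $value) {
        if ($value === '') {
            $errors[] = "$label is required";
        } elseif (mb_strlen($value) > NAME_MAX_LEN) {
            $errors[] = "$label must be at most " . NAME_MAX_LEN . " characters";
        } elseif (!preg_match('/^[\p{L}\p{M} \'-]+$/u', $value)) {
            $errors[] = "$label may only contain letters, spaces, apostrophes and hyphens";
        }
    }

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'e-mail address is not valid';
    }

    if (mb_strlen($pass) < PASS_MIN_LEN) {
        $errors[] = 'password must be at least ' . PASS_MIN_LEN . ' characters';
    }
    // Case-insensitive so "Bob"/"bob" is still caught; the e-mail is included
    // because it is just as public as the name.
    foreach ([$first, $last, $email] as $known) {
        if ($known !== '' && mb_strtolower($pass) === mb_strtolower($known)) {
            $errors[] = 'password must not be the same as your name or e-mail address';
            break;
        }
    }
    return $errors;
}

/** The subject never carries user input, so it stays short and filter-friendly. */
function confirmationSubject(): string
{
    return 'Please confirm your account';
}

// Constructed inputs for a quick run from the command line.
$bad = [
    'first_name' => str_repeat('Randomblabla', 3),
    'last_name'  => 'Randomblabla',
    'email'      => 'not-an-address',
    'password'   => 'Randomblabla',
];
$good = [
    'first_name' => 'Ann',
    'last_name'  => "O'Brien",
    'email'      => 'ann@example.com',
    'password'   => 'correct horse battery',
];

foreach (['bad' => $bad, 'good' => $good] as $name => $input) {
    $errors = validateRegistration($input);
    printf("%s: %s\n", $name, $errors ? implode('; ', $errors) : 'ok');
}
```

Run it with `php validate.php`; the "bad" input reproduces the 36-character name from the post and the name-equals-password case, the "good" one passes. Whatever passes validation should then be stored with `password_hash()` rather than as the raw password, and the user's name belongs in the mail body, not in the To or Subject header.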

Okay, so let me see if I got this.

 

Check to see if the first name or last name is the same as the password.

Check the length of the first name and last name.

I have fixed that recovery problem. I just have not uploaded the new website.

 

Anything else?

 

Thanks so much. I will fix those problems.


Think it may be broken. When I click the link in the password retrieval email I'm just taken to the two "i forgot my password" / "i forgot my email" links, with no option to reset password.

 

It seems to parse something, then just gives an empty $_GET variable, may be a problem on the code.


Ya, see both of you have the same link.

 

The account number is the same, and the key is the same. The script is faulty. I will upload my new version here in a second. I have not done the things you told me about, oni-kun. I will post back when I upload those, though.

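Two testers getting the same account number and key in their reset links means the key is not tied to the request. Below is an added example of how a reset link should be built (my code, not the krazypickem script): each request gets a fresh random token, only the token's hash is stored, the token is bound to one account, expires after an hour and works exactly once, with an outstanding-request cap matching the five-attempt limit mentioned earlier in the thread. PHP 7+ is assumed for `random_bytes()`; the table and column names are invented for the example, and the self-check at the bottom uses an in-memory SQLite database so it runs without MySQL.

```php
<?php
// Added example, not the original script: password-reset links that are unique
// per request, bound to one account, time-limited and single-use. Assumes PHP 7+
// (random_bytes, hash_equals) and a PDO connection; the table and column names
// are invented for the example, and the demo at the bottom uses an in-memory
// SQLite database so it runs without MySQL.

const RESET_TTL_SECONDS = 3600;  // link valid for one hour
const MAX_OUTSTANDING   = 5;     // matches the five-attempt limit mentioned earlier

function setupSchema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS password_resets (
        id         INTEGER PRIMARY KEY,
        account_id INTEGER NOT NULL,
        token_hash TEXT    NOT NULL,
        expires_at INTEGER NOT NULL,
        used       INTEGER NOT NULL DEFAULT 0)');
}

/** Issue a token for an account; returns the raw token to embed in the e-mail link. */
function createResetToken(PDO $db, int $accountId): string
{
    $count = $db->prepare('SELECT COUNT(*) FROM password_resets
                           WHERE account_id = ? AND used = 0 AND expires_at > ?');
    $count->execute([$accountId, time()]);
    if ((int) $count->fetchColumn() >= MAX_OUTSTANDING) {
        throw new RuntimeException('too many outstanding reset requests');
    }

    $token = bin2hex(random_bytes(32));            // 256 bits from the OS CSPRNG
    $stmt  = $db->prepare('INSERT INTO password_resets (account_id, token_hash, expires_at)
                           VALUES (?, ?, ?)');
    $stmt->execute([$accountId, hash('sha256', $token), time() + RESET_TTL_SECONDS]);
    return $token;                                 // only its hash is stored
}

/** The link that goes into the e-mail; host and script name are assumed. */
function resetLink(int $accountId, string $token): string
{
    return 'https://www.example.com/reset.php?' . http_build_query(['id' => $accountId, 'key' => $token]);
}

/** True exactly once for a valid (account, token) pair; false for anything else. */
function consumeResetToken(PDO $db, int $accountId, string $token): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;                              // malformed input never reaches the query
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT id, token_hash, expires_at, used FROM password_resets WHERE account_id = ?');
    $stmt->execute([$accountId]);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (!hash_equals($row['token_hash'], $hash)) {   // constant-time compare
            continue;
        }
        if ($row['used'] || $row['expires_at'] < time()) {
            return false;
        }
        $db->prepare('UPDATE password_resets SET used = 1 WHERE id = ?')->execute([$row['id']]);
        return true;
    }
    return false;
}

/** Exercises the properties above; returns true when all of them hold. */
function selfCheck(PDO $db): bool
{
    setupSchema($db);
    $t7 = createResetToken($db, 7);
    $t8 = createResetToken($db, 8);
    return $t7 !== $t8                                   // two accounts never share a link
        && consumeResetToken($db, 8, $t7) === false      // token is bound to its account
        && consumeResetToken($db, 7, 'not-a-token') === false
        && consumeResetToken($db, 7, $t7) === true
        && consumeResetToken($db, 7, $t7) === false;     // single use
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo selfCheck($db) ? "all checks passed\n" : "a check failed\n";
```

Storing only the hash means a database read (for example through an injection elsewhere in the site) does not hand out live reset links, and comparing with `hash_equals()` avoids a timing side channel on the lookup.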

Sounds good. How are you doing the e-mail verification? Cron jobs? Or something simple?


Did someone kill it?

 

Warning: mysql_connect() [function.mysql-connect]: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (13) in /mounted-storage/home48c/sub007/sc33591-LWQU/picks_web/new_kp/core/includes/db-config.php on line 11

Site Returned Error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (13)


A server error, it seems. It works now, so you can assume it's intermittent. There would be no access to that file (assuming it's a web host), so it couldn't have been a crashing attempt.


As in emailing? I am using PEAR's powerful SMTP class. I love PEAR!


Full Path Disclosure:

http://www.krazypickem.com/new_kp/core/includes/wide-variables.php

Fatal error: Call to undefined function checkStaleUsers() in /mounted-storage/home48c/sub007/sc33591-LWQU/picks_web/new_kp/core/includes/wide-variables.php on line 40

 

Full Path Disclosure:

http://www.krazypickem.com/new_kp/core/main.php

Warning: require_once(core/includes/db-config.php) [function.require-once]: failed to open stream: No such file or directory in /mounted-storage/home48c/sub007/sc33591-LWQU/picks_web/new_kp/core/main.php on line 5

 

Fatal error: require_once() [function.require]: Failed opening required 'core/includes/db-config.php' (include_path='.:/usr/share/php5/') in /mounted-storage/home48c/sub007/sc33591-LWQU/picks_web/new_kp/core/main.php on line 5


Thanks. I am soon going to put an index in those folders, but because I am testing I am going to leave them open for ease. Is there a way they can access them via the address? I bet I would have to use .htaccess.


Access them? They can't via HTTP, but they can certainly use further exploits found to run a script and inject it into your root path, or worse, above that.

 

If you're meaning you want to deny main.php (etc) itself, because it is being included for example:

<Files main.php>
  order allow,deny
  deny from all
</Files> 

 

Within the current folder. More examples online.


Works well until the user list (or are you still making it?)

1264216753
xxxxxxx.  - Offline - 0
xxxxxxx - Offline - 0
xxxxxxx - Offline - 0
(me) - Online - 1
xxxxxxx - Offline - 0
xxxxxxx - Online - 1

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in xxxxxxxx/sc33591-LWQU/picks_web/new_kp/core/includes/functions.php on line 411
GUESTS: 

 

When I pressed user list a few times, it said "SET OFFLINE FOR ...". Something to check user session lengths?

 

 

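The full-path disclosures from wide-variables.php and main.php, and the mysql_num_rows() warning in the user list above, all come from the same two gaps: include files can be requested directly, and PHP errors are printed to the visitor. The .htaccess block posted earlier handles the first problem at the web-server level; the added example below (my code, not the krazypickem script) does it in PHP so it works regardless of the host's Apache configuration, and also sends errors to a log instead of the page. It is shown as two files in one listing; the file names, the KP_ENTRY constant, the log path and the DSN are assumptions, and PHP 7+ is assumed for `Throwable`.

```php
<?php
// Added example, not the original script. Two defences for the full-path
// disclosures and the unchecked-query warning quoted above:
//   1. every include file refuses to run unless the entry point has defined a
//      constant first, so a direct request for core/includes/db-config.php
//      gets a 404 instead of a warning containing the server path;
//   2. PHP errors are logged, never displayed, and the database connection is
//      opened in exception mode so a failed query throws rather than returning
//      false that later reaches mysql_num_rows().
// File names, the KP_ENTRY constant, the log path and the DSN are assumed.

// ---------- index.php: the only file a browser should request directly ----------
define('KP_ENTRY', true);

error_reporting(E_ALL);
ini_set('display_errors', '0');                                  // nothing for visitors to read
ini_set('log_errors', '1');
ini_set('error_log', dirname(__DIR__) . '/logs/php-error.log');  // outside the web root

// Any uncaught exception (including a failed query) becomes a generic page;
// the real message, with its paths, goes to the log only.
set_exception_handler(function (Throwable $e): void {
    error_log((string) $e);
    http_response_code(500);
    echo 'Something went wrong. Please try again later.';
});

require_once __DIR__ . '/core/includes/db-config.php';
$db = connectDb();
// ... rest of the front controller ...

// ---------- core/includes/db-config.php: starts with the guard ----------
if (!defined('KP_ENTRY')) {
    http_response_code(404);                                     // indistinguishable from a missing page
    exit;
}

function connectDb(): PDO
{
    $db = new PDO('mysql:host=localhost;dbname=kp;charset=utf8mb4', 'kp_user', 'kp_password');
    // A failed query now throws instead of returning false, so there is no
    // "supplied argument is not a valid MySQL result resource" path.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);        // real server-side prepared statements
    return $db;
}
```

To check it, request core/includes/db-config.php and core/includes/wide-variables.php directly once deployed: both should answer 404 with an empty body, and deliberately breaking the DSN should produce the generic 500 page while the full message, path included, lands only in the log file.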
