speckledapple
Posted April 30, 2010

Hi, I am having an issue with security on my site. I thought with the code I put in that it would be enough but it seems like all my efforts are pointless. My code for the login page is below and the username works but you can enter any password into the box and you can get it. That obviously is not supposed to happen. So I need a little help trying to figure out what to code in there.

<?php
session_start();

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

function secure($x) {
    $x = mysql_real_escape_string($x);
    return $x;
}

require_once('connection.php');

if(isset($_POST['Login'])) {
    if(($_POST['username']!='') && ($_POST['password']!='')) {
        $username = secure($_POST['username']);
        $password = secure(md5($_POST['password']));

        //Use the input username and password and check against table
        $qry = ("SELECT * FROM $tbl_name WHERE username = '$username' AND password = '$password'") or die(mysql_error());;
        $result=mysql_query($qry);

        //Check whether the query was successful or not
        if($result) {
            if(mysql_num_rows($result) == 1) {
                //Login Successful
                $row = mysql_fetch_assoc($result);
                if($row['confirmed'] == "yes") {
                    $_SESSION['SESS_USER'] = $row['username'];
                    $_SESSION['SESS_LNAME'] = $row['last name'];
                    $_SESSION['SESS_FNAME'] = $row['first name'];
                    $_SESSION['SESS_JOINED'] = $row['date'];
                    $_SESSION['SESS_EMAIL'] = $row['email'];
                    $_SESSION['SESS_CITY'] = $row['city'];
                    $_SESSION['SESS_REGION'] = $row['state/region'];
                    $_SESSION['SESS_LOGGED_IN'] = TRUE;
                    header("Location: memhome.php");
                } else {
                    $errmsg_arr[] = 'Your account is not activated. Please click the confirmation link in the email received or request a new confirmation email.';
                    $errflag = true;
                }
            }else {
                $errmsg_arr[] = 'Login failed';
                $errflag = true;
            }
        }else {
            die("Query failed");
        }
    } else {
        $errmsg_arr[] = 'Please enter both your username and password to access your account';
        $errflag = true;
    }
}
?>

PFMaBiSmAd
Posted April 30, 2010

> you can get it.

You can get what? For all we can tell that means you can visit a protected page and access anything like there was no security check code on it.

speckledapple (Author)
Posted April 30, 2010

What I meant is that you can gain access into the site even if you enter in the wrong password. As you can see in the code, I thought when I made it that it checks for the password against the database but apparently it does not work. That is why I'm wondering if there is something wrong in the code because that should not be happening.

PFMaBiSmAd
Posted April 30, 2010

> you can gain access into the site even if you enter in the wrong password

The posted code appears that it will only set the session variables upon a correct login. Any chance that the session variables were already set from previous testing and you were already logged in?

Beyond that, it would take seeing the code you are putting on the protected pages that is supposed to be preventing access.

speckledapple (Author)
Posted April 30, 2010

Well that ties into another problem. I have been tinkering with the code so it allows users to be guests on pages that require no login and members signed in all on the same page (this is to prevent me having to make a guest page and separate member page for essentially similar content.) When a user is logged in I set the session variables like the code below and when they logout I destroy the session. The problem is that I already clicked the logout link and still I can log in with any password. My logout code is below along with my membercheck code. Maybe there's an error that allows the login somewhere in there.

The Logout code:

<?php
//Start session
session_start();

if( $_SESSION['SESS_USER'] == true && $_SESSION['SESS_LOGGED_IN'] == true ) {
    session_destroy();
} else {
    unset($_SESSION['SESS_USER']);
    unset($_SESSION['SESS_LOGGED_IN']);
    unset($_SESSION['SESS_LNAME']);
    unset($_SESSION['SESS_FNAME']);
    unset($_SESSION['SESS_JOINED']);
    unset($_SESSION['SESS_EMAIL']);
    unset($_SESSION['SESS_CITY']);
    unset($_SESSION['SESS_REGION']);
    session_destroy();
}
?>

The member check code:

<?php
//Start session
session_start();
require_once('access-function.php');
checkLogin('1 2');
?>

<?php
require_once('connection.php');

function checkLogin($levels) {
    // Check whether the session variable SESS_MEMBER_ID is present or not
    if(!isset($_SESSION['SESS_USER']) || (trim($_SESSION['SESS_USER']) == '')) {
        if(!$_SESSION['SESS_LOGGED_IN']) {
            $access = FALSE;
        } else {
            $kt = split(' ', $levels);
            $query = ('SELECT level_access FROM users WHERE id = "'.mysql_real_escape_string($_SESSION['SESS_USER']).'"');
            $info = mysql_query($query);
            $row = mysql_fetch_assoc($info);
            $access = FALSE;
            while(list($key,$val)=each($kt)) {
                if($val==$row['level_access']) {
                    //if the user level matches one of the allowed levels
                    $access = TRUE;
                }
            }
        }
        if($access==FALSE) {
            header("Location: signin.php");
        } else {
            //do nothing: continue
        }
    }
}
?>
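
Added example (not part of the thread and not any poster's code): the checkLogin() posted above only evaluates its checks when SESS_USER is missing or blank, and its redirect is not followed by exit, so the rest of the protected page still runs. A fail-closed version of that check and of the logout is sketched below; PDO with an in-memory SQLite table, the lookup by username, and the helper name isAllowed() are assumptions, and the rows are constructed sample data.

```php
<?php
// Added example, not the poster's code. isAllowed() is a hypothetical helper;
// the SQLite table and its rows are constructed sample data.

// Fail closed: access is granted only when every check passes.
function isAllowed(PDO $db, array $session, array $allowedLevels): bool
{
    if (empty($session['SESS_LOGGED_IN']) || !isset($session['SESS_USER'])
        || trim($session['SESS_USER']) === '') {
        return false;
    }
    // Prepared statement; assumes SESS_USER holds users.username.
    $stmt = $db->prepare('SELECT level_access FROM users WHERE username = ?');
    $stmt->execute([$session['SESS_USER']]);
    $level = $stmt->fetchColumn();
    return $level !== false && in_array((string)$level, $allowedLevels, true);
}

function checkLogin(PDO $db, array $allowedLevels): void
{
    if (!isAllowed($db, $_SESSION ?? [], $allowedLevels)) {
        header('Location: signin.php');
        exit; // stop here, otherwise the protected page still executes
    }
}

function logout(): void // call after session_start()
{
    $_SESSION = [];                       // clear the data for this request
    if (ini_get('session.use_cookies')) { // expire the browser's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side session
}

// Constructed demo: alice has level 1, bob has level 3; the page allows 1 and 2.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, level_access TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', '1'), ('bob', '3')");

$guest = [];
$alice = ['SESS_USER' => 'alice', 'SESS_LOGGED_IN' => true];
$bob   = ['SESS_USER' => 'bob',   'SESS_LOGGED_IN' => true];
foreach ([$guest, $alice, $bob] as $s) {
    var_dump(isAllowed($db, $s, ['1', '2']));
}
```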