
Script isn't working, and therefore insecure :(


adamjones


Hi.

I have a basic script which removes a user from my database, but only those logged into the CMS can run the script. This is done via sessions.

 

Here is my code;

 

<?php

session_start();

// Both checks use session_is_registered(), which only works with
// register_globals on, and neither check stops the script after sending
// the redirect header, so the rest of the file still runs.
if(!session_is_registered(hh374747838807479736408649630860846496782)) {
	header("location:./");
}

if(!session_is_registered(username)) {
	header("location:./");
}

require_once('config.php');
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
	die('Failed to connect to server: ' . mysql_error());
}
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
	die("Unable to select database");
}

// Escaping helper; note that it is defined but never called below.
function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

// Load the logged-in user's CMS rights.
$qry="SELECT * FROM fuse_rights WHERE username='".$_SESSION['username']."'";
$result=mysql_query($qry);

if($result) {
	if(mysql_num_rows($result) == 1) {
		$checks = mysql_fetch_assoc($result);
		$hk = $checks['housekeeping'];
		$comp = $checks['competitions'];
		$news = $checks['news'];
		$events = $checks['events'];
		$twitter = $checks['twitter'];
		$forum = $checks['forum_admin'];
		$pages = $checks['pages'];
		$users = $checks['users'];
		$settings = $checks['settings'];
		$bans = $checks['bans'];
	}
}

// Rights checks; again the redirect headers are not followed by exit.
if(isset($_SESSION['username']) && $hk == 0) {
	$errflag = true;
	$errmsg_arr[] = 'You do not have access to the Intra.';
	if($errflag) {
		$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
		session_write_close();
		header("location: ./error");
	}
}
if(isset($_SESSION['username']) && $users == 0) {
	header("location: ./dash");
}

// The target username comes straight from the query string and is
// interpolated into every DELETE below without going through clean().
$username=$_GET['username'];

// Each DELETE runs only if the previous one returned a result.
$sql="DELETE FROM users WHERE username='$username'";
$result=mysql_query($sql);
if($result){
	$sql="DELETE FROM badges WHERE username='$username'";
	$result=mysql_query($sql);
	if($result){
		$sql="DELETE FROM profiles WHERE username='$username'";
		$result=mysql_query($sql);
		if($result){
			$sql="DELETE FROM fuse_rights WHERE username='$username'";
			$result=mysql_query($sql);
			if($result){
				$sql="DELETE FROM coins WHERE username='$username'";
				$result=mysql_query($sql);
				if($result){
					$sql="DELETE FROM characters WHERE owner='$username'";
					$result=mysql_query($sql);
					if($result){
						$sql="DELETE FROM bans WHERE username='$username'";
						$result=mysql_query($sql);
						if($result){
							$sql="DELETE FROM alerts WHERE username='$username'";
							$result=mysql_query($sql);
							if($result){
								$sql="DELETE FROM achs WHERE username='$username'";
								$result=mysql_query($sql);
								if($result){
									// Success message stored in the session for the next page.
									$errflag = true;
									$errmsg_arr[] = '<div id="message-success" class="message message-success">
										<div class="image">
											<img src="resources/images/icons/success.png" alt="Success" height="32" />
										</div>
										<div class="text">
											<h6>Success</h6>
											<span>User removed.</span>
										</div>
										<div class="dismiss">
											<a href="#message-success"></a>
										</div>
									</div>';
									if($errflag) {
										$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
										session_write_close();
										header("location: ./user_browser");
									}
								}
							}
						}
					}
				}
			}
		}
	}
}
?>

 

It removes the user, etc. from the database; however, even though the 'hh374747838807479736408649630860846496782' and 'username' sessions haven't been set, I was still able to run the script. :S

 

Any ideas?

Thank you.

Each of your header() redirects need exit; statements after them to prevent the remainder of the code on the page from being executed while the browser requests the URL in the Location: redirect.

 

See my posts in the following thread for more information - http://www.phpfreaks.com/forums/index.php/topic,297383.0.html

 

Also, session_is_registered() only works when register_globals is ON (it was turned off by default in PHP 4.2, in April 2002). You should use isset($_SESSION[...]) like you are using later in the same code.
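To show the two fixes from the reply in context, here is the same delete-user script rewritten as an added example (not the original poster's code, and not code from the reply): every redirect ends with exit, the session checks use isset($_SESSION[...]) instead of session_is_registered(), and the DELETE statements are parameterised and grouped in one transaction. It assumes the same config.php constants, session keys, table names and fuse_rights columns as the original; the redirect_and_exit() helper name and the switch from the mysql_* functions to PDO are this example's own choices.

```php
<?php
// Added example, not the original poster's script. Assumptions: config.php
// defines DB_HOST, DB_USER, DB_PASSWORD and DB_DATABASE; the session keys,
// table names and rights columns are those of the original script; the
// helper below is invented for illustration.
declare(strict_types=1);

session_start();
require_once 'config.php';

// Send the Location header and stop. Without the exit, header() only queues
// the redirect while the remainder of the file keeps executing.
function redirect_and_exit(string $location): void
{
    header('Location: ' . $location);
    exit;
}

// Both session keys must be present. isset() with several arguments is true
// only when all of them are set, so no register_globals dependency here.
if (!isset($_SESSION['hh374747838807479736408649630860846496782'], $_SESSION['username'])) {
    redirect_and_exit('./');
}

$pdo = new PDO(
    sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_DATABASE),
    DB_USER,
    DB_PASSWORD,
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Look up the caller's rights with a bound parameter, not string concatenation.
$stmt = $pdo->prepare('SELECT housekeeping, users FROM fuse_rights WHERE username = ?');
$stmt->execute([$_SESSION['username']]);
$rights = $stmt->fetch(PDO::FETCH_ASSOC);

// No rights row, or no housekeeping access: store the message and leave.
if ($rights === false || (int) $rights['housekeeping'] === 0) {
    $_SESSION['ERRMSG_ARR'] = ['You do not have access to the Intra.'];
    session_write_close();
    redirect_and_exit('./error');
}
if ((int) $rights['users'] === 0) {
    redirect_and_exit('./dash');
}

// Target user: require the parameter and never interpolate it into SQL.
$username = $_GET['username'] ?? '';
if ($username === '') {
    redirect_and_exit('./user_browser');
}

// (table, column) pairs taken from the original script. Identifiers come from
// this fixed list, never from the request; the value is always bound.
$targets = [
    ['users', 'username'], ['badges', 'username'], ['profiles', 'username'],
    ['fuse_rights', 'username'], ['coins', 'username'], ['characters', 'owner'],
    ['bans', 'username'], ['alerts', 'username'], ['achs', 'username'],
];

// All nine deletes succeed together or are rolled back together.
try {
    $pdo->beginTransaction();
    foreach ($targets as [$table, $column]) {
        $pdo->prepare("DELETE FROM `$table` WHERE `$column` = ?")->execute([$username]);
    }
    $pdo->commit();
} catch (PDOException $e) {
    $pdo->rollBack();
    $_SESSION['ERRMSG_ARR'] = ['User removal failed.'];
    session_write_close();
    redirect_and_exit('./error');
}

$_SESSION['ERRMSG_ARR'] = ['User removed.'];
session_write_close();
redirect_and_exit('./user_browser');
```

The transaction only buys atomicity on a transactional engine such as InnoDB; on MyISAM the deletes still run one by one. The request is still a GET with the target in the query string, as in the original, so a browser will fire it from any link or image it is sent to; moving the delete to a POST form with a per-session token is the next step once the redirect and query fixes are in.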


 

Ahh, thank you! I never realised this :)

Archived

This topic is now archived and is closed to further replies.
