Nodral Posted July 28, 2011
Glad to be of help. You all sorted now?
hoponhiggo (Author) Posted July 28, 2011
Just going to try and apply the next part to the login code.
Nodral Posted July 28, 2011
Look forward to you reposting in 5 mins then!! lol
PFMaBiSmAd Posted July 28, 2011
The section of code you just changed, for registering, doesn't originally have a $password variable in it. Did you add a $password variable? (The one that is in your code is inside the login logic and doesn't exist when the registering code executes.)

You also have the logic that defines the GetSQLValueString() function in your code THREE times. Delete the second two occurrences.
hoponhiggo (Author) Posted July 28, 2011
> look forward to you reposting in 5 mins then!! lol

Wait no more haha. Changed my login code to:

```php
<?php
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

// As posted: neither $password nor $username has been assigned at this point,
// so the hash below is computed over an empty value.
$salt = "Any random gobbldy-gook";
$password = md5(md5($salt . $password));
$sql = "SELECT uid FROM users WHERE username='$username' AND password='$password'";

if (isset($_POST['Username'])) {
    $loginUsername = $username;   // as posted: $username is never read from $_POST
    $password = $password;
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = "index.php";
    $MM_redirectLoginFailed = "loginsignup.php";
    $MM_redirecttoReferrer = false;
    mysql_select_db($database_pwnedbookv4, $pwnedbookv4);

    $LoginRS__query = sprintf("SELECT username, password, uid FROM users WHERE username=%s AND password=%s",
        GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
    $LoginRS = mysql_query($LoginRS__query, $pwnedbookv4) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);

    if ($loginFoundUser) {
        if (isset($_POST['checkcookie'])) {
            // "remember me": stores the username and the password hash in 100-day cookies
            setcookie("cookname", $loginUsername, time() + 60 * 60 * 24 * 100, "/");
            setcookie("cookpass", $password, time() + 60 * 60 * 24 * 100, "/");
        }
        $loginStrGroup = "";
        $pullID = mysql_fetch_assoc($LoginRS);
        $usrID = $pullID['uid'];

        if (PHP_VERSION >= 5.1) { session_regenerate_id(true); } else { session_regenerate_id(); }
        // declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;
        $_SESSION['MM_userid'] = $usrID;

        if (isset($_SESSION['PrevUrl']) && false) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: " . $MM_redirectLoginSuccess);
    } else {
        header("Location: " . $MM_redirectLoginFailed);
    }
}
?>
```

But as you can guess, no joy!
Nodral Posted July 28, 2011
What error do you get?
hoponhiggo (Author) Posted July 28, 2011
No error, I'm just redirected to my login page.
Nodral Posted July 28, 2011
Ok. Somewhere along the line, you have to change $_POST['password'] into $password. If we refer back to code in previous posts, this line has got distorted. What you actually are trying to do is take $_POST['password'], hash it and salt it, and then call it $password to be used when interacting with your DB.

Change

```php
$salt = "Any random gobbldy-gook";
$password = md5(md5($salt . $password));
```

to

```php
$salt = "Any random gobbldy-gook";
$password = md5(md5($salt . $_POST['password']));
```

This needs to be the same wherever you refer to $password or $_POST['password'].
hoponhiggo (Author) Posted July 28, 2011
Ok, my code is now:

```php
<?php
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

$salt = "Any random gobbldy-gook";
$password = md5(md5($salt . $_POST['password']));

if (isset($_POST['Username'])) {
    $loginUsername = $_POST['Username'];
    // As posted: this overwrites the hash computed above. Note also that superglobal
    // names are case-sensitive, so $_Post is not the same variable as $_POST.
    $password = $_Post['Password'];
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = "index.php";
    $MM_redirectLoginFailed = "loginsignup.php";
    $MM_redirecttoReferrer = false;
    mysql_select_db($database_pwnedbookv4, $pwnedbookv4);

    $LoginRS__query = sprintf("SELECT username, password, uid FROM users WHERE username=%s AND password=%s",
        GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
    $LoginRS = mysql_query($LoginRS__query, $pwnedbookv4) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);

    if ($loginFoundUser) {
        if (isset($_POST['checkcookie'])) {
            // "remember me": stores the username and the password value in 100-day cookies
            setcookie("cookname", $loginUsername, time() + 60 * 60 * 24 * 100, "/");
            setcookie("cookpass", $password, time() + 60 * 60 * 24 * 100, "/");
        }
        $loginStrGroup = "";
        $pullID = mysql_fetch_assoc($LoginRS);
        $usrID = $pullID['uid'];

        if (PHP_VERSION >= 5.1) { session_regenerate_id(true); } else { session_regenerate_id(); }
        // declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;
        $_SESSION['MM_userid'] = $usrID;

        if (isset($_SESSION['PrevUrl']) && false) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: " . $MM_redirectLoginSuccess);
    } else {
        header("Location: " . $MM_redirectLoginFailed);
    }
}
?>
```

Still not working. Do you think it matters that, even before I started changing any code, there was already a $password variable? (`$password=$_Post['Password'];` already existed.) Is the $password in `$password=md5( md5($salt.$_POST['password']));` overriding the $password in `$password=$_Post['Password'];`?
Nodral Posted July 28, 2011
Whichever appears later in the code will override the others. Your process should be something like:

```php
if (isset($_POST['password'])) {
    // ...
    $password = md5(md5($salt . $_POST['password']));
    // ...
    // either INSERT or SELECT with DB using $password
    // ...
}
```

```html
<form method="post">
    <input type="password" name="password">
</form>
```

You shouldn't need to define it any more times than this really. Your user will input in either a reg form or login form. This is then returned to the script as $_POST['password']. This will then be hashed and salted to $password, which is then either written to the DB or used as part of a SELECT statement to get existing user details.

Have a scan through your code and see if it fits this; if you've got other complications in there (except the bit to prevent numeric SQL injection) you may want to remove them.

Hope this makes sense.
hoponhiggo (Author) Posted July 28, 2011
I have tried to go through the whole login/signup code and remove what I can. I am left with:

```php
<?php
if (!function_exists("GetSQLValueString")) {
    // Dreamweaver helper: escapes a value and quotes/casts it for use in SQL text.
    // mysql_real_escape_string() uses the most recent mysql_connect() link.
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        if (PHP_VERSION < 6) {
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }

        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}

// *** Validate request to login to this site.
if (!isset($_SESSION)) {
    session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['Username'])) {
    $loginUsername = $_POST['Username'];
    $password = $_POST['Password'];
    $salt = "anything here";
    $password = md5(md5($salt . $_POST['Password']));
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = "index.php";
    $MM_redirectLoginFailed = "loginsignup.php";
    $MM_redirecttoReferrer = false;
    mysql_select_db($database_pwnedbookv4, $pwnedbookv4);

    $LoginRS__query = sprintf("SELECT username, password, uid FROM users WHERE username=%s AND password=%s",
        GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
    $LoginRS = mysql_query($LoginRS__query, $pwnedbookv4) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);

    if ($loginFoundUser) {
        $loginStrGroup = "";
        $pullID = mysql_fetch_assoc($LoginRS);
        $usrID = $pullID['uid'];

        if (PHP_VERSION >= 5.1) { session_regenerate_id(true); } else { session_regenerate_id(); }
        // declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;
        $_SESSION['MM_userid'] = $usrID;

        if (isset($_SESSION['PrevUrl']) && false) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: " . $MM_redirectLoginSuccess);
    } else {
        header("Location: " . $MM_redirectLoginFailed);
    }
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if (isset($_POST['username'])) {
    if ($_POST['username'] == "") {
        // username empty
        die("You must enter a username");
    }
} else {
    // username not set
}

if (isset($_POST['password'])) {
    if ($_POST['password'] == "") {
        // password empty
        die("You must enter a password");
    }
} else {
    // password not set
}

// Registration hash (as posted): $password here is whatever the login block
// above left in it, not $_POST['password'].
$salt = "anything here";
$password = md5(md5($salt . $password));

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
    $insertSQL = sprintf("INSERT INTO users (username, password, email, fname, sname) VALUES (%s, %s, %s, %s, %s)",
        GetSQLValueString($_POST['username'], "text"),
        GetSQLValueString($password, "text"),
        GetSQLValueString($_POST['email'], "text"),
        GetSQLValueString($_POST['fname'], "text"),
        GetSQLValueString($_POST['sname'], "text"));

    mysql_select_db($database_pwnedbookv4, $pwnedbookv4);
    $Result1 = mysql_query($insertSQL, $pwnedbookv4) or die(mysql_error());

    $insertGoTo = "loginsignup.php";
    if (isset($_SERVER['QUERY_STRING'])) {
        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
        $insertGoTo .= $_SERVER['QUERY_STRING'];
    }
    // header() does not stop the script, so execution continues into the mail code below.
    header(sprintf("Location: %s", $insertGoTo));
}

// send mail
$to = $_POST['email'];
$subject = "Welcome to ...";
$message = "
<html>
<head>
  <title>Welcome to ...</title>
</head>
<body>
  <p>Welcome to ...</p>
  <p>Thank you for registering</p>
  <p>Hoponhiggo (admin)</p>
</body>
</html>
";

// To send HTML mail, the Content-type header must be set
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'From: pwnedbookv4@hoponhiggo.co.uk' . "\r\n";

// preg_match() needs the subject string as its second argument; as posted it was called
// with the pattern only, so the address was never actually checked.
if (!preg_match('/^([0-9a-zA-Z]([-\.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$/i', $to)) {
    die("You must enter a valid email address");
}

mail($to, $subject, $message, $headers);
?>
```

Using Dreamweaver, it says I have two login actions as server behaviours. Whenever I try to amend:

```php
if (isset($_POST['Username'])) {
    $loginUsername = $_POST['Username'];
    $password = $_POST['Password'];
    $salt = "anything here";
    $password = md5(md5($salt . $_POST['Password']));
```

both of these server behaviours disappear. A lot of this code has been automatically created by Dreamweaver, so I'm not too sure what can stay and what can go to try and make this work.
Nodral Posted July 28, 2011
Unfortunately I have no experience of Dreamweaver so can't help there. I tend to write all my code from scratch so I know what everything does, and I learn more as I go along.
PFMaBiSmAd Posted July 28, 2011
Here's a time-saving tip: you need to have error_reporting set to E_ALL (or even better, -1) and display_errors set to ON in your master php.ini so that PHP will report and display all the errors it detects. Restart your web server to get any changes made to your master php.ini to take effect, and confirm that those two settings got changed in case the php.ini that you changed is not the one that PHP is using.
hoponhiggo (Author) Posted July 28, 2011
Finally sorted this now. I have posted the code for reference:

```php
// Hash the submitted password once, before the login block, and reuse it below.
$salt = "asifiwouldtellyou";
$userpass = $_POST['Password'];
$md5pass = md5($salt . $userpass);

if (isset($_POST['Username'])) {
    $loginUsername = $_POST['Username'];
    $password = $md5pass;
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = "index.php";
    $MM_redirectLoginFailed = "loginsignup.php";
    $MM_redirecttoReferrer = false;
    mysql_select_db($database_pwnedbookv4, $pwnedbookv4);

    $LoginRS__query = sprintf("SELECT username, password, uid FROM users WHERE username=%s AND password=%s",
        GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
```

Nodral, PFMaBiSmAd and Muddy_Funster: thank you all very much for your contributions, especially Nodral. Top guy!
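Editor's note, added example (not the poster's code and not part of the thread): the register/login procedure Nodral sketched earlier and the final login block above, written with PDO prepared statements instead of GetSQLValueString() and with password_hash()/password_verify() instead of salted md5(). Two caveats a reader of the thread should take away: the mysql_* functions used throughout were removed in PHP 7, and md5(salt . password) with one site-wide salt still gives every user with the same password the same hash and is cheap to brute-force offline, whereas password_hash() generates a random per-user salt and uses a deliberately slow algorithm. Assumptions: PHP 7.1 or later with the PDO sqlite driver; an in-memory SQLite database stands in for the pwnedbookv4 MySQL database; the table and column names (users, uid, username, password) follow the thread; the sample user and passwords are constructed.

```php
<?php
// Added example, not from the thread. Requires PHP >= 7.1 with PDO + pdo_sqlite.
declare(strict_types=1);

// In-memory SQLite stands in for the thread's MySQL database (assumption).
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        uid      INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL)');
    return $db;
}

// Registration: hash once, store the hash. password_hash() picks a random salt
// per call and embeds it in the returned string, so no shared $salt constant is
// needed and two users with the same password get different hashes.
function registerUser(PDO $db, string $username, string $plainPassword): int
{
    if ($username === '' || $plainPassword === '') {
        throw new InvalidArgumentException('username and password are required');
    }
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
    return (int) $db->lastInsertId();
}

// Login: look the row up by username only, then let password_verify() compare
// the submitted password with the stored hash. Neither value is ever spliced
// into SQL text, so there is nothing to escape and nothing to inject into.
// Returns the uid on success, null for an unknown user or a wrong password
// (the same answer for both, so usernames cannot be enumerated this way).
function loginUser(PDO $db, string $username, string $plainPassword): ?int
{
    $stmt = $db->prepare('SELECT uid, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($plainPassword, $row['password'])) {
        return null;
    }
    return (int) $row['uid'];
}

// Session setup after a successful login, mirroring what the Dreamweaver code
// does with session_regenerate_id(true): a fresh id replaces the one the
// browser had before authenticating, which defeats session fixation. Kept
// separate from loginUser() so the lookup can be exercised from the CLI.
function establishSession(int $uid, string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['MM_Username'] = $username;
    $_SESSION['MM_userid']   = $uid;
}

// Demonstration with constructed input.
$db  = openDb();
$uid = registerUser($db, 'hoponhiggo', 'correct horse battery staple');

$checks = [
    'right password'   => loginUser($db, 'hoponhiggo', 'correct horse battery staple') === $uid,
    'wrong password'   => loginUser($db, 'hoponhiggo', 'wrong password') === null,
    // The classic injection string is just an unusual username that matches no row.
    'injection string' => loginUser($db, "' OR '1'='1", 'anything') === null,
];
foreach ($checks as $name => $ok) {
    echo $name, ': ', ($ok ? 'pass' : 'FAIL'), PHP_EOL;
}
```

Run it with `php login_example.php` (any file name will do). The "remember me" cookies in the earlier versions of the login code, which put the password hash itself into a 100-day cookie, are deliberately not reproduced here: a persistent-login cookie should carry a random token that is stored hashed in the database and can be revoked, never anything derived from the password.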