swatisonee Posted August 5, 2011

Discovered a major flaw. And need help in setting it right please! The header of each page starts as below.

    <?
    include ("session.php");   // session.php is: session_start(); $_SESSION['id']=session_id(); $_SESSION['userid']=$userid; $_SESSION['usertype']=$usertype;
    include ("../log.php");    // db info for DB
    if(!isset($_SESSION['userid']) ){
        echo "<center><font face='Calibri' size='2' color=red>Sorry, Please login and use this page </font></center>";
        exit;
    }
    // log.php also checks
    $sql = "SELECT * FROM Users WHERE Userid= '$_SESSION[userid]' AND UTID = '$_SESSION[usertype]' ";
    // note: mysql_query() returns a result resource even when no row matches, so this only tests that the query ran
    if ($result = mysql_query($sql) ) {
        $sql2= "insert into Log (Sessionid,Userid,IP,Date,File, Status) values('$_SESSION[id]','$_SESSION[userid]','$ip','$tm', '$url', 'On')";
        $result2 = mysql_query($sql2) or die ('no access to database: ' . mysql_error());
    } else {
        $failureMessage = 'Login Not Permitted. You are not authorised to access this database .';
        print $failureMessage;
        exit;
    }
    ?>

But a user can simply change the name of the php file in the address bar and enter someone else's page without the session dying or even needing a pw, because log.php only checks if the userid and usertype tally with the relevant record of a user. It doesn't check if usertype has access to other scripts. ex: userid E001 can supposedly only access sales.php. But if he changes sales.php to hr.php in the address bar, he can access all the data of the user to whom hr.php is assigned!

allowed: http://www.example.com/DBS/sales.php?Userid=E001
not allowed but accesses: http://www.example.com/DBS/HR/feef2.php?Userid=E001

How do I amend access to other pages please? Thanks: Swati
phpSensei Posted August 5, 2011

And where is $_GET['UserID'] implemented in your code?!?!
swatisonee Posted August 5, 2011 (Author)

Sorry, didn't get that q? When the address bar is modified from sales.php to hr.php, what do I need to add in to hr.php and indeed every single page to ensure that contents are accessed by a valid user? Thanks.
swatisonee Posted August 5, 2011 (Author)

I modified the header as under. *But* it doesn't look like a global solution because it requires usertype to be specified as 1 or 2 or 8 etc ... can anyone suggest more secure options? Thanks.

    if(!isset($_SESSION['userid'])) {
        echo "Sorry, Please login and use this page ";
        exit;
    }
    if(isset($_SESSION['userid']) AND ($_SESSION['usertype']) !=8 ) {
        echo "You are not authorised to access this page ";
        exit;
    }
phpSensei Posted August 5, 2011

You still haven't answered my question. The userid is only a session at this point, it CAN'T be modified by a user under normal circumstances. I still don't understand your concerns for http://www.example.com/DBS/sales.php?Userid=E001. You're not even utilizing that http var anywhere in the code you posted. Your new solution above this post just checks if the user is logged in or not. And this needs to be under the correct parentheses:

    if(isset($_SESSION['userid']) AND ($_SESSION['usertype']) !=8 )
swatisonee Posted August 5, 2011 (Author)

Ok, let me see if I can explain this better. Net net I'm missing the point and don't know how to set it right.

a. User logs in with un, pw as per a script login.php.
b. This script also contains the foll. code where he is directed to a page (sales.php or hr.php) based on usertype - as per code snippet below.
c. If say, usertype is 8, he gets directed to sales.php which should, as per modified code, check that the user is indeed of type 8.
d. Now what was happening earlier was that by simply changing sales.php to hr.php in the browser address bar, he could access the latter page.
e. The problem that I find with the modification made above is for scripts that are a common feature to both sales.php and hr.php. Say for example checking of individual leave records where the script is common to users of both sales and hr. Trying something like this code doesn't work:

    if ( (isset($_SESSION['userid']) && (($_SESSION['usertype']) !=8 ) ) OR (isset($_SESSION['userid']) && (($_SESSION['usertype']) !=3 )) ) {
        echo "You are not authorised to access this page";
        exit;
    }
    // it rejects both usertypes 8 and 3

Code for login.php:

    if($_POST['submit']) {
        session_start();
        // blah blah ...
        $sql = "SELECT * FROM Users WHERE .........";
        $result = mysql_query($sql);
        if ($myrow = mysql_fetch_array($result)) {
            $login_success = 'Yes';
            $userid = $myrow["Userid"];
            $usertype = $myrow["UTID"];
            $status = "On";
            $_SESSION['id']=session_id();
            $sql2= "insert into Log (Sessionid,Userid,IP,Date,File, Status) values('$_SESSION[id]','$userid','$ip','$tm', '$url', '$status')";
            $result2 = mysql_query($sql2) or die ('no access to database: ' . mysql_error());
            if ($usertype =='5' ) { $userFile = 'hr.php'; }
            if ($usertype =='8' ) { $userFile = 'sales.php'; }
            if ($usertype =='9' ) { $userFile = 'head.php'; }
        }
    }
    $_SESSION['userid']=$userid;
    $_SESSION['usertype']=$usertype;
    // some html stuff and then
    $successMessage .= 'Click <a href="'.$userFile.'?Userid='.$userid.'"> here </a>to proceed to your options';
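One way to give every page a single, central access check, covering both the one-department pages and the shared leave-records page the thread describes, is a per-page map of allowed user types that is consulted by one include. This is an added example, not code from the thread; it assumes the session keys 'userid' and 'usertype' set by login.php as posted, reuses the type numbers from the thread (5 = hr.php, 8 = sales.php, 9 = head.php), and the file name leave.php is a hypothetical shared page.

```php
<?php
// auth.php: added example (not the poster's code). Include it at the very top of
// every protected page instead of the per-page != comparisons.
session_start();

// Central map: page name -> user types (UTID values) allowed to load it.
// A page shared by several departments simply lists every permitted type.
// Type numbers follow the thread; 'leave.php' is a hypothetical shared page.
$pageRoles = array(
    'sales.php' => array(8),
    'hr.php'    => array(5),
    'head.php'  => array(9),
    'leave.php' => array(5, 8, 9),
);

// Pure decision function so the policy can be unit-tested without a session.
function is_allowed($page, $usertype, array $pageRoles)
{
    // Deny by default: a page missing from the map is reachable by nobody,
    // so renaming a file in the address bar cannot open an unlisted page.
    $allowed = isset($pageRoles[$page]) ? $pageRoles[$page] : array();
    // in_array() expresses "type 5 OR 8 OR 9" correctly; a chain of
    // != comparisons joined with OR rejects every type.
    return in_array((int) $usertype, $allowed, true);
}

function require_access(array $pageRoles)
{
    // Only the server-side session is trusted; ?Userid=E001 in the URL is ignored.
    if (!isset($_SESSION['userid'], $_SESSION['usertype'])) {
        header('HTTP/1.1 403 Forbidden');
        exit('Sorry, please login and use this page');
    }
    // basename() strips any directory part, so DBS/HR/x.php is checked as x.php.
    $page = basename($_SERVER['SCRIPT_NAME']);
    if (!is_allowed($page, $_SESSION['usertype'], $pageRoles)) {
        header('HTTP/1.1 403 Forbidden');
        exit('You are not authorised to access this page');
    }
}

require_access($pageRoles);
```

Because the check keys on the script actually being served rather than on a redirect target chosen in login.php, the same include protects every page without editing the type number into each file.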