scott.timlock Posted September 23, 2013 Share Posted September 23, 2013 Hello, I have this registration script in php... and was recently compromised. I was hoping for some help in identifying any potential security issues that would allow a person to get userid, email, and password hash's from it. <?php define('NO_INCLUDE', 1); $phpEx = "php"; $php_root_path = "./"; include($php_root_path . 'includes/common.'.$phpEx); if ( isset($HTTP_POST_VARS['mode']) ) $mode = $HTTP_POST_VARS['mode']; elseif ( isset($HTTP_GET_VARS['mode']) ) $mode = $HTTP_GET_VARS['mode']; else $mode = 'register'; function show_coppa() { global $template, $php_root_path, $phpEx; $template->set_filenames(array( 'body' => 'agreement_body.tpl') ); $template->pparse('body'); } $error = FALSE; $error_msg = ''; $page_title = ( $mode == 'register' ) ? "Register" : "Activate"; session_start(); if ( $mode == 'activate' ) { if( ( isset($HTTP_POST_VARS['activate']) || isset($HTTP_GET_VARS['activate']) ) && !$_SESSION['logged_in'] ) { $username = isset($HTTP_POST_VARS['StrUserID']) ? $HTTP_POST_VARS['StrUserID'] : ''; $password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : ''; $activation_code = isset($HTTP_POST_VARS['activation_code']) ? $HTTP_POST_VARS['activation_code'] : $HTTP_GET_VARS['act_code']; $sql = "SELECT JID, StrUserID, password, Name, Email, sex, certificate_num, address, postcode, phone, mobile, regtime, reg_ip, activation_code FROM TB_User_Info WHERE StrUserID = '" . $username . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining user data'); } if( $row = $db_account->sql_fetchrow($result) ) { if( md5($password) == $row['password'] ) { if( $activation_code == $row['activation_code'] ) { if($row['certificate_num'] != "") $row['certificate_num'] = "'".$row['certificate_num']."'"; else $row['certificate_num'] = "NULL"; if($row['address'] != "") $row['address'] = "'".$row['address']."'"; else $row['address'] = "NULL"; if($row['postcode'] != "") $row['postcode'] = "'".$row['postcode']."'"; else $row['postcode'] = "NULL"; if($row['phone'] != "") $row['phone'] = "'".$row['phone']."'"; else $row['phone'] = "NULL"; if($row['mobile'] != "") $row['mobile'] = "'".$row['mobile']."'"; else $row['mobile'] = "NULL"; $sql = "INSERT INTO TB_User (StrUserID, password, Status, GMrank, Name, Email, sex, certificate_num, address, postcode, phone, mobile, regtime, reg_ip, Time_log, sec_primary, sec_content) VALUES ('" . $row['StrUserID'] . "', '" . $row['password'] . "', '1', '0', '" . $row['Name'] . "', '" . $row['Email'] . "', '" . $row['sex'] . "', " . $row['certificate_num'] . ", " . $row['address'] . ", " . $row['postcode'] . ", " . $row['phone'] . ", " . $row['mobile'] . ", '" . $row['regtime'] . "', '" . $row['reg_ip'] . "', NULL, '3', '3') "; if ( !($result = $db_account->sql_query($sql)) ) { die('Could not insert data into users table<br />'.$sql); } else { $message = 'Congratulations!!! Your account has successfuly been activated!<br /><br />You are now logged into the website and you can use your account information to login to any of our servers!<br /><br />Now would be a good time to visit our <a href="viewforum.php?f=12">Introduction & Recruitment Section</a> on our Community page and introduce yourself!<br /><br />We hope you enjoy your time with us at Silkroad Universe!'; $sql = "DELETE FROM TB_User_Info WHERE JID = ".$row['JID']; if ( !($result = $db_account->sql_query($sql)) ) { die('Could not delete temp activation data'); } $sql = "SELECT JID, StrUserID, Name, Email, Status, sec_content FROM TB_User WHERE StrUserID = '" . $row['StrUserID'] . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining user data'); } $new_user = $db_account->sql_fetchrow($result); $_SESSION['JID'] = $new_user['JID']; $_SESSION['StrUserID'] = $new_user['StrUserID']; $_SESSION['Name'] = $new_user['Name']; $_SESSION['Email'] = $new_user['Email']; $_SESSION['Status'] = $new_user['Status']; $_SESSION['sec_content'] = $new_user['sec_content']; $_SESSION['session_id'] = session_id(); $_SESSION['tracking_topics'] = array(); $_SESSION['tracking_forums'] = array(); $_SESSION['last_visit'] = ($_SESSION['last_pagevisit']+10800)<=time()?time():$_SESSION['last_visit']; $_SESSION['last_pagevisit'] = time(); $_SESSION['logged_in'] = TRUE; } $message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); $template->assign_vars(array( 'MESSAGE_TITLE' => "Registration Successful", 'MESSAGE_TEXT' => $message) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { $message_title = 'Your activation code did not match our records.'; } } else { $message_title = 'You have specified an incorrect password.'; } } else { $message_title = 'You have specified an incorrect username.'; } $page_title = "Activation Error"; include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); if( isset($HTTP_POST_VARS['redirect']) ) $redir = '&redirect='.$HTTP_POST_VARS['redirect']; else $redir = ''; $message_text = sprintf('Click %sHere%s to try again', '<a href="register.'.$phpEx.'?mode=activate'.$redir.'">', '</a>') . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); $template->assign_vars(array( 'MESSAGE_TITLE' => $message_title, 'MESSAGE_TEXT' => $message_text) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { if ( empty($_SESSION['logged_in']) ) { include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'activate_body.tpl') ); if( isset($HTTP_POST_VARS['act_code']) || isset($HTTP_GET_VARS['act_code']) ) { $activation_code = isset($HTTP_GET_VARS['act_code']) ? $HTTP_GET_VARS['act_code'] : $HTTP_POST_VARS['act_code']; $s_hidden_fields = '<input type="hidden" name="activation_code" value="' . $activation_code . '" />'; } else { $template->assign_block_vars('switch_enter_activation_code', array()); } if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) ) { $forward_page = isset($HTTP_GET_VARS['redirect']) ? $HTTP_GET_VARS['redirect'] : $HTTP_POST_VARS['redirect']; $s_hidden_fields .= '<input type="hidden" name="redirect" value="' . $forward_page . '" />'; } $template->assign_vars(array( 'S_HIDDEN_FIELDS' => $s_hidden_fields) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { $page_title = "Activation Error"; include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); if( isset($HTTP_POST_VARS['redirect']) ) $redir = '&redirect='.$HTTP_POST_VARS['redirect']; else $redir = ''; $message_title = 'You must log out to activate your account'; $message_text = sprintf('Click %sHere%s to log out', '<a href="login.'.$phpEx.'?logout=true'.$redir.'">', '</a>') . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); $template->assign_vars(array( 'MESSAGE_TITLE' => $message_title, 'MESSAGE_TEXT' => $message_text) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } } } elseif ( $mode == 'resend' ) { if( isset($HTTP_POST_VARS['resend']) || isset($HTTP_GET_VARS['resend']) ) { $user_email = isset($HTTP_POST_VARS['user_email']) ? $HTTP_POST_VARS['user_email'] : ''; $sql = "SELECT JID, StrUserID, Email, activation_code FROM TB_User_Info WHERE StrUserID = '" . $user_email . "' OR Email = '" . $user_email . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining user data'); } if( $row = $db_account->sql_fetchrow($result) ) { $message = 'Your activation code has been resent to the account email you specified.'; include($php_root_path . 'includes/emailer.'.$phpEx); $emailer = new emailer(true); $emailer->from('no-reply@sro-underground.com'); $emailer->replyto('no-reply@sro-underground.com'); $emailer->use_template('user_welcome_inactive'); $emailer->email_address($row['Email']); $emailer->set_subject('Resend Activation'); $emailer->assign_vars(array( 'USERNAME' => $row['StrUserID'], 'PASSWORD' => '************', 'ACTIVATION_CODE' => $row['activation_code'], 'U_ACTIVATE' => $server_addr . $server_script . 'register.php?mode=activate&act_code=' . $row['activation_code']) ); $emailer->send(); $emailer->reset(); $message = $message . sprintf('Click %sHere%s to manually enter your activation code', '<a href="register.'.$phpEx.'?mode=activate">', '</a>') . '<br /><br />'; $message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); $template->assign_vars(array( 'MESSAGE_TITLE' => "Activation Resend Successful", 'MESSAGE_TEXT' => $message) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { $message_title = 'You have specified an incorrect username or email.'; } $page_title = "Resend Activation Error"; include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); if( isset($HTTP_POST_VARS['redirect']) ) $redir = '&redirect='.$HTTP_POST_VARS['redirect']; else $redir = ''; $message_text = sprintf('Click %sHere%s to try again', '<a href="register.'.$phpEx.'?mode=activate'.$redir.'">', '</a>') . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); $template->assign_vars(array( 'MESSAGE_TITLE' => $message_title, 'MESSAGE_TEXT' => $message_text) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'activate_resend.tpl') ); if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) ) { $forward_page = isset($HTTP_GET_VARS['redirect']) ? $HTTP_GET_VARS['redirect'] : $HTTP_POST_VARS['redirect']; $s_hidden_fields .= '<input type="hidden" name="redirect" value="' . $forward_page . '" />'; } $template->assign_vars(array( 'S_HIDDEN_FIELDS' => $s_hidden_fields) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } } elseif ( $mode == 'bademail' ) { if( isset($HTTP_POST_VARS['bademail']) || isset($HTTP_GET_VARS['bademail']) ) { $Email = isset($HTTP_POST_VARS['Email']) ? $HTTP_POST_VARS['Email'] : ''; $Email_new = isset($HTTP_POST_VARS['Email_new']) ? $HTTP_POST_VARS['Email_new'] : ''; $Email_con = isset($HTTP_POST_VARS['Email_con']) ? $HTTP_POST_VARS['Email_con'] : ''; $username = isset($HTTP_POST_VARS['StrUserID']) ? $HTTP_POST_VARS['StrUserID'] : ''; $password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : ''; $sql = "SELECT JID, StrUserID, Name, Email, password, activation_code FROM TB_User_Info WHERE StrUserID = '" . $username . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining user data'); } if( $row = $db_account->sql_fetchrow($result) ) { if( md5($password) == $row['password'] ) { if( $Email == $row['Email'] && $Email_new == $Email_con ) { $sql = "SELECT Email FROM TB_User WHERE Email = '" . $Email . "' UNION ALL SELECT Email FROM TB_User_Info WHERE Email = '" . $Email . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining email data'); } if( $row = $db_account->sql_fetchrow($result) ) { $message_title = 'The new email you entered is taken, please enter a new email.'; } else { $message = 'Your activation code has been resent to the new email you specified and your old email has been updated.'; $sql = "SELECT JID, StrUserID, Name, Email, password, activation_code FROM TB_User_Info WHERE StrUserID = '" . $username . "'"; $sql = "UPDATE TB_User_Info SET Email = '".$Email_new."' WHERE StrUserID = '".$username."' AND Email = '".$Email."' AND password = '".md5($password)."'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in updating user data'); } include($php_root_path . 'includes/emailer.'.$phpEx); $emailer = new emailer(true); $emailer->from('no-reply@sro-underground.com'); $emailer->replyto('no-reply@sro-underground.com'); $emailer->use_template('user_welcome_inactive'); $emailer->email_address($Email_new); $emailer->set_subject('Resend Activation'); $emailer->assign_vars(array( 'USERNAME' => $row['StrUserID'], 'PASSWORD' => '************', 'ACTIVATION_CODE' => $row['activation_code'], 'U_ACTIVATE' => $server_addr . $server_script . 'register.php?mode=activate&act_code=' . $row['activation_code']) ); $emailer->send(); $emailer->reset(); $message = $message . sprintf('Click %sHere%s to manually enter your activation code', '<a href="register.'.$phpEx.'?mode=activate">', '</a>') . '<br /><br />'; $message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); $template->assign_vars(array( 'MESSAGE_TITLE' => "Activation Resend Successful", 'MESSAGE_TEXT' => $message) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } } else { $message_title = 'The old email you entered does not match the one we have on record, or your new emails did not match.'; } } else { $message_title = 'You have specified an incorrect password, or your account has been blocked.'; } } else { $message_title = 'You have specified an incorrect user name, or that account does not exist.'; } $page_title = "Update Activation Error"; include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); if( isset($HTTP_POST_VARS['redirect']) ) $redir = '&redirect='.$HTTP_POST_VARS['redirect']; else $redir = ''; $message_text = sprintf('Click %sHere%s to try again', '<a href="register.'.$phpEx.'?mode=bademail'.$redir.'">', '</a>') . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); $template->assign_vars(array( 'MESSAGE_TITLE' => $message_title, 'MESSAGE_TEXT' => $message_text) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'activate_bademail.tpl') ); if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) ) { $forward_page = isset($HTTP_GET_VARS['redirect']) ? $HTTP_GET_VARS['redirect'] : $HTTP_POST_VARS['redirect']; $s_hidden_fields .= '<input type="hidden" name="redirect" value="' . $forward_page . '" />'; } $template->assign_vars(array( 'S_HIDDEN_FIELDS' => $s_hidden_fields) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } } if ( $mode == 'register' && !isset($HTTP_POST_VARS['agreed']) && !isset($HTTP_GET_VARS['agreed']) ) { include($php_root_path . 'includes/page_header.'.$phpEx); show_coppa(); include($php_root_path . 'includes/page_footer.'.$phpEx); } $coppa = ( empty($HTTP_POST_VARS['coppa']) && empty($HTTP_GET_VARS['coppa']) ) ? 0 : TRUE; if ($mode == 'register') { $username = ( !empty($HTTP_POST_VARS['StrUserID']) ) ? $HTTP_POST_VARS['StrUserID'] : ''; $password = ( !empty($HTTP_POST_VARS['password']) ) ? $HTTP_POST_VARS['password'] : ''; $password_confirm = ( !empty($HTTP_POST_VARS['password_confirm']) ) ? $HTTP_POST_VARS['password_confirm'] : ''; $Email = ( !empty($HTTP_POST_VARS['Email']) ) ? $HTTP_POST_VARS['Email'] : ''; $Email_confirm = ( !empty($HTTP_POST_VARS['Email_confirm']) ) ? $HTTP_POST_VARS['Email_confirm'] : ''; $Name = ( !empty($HTTP_POST_VARS['Name']) ) ? $HTTP_POST_VARS['Name'] : ''; $sex = ( !empty($HTTP_POST_VARS['sex']) ) ? $HTTP_POST_VARS['sex'] : ''; $certificate_num = ( !empty($HTTP_POST_VARS['certificate_num']) ) ? $HTTP_POST_VARS['certificate_num'] : "NULL"; $address = ( !empty($HTTP_POST_VARS['address']) ) ? $HTTP_POST_VARS['address'] : "NULL"; $postcode = ( !empty($HTTP_POST_VARS['postcode']) ) ? $HTTP_POST_VARS['postcode'] : "NULL"; $phone = ( !empty($HTTP_POST_VARS['phone']) ) ? $HTTP_POST_VARS['phone'] : "NULL"; $mobile = ( !empty($HTTP_POST_VARS['mobile']) ) ? $HTTP_POST_VARS['mobile'] : "NULL"; } if ($mode == 'register' && $_SESSION['logged_in'] && $username == $_SESSION['StrUserID']) { die("That username has already been taken"); } if ( isset($HTTP_POST_VARS['submit']) && $registration_enabled ) { if ( $mode == 'register' ) { if ( getenv("REMOTE_ADDR") == "84.25.0.224" || getenv("REMOTE_ADDR") == "95.154.230.191" || getenv("REMOTE_ADDR") == "66.90.101.217" || strpos("tunay", strtolower($Email)) != false || strpos("tunay", strtolower($Name)) != false ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'You have been banned from this website.'; } } $passwd_sql = ''; if ( $mode == 'register' ) { if ( empty($username) || empty($password) || empty($password_confirm) || empty($Email) || empty($Email_confirm) || empty($Name) ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'You must fill in all the required fields.'; } } $passwd_sql = ''; if ( !empty($password) && !empty($password_confirm) ) { if ( $password != $password_confirm ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The passwords you entered did not match.'; } elseif ( strlen($password_confirm) < 6 ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your password must be no less than 6 characters.'; } elseif ( strlen($password_confirm) > 32 ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your password must be no more than 32 characters.'; } elseif(!ctype_alnum($password)) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your password should be characters and numbers only.'; } else { if ( !$error ) { $password = md5($password); $passwd_sql = "password = '$password', "; } } } else if ( ( empty($password) && !empty($password_confirm) ) || ( !empty($password) && empty($password_confirm) ) ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The passwords you entered did not match.'; } $username_sql = ''; $email_sql = ''; if ( $mode == 'register' ) { if ( empty($username) ) { $error = TRUE; } else if ( $username != $_SESSION['StrUserID'] || $mode == 'register') { $sql = "SELECT StrUserID FROM TB_User WHERE StrUserID = '" . $username . "' UNION ALL SELECT StrUserID FROM TB_User_Info WHERE StrUserID = '" . $username . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining username data'); } if( $row = $db_account->sql_fetchrow($result) ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Please pick another username, that username has already been taken.'; } elseif ( strlen($username) < 6 ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your username must be no less than 6 characters.'; } elseif ( strlen($username) > 32 ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your username must be no more than 32 characters.'; } elseif(!ctype_alnum($username)) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your username should be characters and numbers only.'; } if (!$error) { $username_sql = "StrUserID = '" . $username . "', "; } } if ( empty($Email) || empty($Email_confirm) ) { $error = TRUE; } elseif ( $Email != $_SESSION['Email'] || $mode == 'register' ) { $sql = "SELECT Email FROM TB_User WHERE Email = '" . $Email . "' UNION ALL SELECT Email FROM TB_User_Info WHERE Email = '" . $Email . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining email data'); } if( $row = $db_account->sql_fetchrow($result) ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Please use another email, that email has already been taken.'; } elseif(!filter_var($Email, FILTER_VALIDATE_EMAIL) || !filter_var($Email_confirm, FILTER_VALIDATE_EMAIL)) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The email you entered is not a valid format.'; } elseif( $Email != $Email_confirm ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The emails you entered did not match.'; } elseif( strpos($Email, '@walla.com') ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'invalid email address.'; } if (!$error) { $email_sql = "Email = '" . $Email . "', "; } } if ( $mode == 'register' ) { $sql = "SELECT COUNT(reg_ip) AS Cnt FROM TB_User WHERE reg_ip = '" . getenv("REMOTE_ADDR") . "' UNION ALL SELECT COUNT(reg_ip) AS Cnt FROM TB_User_Info WHERE reg_ip = '" . getenv("REMOTE_ADDR") . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining reg_ip data'); } $row = $db_account->sql_fetchrow($result); if( $row['Cnt'] > 2 ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The account limit has been reached for this IP address.'; } } if ( empty($Name) ) { $error = TRUE; } elseif ( $Name != $_SESSION['Name'] || $mode == 'register' ) { if(substr_count($Name, ' ') > 1) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your display name can contain only 1 space.'; } if(!ctype_alnum(str_replace(' ','x', $Name))) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your display name should be characters and numbers only.'; } if (!$error) { $name_sql = "Name = '" . $Name . "', "; } } } if ( !$error ) { if($email_activation_enabled && $mode == 'register') { $sql = "SELECT MAX(JID) AS total FROM TB_User_Info"; if ( !($result = $db_account->sql_query($sql)) ) { die('Could not obtain next user_id information'); } $row = $db_account->sql_fetchrow($result); $user_id = $row['total'] + 1; $activation_code = sha1("" . getenv("REMOTE_ADDR") . $Email . ""); if($certificate_num != "NULL") $certificate_num = "'".$certificate_num."'"; if($address != "NULL") $address = "'".$address."'"; if($postcode != "NULL") $postcode = "'".$postcode."'"; if($phone != "NULL") $phone = "'".$phone."'"; if($mobile != "NULL") $mobile = "'".$mobile."'"; $sql = "INSERT INTO TB_User_Info (JID, StrUserID, password, Name, Email, sex, certificate_num, address, postcode, phone, mobile, regtime, reg_ip, activation_code) VALUES ('" . $user_id . "', '" . $username . "', '" . $password . "', '" . $Name . "', '" . $Email . "', '" . $sex . "', " . $certificate_num . ", " . $address . ", " . $postcode . ", " . $phone . ", " . $mobile . ", GETDATE(), '" . getenv("REMOTE_ADDR") . "', '" . $activation_code . "') "; if ( !($result = $db_account->sql_query($sql)) ) { die('Could not insert data into temp users table<br /><br />' . $sql); } $message = 'Your account has been created. However, this site requires account activation. An activation key has been sent to the e-mail address you provided.<br />Please check your e-mail for further information'; include($php_root_path . 'includes/emailer.'.$phpEx); $emailer = new emailer(true); $emailer->from('no-reply@sro-underground.com'); $emailer->replyto('no-reply@sro-underground.com'); $emailer->use_template('user_welcome_inactive'); $emailer->email_address($Email); $emailer->set_subject('Welcome to Silkroad Underground'); $emailer->assign_vars(array( 'USERNAME' => $username, 'PASSWORD' => $password_confirm, 'ACTIVATION_CODE' => $activation_code, 'U_ACTIVATE' => $server_addr . $server_script . 'register.php?mode=activate&act_code=' . $activation_code) ); $emailer->send(); $emailer->reset(); } elseif ($mode == 'register') { if($certificate_num != "NULL") $certificate_num = "'".$certificate_num."'"; if($address != "NULL") $address = "'".$address."'"; if($postcode != "NULL") $postcode = "'".$postcode."'"; if($phone != "NULL") $phone = "'".$phone."'"; if($mobile != "NULL") $mobile = "'".$mobile."'"; $sql = "INSERT INTO TB_User (StrUserID, password, Status,GMrank,Name,Email,sex,certificate_num,address,postcode,phone,mobile ,regtime,reg_ip,sec_primary,sec_content,AccPlayTime,LatestUpdateTime_ToPlayTime) VALUES ('" . $username . "', '" . $password . "', 1, 0, '" . $Name . "', '" . $Email . "', '" . $sex . "', " . $certificate_num . ", " . $address . ", " . $postcode . ", " . $phone . ", " . $mobile . ", GETDATE(), '" . getenv("REMOTE_ADDR") . "', 3, 3, 0, 0) "; if ( !($result = $db_account->sql_query($sql)) ) { die('Could not insert data into users table<br /><br />' . $sql); } $message = 'Your account has been created.'; } $message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); $template->assign_vars(array( 'MESSAGE_TITLE' => "Registration Successful", 'MESSAGE_TEXT' => $message) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } } if ( $error ) { $password = ''; $password_confirm = ''; } if ( $registration_enabled ) { include($php_root_path . 'includes/page_header.'.$phpEx); if ( !isset($coppa) ) { $coppa = FALSE; } $s_hidden_fields = '<input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa" value="' . $coppa . '" />'; if ( $error ) { $template->set_filenames(array( 'reg_header' => 'error_body.tpl') ); $template->assign_vars(array( 'ERROR_MESSAGE' => $error_msg) ); $template->assign_var_from_handle('ERROR_BOX', 'reg_header'); } $template->set_filenames(array( 'body' => 'register_body.tpl') ); $template->assign_vars(array( 'USERNAME' => isset($username) ? $username : '', 'PASSWORD' => isset($password) ? $password : '', 'PASSWORD_CONFIRM' => isset($password_confirm) ? $password_confirm : '', 'NAME' => isset($Name) ? $Name : '', 'EMAIL' => isset($Email) ? $Email : '', 'EMAIL_CONFIRM' => isset($Email_confirm) ? $Email_confirm : '', 'SEX_M' => ( $sex=="M" ) ? '<option value="M" selected="selected">Male</option>' : '<option value="M">Male</option>', 'SEX_F' => ( $sex=="F" ) ? '<option value="F" selected="selected">Female</option>' : '<option value="F">Female</option>', 'ADDRESS' => $address!="NULL" ? $address : '', 'POSTCODE' => $postcode!="NULL" ? $postcode : '', 'PHONE' => $phone!="NULL" ? $phone : '', 'MOBILE' => $mobile!="NULL" ? $mobile : '', 'S_HIDDEN_FIELDS' => $s_hidden_fields) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { $message = '<br /><br />' . sprintf('Click %sHere%s to return to the Index<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />', '<a href="index.'.$phpEx.'">', '</a>'); include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); $template->assign_vars(array( 'MESSAGE_TITLE' => "Registration is Closed", 'MESSAGE_TEXT' => $message) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } ?> Quote Link to comment https://forums.phpfreaks.com/topic/282387-help-in-registration-security/ Share on other sites More sharing options...
Ch0cu3r Posted September 23, 2013 Share Posted September 23, 2013 How long have you had this script? Did you write it yourself? I'm not surprised you have been compromised. It is using old out dated code. The first thing I noticed is there is hardly any validation/sanitation of user input, unless this happening somewhere else. Â Imo, this script will require a complete re-write. If you can't do this yourself then you're better of hiring someone to do this for you. Â However looking at the code I expect this is from some form of third party CMS. You're better of seeing if there is an updated version or converting your site to some other third party CMS like wordpress, joomla which more up to date. Quote Link to comment https://forums.phpfreaks.com/topic/282387-help-in-registration-security/#findComment-1450885 Share on other sites More sharing options...
vinny42 Posted September 23, 2013 Share Posted September 23, 2013 The biggest threat is SQL-injection. The script takes data from the POST vars and puts it directly into the query, which means that a hacker can literally put anythng he wants into the query. That incluses subqueries that do nasty things like create new admin accounts, drop the entire database, etc. Â Like Ch0cu3r says: this script is old (http_post_bars has been removed from PHP for years) and needs to be re-written with security in mind. Quote Link to comment https://forums.phpfreaks.com/topic/282387-help-in-registration-security/#findComment-1450889 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.