
Help in registration security.


scott.timlock


Hello, I have this registration script in PHP... and it was recently compromised. I was hoping for some help in identifying any potential security issues that would allow a person to get userid, email, and password hashes from it.

<?php

define('NO_INCLUDE', 1);

$phpEx = "php";
$php_root_path = "./";
	
include($php_root_path . 'includes/common.'.$phpEx);

if ( isset($HTTP_POST_VARS['mode']) ) 
	$mode = $HTTP_POST_VARS['mode'];
elseif ( isset($HTTP_GET_VARS['mode']) )
	$mode = $HTTP_GET_VARS['mode'];
else $mode = 'register';

function show_coppa()
{
	global $template, $php_root_path, $phpEx;

	$template->set_filenames(array(
		'body' => 'agreement_body.tpl')
	);

	$template->pparse('body');
}

$error = FALSE;
$error_msg = '';
$page_title = ( $mode == 'register' ) ? "Register" : "Activate";
session_start();

if ( $mode == 'activate' )
{
	if( ( isset($HTTP_POST_VARS['activate']) || isset($HTTP_GET_VARS['activate']) ) && empty($_SESSION['logged_in']) )
	{
		$username = isset($HTTP_POST_VARS['StrUserID']) ? $HTTP_POST_VARS['StrUserID'] : '';
		$password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : '';
		
		$activation_code = isset($HTTP_POST_VARS['activation_code']) ? $HTTP_POST_VARS['activation_code'] : $HTTP_GET_VARS['act_code'];

		$sql = "SELECT JID, StrUserID, password, Name, Email, sex, certificate_num, address, postcode, phone, mobile, regtime, reg_ip, activation_code FROM TB_User_Info WHERE StrUserID = '" . $username . "'";
		if ( !($result = $db_account->sql_query($sql)) )
		{
			die('Error in obtaining user data');
		}

		if( $row = $db_account->sql_fetchrow($result) )
		{
			if( md5($password) == $row['password'] )
			{
				if( $activation_code == $row['activation_code'] )
				{
					if($row['certificate_num'] != "") $row['certificate_num'] = "'".$row['certificate_num']."'"; else $row['certificate_num'] = "NULL";
					if($row['address'] != "") $row['address'] = "'".$row['address']."'"; else $row['address'] = "NULL";
					if($row['postcode'] != "") $row['postcode'] = "'".$row['postcode']."'"; else $row['postcode'] = "NULL";
					if($row['phone'] != "") $row['phone'] = "'".$row['phone']."'"; else $row['phone'] = "NULL";
					if($row['mobile'] != "") $row['mobile'] = "'".$row['mobile']."'"; else $row['mobile'] = "NULL";
					$sql = "INSERT INTO TB_User (StrUserID, password, Status, GMrank, Name, Email, sex, certificate_num, address, postcode, phone, mobile, regtime, reg_ip, Time_log, sec_primary, sec_content)
							VALUES ('" . $row['StrUserID'] . "', '" . $row['password'] . "', '1', '0', '" . $row['Name'] . "', '" . $row['Email'] . "', '" . $row['sex'] . "', " . $row['certificate_num'] . ", " . $row['address'] . ", " . $row['postcode'] . ", " . $row['phone'] . ", " . $row['mobile'] . ", '" . $row['regtime'] . "', '" . $row['reg_ip'] . "', NULL, '3', '3') ";
					if ( !($result = $db_account->sql_query($sql)) )
					{
						die('Could not insert data into users table<br />'.$sql);
					}
					else
					{
						$message = 'Congratulations!!! Your account has successfuly been activated!<br /><br />You are now logged into the website and you can use your account information to login to any of our servers!<br /><br />Now would be a good time to visit our <a href="viewforum.php?f=12">Introduction & Recruitment Section</a> on our Community page and introduce yourself!<br /><br />We hope you enjoy your time with us at Silkroad Universe!';
					
						$sql = "DELETE FROM TB_User_Info WHERE JID = ".$row['JID'];
						if ( !($result = $db_account->sql_query($sql)) )
						{
							die('Could not delete temp activation data');
						}
						
						$sql = "SELECT JID, StrUserID, Name, Email, Status, sec_content FROM TB_User WHERE StrUserID = '" . $row['StrUserID'] . "'";
						if ( !($result = $db_account->sql_query($sql)) )
						{
							die('Error in obtaining user data');
						}
						$new_user = $db_account->sql_fetchrow($result);
						
						$_SESSION['JID'] = $new_user['JID'];
						$_SESSION['StrUserID'] = $new_user['StrUserID'];
						$_SESSION['Name'] = $new_user['Name'];
						$_SESSION['Email'] = $new_user['Email'];
						$_SESSION['Status'] = $new_user['Status'];
						$_SESSION['sec_content'] = $new_user['sec_content'];
						$_SESSION['session_id'] = session_id();
						$_SESSION['tracking_topics'] = array();
						$_SESSION['tracking_forums'] = array();
						$_SESSION['last_visit'] = ($_SESSION['last_pagevisit']+10800)<=time()?time():$_SESSION['last_visit'];
						$_SESSION['last_pagevisit'] = time();
						$_SESSION['logged_in'] = TRUE;
					}

					$message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>');

					include($php_root_path . 'includes/page_header.'.$phpEx);

					$template->set_filenames(array(
						'body' => 'message_body.tpl')
					);
					
					$template->assign_vars(array(
						'MESSAGE_TITLE' => "Registration Successful",
						'MESSAGE_TEXT' => $message)
					);

					$template->pparse('body');

					include($php_root_path . 'includes/page_footer.'.$phpEx);
				}
				else
				{
					$message_title = 'Your activation code did not match our records.';
				}
			}
			else
			{
				$message_title = 'You have specified an incorrect password.';
			}
		}
		else
		{
			$message_title = 'You have specified an incorrect username.';
		}
		
		$page_title = "Activation Error";
		include($php_root_path . 'includes/page_header.'.$phpEx);

		$template->set_filenames(array(
			'body' => 'message_body.tpl')
		);

		if( isset($HTTP_POST_VARS['redirect']) ) 
			$redir = '&redirect='.$HTTP_POST_VARS['redirect'];
		else
			$redir = '';
			
		$message_text = sprintf('Click %sHere%s to try again', '<a href="register.'.$phpEx.'?mode=activate'.$redir.'">', '</a>') . '<br /><br />' 
			. sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>');

		$template->assign_vars(array(
			'MESSAGE_TITLE' => $message_title,
			'MESSAGE_TEXT' => $message_text)
		);

		$template->pparse('body');

		include($php_root_path . 'includes/page_footer.'.$phpEx);
	}
	else
	{
		if ( empty($_SESSION['logged_in']) )
		{
			include($php_root_path . 'includes/page_header.'.$phpEx);

			$template->set_filenames(array(
				'body' => 'activate_body.tpl')
			);
			
			$s_hidden_fields = '';
			if( isset($HTTP_POST_VARS['act_code']) || isset($HTTP_GET_VARS['act_code']) )
			{
				$activation_code = isset($HTTP_GET_VARS['act_code']) ? $HTTP_GET_VARS['act_code'] : $HTTP_POST_VARS['act_code'];
				$s_hidden_fields = '<input type="hidden" name="activation_code" value="' . $activation_code . '" />';
			}
			else
			{
				$template->assign_block_vars('switch_enter_activation_code', array());
			}
			
			if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) ) 
			{
				$forward_page = isset($HTTP_GET_VARS['redirect']) ? $HTTP_GET_VARS['redirect'] : $HTTP_POST_VARS['redirect'];
				$s_hidden_fields .= '<input type="hidden" name="redirect" value="' . $forward_page . '" />';
			}

			$template->assign_vars(array(
				'S_HIDDEN_FIELDS' => $s_hidden_fields)
			);

			$template->pparse('body');

			include($php_root_path . 'includes/page_footer.'.$phpEx);
		}
		else
		{
			$page_title = "Activation Error";
			include($php_root_path . 'includes/page_header.'.$phpEx);

			$template->set_filenames(array(
				'body' => 'message_body.tpl')
			);

			if( isset($HTTP_POST_VARS['redirect']) ) 
				$redir = '&redirect='.$HTTP_POST_VARS['redirect'];
			else
				$redir = '';
			
			$message_title = 'You must log out to activate your account';
			$message_text = sprintf('Click %sHere%s to log out', '<a href="login.'.$phpEx.'?logout=true'.$redir.'">', '</a>') . '<br /><br />' 
				. sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>');

			$template->assign_vars(array(
				'MESSAGE_TITLE' => $message_title,
				'MESSAGE_TEXT' => $message_text)
			);

			$template->pparse('body');

			include($php_root_path . 'includes/page_footer.'.$phpEx);
		}
	}
}
elseif ( $mode == 'resend' )
{
	if( isset($HTTP_POST_VARS['resend']) || isset($HTTP_GET_VARS['resend']) )
	{
		$user_email = isset($HTTP_POST_VARS['user_email']) ? $HTTP_POST_VARS['user_email'] : '';

		$sql = "SELECT JID, StrUserID, Email, activation_code FROM TB_User_Info WHERE StrUserID = '" . $user_email . "' OR Email = '" . $user_email . "'";
		if ( !($result = $db_account->sql_query($sql)) )
		{
			die('Error in obtaining user data');
		}

		if( $row = $db_account->sql_fetchrow($result) )
		{
			$message = 'Your activation code has been resent to the account email you specified.';
		
			include($php_root_path . 'includes/emailer.'.$phpEx);
			$emailer = new emailer(true);

			$emailer->from('no-reply@sro-underground.com');
			$emailer->replyto('no-reply@sro-underground.com');

			$emailer->use_template('user_welcome_inactive');
			$emailer->email_address($row['Email']);
			$emailer->set_subject('Resend Activation');

			$emailer->assign_vars(array(
					'USERNAME' => $row['StrUserID'],
					'PASSWORD' => '************',
					'ACTIVATION_CODE' => $row['activation_code'],
					
					'U_ACTIVATE' => $server_addr . $server_script . 'register.php?mode=activate&act_code=' . $row['activation_code'])
				);

			$emailer->send();
			$emailer->reset();

			$message = $message . sprintf('Click %sHere%s to manually enter your activation code', '<a href="register.'.$phpEx.'?mode=activate">', '</a>') . '<br /><br />';
			$message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>');

			include($php_root_path . 'includes/page_header.'.$phpEx);

			$template->set_filenames(array(
				'body' => 'message_body.tpl')
			);
			
			$template->assign_vars(array(
				'MESSAGE_TITLE' => "Activation Resend Successful",
				'MESSAGE_TEXT' => $message)
			);

			$template->pparse('body');

			include($php_root_path . 'includes/page_footer.'.$phpEx);
		}
		else
		{
			$message_title = 'You have specified an incorrect username or email.';
		}
		
		$page_title = "Resend Activation Error";
		include($php_root_path . 'includes/page_header.'.$phpEx);

		$template->set_filenames(array(
			'body' => 'message_body.tpl')
		);

		if( isset($HTTP_POST_VARS['redirect']) ) 
			$redir = '&redirect='.$HTTP_POST_VARS['redirect'];
		else
			$redir = '';
			
		$message_text = sprintf('Click %sHere%s to try again', '<a href="register.'.$phpEx.'?mode=activate'.$redir.'">', '</a>') . '<br /><br />' 
			. sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>');

		$template->assign_vars(array(
			'MESSAGE_TITLE' => $message_title,
			'MESSAGE_TEXT' => $message_text)
		);

		$template->pparse('body');

		include($php_root_path . 'includes/page_footer.'.$phpEx);
	}
	else
	{
		include($php_root_path . 'includes/page_header.'.$phpEx);

		$template->set_filenames(array(
			'body' => 'activate_resend.tpl')
		);
		
		$s_hidden_fields = '';
		if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) ) 
		{
			$forward_page = isset($HTTP_GET_VARS['redirect']) ? $HTTP_GET_VARS['redirect'] : $HTTP_POST_VARS['redirect'];
			$s_hidden_fields .= '<input type="hidden" name="redirect" value="' . $forward_page . '" />';
		}

		$template->assign_vars(array(
			'S_HIDDEN_FIELDS' => $s_hidden_fields)
		);

		$template->pparse('body');

		include($php_root_path . 'includes/page_footer.'.$phpEx);
	}
}

elseif ( $mode == 'bademail' )
{
	if( isset($HTTP_POST_VARS['bademail']) || isset($HTTP_GET_VARS['bademail']) )
	{
		$Email = isset($HTTP_POST_VARS['Email']) ? $HTTP_POST_VARS['Email'] : '';
		$Email_new = isset($HTTP_POST_VARS['Email_new']) ? $HTTP_POST_VARS['Email_new'] : '';
		$Email_con = isset($HTTP_POST_VARS['Email_con']) ? $HTTP_POST_VARS['Email_con'] : '';
		$username = isset($HTTP_POST_VARS['StrUserID']) ? $HTTP_POST_VARS['StrUserID'] : '';
		$password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : '';

		$sql = "SELECT JID, StrUserID, Name, Email, password, activation_code
				FROM TB_User_Info WHERE StrUserID = '" . $username . "'";
		if ( !($result = $db_account->sql_query($sql)) )
		{
			die('Error in obtaining user data');
		}

		if( $row = $db_account->sql_fetchrow($result) )
		{
			if( md5($password) == $row['password'] )
			{
				if( $Email == $row['Email'] && $Email_new == $Email_con )
				{
					$sql = "SELECT Email FROM TB_User WHERE Email = '" . $Email . "' UNION ALL SELECT Email FROM TB_User_Info WHERE Email = '" . $Email . "'";
					if ( !($result = $db_account->sql_query($sql)) )
					{
						die('Error in obtaining email data');
					}
					if( $row = $db_account->sql_fetchrow($result) )
					{
						$message_title = 'The new email you entered is taken, please enter a new email.';
					}
					else
					{
						$message = 'Your activation code has been resent to the new email you specified and your old email has been updated.';
						
						$sql = "UPDATE TB_User_Info SET Email = '".$Email_new."' WHERE StrUserID = '".$username."' AND Email = '".$Email."' AND password = '".md5($password)."'";
						if ( !($result = $db_account->sql_query($sql)) )
						{
							die('Error in updating user data');
						}
			
						include($php_root_path . 'includes/emailer.'.$phpEx);
						$emailer = new emailer(true);

						$emailer->from('no-reply@sro-underground.com');
						$emailer->replyto('no-reply@sro-underground.com');

						$emailer->use_template('user_welcome_inactive');
						$emailer->email_address($Email_new);
						$emailer->set_subject('Resend Activation');

						$emailer->assign_vars(array(
								'USERNAME' => $row['StrUserID'],
								'PASSWORD' => '************',
								'ACTIVATION_CODE' => $row['activation_code'],
								
								'U_ACTIVATE' => $server_addr . $server_script . 'register.php?mode=activate&act_code=' . $row['activation_code'])
							);

						$emailer->send();
						$emailer->reset();

						
						$message = $message . sprintf('Click %sHere%s to manually enter your activation code', '<a href="register.'.$phpEx.'?mode=activate">', '</a>') . '<br /><br />';
						$message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>');

						include($php_root_path . 'includes/page_header.'.$phpEx);

						$template->set_filenames(array(
							'body' => 'message_body.tpl')
						);
						
						$template->assign_vars(array(
							'MESSAGE_TITLE' => "Activation Resend Successful",
							'MESSAGE_TEXT' => $message)
						);

						$template->pparse('body');

						include($php_root_path . 'includes/page_footer.'.$phpEx);
					}
				}
				else
				{
					$message_title = 'The old email you entered does not match the one we have on record, or your new emails did not match.';
				}
			}
			else
			{
				$message_title = 'You have specified an incorrect password, or your account has been blocked.';
			}
		}
		else
		{
			$message_title = 'You have specified an incorrect user name, or that account does not exist.';
		}
		
		$page_title = "Update Activation Error";
		include($php_root_path . 'includes/page_header.'.$phpEx);

		$template->set_filenames(array(
			'body' => 'message_body.tpl')
		);

		if( isset($HTTP_POST_VARS['redirect']) ) 
			$redir = '&redirect='.$HTTP_POST_VARS['redirect'];
		else
			$redir = '';
			
		$message_text = sprintf('Click %sHere%s to try again', '<a href="register.'.$phpEx.'?mode=bademail'.$redir.'">', '</a>') . '<br /><br />' 
			. sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>');

		$template->assign_vars(array(
			'MESSAGE_TITLE' => $message_title,
			'MESSAGE_TEXT' => $message_text)
		);

		$template->pparse('body');

		include($php_root_path . 'includes/page_footer.'.$phpEx);
	}
	else
	{
		include($php_root_path . 'includes/page_header.'.$phpEx);

		$template->set_filenames(array(
			'body' => 'activate_bademail.tpl')
		);
		
		$s_hidden_fields = '';
		if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) ) 
		{
			$forward_page = isset($HTTP_GET_VARS['redirect']) ? $HTTP_GET_VARS['redirect'] : $HTTP_POST_VARS['redirect'];
			$s_hidden_fields .= '<input type="hidden" name="redirect" value="' . $forward_page . '" />';
		}

		$template->assign_vars(array(
			'S_HIDDEN_FIELDS' => $s_hidden_fields)
		);

		$template->pparse('body');

		include($php_root_path . 'includes/page_footer.'.$phpEx);
	}
}

if ( $mode == 'register' && !isset($HTTP_POST_VARS['agreed']) && !isset($HTTP_GET_VARS['agreed']) )
{
	include($php_root_path . 'includes/page_header.'.$phpEx);

	show_coppa();

	include($php_root_path . 'includes/page_footer.'.$phpEx);
}

$coppa = ( empty($HTTP_POST_VARS['coppa']) && empty($HTTP_GET_VARS['coppa']) ) ? 0 : TRUE;

if ($mode == 'register')
{
	$username = ( !empty($HTTP_POST_VARS['StrUserID']) ) ? $HTTP_POST_VARS['StrUserID'] : '';
	
	$password = ( !empty($HTTP_POST_VARS['password']) ) ? $HTTP_POST_VARS['password'] : '';
	$password_confirm = ( !empty($HTTP_POST_VARS['password_confirm']) ) ? $HTTP_POST_VARS['password_confirm'] : '';
	
	$Email = ( !empty($HTTP_POST_VARS['Email']) ) ? $HTTP_POST_VARS['Email'] : '';
	$Email_confirm = ( !empty($HTTP_POST_VARS['Email_confirm']) ) ? $HTTP_POST_VARS['Email_confirm'] : '';
	$Name = ( !empty($HTTP_POST_VARS['Name']) ) ? $HTTP_POST_VARS['Name'] : '';
	$sex = ( !empty($HTTP_POST_VARS['sex']) ) ? $HTTP_POST_VARS['sex'] : '';
	$certificate_num = ( !empty($HTTP_POST_VARS['certificate_num']) ) ? $HTTP_POST_VARS['certificate_num'] : "NULL";
	$address = ( !empty($HTTP_POST_VARS['address']) ) ? $HTTP_POST_VARS['address'] : "NULL";
	$postcode = ( !empty($HTTP_POST_VARS['postcode']) ) ? $HTTP_POST_VARS['postcode'] : "NULL";
	$phone = ( !empty($HTTP_POST_VARS['phone']) ) ? $HTTP_POST_VARS['phone'] : "NULL";
	$mobile = ( !empty($HTTP_POST_VARS['mobile']) ) ? $HTTP_POST_VARS['mobile'] : "NULL";
}

if ($mode == 'register' && !empty($_SESSION['logged_in']) && $username == $_SESSION['StrUserID'])
{
	die("That username has already been taken");
}

if ( isset($HTTP_POST_VARS['submit']) && $registration_enabled )
{
	if ( $mode == 'register' )
	{
		// strpos() takes the haystack first; the original had the arguments reversed, so the name/email check never matched
		if ( getenv("REMOTE_ADDR") == "84.25.0.224" || getenv("REMOTE_ADDR") == "95.154.230.191" || getenv("REMOTE_ADDR") == "66.90.101.217" || strpos(strtolower($Email), "tunay") !== false || strpos(strtolower($Name), "tunay") !== false )
		{
			$error = TRUE;
			$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'You have been banned from this website.';
		}
	}
	
	$passwd_sql = '';
	if ( $mode == 'register' )
	{
		if ( empty($username) || empty($password) || empty($password_confirm) || empty($Email) || empty($Email_confirm) || empty($Name) )
		{
			$error = TRUE;
			$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'You must fill in all the required fields.';
		}
	}

	$passwd_sql = '';
	if ( !empty($password) && !empty($password_confirm) )
	{
		if ( $password != $password_confirm )
		{
			$error = TRUE;
			$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The passwords you entered did not match.';
		}
		elseif ( strlen($password_confirm) < 6 )
		{
			$error = TRUE;
			$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your password must be no less than 6 characters.';
		}
		elseif ( strlen($password_confirm) > 32 )
		{
			$error = TRUE;
			$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your password must be no more than 32 characters.';
		}
		elseif(!ctype_alnum($password))
		{
			$error = TRUE;
			$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your password should be characters and numbers only.';
		}
		else
		{
			if ( !$error )
			{
				$password = md5($password);
				$passwd_sql = "password = '$password', ";
			}
		}
	}
	else if ( ( empty($password) && !empty($password_confirm) ) || ( !empty($password) && empty($password_confirm) ) )
	{
		$error = TRUE;
		$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The passwords you entered did not match.';
	}
	
	$username_sql = ''; $email_sql = '';
	if ( $mode == 'register' )
	{
		if ( empty($username) )
		{
			$error = TRUE;
		}
		else if ( $username != $_SESSION['StrUserID'] || $mode == 'register')
		{
			$sql = "SELECT StrUserID FROM TB_User WHERE StrUserID = '" . $username . "' UNION ALL SELECT StrUserID FROM TB_User_Info WHERE StrUserID = '" . $username . "'";
			if ( !($result = $db_account->sql_query($sql)) )
			{
				die('Error in obtaining username data');
			}
			if( $row = $db_account->sql_fetchrow($result) )
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Please pick another username, that username has already been taken.';
			}
			elseif ( strlen($username) < 6 )
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your username must be no less than 6 characters.';
			}
			elseif ( strlen($username) > 32 )
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your username must be no more than 32 characters.';
			}
			elseif(!ctype_alnum($username))
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your username should be characters and numbers only.';
			}
			if (!$error)
			{
				$username_sql = "StrUserID = '" . $username . "', ";
			}
		}
		
		if ( empty($Email) || empty($Email_confirm) )
		{
			$error = TRUE;
		}
		elseif ( $Email != $_SESSION['Email'] || $mode == 'register' )
		{
			$sql = "SELECT Email FROM TB_User WHERE Email = '" . $Email . "' UNION ALL SELECT Email FROM TB_User_Info WHERE Email = '" . $Email . "'";
			if ( !($result = $db_account->sql_query($sql)) )
			{
				die('Error in obtaining email data');
			}
			if( $row = $db_account->sql_fetchrow($result) )
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Please use another email, that email has already been taken.';
			}
			elseif(!filter_var($Email, FILTER_VALIDATE_EMAIL) || !filter_var($Email_confirm, FILTER_VALIDATE_EMAIL))
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The email you entered is not a valid format.';
			}
			elseif( $Email != $Email_confirm )
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The emails you entered did not match.';
			}
			elseif( strpos($Email, '@walla.com') )
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'invalid email address.';
			}
			if (!$error)
			{
				$email_sql = "Email = '" . $Email . "', ";
			}
		}
		
		if ( $mode == 'register' )
		{
			$sql = "SELECT COUNT(reg_ip) AS Cnt FROM TB_User WHERE reg_ip = '" . getenv("REMOTE_ADDR") . "' UNION ALL SELECT COUNT(reg_ip) AS Cnt FROM TB_User_Info WHERE reg_ip = '" . getenv("REMOTE_ADDR") . "'";
			if ( !($result = $db_account->sql_query($sql)) )
			{
				die('Error in obtaining reg_ip data');
			}
			$row = $db_account->sql_fetchrow($result);
			if( $row['Cnt'] > 2 )
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The account limit has been reached for this IP address.';
			}
		}
		
		if ( empty($Name) )
		{
			$error = TRUE;
		}
		elseif ( $Name != $_SESSION['Name'] || $mode == 'register' )
		{
			if(substr_count($Name, ' ') > 1)
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your display name can contain only 1 space.';
			}
			if(!ctype_alnum(str_replace(' ','x', $Name)))
			{
				$error = TRUE;
				$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your display name should be characters and numbers only.';
			}
			if (!$error)
			{
				$name_sql = "Name = '" . $Name . "', ";
			}
		}
	}

	if ( !$error )
	{
		if($email_activation_enabled && $mode == 'register')
		{
			$sql = "SELECT MAX(JID) AS total
				FROM TB_User_Info";
			if ( !($result = $db_account->sql_query($sql)) )
			{
				die('Could not obtain next user_id information');
			}
			$row = $db_account->sql_fetchrow($result);
			$user_id = $row['total'] + 1;
			
			$activation_code = sha1("" . getenv("REMOTE_ADDR") . $Email . "");
			
			if($certificate_num != "NULL") $certificate_num = "'".$certificate_num."'";
			if($address != "NULL") $address = "'".$address."'";
			if($postcode != "NULL") $postcode = "'".$postcode."'";
			if($phone != "NULL") $phone = "'".$phone."'";
			if($mobile != "NULL") $mobile = "'".$mobile."'";
			$sql = "INSERT INTO TB_User_Info (JID, StrUserID, password, Name, Email, sex, certificate_num, address, postcode, phone, mobile, regtime, reg_ip, activation_code)
				VALUES ('" . $user_id . "', '" . $username . "', '" . $password . "', '" . $Name . "', '" . $Email . "', '" . $sex . "', " . $certificate_num . ", " . $address . ", " . $postcode . ", " . $phone . ", " . $mobile . ", GETDATE(), '" . getenv("REMOTE_ADDR") . "', '" . $activation_code . "') ";

			if ( !($result = $db_account->sql_query($sql)) )
			{
				die('Could not insert data into temp users table<br /><br />' . $sql);
			}

			$message = 'Your account has been created. However, this site requires account activation. An activation key has been sent to the e-mail address you provided.<br />Please check your e-mail for further information';
			
			include($php_root_path . 'includes/emailer.'.$phpEx);
			$emailer = new emailer(true);

			$emailer->from('no-reply@sro-underground.com');
			$emailer->replyto('no-reply@sro-underground.com');

			$emailer->use_template('user_welcome_inactive');
			$emailer->email_address($Email);
			$emailer->set_subject('Welcome to Silkroad Underground');

			$emailer->assign_vars(array(
					'USERNAME' => $username,
					'PASSWORD' => $password_confirm,
					'ACTIVATION_CODE' => $activation_code,
					
					'U_ACTIVATE' => $server_addr . $server_script . 'register.php?mode=activate&act_code=' . $activation_code)
				);

			$emailer->send();
			$emailer->reset();
		}
		elseif ($mode == 'register')
		{
			if($certificate_num != "NULL") $certificate_num = "'".$certificate_num."'";
			if($address != "NULL") $address = "'".$address."'";
			if($postcode != "NULL") $postcode = "'".$postcode."'";
			if($phone != "NULL") $phone = "'".$phone."'";
			if($mobile != "NULL") $mobile = "'".$mobile."'";
			$sql = "INSERT INTO TB_User (StrUserID, password, Status,GMrank,Name,Email,sex,certificate_num,address,postcode,phone,mobile ,regtime,reg_ip,sec_primary,sec_content,AccPlayTime,LatestUpdateTime_ToPlayTime)
				VALUES ('" . $username . "', '" . $password . "', 1, 0, '" . $Name . "', '" . $Email . "', '" . $sex . "', " . $certificate_num . ", " . $address . ", " . $postcode . ", " . $phone . ", " . $mobile . ", GETDATE(), '" . getenv("REMOTE_ADDR") . "', 3, 3, 0, 0) ";

			if ( !($result = $db_account->sql_query($sql)) )
			{
				die('Could not insert data into users table<br /><br />' . $sql);
			}

			$message = 'Your account has been created.';
		}

		$message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>');

		include($php_root_path . 'includes/page_header.'.$phpEx);

		$template->set_filenames(array(
			'body' => 'message_body.tpl')
		);
		
		$template->assign_vars(array(
			'MESSAGE_TITLE' => "Registration Successful",
			'MESSAGE_TEXT' => $message)
		);

		$template->pparse('body');

		include($php_root_path . 'includes/page_footer.'.$phpEx);
	}
}

if ( $error )
{
	$password = '';
	$password_confirm = '';
}

if ( $registration_enabled )
{
	include($php_root_path . 'includes/page_header.'.$phpEx);

	if ( !isset($coppa) )
	{
		$coppa = FALSE;
	}

	$s_hidden_fields = '<input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa" value="' . $coppa . '" />';

	
	if ( $error )
	{
		$template->set_filenames(array(
			'reg_header' => 'error_body.tpl')
		);
		$template->assign_vars(array(
			'ERROR_MESSAGE' => $error_msg)
		);
		$template->assign_var_from_handle('ERROR_BOX', 'reg_header');
	}

	$template->set_filenames(array(
		'body' => 'register_body.tpl')
	);

	$template->assign_vars(array(
		'USERNAME' => isset($username) ? $username : '',
		'PASSWORD' => isset($password) ? $password : '',
		'PASSWORD_CONFIRM' => isset($password_confirm) ? $password_confirm : '',
		'NAME' => isset($Name) ? $Name : '',
		'EMAIL' => isset($Email) ? $Email : '',
		'EMAIL_CONFIRM' => isset($Email_confirm) ? $Email_confirm : '',
		'SEX_M' => ( $sex=="M" ) ? '<option value="M" selected="selected">Male</option>' : '<option value="M">Male</option>',
		'SEX_F' => ( $sex=="F" ) ? '<option value="F" selected="selected">Female</option>' : '<option value="F">Female</option>',
		'ADDRESS' => $address!="NULL" ? $address : '',
		'POSTCODE' => $postcode!="NULL" ? $postcode : '',
		'PHONE' => $phone!="NULL" ? $phone : '',
		'MOBILE' => $mobile!="NULL" ? $mobile : '',
		'S_HIDDEN_FIELDS' => $s_hidden_fields)
	);

	$template->pparse('body');

	include($php_root_path . 'includes/page_footer.'.$phpEx);
}
else
{
	$message = '<br /><br />' . sprintf('Click %sHere%s to return to the Index<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />', '<a href="index.'.$phpEx.'">', '</a>');

	include($php_root_path . 'includes/page_header.'.$phpEx);

	$template->set_filenames(array(
		'body' => 'message_body.tpl')
	);
	
	$template->assign_vars(array(
		'MESSAGE_TITLE' => "Registration is Closed",
		'MESSAGE_TEXT' => $message)
	);

	$template->pparse('body');

	include($php_root_path . 'includes/page_footer.'.$phpEx);
}

?>

How long have you had this script? Did you write it yourself? I'm not surprised you have been compromised. It is using old, outdated code. The first thing I noticed is there is hardly any validation/sanitation of user input, unless this is happening somewhere else.

Imo, this script will require a complete re-write. If you can't do this yourself then you're better off hiring someone to do this for you.

However, looking at the code, I expect this is from some form of third-party CMS. You're better off seeing if there is an updated version or converting your site to some other third-party CMS like WordPress or Joomla, which are more up to date.


The biggest threat is SQL injection. The script takes data from the POST vars and puts it directly into the query, which means that a hacker can literally put anything he wants into the query. That includes subqueries that do nasty things like create new admin accounts, drop the entire database, etc.

Like Ch0cu3r says: this script is old ($HTTP_POST_VARS has been removed from PHP for years) and needs to be re-written with security in mind.
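The rewrite the replies call for, as an added example that is not code from the original post: the 'activate' path of the script above using PDO prepared statements, so request values travel separately from the query text and can never become part of it, with password_hash() in place of the unsalted md5() the script stores. Table and column names come from the posted script; the $pdo connection (opened elsewhere with PDO::ERRMODE_EXCEPTION), the password_hash() storage format and the $_POST field names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes $pdo is a PDO
// connection created elsewhere with PDO::ERRMODE_EXCEPTION, so a failed
// query throws instead of returning false as $db_account->sql_query() does.

/** Look up a pending registration by username. A quote character in
 *  $username cannot end the string literal, because the value is bound to
 *  the placeholder rather than concatenated into the SQL text. */
function find_pending_user(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT JID, StrUserID, password, Name, Email, regtime, reg_ip, activation_code
           FROM TB_User_Info
          WHERE StrUserID = :user'
    );
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Hash for storage at registration time. Replaces md5($password), which has
 *  no salt, so equal passwords produce equal hashes in a leaked table. */
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Same decision as the nested md5()/== checks in the script, using
 *  password_verify() for the password and a constant-time comparison
 *  for the activation code. */
function activation_allowed(array $row, string $password, string $code): bool
{
    return password_verify($password, $row['password'])
        && hash_equals($row['activation_code'], $code);
}

/** The script derives the code as sha1(REMOTE_ADDR . Email); a random
 *  token is not reproducible from the registrant's own details. */
function new_activation_code(): string
{
    return bin2hex(random_bytes(16));
}

/** INSERT into TB_User and DELETE from TB_User_Info as one transaction,
 *  so a failure between the two cannot leave the account in both tables
 *  or in neither, as the two separate sql_query() calls in the script can. */
function promote_pending_user(PDO $pdo, array $row): void
{
    $pdo->beginTransaction();
    try {
        $ins = $pdo->prepare(
            'INSERT INTO TB_User
                 (StrUserID, password, Status, GMrank, Name, Email, regtime, reg_ip, sec_primary, sec_content)
             VALUES (:user, :pass, 1, 0, :name, :email, :regtime, :ip, 3, 3)'
        );
        $ins->execute([
            ':user'    => $row['StrUserID'],
            ':pass'    => $row['password'],   // already a password_hash() value
            ':name'    => $row['Name'],
            ':email'   => $row['Email'],
            ':regtime' => $row['regtime'],
            ':ip'      => $row['reg_ip'],
        ]);
        $del = $pdo->prepare('DELETE FROM TB_User_Info WHERE JID = :jid');
        $del->execute([':jid' => $row['JID']]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Usage inside the 'activate' branch ($_POST replaces $HTTP_POST_VARS;
// field names are the ones the posted form uses, assumed unchanged):
// $row = find_pending_user($pdo, $_POST['StrUserID'] ?? '');
// if ($row !== null
//     && activation_allowed($row, $_POST['password'] ?? '', $_POST['activation_code'] ?? '')) {
//     promote_pending_user($pdo, $row);
// }
```

The same placeholder pattern applies to every other query in the script (the username/email uniqueness checks, the reg_ip count and the INSERT at registration); none of them needs the manual "'" . $value . "'" quoting once values are bound.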
