darkfreaks Posted February 9, 2008

my signup form and class will let people signup without verification. and allows blank usernames. anyone know why and how to fix?

registerform.php:

```php
<?php
/* DO NOT REMOVE */
if (!defined('QUADODO_IN_SYSTEM')) {
    exit;
}
/*****************/
?>
<fieldset>
    <legend>
        <?php echo REGISTER_LABEL; ?>
    </legend>
    <form action="register.php<?php if (isset($_GET['code'])) { ?>?code=<?php echo htmlentities($_GET['code']); } ?>" method="post">
        <input type="hidden" name="process" value="true" />
        <input type="hidden" name="random_id" value="<?php echo $random_id; ?>" />
        <input type="hidden" name="ip" value="<?php echo $ip; ?>">
        <table>
            <tr>
                <td>
                    <?php echo USERNAME_LABEL; ?>
                </td>
                <td>
                    <input type="text" name="username" maxlength="<?php echo $qls->config['max_username']; ?>" />
                    <?php
                    $username= $_GET['username'];
                    if(empty($username)){ echo "Please Insert a Username!";}
                    ?>
                </td>
            </tr>
            <tr>
                <td>
                    <?php echo PASSWORD_LABEL; ?>
                </td>
                <td>
                    <input type="password" name="password" maxlength="<?php echo $qls->config['max_password']; ?>" />
                </td>
            </tr>
            <tr>
                <td>
                    <?php echo PASSWORD_CONFIRM_LABEL; ?>
                </td>
                <td>
                    <input type="password" name="password_c" maxlength="<?php echo $qls->config['max_password']; ?>" />
                    <?php
                    $password= $_GET['password'];
                    if(empty($password)){ echo "Please Insert a Password!";}
                    ?>
                </td>
            </tr>
            <tr>
                <td>
                    <?php echo EMAIL_LABEL; ?>
                </td>
                <td>
                    <input type="text" name="email" maxlength="100" />
                    <?php
                    $email= $_GET['email'];
                    if(empty($email)){ echo "Please Insert an email!";}
                    ?>
                </td>
            </tr>
            <tr>
                <td>
                    <?php echo EMAIL_CONFIRM_LABEL; ?>
                </td>
                <td>
                    <input type="text" name="email_c" maxlength="100" />
                    <?php
                    $emailconfirm=$_GET['email_c'];
                    if(empty($emailconfirm)){ echo "Please Insert an email!";}
                    ?>
                </td>
            </tr>
<?php
/* START SECURITY IMAGE */
if ($qls->config['security_image'] == 'yes') {
?>
            <tr>
                <td colspan="2" align="center">
                    <img src="security_image.php?id=<?php echo $random_id; ?>" border="0" alt="Security Image" />
                </td>
            </tr>
            <tr>
                <td>
                    <?php echo SECURITY_CODE_LABEL; ?>
                </td>
                <td>
                    <input type="text" name="security_code" maxlength="8" />
                </td>
            </tr>
<?php
}
/* END SECURITY IMAGE */
?>
            <tr>
                <td> </td>
                <td>
                    <input type="submit" value="<?php echo REGISTER_SUBMIT_LABEL; ?>" />
                </td>
            </tr>
        </table>
    </form>
    By Clicking on Submit you agree to <a href="therules.php">The Rules</a> of this site<br>
    Your IP has also been recorded
</fieldset>
```

register.php:

```php
<?php
define('QUADODO_IN_SYSTEM', true);
require_once('includes/header2.php');
$qls->Security->check_auth_registration();
?>
<?php
/*** *** *** *** *** ***
* @package Quadodo Login Script
* @file    register.php
* @start   July 25th, 2007
* @author  Douglas Rennehan
* @license http://www.opensource.org/licenses/gpl-license.php
* @version 1.0.1
* @link    http://webhelp.pcriot.com
*** *** *** *** *** ***
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*** *** *** *** *** ***
* Comments are always before the code they are commenting.
*** *** *** *** *** ***/

// Is the user logged in already?
if ($qls->user_info['username'] == '') {
    if (isset($_POST['process'])) {
        // Try to register the user
        if ($qls->User->register_user()) {
            switch ($qls->config['activation_type']) {
                default:
                    echo REGISTER_SUCCESS_NO_ACTIVATION;
                    break;
                case 1:
                    echo REGISTER_SUCCESS_USER_ACTIVATION;
                    break;
                case 2:
                    echo REGISTER_SUCCESS_ADMIN_ACTIVATION;
                    break;
            }
        }
        else {
            // Output register error
            echo $qls->User->register_error . REGISTER_TRY_AGAIN;
        }
    }
    else {
        // Get the random id for use in the form
        $random_id = $qls->Security->generate_random_id();
        require_once('html/register_form.php');
    }
}
else {
    echo REGISTER_ALREADY_LOGGED;
}
?>
```

Security.php (check_auth function):

```php
function check_auth_registration() {
    if ($this->qls->config['auth_registration'] == 0) {
        // See if the code is set
        $code = (isset($_GET['code']) && strlen($_GET['code']) == 40 && preg_match('/^[a-fA-F0-9]{40}$/', $_GET['code'])) ? $this->make_safe($_GET['code']) : false;
        $result = $this->qls->SQL->query("SELECT `used` FROM `{$this->qls->config['sql_prefix']}invitations` WHERE `code`='{$code}'");
        $row = $this->qls->SQL->fetch_array($result);

        if ($row['used'] == 1 || $row['used'] == '') {
            die(REGISTER_CODE_INVALID);
        }
    }
}
```
kts Posted February 9, 2008

for starters you need method="get" if that's what you want to use in the <form> tag
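The form in the first post submits with method="post", while its emptiness checks read `$_GET` and only print a message when the form is rendered. As an added example (not part of the thread and not Quadodo code), here is one way to validate the posted fields on the server before registration runs; `validate_registration_input()` and the limits passed to it are hypothetical.

```php
<?php
// Added example, not Quadodo code: validate_registration_input() is hypothetical.
// Field names match the form in this thread; the limits stand in for
// $qls->config['max_username'] and $qls->config['max_password'].
function validate_registration_input(array $post, int $maxUsername, int $maxPassword): array
{
    // Missing keys and non-string values (e.g. username[]=x) are treated as empty.
    $raw = function (string $name) use ($post): string {
        return (isset($post[$name]) && is_string($post[$name])) ? $post[$name] : '';
    };
    $errors = [];

    $username = trim($raw('username'));
    if ($username === '') {
        $errors[] = 'Please insert a username.';
    } elseif (strlen($username) > $maxUsername) {
        // maxlength in the HTML is only a browser-side hint; enforce it here too.
        $errors[] = 'Username is too long.';
    }

    $password = $raw('password'); // not trimmed: spaces may be part of a password
    if ($password === '') {
        $errors[] = 'Please insert a password.';
    } elseif (strlen($password) > $maxPassword) {
        $errors[] = 'Password is too long.';
    } elseif ($password !== $raw('password_c')) {
        $errors[] = 'Passwords do not match.';
    }

    $email = trim($raw('email'));
    if ($email === '') {
        $errors[] = 'Please insert an email address.';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    } elseif ($email !== trim($raw('email_c'))) {
        $errors[] = 'Email addresses do not match.';
    }

    return $errors; // an empty array means the submission may proceed
}

// Constructed sample submission: whitespace-only username, mismatched email confirmation.
$sample = [
    'username' => '   ', 'password' => 'correct horse', 'password_c' => 'correct horse',
    'email' => 'a@example.com', 'email_c' => 'b@example.com',
];
print_r(validate_registration_input($sample, 20, 20));
```

In register.php a check like this would run on `$_POST` inside the `isset($_POST['process'])` branch, before the registration call.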
darkfreaks Posted February 9, 2008

also i pulled more code from classusers.php

```php
<?php
function check_password_code() {
    $code = $this->qls->Security->make_safe($_GET['code']);
    $result = $this->qls->SQL->select('*',
        'password_requests',
        array('code' =>
            array(
                '=',
                $code
            )
        )
    );
    $row = $this->qls->SQL->fetch_array($result);

    if ($row['id'] != '' && $row['used'] != 1) {
        return true;
    }
    else {
        return false;
    }
}
?>
```
darkfreaks Posted February 9, 2008

sorry this is the right user class function not the password one:

```php
function check_activated_accounts() {
    $groups_result = $this->qls->SQL->query("SELECT * FROM `{$this->qls->config['sql_prefix']}groups` WHERE `expiration_date`<>0");

    // Get the groups and put them into a variable
    while ($groups_row = $this->qls->SQL->fetch_array($groups_result)) {
        // Find the amount of seconds the admin entered
        $in_seconds = time() - ($groups_row['expiration_date'] * 86400);
        $users_result = $this->qls->SQL->query("SELECT * FROM `{$this->qls->config['sql_prefix']}users` WHERE `group_id`={$groups_row['id']} AND `activation_time`<{$in_seconds} AND `active`='yes'");

        while ($users_row = $this->qls->SQL->fetch_array($users_result)) {
            // Un-activate them
            $this->qls->SQL->update('users',
                array(
                    'active' => 'no'
                ),
                array('id' =>
                    array(
                        '=',
                        $users_row['id']
                    )
                )
            );
        }
    }
}

/**
 * Checks the password code via the GET method
 * @return true if valid false if not
 */
function check_password_code() {
    $code = $this->qls->Security->make_safe($_GET['code']);
    $result = $this->qls->SQL->select('*',
        'password_requests',
        array('code' =>
            array(
                '=',
                $code
            )
        )
    );
    $row = $this->qls->SQL->fetch_array($result);

    if ($row['id'] != '' && $row['used'] != 1) {
        return true;
    }
    else {
        return false;
    }
}
```
darkfreaks Posted February 9, 2008

anyone ???
darkfreaks Posted February 9, 2008

if i need to paste the whole security and user class someone let me know i just want to get this exploit fixed
trq Posted February 9, 2008

The problem isn't likely to be that you're not posting enough code, but too much. Narrow your problem down to the relevant parts only. I for one am not going to sift through a hundred odd lines.