acemi
Starting Member
16 Posts
Posted - 17 May 2002 : 19:21:39
All forums/topics (including private forums) can be read by an attacker using an attacker-made cookie. It's enough to change the username in the cookie to an administrator's name.
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 18 May 2002 : 03:51:38
You would still need the admin's password; just having the username would not let you in.
acemi
Starting Member
16 Posts
Posted - 18 May 2002 : 05:05:13
quote: You would still need the admin's password; just having the username would not let you in.
Right, to post a message or to view admin options pages I need to log in, but to view private/hidden forums/topics it's enough to change the cookie.
This vulnerability affects the MODs too. For example, someone can view all private messages using this vulnerability.
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 18 May 2002 : 05:58:16
So you think you can just edit a cookie and change the username and you'll be able to do things as that username? Just tried it, doesn't work.
blackinwhite
Average Member
Turkey
657 Posts
Posted - 18 May 2002 : 07:05:01
quote:
For example, I can see the last message of Reinsnitz in topic "New version suggesting to Admins" in forum "Ze Admin Discussions (General)" in category "Ze Moderator/Admin Forums".
Hrm... looks like you've had some interesting posts lately :)...
Note: Sorry for the example :(
Possibly it's correct, especially for the "selected-user specified" forums.
I think it just looks for the member name, whether it's on the list.
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 18 May 2002 : 07:21:52
acemi,
Why don't you send me an e-mail detailing exactly what you are doing, because I still can't duplicate it.
Also, I've tried to reply to the e-mail you sent me last night twice now, but I get this back after a few hours:
The following message, addressed to: acemi_5@yahoo.com is still undelivered after 5 attempts, and will be deleted from message queue.
acemi
Starting Member
16 Posts
Posted - 18 May 2002 : 07:30:42
OK. I'll send you an e-mail in a few minutes.
blackinwhite
Average Member
Turkey
657 Posts
Posted - 18 May 2002 : 07:34:44
Richard,
I think his sayings about the mods also seem correct.
This is what many mods have for user verification:
<% if strDBNTUserName = "" Then
    Response.Redirect "default.asp"
    Response.End
else
and
strDBNTUserName =
in inc_top.asp:
strDBNTUserName = Request.Cookies(strUniqueID & "User")("Name")
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 18 May 2002 : 09:20:52
acemi, I e-mailed you back, but it bounced again.
Can you try using that hack again? It should not work anymore.
acemi
Starting Member
16 Posts
Posted - 18 May 2002 : 09:44:34
quote: Can you try using that hack again? It should not work anymore.
Great, it doesn't work now.
I'm waiting for the fix now (for my forum).
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 18 May 2002 : 09:49:50
What? You don't already know the fix?
acemi
Starting Member
16 Posts
Posted - 18 May 2002 : 10:02:39
An official fix will be better. I can fix this, but maybe it would affect the other parts badly because I don't know the Snitz forum's code very well.
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 18 May 2002 : 10:06:40
inc_top.asp was easy, just had to replace some code. inc_top_short.asp is a little harder because inc_functions.asp isn't always available as an include. I just added the needed functions from inc_functions.asp to the bottom of inc_top_short.asp and changed the function names just a little bit.
Here is the fix for inc_top.asp:
find this section of code:
strDBNTUserName = Request.Cookies(strUniqueID & "User")("Name")
strDBNTFUserName = Request.Form("Name")
if strAuthType = "nt" then
    strDBNTUserName = Session(strCookieURL & "userID")
    strDBNTFUserName = Session(strCookieURL & "userID")
end if
and replace it with this:
if strAuthType = "db" then
    if (Request.Cookies(strUniqueID & "User")("Name") <> "" and Request.Cookies(strUniqueID & "User")("PWord") <> "") then
        '## Forum_SQL
        strSql = "SELECT MEMBER_ID, M_NAME, M_PASSWORD "
        strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS "
        strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(Request.Cookies(strUniqueID & "User")("Name"), "SQLString") & "' "
        strSql = strSql & " AND M_PASSWORD = '" & ChkString(Request.Cookies(strUniqueID & "User")("Pword"), "SQLString") & "'"
        Set rsCheck = my_Conn.Execute(strSql)
        if rsCheck.BOF or rsCheck.EOF then
            Call ClearCookies()
            strDBNTUserName = ""
        else
            strDBNTUserName = rsCheck("M_NAME")
        end if
        rsCheck.close
        set rsCheck = nothing
    else
        strDBNTUserName = ""
    end if
end if
strDBNTFUserName = Request.Form("Name")
if strAuthType = "nt" then
    strDBNTUserName = Session(strCookieURL & "userID")
    strDBNTFUserName = Session(strCookieURL & "userID")
end if
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 18 May 2002 : 10:22:53
And here is the fixed inc_top_short.asp file:
see below for new links |
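Added example (not part of the thread, and not Snitz code, which is ASP/VBScript): a Python model of the two inc_top.asp behaviours discussed above, the original name-from-cookie lookup and RichardKinser's fix that requires Name and PWord to match a MEMBERS row, plus the MOD gate blackinwhite quoted and a name-only "selected users" forum check. The table name, member rows, cookie contents and forum list are constructed; a parameterized query stands in for Snitz's ChkString(..., "SQLString") escaping; the cookie's PWord is compared directly with M_PASSWORD, as the posted fix does.

```python
import sqlite3

# Constructed sample data: hypothetical members and the stored M_PASSWORD
# value a valid cookie must carry (the posted fix compares PWord to
# M_PASSWORD as-is, so whatever the column holds is what the cookie holds).
MEMBERS = [
    (1, "admin", "stored-pw-admin"),
    (2, "alice", "stored-pw-alice"),
]
# Constructed "selected users" list for a private forum.
PRIVATE_FORUM_READERS = {"admin"}


def make_db():
    """In-memory stand-in for the FORUM_MEMBERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE FORUM_MEMBERS (MEMBER_ID INTEGER PRIMARY KEY, "
        "M_NAME TEXT NOT NULL, M_PASSWORD TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO FORUM_MEMBERS VALUES (?, ?, ?)", MEMBERS)
    return conn


def resolve_user_before_fix(cookie):
    """Original inc_top.asp behaviour: strDBNTUserName is whatever the
    cookie's Name sub-key says.  Nothing ties it to the PWord sub-key,
    so a cookie containing only Name=admin is enough."""
    return cookie.get("Name", "")


def resolve_user_after_fix(conn, cookie):
    """Posted fix: Name and PWord must both be present and must match one
    MEMBERS row; otherwise the cookie is cleared and the user is anonymous."""
    name = cookie.get("Name", "")
    pword = cookie.get("PWord", "")
    if not name or not pword:
        return ""
    # Parameterized query here instead of ChkString(..., "SQLString").
    row = conn.execute(
        "SELECT M_NAME FROM FORUM_MEMBERS WHERE M_NAME = ? AND M_PASSWORD = ?",
        (name, pword),
    ).fetchone()
    if row is None:
        cookie.clear()  # models Call ClearCookies()
        return ""
    return row[0]  # name as stored in the row, like rsCheck("M_NAME")


def mod_gate(user_name):
    """The MOD check quoted in the thread: empty name -> redirect."""
    return "allowed" if user_name else "redirect default.asp"


def can_read_private_forum(user_name):
    """Name-only membership test for a selected-users forum.  Safe only if
    user_name came from the verified lookup, not straight from the cookie."""
    return user_name in PRIVATE_FORUM_READERS


if __name__ == "__main__":
    conn = make_db()
    forged = {"Name": "admin"}  # attacker-made cookie, no password
    before = resolve_user_before_fix(forged)
    after = resolve_user_after_fix(conn, dict(forged))
    print("before fix:", repr(before), can_read_private_forum(before))
    print("after fix: ", repr(after), can_read_private_forum(after))
```

With the forged cookie the pre-fix lookup yields "admin" and the private-forum check passes; the post-fix lookup yields "" (and clears the cookie), so both the MOD gate and the forum check deny. A genuine cookie carrying the stored M_PASSWORD value still resolves to the member.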
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 18 May 2002 : 10:25:37
acemi, isn't it so much better for everyone to handle this here than in bugtrack?
Edited by - ruirib on 18 May 2002 10:27:06