Snitz Forums 2000
DEV Bug Reports (Open): (v3.1SR4)&(v3.3.xx) security related bug - cookie
acemi
Starting Member

16 Posts

Posted - 17 May 2002 :  19:21:39
All forums/topics (including private forums) can be read by an attacker using an attacker-made cookie. It's enough to change the username in the cookie to an administrator's name.

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 18 May 2002 :  03:51:38
You would still need the admin's password; just having the username would not let you in.


acemi
Starting Member

16 Posts

Posted - 18 May 2002 :  05:05:13
quote:
You would still need the admin's password; just having the username would not let you in.

Right, to post a message or to view the admin options pages I need to log in, but to view private/hidden forums/topics it's enough to change the cookie.

This vulnerability affects the MOD too. For example, someone can view all private messages using this vulnerability.


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 :  05:58:16
So you think you can just edit a cookie and change the username and you'll be able to do things as that username? Just tried it, doesn't work.

acemi
Starting Member

16 Posts

Posted - 18 May 2002 :  06:16:27
For example, I can see the last message by Reinsnitz in the topic "New version suggesting to Admins" in the forum "Ze Admin Discussions (General)" in the category "Ze Moderator/Admin Forums".

Hrm... looks like you've had some interesting posts lately :)...


Note: Sorry for the example :(


blackinwhite
Average Member

Turkey
657 Posts

Posted - 18 May 2002 :  07:05:01
quote:
For example, I can see the last message by Reinsnitz in the topic "New version suggesting to Admins" in the forum "Ze Admin Discussions (General)" in the category "Ze Moderator/Admin Forums".

Hrm... looks like you've had some interesting posts lately :)...

Note: Sorry for the example :(

Possibly it's correct, especially for the "selected-user specified" forums.

I think it just looks for the member name, whether it's on the list.


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 :  07:21:52
acemi,

Why don't you send me an e-mail detailing exactly what you are doing, because I still can't duplicate it.

Also, I've tried to reply to the e-mail you sent me last night twice now, but I get this back after a few hours:

The following message, addressed to:
acemi_5@yahoo.com
is still undelivered after 5 attempts,
and will be deleted from message queue.

acemi
Starting Member

16 Posts

Posted - 18 May 2002 :  07:30:42
OK. I'll send you an e-mail in a few minutes.


blackinwhite
Average Member

Turkey
657 Posts

Posted - 18 May 2002 :  07:34:44
Richard,

I think his sayings about the MODs also seem correct.

This is what many MODs have for user verification:

<% if strDBNTUserName = "" Then
    Response.Redirect "default.asp"
    Response.End
else
    ' ... the MOD's protected page content follows here ...
end if %>

and strDBNTUserName is set in inc_top.asp by:

strDBNTUserName = Request.Cookies(strUniqueID & "User")("Name")


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 :  09:20:52
acemi, I e-mailed you back, but it bounced again.

Can you try using that hack again? It should not work anymore.

acemi
Starting Member

16 Posts

Posted - 18 May 2002 :  09:44:34
quote:
Can you try using that hack again? It should not work anymore.

Great, it doesn't work now.

I'm waiting for the fix now (for my forum).


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 :  09:49:50
What? You don't already know the fix?

acemi
Starting Member

16 Posts

Posted - 18 May 2002 :  10:02:39
An official fix will be better. I can fix this, but maybe it can affect the other parts badly because I don't know Snitz Forum's code very well.


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 :  10:06:40
inc_top.asp was easy, I just had to replace some code. inc_top_short.asp is a little harder because inc_functions.asp isn't always available as an include. I just added the needed functions from inc_functions.asp to the bottom of inc_top_short.asp and changed the function names just a little bit.

Here is the fix for inc_top.asp:

Find this section of code:

strDBNTUserName = Request.Cookies(strUniqueID & "User")("Name")
strDBNTFUserName = Request.Form("Name")
if strAuthType = "nt" then
    strDBNTUserName = Session(strCookieURL & "userID")
    strDBNTFUserName = Session(strCookieURL & "userID")
end if

and replace it with this:

if strAuthType = "db" then
    ' Only trust the cookie when it carries both a name and a password,
    ' and only after both have been checked against the MEMBERS table.
    if (Request.Cookies(strUniqueID & "User")("Name") <> "" and Request.Cookies(strUniqueID & "User")("PWord") <> "") then
        '## Forum_SQL
        strSql = "SELECT MEMBER_ID, M_NAME, M_PASSWORD "
        strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS "
        strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(Request.Cookies(strUniqueID & "User")("Name"), "SQLString") & "' "
        strSql = strSql & " AND M_PASSWORD = '" & ChkString(Request.Cookies(strUniqueID & "User")("Pword"), "SQLString") & "'"
        Set rsCheck = my_Conn.Execute(strSql)
        if rsCheck.BOF or rsCheck.EOF then
            ' No member matches this name/password pair: drop the cookie and treat the visitor as logged out
            Call ClearCookies()
            strDBNTUserName = ""
        else
            ' Use the name as stored in the database, not the value taken from the cookie
            strDBNTUserName = rsCheck("M_NAME")
        end if
        rsCheck.close
        set rsCheck = nothing
    else
        strDBNTUserName = ""
    end if
end if
strDBNTFUserName = Request.Form("Name")
if strAuthType = "nt" then
    strDBNTUserName = Session(strCookieURL & "userID")
    strDBNTFUserName = Session(strCookieURL & "userID")
end if
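The two checks discussed in this thread, modelled in Python as an added example (this is not Snitz code; the member table, cookie values and function names are constructed): the original inc_top.asp took strDBNTUserName straight from the cookie, while the fix only accepts a name whose cookie password matches the stored member record, which is what makes the MOD-style `if strDBNTUserName = ""` gate meaningful.

```python
import hmac

# Constructed stand-in for the MEMBERS table the fixed inc_top.asp queries;
# the names and credential values are placeholders, not real accounts.
MEMBERS = {
    "admin": {"MEMBER_ID": 1, "M_PASSWORD": "placeholder-admin-credential"},
    "alice": {"MEMBER_ID": 2, "M_PASSWORD": "placeholder-alice-credential"},
}


def user_from_cookie_weak(cookie):
    """Pre-fix behaviour: strDBNTUserName is whatever the cookie says."""
    return cookie.get("Name", "")


def user_from_cookie_fixed(cookie, members=MEMBERS):
    """Post-fix behaviour: Name and Pword must both match one member row.

    Returns the stored M_NAME on success and "" otherwise; the ASP fix also
    calls ClearCookies() in the failure case, which the caller would do here.
    """
    name = cookie.get("Name", "")
    pword = cookie.get("Pword", "")
    if name == "" or pword == "":
        return ""
    row = members.get(name)
    if row is None:
        return ""
    # Constant-time comparison so a mismatch does not leak how much matched.
    if not hmac.compare_digest(row["M_PASSWORD"], pword):
        return ""
    return name


def may_view_private_forum(resolved_name, allowed_members):
    """The MOD-style gate quoted earlier in the thread: an empty name is sent away."""
    if resolved_name == "":
        return False
    return resolved_name in allowed_members


# Constructed requests: a member's own cookie with only the Name value edited,
# and a genuine cookie for the same account.
TAMPERED_COOKIE = {"Name": "admin", "Pword": "placeholder-alice-credential"}
GENUINE_COOKIE = {"Name": "admin", "Pword": "placeholder-admin-credential"}

if __name__ == "__main__":
    for label, cookie in (("tampered", TAMPERED_COOKIE), ("genuine", GENUINE_COOKIE)):
        print(f"{label}: weak -> {user_from_cookie_weak(cookie)!r}, "
              f"fixed -> {user_from_cookie_fixed(cookie)!r}")
```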

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 :  10:22:53
And here is the fixed inc_top_short.asp file:

see below for new links

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 18 May 2002 :  10:25:37
acemi, isn't it so much better for everyone to handle this here than in bugtrack?

-------------------------------------------------
Installation Guide | Do's and Dont's | MODs


Edited by - ruirib on 18 May 2002 10:27:06
Snitz Forums 2000 © 2000-2021 Snitz™ Communications