Snitz Forums 2000
 (v3.1SR4)&(v3.3.xx) security related bug - cookie

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 :  10:45:42
I have updated the inc_top_short.asp file, if you have already downloaded it, please re-download it:

For v3.3.xx: http://forum.snitz.com/download/inc_top_short_v33xx.zip

For v3.1SR4: http://forum.snitz.com/download/inc_top_short_v31SR4.zip

Deleted
deleted

4116 Posts

Posted - 18 May 2002 :  11:18:08
For v4b03 users: Updated the patch004 to include this security fix. See here: ===== POST V40B03 PATCHES =====


Think Pink
==> Start Internationalization Here

Edited by - bozden on 18 May 2002 11:32:29

Roland
Advanced Member

Netherlands
9335 Posts

Posted - 18 May 2002 :  11:46:23
quote:

I have updated the inc_top_short.asp file, if you have already downloaded it, please re-download it:

For v3.3.xx: http://forum.snitz.com/download/inc_top_short_v33xx.zip

For v3.1SR4: http://forum.snitz.com/download/inc_top_short_v31SR4.zip



The only update in that file for 3.3.xx is the bottom part, right? I can't just upload that file because I have CSS-ed the original file.




http://www.frutzle.com

Snitz Exchange | Do's and Dont's

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 :  11:54:59
for inc_top_short.asp,

The 3 functions at the bottom of the file are added,

This section is moved up to the top:

set my_Conn= Server.CreateObject("ADODB.Connection")
my_Conn.Open strConnString



and this:

strDBNTUserName = Request.Cookies(strUniqueID & "User")("Name")



is replaced with this (which is a little bit different than the same section that was added to inc_top.asp):

if strAuthType = "db" then
    if (Request.Cookies(strUniqueID & "User")("Name") <> "" and Request.Cookies(strUniqueID & "User")("PWord") <> "") then
        '## Forum_SQL
        strSql = "SELECT MEMBER_ID, M_NAME, M_PASSWORD "
        strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS "
        strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkStrings(Request.Cookies(strUniqueID & "User")("Name"),"SQLString") & "'"
        strSql = strSql & " AND M_PASSWORD = '" & ChkStrings(Request.Cookies(strUniqueID & "User")("Pword"),"SQLString") & "'"
        Set rsCheck = my_Conn.Execute(strSql)
        if rsCheck.BOF or rsCheck.EOF then
            Call ClearCookiess()
            strDBNTUserName = ""
        else
            strDBNTUserName = rsCheck("M_NAME")
        end if
        rsCheck.close
        set rsCheck = nothing
    else
        strDBNTUserName = ""
    end if
end if



snaayk
Senior Member

USA
1061 Posts

Posted - 18 May 2002 :  13:15:07
Isn't this funny. I had always assumed that there was a check somewhere in the code that would verify that the cookie was in fact correct. In fact, I posted this topic a few days ago http://forum.snitz.com/forum/topic.asp?TOPIC_ID=28105
I was working on a site and wanted to find out what function was used to accomplish what I thought was already happening here.

I guess, my thought, to verify against the db is/was the best solution.

hmm...coincidence??


_barbara
Junior Member

Germany
123 Posts

Posted - 18 May 2002 :  15:32:49
Richard,

Thanks for the quick bugfix. However, I noticed that in the updated version of inc_top_short you have added a sub ClearCookiess() (line 148). But ClearCookiess() isn't called anywhere in the file. I suppose that line 53 should be
Call ClearCookiess()?

Barbara



Edited by - _barbara on 18 May 2002 15:49:56

AGlossop
Starting Member

United Kingdom
15 Posts

Posted - 18 May 2002 :  18:18:23
This code would seem to be executed every time a page is displayed. If so, is there a penalty in accessing the DB so much? Could this slow down a site? If so, should it first check the variable strDBNTUserName to see if it's null? This would then only require DB authentication once in a session. Is this secure, or is there a way of modifying variables in session?

What if you call the forum from another frame, is this the same session or not?

I'm certainly far from being expert at ASP and web stuff in general. Please let me know if I'm talking crap, but explain where I'm wrong so that I learn.


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 :  21:05:24
quote:
Richard,

Thanks for the quick bugfix. However, I noticed that in the updated version of inc_top_short you have added a sub ClearCookiess() (line 148). But ClearCookiess() isn't called anywhere in the file. I suppose that line 53 should be
Call ClearCookiess()?

Barbara
Edited by - _barbara on 18 May 2002 15:49:56


Yes, you are correct. I have updated both files.

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 :  21:09:36
quote:
This code would seem to be executed every time a page is displayed. If so, is there a penalty in accessing the DB so much? Could this slow down a site? If so, should it first check the variable strDBNTUserName to see if it's null? This would then only require DB authentication once in a session. Is this secure, or is there a way of modifying variables in session?

What if you call the forum from another frame, is this the same session or not?

I'm certainly far from being expert at ASP and web stuff in general. Please let me know if I'm talking crap, but explain where I'm wrong so that I learn.


Yes, it checks the database on every page view unless the person doesn't have a cookie set for this site. This was a quick fix for our current version. We will look for a better solution to include in v3.4

acemi
Starting Member

16 Posts

Posted - 19 May 2002 :  07:27:44
Before this cookie fix, an attacker-made cookie made it possible to inject an SQL query and to view users'/admins' passwords if it was used with the getMemberNumber() function. Although this bug is fixed, it would be better to make the following replacements too:

In inc_functions.asp

  • In function getMemberNumber(fUser_Name)
    Find this:
    strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & fUser_Name & "'"


    and replace it with this:
    strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(fUser_Name, "SQLString") & "'"


  • In function getMemberName(fUser_Number)
    Find this:
    strSql = strSql & " WHERE MEMBER_ID = " & ChkString(fUser_Number, "SQLString")

    and replace it with this:
    strSql = strSql & " WHERE MEMBER_ID = " & Clng(fUser_Number)





Edited by - acemi on 19 May 2002 09:24:24
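
Added example (not from any poster and not Snitz code): a Python/sqlite3 model of the two fixes in this thread, the cookie check RichardKinser added to inc_top_short.asp and the getMemberNumber/getMemberName hardening acemi suggests. Bound parameters and int() stand in for ChkString(..., "SQLString") and CLng; the sample rows, cookie values and Python function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample rows; column names follow the thread's MEMBERS table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MEMBERS (MEMBER_ID INTEGER PRIMARY KEY,"
               " M_NAME TEXT, M_PASSWORD TEXT)")
    db.executemany("INSERT INTO MEMBERS VALUES (?, ?, ?)",
                   [(1, "admin", "pw-admin"), (2, "alice", "pw-alice")])
    return db

def user_from_cookie_unchecked(cookie):
    """Pre-fix: whatever name the cookie carries becomes the current user."""
    return cookie.get("Name", "")

def user_from_cookie_checked(db, cookie):
    """Post-fix: Name and PWord must both match one MEMBERS row."""
    name, pword = cookie.get("Name", ""), cookie.get("PWord", "")
    if not name or not pword:
        return ""
    row = db.execute(
        "SELECT M_NAME FROM MEMBERS WHERE M_NAME = ? AND M_PASSWORD = ?",
        (name, pword)).fetchone()
    return row[0] if row else ""  # "" tells the caller to clear the cookie

def get_member_number_concat(db, name):
    """Original shape: the value is pasted into the SQL text."""
    sql = "SELECT MEMBER_ID FROM MEMBERS WHERE M_NAME = '" + name + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def get_member_number_bound(db, name):
    """Hardened: the value is bound, so a quote in it stays data."""
    row = db.execute("SELECT MEMBER_ID FROM MEMBERS WHERE M_NAME = ?",
                     (name,)).fetchone()
    return row[0] if row else None

def get_member_name(db, number):
    """Numeric key: coerce first (the CLng step); bad input raises ValueError."""
    row = db.execute("SELECT M_NAME FROM MEMBERS WHERE MEMBER_ID = ?",
                     (int(number),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    forged = {"Name": "admin", "PWord": "guess"}   # constructed cookie
    print(user_from_cookie_unchecked(forged), repr(user_from_cookie_checked(db, forged)))
    odd = "nobody' OR '1'='1"                      # constructed name with a quote
    print(get_member_number_concat(db, odd), get_member_number_bound(db, odd))
```
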

itsme_rick
Starting Member

USA
14 Posts

Posted - 19 May 2002 :  20:33:15
My forum is not going online just yet, so would it just be best to wait for 3.3.5 release?

That way we can get all these fixes on the cookie issue done correctly, seems to me a lot of changes to make in 1 go around.

I have downloaded the 3.3.4 release this morning, the 19th of May. Applied the check ID patch and that's it for now.

Should we wait for the rest?

Thanks guys, great job on these fixes....security will be an issue when I go online.

Best Regards,
Rick Parker
IT Manager

crash
Advanced Member

Netherlands
2064 Posts

Posted - 20 May 2002 :  05:08:31
you guys know that locking a topic is impossible with this fix?



Crash's Site | Crash is from

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 20 May 2002 :  05:10:03
Really? Then why was I able to lock this topic and then unlock it with no problems at all?

crash
Advanced Member

Netherlands
2064 Posts

Posted - 20 May 2002 :  05:19:48
that i don't know. but a lot of my members were suddenly complaining about not being able to lock/unlock a topic. and when they replaced their inc_top_short.asp with an earlier version (before the fix), all was well...

but if you say that it has nothing to do with the fix...



Crash's Site | Crash is from

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 20 May 2002 :  05:21:45
Could have something to do with the fix, but probably due to something being different in your files than the original files.