RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
Posted - 18 May 2002 : 11:54:59
|
for inc_top_short.asp,
The 3 functions at the bottom of the file are added,
This section is moved up to the top:
    set my_Conn= Server.CreateObject("ADODB.Connection")
    my_Conn.Open strConnString
and this:
    strDBNTUserName = Request.Cookies(strUniqueID & "User")("Name")
is replaced with this (which is a little bit different than the same section that was added to inc_top.asp):
    if strAuthType = "db" then
        if (Request.Cookies(strUniqueID & "User")("Name") <> "" and Request.Cookies(strUniqueID & "User")("PWord") <> "") then
            '## Forum_SQL
            strSql = "SELECT MEMBER_ID, M_NAME, M_PASSWORD "
            strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS "
            strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkStrings(Request.Cookies(strUniqueID & "User")("Name"),"SQLString") & "'"
            strSql = strSql & " AND M_PASSWORD = '" & ChkStrings(Request.Cookies(strUniqueID & "User")("Pword"),"SQLString") & "'"
            Set rsCheck = my_Conn.Execute(strSql)
            if rsCheck.BOF or rsCheck.EOF then
                Call ClearCookiess()
                strDBNTUserName = ""
            else
                strDBNTUserName = rsCheck("M_NAME")
            end if
            rsCheck.close
            set rsCheck = nothing
        else
            strDBNTUserName = ""
        end if
    end if
|
 |
|
snaayk
Senior Member
   
USA
1061 Posts |
Posted - 18 May 2002 : 13:15:07
|
Isn't this funny. I had always assumed that there was a check somewhere in the code that would verify that the cookie was in fact correct. In fact, I posted this topic a few days ago http://forum.snitz.com/forum/topic.asp?TOPIC_ID=28105 I was working on a site and wanted to find out what function was used to accomplish what I thought was already happening here.
I guess, my thought, to verify against the db is/was the best solution.
hmm...coincidence??
|
 |
|
_barbara
Junior Member
 
Germany
123 Posts |
Posted - 18 May 2002 : 15:32:49
|
Richard,
Thanks for the quick bugfix. However, I noticed that in the updated version of inc_top_short you have added a sub ClearCookiess() (line 148). But ClearCookiess() isn't called anywhere in the file. I suppose that line 53 should be Call ClearCookiess()?
Barbara
Edited by - _barbara on 18 May 2002 15:49:56 |
 |
|
AGlossop
Starting Member
United Kingdom
15 Posts |
Posted - 18 May 2002 : 18:18:23
|
This code would seem to be executed every time a page is displayed. If so, is there a penalty in accessing the DB so much? Could this slow down a site? If so, should it first check the variable strDBNTUserName to see if it's null? This would then only require DB authentication once in a session. Is this secure, or is there a way of modifying variables in session?
What if you call the forum from another frame, is this the same session or not?
I'm certainly far from being expert at ASP and web stuff in general. Please let me know if I'm talking crap, but explain where I'm wrong so that I learn.
|
 |
|
RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
Posted - 18 May 2002 : 21:05:24
|
quote: Richard,
Thanks for the quick bugfix. However, I noticed that in the updated version of inc_top_short you have added a sub ClearCookiess() (line 148). But ClearCookiess() isn't called anywhere in the file. I suppose that line 53 should be Call ClearCookiess()?
Barbara Edited by - _barbara on 18 May 2002 15:49:56
Yes, you are correct. I have updated both files. |
 |
|
RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
Posted - 18 May 2002 : 21:09:36
|
quote: This code would seem to be executed every time a page is displayed. If so, is there a penalty in accessing the DB so much? Could this slow down a site? If so, should it first check the variable strDBNTUserName to see if it's null? This would then only require DB authentication once in a session. Is this secure, or is there a way of modifying variables in session?
What if you call the forum from another frame, is this the same session or not?
I'm certainly far from being expert at ASP and web stuff in general. Please let me know if I'm talking crap, but explain where I'm wrong so that I learn.
Yes, it checks the database on every page view unless the person doesn't have a cookie set for this site. This was a quick fix for our current version. We will look for a better solution to include in v3.4 |
 |
|
acemi
Starting Member
16 Posts |
Posted - 19 May 2002 : 07:27:44
|
Before this cookie fix, an attacker-made cookie allowed injecting an SQL query and viewing users'/admins' passwords if it was used with the getMemberNumber() function. Although this bug is fixed, it'll be better to make the following replacements too:
In inc_functions.asp
- In function getMemberNumber(fUser_Name)
Find this:
    strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & fUser_Name & "'"
and replace it with this:
    strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(fUser_Name, "SQLString") & "'"
- In function getMemberName(fUser_Number)
Find this:
    strSql = strSql & " WHERE MEMBER_ID = " & ChkString(fUser_Number, "SQLString")
and replace it with this:
    strSql = strSql & " WHERE MEMBER_ID = " & Clng(fUser_Number)
Edited by - acemi on 19 May 2002 09:24:24 |
 |
|
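The checks discussed in the posts above (validating the login cookie against the database on each request, escaping string values, and coercing numeric IDs), modelled as an added example in Python; it is not Snitz code and not from any poster. Assumptions: sqlite3 stands in for the forum database, `chk_sql_string` is a hypothetical stand-in assumed to double single quotes as `ChkString(..., "SQLString")` does, and all rows and cookie values are constructed.

```python
import sqlite3

# Constructed cookie value: the quote closes the SQL string literal early.
FORGED = "nobody' OR '1'='1"

def make_db():
    # Constructed rows standing in for the forum's MEMBERS table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MEMBERS (MEMBER_ID INTEGER, M_NAME TEXT, M_PASSWORD TEXT)")
    db.executemany("INSERT INTO MEMBERS VALUES (?, ?, ?)",
                   [(1, "admin", "hash-admin"), (2, "barbara", "hash-barbara")])
    return db

def chk_sql_string(value):
    # Hypothetical stand-in for ChkString(value, "SQLString"): assumed to
    # double single quotes so the value cannot leave its string literal.
    return value.replace("'", "''")

def member_id(db, name, escape):
    # escape=False is the pre-fix shape of getMemberNumber(): the cookie
    # value is concatenated as-is. escape=True is the suggested replacement.
    if escape:
        name = chk_sql_string(name)
    row = db.execute("SELECT MEMBER_ID FROM MEMBERS WHERE M_NAME = '" + name + "'").fetchone()
    return row[0] if row else -1

def member_name(db, member_number):
    # Numeric column: quote-doubling does nothing for an unquoted number, so
    # coerce to an integer instead (the CLng() replacement). This model
    # returns "" on non-numeric input; CLng raises a type mismatch error.
    try:
        number = int(member_number)
    except (TypeError, ValueError):
        return ""
    row = db.execute("SELECT M_NAME FROM MEMBERS WHERE MEMBER_ID = " + str(number)).fetchone()
    return row[0] if row else ""

def user_from_cookie(db, cookie):
    # Shape of the inc_top_short.asp fix: accept the cookie's name only if
    # name AND password match one row; otherwise the visitor is logged out.
    name, pword = cookie.get("Name", ""), cookie.get("PWord", "")
    if not name or not pword:
        return ""
    sql = ("SELECT M_NAME FROM MEMBERS WHERE M_NAME = '" + chk_sql_string(name) +
           "' AND M_PASSWORD = '" + chk_sql_string(pword) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else ""
```

With the constructed data, the unescaped lookup matches a row for a name that does not exist, while the escaped lookup, the integer coercion and the cookie check all reject the forged values.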
itsme_rick
Starting Member
USA
14 Posts |
Posted - 19 May 2002 : 20:33:15
|
My forum is not going online just yet, so would it just be best to wait for 3.3.5 release?
That way we can get all these fixes on the cookie issue done correctly, seems to me a lot of changes to make in 1 go around.
I have downloaded the 3.3.4 release this morning, the 19th of May. Applied the check ID patch and that's it for now.
Should we wait for the rest?
Thanks guys, great job on these fixes....security will be an issue when I go online.
Best Regards, Rick Parker IT Manager |
 |
|
crash
Advanced Member
    
Netherlands
2064 Posts |
Posted - 20 May 2002 : 05:08:31
|
you guys know that locking a topic is impossible with this fix?
|
 |
|
RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
Posted - 20 May 2002 : 05:10:03
|
Really? Then why was I able to lock this topic and then unlock it with no problems at all? |
 |
|
crash
Advanced Member
    
Netherlands
2064 Posts |
Posted - 20 May 2002 : 05:19:48
|
that i don't know. but a lot of my members were suddenly complaining about not being able to lock/unlock a topic. and when they replaced their inc_top_short.asp with an earlier version (before the fix), all was well...
but if you say that it has nothing to do with the fix...
|
 |
|
RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
Posted - 20 May 2002 : 05:21:45
|
Could have something to do with the fix, but probably due to something being different in your files than the original files. |
 |
|