Snitz Forums 2000
 (v3.1SR4)&(v3.3.xx) Security related bug - profile
acemi
Starting Member

16 Posts

Posted - 17 May 2002 : 11:43:54
In pop_profile.asp, Request.QueryString("id") is not checked correctly. As a result, an attacker can collect so much info about users' passwords and he/she can easily guess the password.

To fix the bug, change following line:
strSql = strSql & " WHERE MEMBER_ID=" & ChkString(Request.QueryString("id"), "SQLString")

with this:
strSql = strSql & " WHERE MEMBER_ID=" & clng(ChkString(Request.QueryString("id"), "SQLString"))

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 : 12:16:29
Actually, here is what we recommend:

This affects 3.1sr4 through v3.3.04 (and maybe versions earlier than v3.1sr4 as well).

in pop_profile.asp replace all instances of either:

Request.QueryString("id")


or:

ChkString(Request.QueryString("id"), "SQLString")



with this:

cLng(Request.QueryString("id"))

Deleted
deleted

4116 Posts

Posted - 18 May 2002 : 12:51:13
This makes 6 replacements.

Think Pink
==> Start Internationalization Here

blackinwhite
Average Member

Turkey
657 Posts

Posted - 18 May 2002 : 13:07:52
There are some Mods as well that use the MEMBERS table and pass the MEMBER_ID or some other value related to the MEMBERS table in the query string.

Davio's was one of them, and it was updated.



Edited by - blackinwhite on 18 May 2002 13:08:56

Tmpj
Junior Member

Denmark
467 Posts

Posted - 18 May 2002 : 15:46:33
Should I replace both

Request.QueryString("id")

And

ChkString(Request.QueryString("id"), "SQLString")

???


------------------------------
Magic is an Orange
http://www.magicorange.tk

RadioNostalgia
Starting Member

Italy
3 Posts

Posted - 18 May 2002 : 16:58:03
Richard,

can you post an UPDATED (as of TODAY) pack with ALL security bugfixes?

TIA


Kenno
Average Member

Cambodia
846 Posts

Posted - 18 May 2002 : 18:33:45
I just wanna be clear, do we need to replace

ChkString(Request.QueryString("id"), "SQLString")


with just this:

cLng(Request.QueryString("id") ,"SQLString" )



crash
Advanced Member

Netherlands
2064 Posts

Posted - 18 May 2002 : 18:39:09
When I applied those new lines of code, it resulted in this error:
Microsoft VBScript runtime error '800a000d' 
Type mismatch: 'cLng'
/pop_profile.asp, line 1016

the line number points to this:
<form action="pop_profile.asp?mode=EditIt&id=<% =cLng(Request.QueryString("id"))%>" method="Post" id=Form1 name=Form1>

Shouldn't I have updated that string with the fix you describe here?

bozden said that there were 6 replacements, but I got more... although this is probably because I use a modded file...

Any ideas on the error? Thanks guys!



Crash's Site | Crash is from


Edited by - crash on 18 May 2002 18:41:31

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 : 20:57:36
quote:

Should I replace both

Request.QueryString("id")

And

ChkString(Request.QueryString("id"), "SQLString")

???


That is what I posted right?

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 : 20:58:28
quote:
Richard,

can you post an UPDATED (at TODAY) pack with ALL security bugfix ??

TIA


We will be releasing v3.3.05; we just want to make sure there isn't something else major that we should fix first.

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 18 May 2002 : 20:59:44
quote:

I just wanna be clear, do we need to replace

ChkString(Request.QueryString("id"), "SQLString")


with just this:

cLng(Request.QueryString("id") ,"SQLString" )


Yes, since Request.QueryString("id") should ALWAYS be a number, there is no reason to run it through ChkString to check for quotes.

Deleted
deleted

4116 Posts

Posted - 18 May 2002 : 22:41:01
quote:

bozden said that there were 6 replacements, but i got more... although this is probably so because i use a modded file...



Recounted against base v3.3.03 code and found 6. Make sure that you do not replace already replaced ones globally.

Think Pink
==> Start Internationalization Here

blackinwhite
Average Member

Turkey
657 Posts

Posted - 19 May 2002 : 07:07:14
There are nine occurrences as far as I found.

2 in active topics (last messages)

1 is
pop_profile.asp?mode=EditIt&id=<% =cLng(Request.QueryString("id"))%>


1 is
<form action="pop_profile.asp?mode=goModify" method=post id=Form1 name=Form1>
<input type=hidden name="Method_Type" value="<% =Request.QueryString("mode") %>">
<input type=hidden name="MEMBER_ID" value="<% =cLng(Request.QueryString("id")) %>">


3 are

if Request.QueryString("mode") = "Moderator" then
select case Request.QueryString("action")
case "del"
strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
strSql = strSql & " SET M_LEVEL = 1 "
strSql = strSql & " WHERE MEMBER_ID = " & cLng(Request.QueryString("id"))
my_Conn.Execute(strsql)
strSQL = "DELETE FROM " & strTablePrefix & "MODERATOR WHERE MEMBER_ID = " & cLng(Request.QueryString("id"))
my_Conn.Execute(strSQL)
case "add"
strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
strSql = strSql & " SET M_LEVEL = 2 "
strSql = strSql & " WHERE MEMBER_ID = " & cLng(Request.QueryString("id"))
my_Conn.Execute(strsql)
end select
Response.write "<meta http-equiv='Refresh' content='2; URL=members.asp'>"
end if


1 is (in case=display part)

strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_OCCUPATION"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_SIG"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_PHOTOID"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_HOBBIES"
strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_QUOTE"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_BIO"
strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_LNEWS"
strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS "
strSql = strSql & " WHERE MEMBER_ID=" & cLng(Request.QueryString("id"))


1 is
<form action="profile.asp?mode=goEdit&id=<% =cLng(Request.QueryString("id"))%>" method="post">



crash
Advanced Member

Netherlands
2064 Posts

Posted - 19 May 2002 : 07:21:20
Got those nine too, but they result in the above-posted error:
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'cLng'
/pop_profile.asp, line 1016


which points to this:
<form action="pop_profile.asp?mode=EditIt&id=<% =cLng(Request.QueryString("id"))%>" method="Post" id=Form1 name=Form1>




Crash's Site | Crash is from

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 19 May 2002 : 07:27:03
what are you doing when you get the error?

crash
Advanced Member

Netherlands
2064 Posts

Posted - 19 May 2002 : 07:35:48
I try to edit a profile (the admin profile to be exact).



Crash's Site | Crash is from
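As an added illustration (not code from this thread or from Snitz), the Python below models the two approaches discussed: the quote-escaping that ChkString's "SQLString" mode is assumed to perform, versus strict integer coercion in the role CLng plays in the fix. The function names, the constructed sample input and the ChkString approximation are mine; the parser also returns None for an empty or non-numeric id, which is the case where VBScript's CLng raises the 'Type mismatch' runtime error reported above.

```python
import re

# Constructed approximation of Snitz's ChkString(..., "SQLString"): it only
# doubles single quotes, which does nothing for an unquoted numeric context.
def chk_string_sql(value: str) -> str:
    return value.replace("'", "''")

def where_member_id_vulnerable(id_param: str) -> str:
    # Mirrors the original pop_profile.asp line: the escaped value is
    # concatenated without quotes, so anything without a quote passes through.
    return " WHERE MEMBER_ID=" + chk_string_sql(id_param)

_INT_RE = re.compile(r"^\s*[+-]?\d+\s*$")

def parse_member_id(id_param):
    """Strict integer coercion, the role CLng plays in the recommended fix.

    Returns None instead of raising for a missing, empty or non-numeric id;
    VBScript's CLng raises 'Type mismatch' there, which is the runtime error
    reported in this thread when the id parameter is absent from the URL.
    """
    if id_param is None or not _INT_RE.match(id_param):
        return None
    n = int(id_param)
    # VBScript Long is a signed 32-bit value; CLng overflows beyond this range.
    if not -2**31 <= n < 2**31:
        return None
    return n

def where_member_id_fixed(id_param) -> str:
    # Only a validated integer ever reaches the SQL string.
    member_id = parse_member_id(id_param)
    if member_id is None:
        raise ValueError("invalid id parameter")
    return " WHERE MEMBER_ID=" + str(member_id)

if __name__ == "__main__":
    sample = "1 OR 1=1"  # constructed input with no quote character
    print(where_member_id_vulnerable(sample))  # escaping changes nothing
    print(where_member_id_fixed("42"))
    print(parse_member_id(""))  # None: the empty-id case behind the error
```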