acemi
Starting Member
16 Posts
Posted - 17 May 2002 : 11:43:54
In pop_profile.asp, Request.QueryString("id") is not checked correctly. As a result, an attacker can collect so much information about users' passwords that he/she can easily guess the password.
To fix the bug, change the following line:
strSql = strSql & " WHERE MEMBER_ID=" & ChkString(Request.QueryString("id"), "SQLString")
to this:
strSql = strSql & " WHERE MEMBER_ID=" & clng(ChkString(Request.QueryString("id"), "SQLString"))
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 18 May 2002 : 12:16:29
actually here is what we recommend:
This affects 3.1sr4 through v3.3.04 (and maybe versions earlier than v3.1sr4 as well)
in pop_profile.asp replace all instances of either:
Request.QueryString("id")
or:
ChkString(Request.QueryString("id"), "SQLString")
with this:
cLng(Request.QueryString("id"))
blackinwhite
Average Member
Turkey
657 Posts
Posted - 18 May 2002 : 13:07:52
There are some Mods as well that use the MEMBERS table and pass the MEMBER_ID or some other value related to the MEMBERS table in the query string.
Davio's was one of them, and it was updated.
Edited by - blackinwhite on 18 May 2002 13:08:56
Tmpj
Junior Member
Denmark
467 Posts
Posted - 18 May 2002 : 15:46:33
Should I replace both
Request.QueryString("id")
And
ChkString(Request.QueryString("id"), "SQLString")
???
------------------------------ Magic is an Orange http://www.magicorange.tk
RadioNostalgia
Starting Member
Italy
3 Posts
Posted - 18 May 2002 : 16:58:03
Richard,
can you post an UPDATED (as of TODAY) pack with ALL security bugfixes??
TIA
Kenno
Average Member
Cambodia
846 Posts
Posted - 18 May 2002 : 18:33:45
I just wanna be clear, do we need to replace
ChkString(Request.QueryString("id"), "SQLString")
with just this:
cLng(Request.QueryString("id") ,"SQLString" )
crash
Advanced Member
Netherlands
2064 Posts
Posted - 18 May 2002 : 18:39:09
When I applied those new lines of code, it resulted in this error: Microsoft VBScript runtime error '800a000d' Type mismatch: 'cLng' /pop_profile.asp, line 1016
The line number points to this: <form action="pop_profile.asp?mode=EditIt&id=<% =cLng(Request.QueryString("id"))%>" method="Post" id=Form1 name=Form1> Shouldn't I have updated that string with the fix you describe here?
bozden said that there were 6 replacements, but I got more... although this is probably because I use a modded file...
Any ideas on the error? Thanks guys!
Edited by - crash on 18 May 2002 18:41:31
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 18 May 2002 : 20:57:36
quote:
Should I replace both
Request.QueryString("id")
And
ChkString(Request.QueryString("id"), "SQLString")
???
That is what I posted, right?
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 18 May 2002 : 20:58:28
quote: Richard,
can you post an UPDATED (at TODAY) pack with ALL security bugfix ??
TIA
We will be releasing v3.3.05; I just want to make sure there isn't something else major that we should fix first.
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 18 May 2002 : 20:59:44
quote:
I just wanna be clear, do we need to replace
ChkString(Request.QueryString("id"), "SQLString")
with just this:
cLng(Request.QueryString("id") ,"SQLString" )
Yes, since Request.QueryString("id") should ALWAYS be a number, there is no reason to run it through ChkString to check for quotes.
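The two approaches discussed in this thread (acemi's report at the top, and Richard's point above that a numeric id should be cast rather than quote-filtered) can be shown side by side. The block below is an added example in Python that models the ASP logic; it is not Snitz code. It assumes a simplified ChkString that only doubles single quotes, drops the table prefix, and uses an illustrative column name (M_NAME). It also handles the failure mode reported earlier in the thread: VBScript's CLng raises a Type mismatch on an empty or non-numeric string and an Overflow outside the 32-bit Long range, so the parser returns None for those cases instead of letting the page crash.

```python
import re

# Constructed model of the two approaches discussed in the thread; not Snitz code.
# Table prefix (strMemberTablePrefix in Snitz) is omitted; column name is illustrative.

LONG_MIN, LONG_MAX = -2147483648, 2147483647  # VBScript Long is 32-bit signed


def chkstring_sqlstring(value: str) -> str:
    """Models what ChkString(..., "SQLString") guards against: it doubles
    single quotes so a value cannot break out of a quoted string literal.
    (Assumption: the real ChkString may do more; quote-doubling is the part
    that matters here.)"""
    return value.replace("'", "''")


def build_query_escaped(raw_id: str) -> str:
    """The pre-fix shape: quote-escaping applied, but the value lands after
    MEMBER_ID= with no quotes around it, so the escaping never engages and
    anything non-numeric goes straight into the WHERE clause."""
    return "SELECT M_NAME FROM MEMBERS WHERE MEMBER_ID=" + chkstring_sqlstring(raw_id)


def parse_member_id(raw_id):
    """Models the intent of cLng(Request.QueryString("id")) while handling the
    inputs on which VBScript's CLng raises at runtime: a missing/empty id
    (Type mismatch) or a value outside the Long range (Overflow).
    Returns an int for a well-formed integer id, None otherwise."""
    if raw_id is None:
        return None
    raw_id = raw_id.strip()
    if not re.fullmatch(r"[+-]?\d+", raw_id):
        return None
    value = int(raw_id)
    if not LONG_MIN <= value <= LONG_MAX:
        return None
    return value


def build_query_numeric(raw_id):
    """The fixed shape: only an integer ever reaches the SQL string."""
    member_id = parse_member_id(raw_id)
    if member_id is None:
        raise ValueError("id must be an integer")
    return "SELECT M_NAME FROM MEMBERS WHERE MEMBER_ID=" + str(member_id)


if __name__ == "__main__":
    # Constructed sample inputs: a normal id, a missing id, and a non-numeric
    # value that the quote filter passes through untouched.
    for sample in ["42", "", "7 OR 1=1"]:
        print("escaped :", build_query_escaped(sample))
        try:
            print("numeric :", build_query_numeric(sample))
        except ValueError as err:
            print("numeric : rejected ->", err)
```

Two notes on the model. First, CLng takes exactly one argument, so the replacement has the form cLng(Request.QueryString("id")) and nothing else; a second "SQLString" argument would not compile. Second, the parser here is stricter than CLng (it rejects "7.6", which CLng would round), which is the behaviour you want for a primary key; on a platform with parameterised queries the cast would be replaced by binding the integer as a parameter.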
Deleted
deleted
4116 Posts
Posted - 18 May 2002 : 22:41:01
quote:
bozden said that there were 6 replacements, but i got more... although this is probably so because i use a modded file...
Recounted against base v3.3.03 code and found 6. Make sure that you do not replace already replaced ones globally.
Think Pink ==> Start Internationalization Here
blackinwhite
Average Member
Turkey
657 Posts
Posted - 19 May 2002 : 07:07:14
There are nine occurrences as far as I found.
2 in active topics (last messages)
1 is
    pop_profile.asp?mode=EditIt&id=<% =cLng(Request.QueryString("id"))%>
1 is
    <form action="pop_profile.asp?mode=goModify" method=post id=Form1 name=Form1>
    <input type=hidden name="Method_Type" value="<% =Request.QueryString("mode") %>">
    <input type=hidden name="MEMBER_ID" value="<% =cLng(Request.QueryString("id")) %>">
3 are
    if Request.QueryString("mode") = "Moderator" then
        select case Request.QueryString("action")
            case "del"
                strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
                strSql = strSql & " SET M_LEVEL = 1 "
                strSql = strSql & " WHERE MEMBER_ID = " & cLng(Request.QueryString("id"))
                my_Conn.Execute(strsql)
                strSQL = "DELETE FROM " & strTablePrefix & "MODERATOR WHERE MEMBER_ID = " & cLng(Request.QueryString("id"))
                my_Conn.Execute(strSQL)
            case "add"
                strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
                strSql = strSql & " SET M_LEVEL = 2 "
                strSql = strSql & " WHERE MEMBER_ID = " & cLng(Request.QueryString("id"))
                my_Conn.Execute(strsql)
        end select
        Response.write "<meta http-equiv='Refresh' content='2; URL=members.asp'>"
    end if
1 is (in case=display part)
    strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_OCCUPATION"
    strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_SIG"
    strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_PHOTOID"
    strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_HOBBIES"
    strsql = strsql & ", " & strMemberTablePrefix & "MEMBERS.M_QUOTE"
    strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_BIO"
    strSql = strSql & ", " & strMemberTablePrefix & "MEMBERS.M_LNEWS"
    strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS "
    strSql = strSql & " WHERE MEMBER_ID=" & cLng(Request.QueryString("id"))
1 is
    <form action="profile.asp?mode=goEdit&id=<% =cLng(Request.QueryString("id"))%>" method="post">
crash
Advanced Member
Netherlands
2064 Posts
Posted - 19 May 2002 : 07:21:20
Got those nine too, but they result in the above posted error: Microsoft VBScript runtime error '800a000d' Type mismatch: 'cLng' /pop_profile.asp, line 1016
which points to this: <form action="pop_profile.asp?mode=EditIt&id=<% =cLng(Request.QueryString("id"))%>" method="Post" id=Form1 name=Form1>
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 19 May 2002 : 07:27:03
What are you doing when you get the error?
crash
Advanced Member
Netherlands
2064 Posts
Posted - 19 May 2002 : 07:35:48
I try to edit a profile (the admin profile to be exact).