MFHOWLAND
Starting Member
6 Posts
Posted - 22 May 2002 : 12:19:45
The values for FORUM_ID and CAT_ID are not properly tested as numeric. So, by passing a URL string I can create the following SQL statement:
SELECT FORUM_CATEGORY.CAT_STATUS, FORUM_FORUM.F_STATUS FROM FORUM_CATEGORY, FORUM_FORUM WHERE FORUM_CATEGORY.CAT_ID = FORUM_FORUM.CAT_ID AND FORUM_FORUM.FORUM_ID = 1 DROP TABLE MEMBERS
I believe these need to be checked in POST.ASP and POST_INFO.ASP, as well as probably other areas.
I can send you the URL if you need to recreate this. On a SQL Server implementation this would cause some real problems. I could also Union to your password file fairly easily using this hole and instead of listing forums potentially list passwords. (I have not tried this, but it sounds like fun.. will try it after lunch).
Thanks, Marshall
********************************************************************
Note: Lunch was tasty.. and yes, I can get every password and user name from a Snitz system using this method. I will send the URL used to the creator of the site if he wants.
********************************************************************
Edited by - MFHOWLAND on 22 May 2002 13:43:43
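The lookup reported in the post, built two ways, as an added example that is not Snitz Forums code: the first builder splices the raw request value into the SQL text, which is how a FORUM_ID of "1 DROP TABLE MEMBERS" ends up inside the statement; the second only splices a value that has first been proven to be an integer id. The STATUS_SQL text is copied from the statement above; the function names, the 32-bit Long limit and the sample inputs are constructed for the demo.

```python
# Added example, not Snitz Forums code: the status lookup from the post, built
# with plain concatenation and then with a strict numeric check in front of it.

STATUS_SQL = (
    "SELECT FORUM_CATEGORY.CAT_STATUS, FORUM_FORUM.F_STATUS "
    "FROM FORUM_CATEGORY, FORUM_FORUM "
    "WHERE FORUM_CATEGORY.CAT_ID = FORUM_FORUM.CAT_ID "
    "AND FORUM_FORUM.FORUM_ID = "
)

LONG_MAX = 2**31 - 1  # range of a VBScript Long, the type cLng converts to


def build_status_query_unsafe(forum_id: str) -> str:
    """String concatenation: whatever arrived in the query string lands in the SQL."""
    return STATUS_SQL + forum_id


def to_id(value: str) -> int:
    """Accept only an unsigned run of ASCII digits that fits a 32-bit Long.

    Stricter than VBScript's IsNumeric(), which also accepts forms such as
    "1.5" or "1e3"; those are not valid ids either, so nothing is lost.
    """
    s = value.strip()
    if not (s.isascii() and s.isdigit()):
        raise ValueError(f"not a numeric id: {value!r}")
    n = int(s)
    if n > LONG_MAX:
        raise ValueError(f"id out of range: {value!r}")
    return n


def build_status_query_safe(forum_id: str) -> str:
    """Validate first; only the canonical decimal form of the integer is spliced in."""
    return STATUS_SQL + str(to_id(forum_id))


def check_inputs(samples):
    """Return {input: ("ok", query) | ("rejected", reason)} for the hardened builder."""
    results = {}
    for raw in samples:
        try:
            results[raw] = ("ok", build_status_query_safe(raw))
        except ValueError as exc:
            results[raw] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    # Constructed request values: the payload quoted in the post plus benign and edge cases.
    samples = ["1", " 42 ", "1 DROP TABLE MEMBERS", "1.5", "1e3", "", "99999999999"]
    print("unsafe:", build_status_query_unsafe("1 DROP TABLE MEMBERS"))
    for raw, (verdict, detail) in check_inputs(samples).items():
        print(f"{raw!r:>24} -> {verdict}: {detail}")
```

The point of `to_id` returning an `int` rather than the cleaned string is that the caller cannot accidentally use the raw value afterwards; everything downstream works with a number.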
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 22 May 2002 : 17:56:12
in post.asp replace this:
'#################################################################################
'## Initialise variables
'#################################################################################
strSelectSize = Request.Form("SelectSize")
strRqMethod = Request.QueryString("method")
strRqTopicID = Request.QueryString("TOPIC_ID")
strRqForumID = Request.QueryString("FORUM_ID")
strRqCatID = Request.QueryString("CAT_ID")
strCkPassWord = Request.Cookies(strUniqueID & "User")("Pword")
'#################################################################################
'## Page-code start
'#################################################################################
with this:
'#################################################################################
'## Initialise variables
'#################################################################################
strSelectSize = Request.Form("SelectSize")
strRqMethod = chkString(Request.QueryString("method"), "SQLString")
if Request.QueryString("TOPIC_ID") <> "" then
    if IsNumeric(Request.QueryString("TOPIC_ID")) = True then
        strRqTopicID = cLng(Request.QueryString("TOPIC_ID"))
    else
        Response.Redirect("default.asp")
    end if
end if
if Request.QueryString("FORUM_ID") <> "" then
    if IsNumeric(Request.QueryString("FORUM_ID")) = True then
        strRqForumID = cLng(Request.QueryString("FORUM_ID"))
    else
        Response.Redirect("default.asp")
    end if
end if
if Request.QueryString("CAT_ID") <> "" then
    if IsNumeric(Request.QueryString("CAT_ID")) = True then
        strRqCatID = cLng(Request.QueryString("CAT_ID"))
    else
        Response.Redirect("default.asp")
    end if
end if
if Request.QueryString("REPLY_ID") <> "" then
    if IsNumeric(Request.QueryString("REPLY_ID")) = True then
        strRqReplyID = cLng(Request.QueryString("REPLY_ID"))
    else
        Response.Redirect("default.asp")
    end if
end if
strCkPassWord = chkString(Request.Cookies(strUniqueID & "User")("Pword"), "SQLString")
'#################################################################################
'## Page-code start
'#################################################################################
Then you will need to do a search for: (starting after the code you just replaced)
Request.QueryString("REPLY_ID")
and replace all instances with:
strRqReplyID
In an unmodified v3.3.05 version of post.asp there are 4 instances.
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 22 May 2002 : 18:01:49
In post_info.asp replace this:
MethodType = Request.Form("Method_Type")
Cat_ID = Chkstring(Request("CAT_ID"), "SQLString")
Forum_ID = ChkString(Request("FORUM_ID"), "SQLString")
Topic_ID = ChkString(Request("TOPIC_ID"), "SQLString")
Reply_ID = ChkString(Request("REPLY_ID"), "SQLString")
with this:
MethodType = chkString(Request.Form("Method_Type"),"SQLString")
if Request.Form("CAT_ID") <> "" then
    if IsNumeric(Request.Form("CAT_ID")) = True then
        Cat_ID = cLng(Request.Form("CAT_ID"))
    else
        Response.Redirect("default.asp")
    end if
end if
if Request.Form("FORUM_ID") <> "" then
    if IsNumeric(Request.Form("FORUM_ID")) = True then
        Forum_ID = cLng(Request.Form("FORUM_ID"))
    else
        Response.Redirect("default.asp")
    end if
end if
if Request.Form("TOPIC_ID") <> "" then
    if IsNumeric(Request.Form("TOPIC_ID")) = True then
        Topic_ID = cLng(Request.Form("TOPIC_ID"))
    else
        Response.Redirect("default.asp")
    end if
end if
if Request.Form("REPLY_ID") <> "" then
    if IsNumeric(Request.Form("REPLY_ID")) = True then
        Reply_ID = cLng(Request.Form("REPLY_ID"))
    else
        Response.Redirect("default.asp")
    end if
end if
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 22 May 2002 : 18:11:30
Richard,
Shouldn't strCkPassWord = Request.Cookies(strUniqueID & "User")("Pword") be
strCkPassWord = ChkString(Request.Cookies(strUniqueID & "User")("Pword"), "SQLString")
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 22 May 2002 : 18:14:59
We can do that. But the only way there is going to be a password in the cookie is if it's a valid password for the user.
Made the change above.
crash
Advanced Member
Netherlands
2064 Posts
Posted - 22 May 2002 : 18:35:17
Is it imperative to apply those updates?
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 22 May 2002 : 18:42:45
I would say yes. I am not at the point that I would announce it to everyone; I want to make sure that the above changes handle everything first.
Aaron S.
Average Member
USA
985 Posts
Posted - 22 May 2002 : 19:25:02
Thanks for the fix!
It seems like every page is going to need this kind of change... and just about every MOD will also have this vulnerability.
Is it too late in the process to remove all querystring variables?
--Aaron
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 22 May 2002 : 19:30:04
We've pretty much addressed all of these types of situations in v3.4 already. The code I posted above was taken from the v3.4 versions of post.asp and post_info.asp.
MFHOWLAND
Starting Member
6 Posts
Posted - 22 May 2002 : 19:40:06
Hey,
Can I help you beta test 3.4? Might be fun. (heh).
Thanks, Marshall
BTW - The person who wants the querystrings removed.. the other way to pass variables is by POST, which doesn't help because you can create a form to post whatever you want to. The real solution (possibly) is to use an ADODB.COMMAND object and Parameter fields. This will make sure that only valid types are allowed, and they are treated correctly.
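The parameterised approach the post above proposes (ADODB.Command with typed Parameter fields), shown as an added example that is not Snitz Forums code. Python's sqlite3 module stands in for ADO here: the SQL text is fixed and the request value is bound to a placeholder, so "1 DROP TABLE MEMBERS" is compared as a value and never parsed as SQL. The three tables are cut-down versions of the ones named in the thread, and their rows are constructed for the demo.

```python
# Added example, not Snitz Forums code: the same lookup as the thread's SQL, with
# the forum id bound as a parameter instead of concatenated into the statement.
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory database with cut-down versions of the tables named in the thread (constructed)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE FORUM_CATEGORY (CAT_ID INTEGER PRIMARY KEY, CAT_STATUS INTEGER);
        CREATE TABLE FORUM_FORUM (FORUM_ID INTEGER PRIMARY KEY, CAT_ID INTEGER, F_STATUS INTEGER);
        CREATE TABLE MEMBERS (MEMBER_ID INTEGER PRIMARY KEY, M_NAME TEXT, M_PASSWORD TEXT);
        INSERT INTO FORUM_CATEGORY VALUES (1, 1);
        INSERT INTO FORUM_FORUM VALUES (1, 1, 0);
        INSERT INTO MEMBERS VALUES (1, 'demo-user', 'constructed-placeholder-hash');
        """
    )
    return con


def forum_status(con: sqlite3.Connection, forum_id):
    """Run the thread's query with the id supplied as a bound parameter.

    ADO would go one step further: an adInteger parameter raises a type
    mismatch when a non-integer is assigned to it. sqlite3 simply binds the
    string, and the comparison against an INTEGER column fails to match.
    """
    return con.execute(
        "SELECT FORUM_CATEGORY.CAT_STATUS, FORUM_FORUM.F_STATUS "
        "FROM FORUM_CATEGORY, FORUM_FORUM "
        "WHERE FORUM_CATEGORY.CAT_ID = FORUM_FORUM.CAT_ID "
        "AND FORUM_FORUM.FORUM_ID = ?",
        (forum_id,),
    ).fetchone()


def table_exists(con: sqlite3.Connection, name: str) -> bool:
    """Check the catalogue so the demo can prove MEMBERS survived the request."""
    return con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone() is not None


def run_demo():
    """Return the outcome for a normal id and for the payload quoted in the thread."""
    con = make_demo_db()
    return {
        "normal": forum_status(con, "1"),
        "payload": forum_status(con, "1 DROP TABLE MEMBERS"),
        "members_intact": table_exists(con, "MEMBERS"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The request value still deserves a numeric check before the query (a bad id should be rejected, not silently return no rows), but with a bound parameter that check is about correctness rather than about keeping SQL out of the statement.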
Aaron S.
Average Member
USA
985 Posts
Posted - 22 May 2002 : 22:21:26
You can use POST and check that the POST came from the same domain (using server variables).
I do this on all my other webpages.
--Aaron
work mule
Senior Member
USA
1358 Posts
Posted - 23 May 2002 : 00:19:45
quote:
You can use POST and check that the POST came from the same domain (using server variables).
Well... the problem is that the referer is optional and originates from the client. You can't trust it, since the referer can be modified/hardcoded in the client to be whatever they want it to be.
More information on this can be found here: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=26952
Shaggy
Support Moderator
Ireland
6780 Posts
Posted - 23 May 2002 : 05:04:52
OK, never mind, my bad, got it sorted now!
Edited by - MeTV on 23 May 2002 05:23:19
acemi
Starting Member
16 Posts
Posted - 23 May 2002 : 06:36:43
quote:
in post.asp replace this: .... ....
.... if Request.QueryString("CAT_ID") <> "" then if IsNumeric(Request.QueryString("FORUM_ID")) = True then strRqCatID = cLng(Request.QueryString("CAT_ID")) else Response.Redirect("default.asp") end if end if ....
FORUM_ID should be CAT_ID
acemi
Starting Member
16 Posts
Posted - 23 May 2002 : 06:58:34
quote:
The real solution (possibly) is to use an ADODB.COMMAND object and Parameter fields. This will make sure that only valid types are allowed, and they are treated correctly.
This will make Snitz Forum 2000 database-dependent and cause some problems with mySQL. I think that using a function to check the variable type will be better.
Something like this:
if ChkType(VariableName, "Integer") then ...
if ChkType(VariableName, "Boolean") then ...
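A database-independent type checker in the spirit of the ChkType(VariableName, "Integer") idea above, written as an added example that is not Snitz Forums code. It goes one step further than the sketch: each page declares once which request parameters it accepts and of what kind, and the whole request is checked against that table, which addresses the earlier remark that every page and MOD needs the same change. The "Integer" and "Boolean" kinds, the chk_type/convert/validate_request names, the POST_PARAMS table and the sample requests are constructed.

```python
# Added example, not Snitz Forums code: a ChkType-style checker plus a per-page
# table of expected parameter types, so the IsNumeric blocks are not repeated by hand.
import re

LONG_MIN, LONG_MAX = -2**31, 2**31 - 1      # VBScript Long, the type the forum code converts ids to
_INTEGER = re.compile(r"[+-]?[0-9]+")        # whole-number text only; "1.5" and "1e3" do not match
_BOOLEAN = {"true": True, "false": False, "1": True, "0": False, "-1": True}  # -1 is VBScript's True


def chk_type(value: str, kind: str) -> bool:
    """True if the request string is a well-formed value of the named kind."""
    s = value.strip()
    if kind == "Integer":
        return _INTEGER.fullmatch(s) is not None and LONG_MIN <= int(s) <= LONG_MAX
    if kind == "Boolean":
        return s.lower() in _BOOLEAN
    raise ValueError(f"unknown kind {kind!r}")


def convert(value: str, kind: str):
    """Convert an already-checked string to its native type."""
    s = value.strip()
    return int(s) if kind == "Integer" else _BOOLEAN[s.lower()]


# What post.asp / post_info.asp expect, declared once per page (constructed table).
POST_PARAMS = {"TOPIC_ID": "Integer", "FORUM_ID": "Integer", "CAT_ID": "Integer", "REPLY_ID": "Integer"}


def validate_request(params: dict, spec: dict):
    """Return (values, None) on success, or (None, offending_name) on the first bad value.

    Missing parameters are allowed, matching the posted fix, which only checks a
    value when one is present; a present but malformed value rejects the request
    (the point at which the fix redirects to default.asp).
    """
    values = {}
    for name, kind in spec.items():
        raw = params.get(name, "")
        if raw == "":
            continue
        if not chk_type(raw, kind):
            return None, name
        values[name] = convert(raw, kind)
    return values, None


if __name__ == "__main__":
    good = {"FORUM_ID": "1", "CAT_ID": "2"}                        # constructed request
    bad = {"FORUM_ID": "1 DROP TABLE MEMBERS", "CAT_ID": "2"}      # the thread's payload
    print(validate_request(good, POST_PARAMS))
    print(validate_request(bad, POST_PARAMS))
```

Keeping the accepted kinds in one table per page also gives a reviewer a single place to confirm that no query-string or form value reaches a SQL statement without passing through chk_type.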