RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 23 May 2002 : 09:15:17

quote: FORUM_ID should be CAT_ID

fixed in post above.

bjlt
Senior Member
1144 Posts
Posted - 23 May 2002 : 09:46:39

Strange,
I use v31sr4 and found that I need to add something like and Request.Form("TOPIC_ID") <> "+" for the code in post_info.asp to work. Why Request.Form("TOPIC_ID") = "+" or Request.Form("REPLY_ID") = "+" ?

bjlt
Senior Member
1144 Posts
Posted - 23 May 2002 : 10:48:13

quote:
Richard,
Shouldn't strCkPassWord = Request.Cookies(strUniqueID & "User")("Pword") be
strCkPassWord = ChkString(Request.Cookies(strUniqueID & "User")("Pword"), "SQLString")

After this change, the code below stops working:

if (lcase(strNoCookies) = "1") or _
   (strDBNTUserName = "" or _
   strCkPassWord = "") then %>
<tr>
  <td bgColor="<% =strPopUpTableColor %>" noWrap vAlign="top" align="right"><font face="<% =strDefaultFontFace %>" size="<% =strDefaultFontSize %>"><b>UserName:</b></font></td>
  <td bgColor="<% =strPopUpTableColor %>"><input name="UserName" tabindex="1" maxLength="25" size="25" type="text" value="<%=Request.Form("UserName")%>"></td>
</tr>
......

I wonder why.

Davio
Development Team Member
Jamaica
12217 Posts
Posted - 23 May 2002 : 10:56:44

ChkString() always returns a space if no value was sent to the function. So you would probably need to trim strChkPassword.

RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 23 May 2002 : 11:08:28

you can change this:
strCkPassWord = ChkString(Request.Cookies(strUniqueID & "User")("Pword"), "SQLString")
to this:
strCkPassWord = trim(ChkString(Request.Cookies(strUniqueID & "User")("Pword"), "SQLString"))

pweighill
Junior Member
United Kingdom
453 Posts
Posted - 23 May 2002 : 16:35:39

quote:
The values for FORUM_ID and CAT_ID are not properly tested as numeric. So, by passing a URL string I can create the following SQL statement:
SELECT FORUM_CATEGORY.CAT_STATUS, FORUM_FORUM.F_STATUS FROM FORUM_CATEGORY, FORUM_FORUM WHERE FORUM_CATEGORY.CAT_ID = FORUM_FORUM.CAT_ID AND FORUM_FORUM.FORUM_ID = 1 DROP TABLE MEMBERS

Here's a useful tip: after you have installed your forums, don't connect to the database using the "sa" usercode. Instead, create a new usercode with limited permissions and connect with that instead.
I know that wouldn't fix the problem totally, as other SQL statements could be constructed, but it would stop any DROP TABLE statements ever working.

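A strict check for the numeric ids the quoted post says are not tested, together with the trimmed ChkString() comparison from Davio's and Richard's replies earlier in the thread. This is an added example written in Python for illustration, not Snitz's own ASP code; chk_string_sql is an assumed stand-in that only imitates the two behaviours the thread describes (doubling single quotes, returning a space for an empty value).

```python
import re

# Only an optional minus sign followed by digits is accepted, so values such as
# "1 DROP TABLE MEMBERS", "1e3", "+", "" and " 1" are all rejected before they
# can reach the SQL string. The 10-digit cap is an arbitrary sanity limit.
_NUMERIC_ID = re.compile(r"-?[0-9]{1,10}")


def is_numeric_id(value):
    """True only when value is a plain integer literal (no spaces, no suffix)."""
    return isinstance(value, str) and _NUMERIC_ID.fullmatch(value) is not None


def build_status_query(forum_id):
    """Build the CAT_STATUS/F_STATUS query from the thread for a validated id.

    Raises ValueError instead of concatenating anything that is not an integer,
    which is the check the quoted post says was missing.
    """
    if not is_numeric_id(forum_id):
        raise ValueError("FORUM_ID must be an integer, got %r" % (forum_id,))
    return ("SELECT FORUM_CATEGORY.CAT_STATUS, FORUM_FORUM.F_STATUS "
            "FROM FORUM_CATEGORY, FORUM_FORUM "
            "WHERE FORUM_CATEGORY.CAT_ID = FORUM_FORUM.CAT_ID "
            "AND FORUM_FORUM.FORUM_ID = " + forum_id)


def chk_string_sql(value):
    """Assumed stand-in for ChkString(x, "SQLString"): doubles single quotes
    and, as Davio notes, yields a single space when no value was supplied."""
    if value is None or value == "":
        return " "
    return value.replace("'", "''")


def needs_login(no_cookies, username, pword_cookie):
    """The login-box test bjlt quoted, with Richard's trim() applied.

    Without the strip(), an empty password cookie becomes " " after
    chk_string_sql and the empty-password branch is never taken.
    """
    ck_password = chk_string_sql(pword_cookie).strip()
    return no_cookies.lower() == "1" or username == "" or ck_password == ""
```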
bjlt
Senior Member
1144 Posts
Posted - 24 May 2002 : 12:09:55

quote:
Strange,
I use v31sr4 and found that I need to add something like and Request.Form("TOPIC_ID") <> "+" for the code in post_info.asp to work. Why Request.Form("TOPIC_ID") = "+" or Request.Form("REPLY_ID") = "+" ?

Would anybody like to tell me why Request.Form("TOPIC_ID") = "+" ?

JohnC
Junior Member
215 Posts
Posted - 26 May 2002 : 14:04:02

So if I read this correctly, we don't need to worry about this if we are running the Access DB version?

RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 26 May 2002 : 15:01:48

No, this will probably affect all databases; better to go ahead and apply the fix.

msperry
Starting Member
USA
48 Posts
Posted - 28 May 2002 : 13:22:00

Can someone email me with an example so I can test this?
I put the fix in, but I want to run this through my test site to see the results.
Email me at m.sperry@excite.com

MFHOWLAND
Starting Member
6 Posts
Posted - 29 May 2002 : 13:23:43

JohnC -- The bug I found with finding people's passwords will definitely work with MS Access (I tried it) and any other type of database, because they all support UNIONs. So apply the patch!
Thanks, Marshall

GTEUK
Starting Member
7 Posts
Posted - 04 June 2002 : 08:15:50

Since most of these bugs are through the address bar, would it not be a good idea to have a bit of code in inc_top that says if you are not referred from within the site then go to default?

<%
If Instr(Request.ServerVariables("HTTP_REFERER"), "yourdomain.com") = 0 And Instr(Request.ServerVariables("SCRIPT_NAME"), "default.asp") = 0 Then
    Response.Redirect "default.asp"
End If
%>

The post_info would also have to get rid of the meta refresh and add a little bit of script, but it would be far more effective and would cure most of the exploits... I think.

Slaid99
New Member
Canada
67 Posts
Posted - 09 June 2002 : 03:33:55

I downloaded the zip files mentioned in this topic for post.asp and post_info.asp, and just overwrote a perfectly clean version of 3.3.05. Is that all I have to do? Or are there more changes still?

RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 09 June 2002 : 03:39:27

Just replacing the 2 files should take care of it.