Kevo
Starting Member
USA
26 Posts
Posted - 27 December 2000 : 14:12:30
The Snitz forum, which is entirely ASP, uses several IDs to view and change parts of the forum. The forum is based on the presumption that if the icon isn't there to do something, it can't be done; that is not true, since all a person has to do is change those IDs and they can do lots of things that shouldn't be allowed. Some of the things I will mention should be taken into consideration by those of you who work on the Snitz forums, as they are great forums... The changes I talk about will mean putting something in the address bar of your browser.
To begin, locking topics does not prevent the changing of a topic; it merely removes the GUI interface to editing. Let's say this topic is locked; here is its ID (the titles won't matter): topic.asp?TOPIC_ID=129&FORUM_ID=9&CAT_ID=3 OK, we can't post or edit. We go to another topic and retrieve the reply code: post.asp?method=Reply&TOPIC_ID=128&FORUM_ID=9&CAT_ID=3 OK, all I see different is TOPIC_ID? Why, that's simple enough, just change the TOPIC_ID to 129. I put that in the address bar and a screen comes up to reply, and to be sure, the previous posts are there. To delete a post you would need the REPLY_ID, which can be very hard to obtain since the topic is locked and there can be thousands of REPLY_IDs. But by guess and check it can be done. To delete a post would require that as well. Editing your topic post to a topic (the first one, if I'm not clear) is easy, since you really don't need the REPLY_ID to edit, just the topic ID. So you can edit the title of a locked topic as well.
If you know the TOPIC_ID of a private or restricted forum you can post in it by post.asp?method=Topic&FORUM_ID=9&CAT_ID=1&Forum_Title=Restricted changing the FORUM_ID to that of the restricted forum, and you may make a post in there. Though I have seen a fix to this. If you think you know the TOPIC_ID of a topic inside a restricted forum you can view it by taking what it would normally be and changing the FORUM_ID to something else, say 2. Since that forum isn't restricted you are free to view it as far as the forum is concerned. A guess and check method of cycling through posts with the TOPIC_ID moving in increments of one can also be used. "link.asp?TOPIC_ID=???" to a topic ID you think is in a restricted forum will automatically add the appropriate data and link you, but if the forum is restricted you will be denied.
That's it. If you are a developer, please take these security problems and try, if possible, to fix them in future versions.
Edited by - Kevo on 28 December 2000 09:34:15
Changed topic title...
Edited by - Davio on 08 December 2001 20:38:41
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 27 December 2000 : 19:37:50
What version of the software are you using? You should not be able to post to a restricted forum in the way you describe if you have the latest forum code.
'Resistance is futile'
Da_Stimulator
DEV Team Forum Moderator
USA
3373 Posts
Posted - 27 December 2000 : 20:43:14
Kevo.... ugh....
Using my forums :) I upgraded and fixed it, Kev...
Da_Stimulator Stimmy's Forums - Using 3.1 SR3 "We all die someday, but your goin down before I do" - Me
Kevo
Starting Member
USA
26 Posts
Posted - 28 December 2000 : 09:42:56
Ahem, read it again.... I made one little edit by adding some Forum Code only. It should clear things up a little bit.
The Snitz forum is great! It's such a shame to see these things, but it took me about 1 hour in total time (over about 4 days) to figure this out. And I did not know the inner workings of the forums.
And yes, in the previous version it was, but no longer; you get a "You don't have permission." And one line is in red text. Same style as when you try to edit someone else's post. Now I'm certain about some of this 'cause I just found a loser's ASP (yes, it was Snitz) forum and did all of this (got kicked too), but New Topic in a restricted forum no longer works so I didn't even try it. I'm pretty sure it's the latest version 'cause the idiot said so... That was two days ago.
I'm sure fixing some of these things is possible because link.asp can identify if a topic is in a private forum while topic.asp cannot. So there must be some comparison of records in link.asp that says it's in a private forum. If it is added to topic.asp then it would work. (That's just my opinion)
BTW - I would consider these things HACKS. But it's better than the UBB's hack to release all the IDs and passes to an e-mail address!
Edited by - Kevo on 29 December 2000 14:57:40
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 28 December 2000 : 13:11:48
Kevo, could you give specifics of the forum types, or would you be prepared to work with me on my test forum so we can establish which need fixing? I can set up a forum of each type for you to test the spamming, rather than trying it on other people's sites; it is not very polite.
'Resistance is futile'
Da_Stimulator
DEV Team Forum Moderator
USA
3373 Posts
Posted - 28 December 2000 : 13:36:40
Kevo... How would you know if you can still reply? You can't even get in, let alone post, let alone reply. I've tested this thoroughly.
Huw, the only private/hidden forum on mine is 'allowed members list/hidden'.
Da_Stimulator Stimmy's Forums - Using 3.1 SR3 "We all die someday, but your goin down before I do" - Me
Kevo
Starting Member
USA
26 Posts
Posted - 29 December 2000 : 10:52:16
Hmmm... This is exactly the kind of solution needed... Related record checking... But I can still edit locked topics... When was this fixed???? Or is it just a side effect of preventing a topic in a restricted forum... In the latest version, because I remember the Jake fellow replied to the topic he created in a restricted forum.
Microsoft JET Database Engine error '80004005'
You cannot add or change a record because a related record is required in table 'FORUM_TOPICS'.
/post_info.asp, line 578
Now how about preventing the display of topics in a locked forum.
Edited by - Kevo on 29 December 2000 14:58:25
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 29 December 2000 : 11:39:35
Kevo,
I have re-read your first post, and now understand what you mean.
Basically, what Kevo is saying is that if you look at a link like this http://myforum.com/topic.asp?TOPIC_ID=999&FORUM_ID=20&CAT_ID=3&Forum_Title=....
where FORUM_ID 20 is a "private" forum, and you change FORUM_ID=20 to, say, FORUM_ID=2, where 2 is not a private forum, you can view all the messages in topic 999, which you should not; the code does not verify that the topic and forum are related.
Am looking at a fix
Edited by - Huwr on 29 December 2000 11:45:27
Kevo
Starting Member
USA
26 Posts
Posted - 29 December 2000 : 12:13:13
Yes, that is right... At one point, a person could also reply to that topic, but now, as I put it, post_info.asp relates and says that there must be a topic in the FORUM_ID with that name. I tried creating a topic with the same name but the error changed to exception instead of non-relation.
Works as well for editing a locked topic / a reply in a locked topic.
This was the entire basis of that bug: IDs are not related enough...
The funny thing is that link.asp can relate them while forum.asp & topic.asp cannot!!
I have some questions, HuwR. Could the same be true of forums? If I knew the code, would the edit or delete of a forum be successful by a normal user? And last, is there any check in the Admin Options that, if I knew the URL, I could gain access? Say I theoretically typed something like www....com/forum/adminoptions.asp; would it come up if I had the correct name for it?!
Edited by - Kevo on 29 December 2000 14:56:26
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 29 December 2000 : 13:19:58
quote:
Yes, that is right... At one point, a person could also reply to that topic, but now, as I put it, post_info.asp relates and says that there must be a topic in the FORUM_ID with that name. I tried creating a topic with the same name but the error changed to exception instead of non-relation.
Works as well for editing a locked topic / a reply in a locked topic.
This was the entire basis of that bug: IDs are not related enough...
The funny thing is that link.asp can relate them while forum.asp & topic.asp cannot!!
I will look at forum/topic.asp etc, and work out where to put a check.
quote:
I have some questions, HuwR. Could the same be true of forums? If I knew the code, would the edit or delete of a forum be successful by a normal user? And last, is there any check in the Admin Options that, if I knew the URL, I could gain access? Say I theoretically typed something like www....com/forum/adminoptions.asp; would it come up if I had the correct name for it?!
Edited by - Kevo on 29 December 2000 12:21:11
Theoretically, you should not be able to delete forums, topics etc, or get into the admin options, because these require a second login before allowing the relevant action, so unless you knew the username and password
Incidentally,
Thanks, Kevo, for pointing out the problems, but you should inform the admin of what you are doing if you want to test their security; it is not very nice to find someone has hacked your forum.
I know you may have upset Stimmo and some of his forum users slightly, so please try to inform them next time; nobody is going to get angry if they know someone is constructively testing their security.
'Resistance is futile'
Kevo
Starting Member
USA
26 Posts
Posted - 29 December 2000 : 14:55:31
Well, I usually undo everything I do; the Administrator of another site just spotted it before I undid it... And I haven't tried the quoted questions before, I meant it hypothetically.... So no, I haven't really done anything!!! I didn't do anything noticeable on Stimmo's forum. Just looked... OK?
One more thing, the "REPLY_ID"s need to be related as well. That will prevent editing of locked topics (and anything inside locked forums like DEV Bug Reports (Closed)).
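The related-record checks this thread asks for (HuwR's TOPIC_ID/FORUM_ID mismatch above, and Kevo's point that REPLY_ID needs relating too), written as an added editor's illustration in Python over SQLite; this is not Snitz code, which is Classic ASP. The server resolves the forum from the topic record instead of trusting FORUM_ID in the URL, and reply/edit requests must name a reply that belongs to the topic and a topic that is not locked. Only the FORUM_TOPICS table name and the TOPIC_ID/FORUM_ID/REPLY_ID fields come from the thread; the other table and column names are assumptions.

```python
import sqlite3

# Constructed schema: FORUM_TOPICS appears in the JET error quoted in the
# thread; the other table names and the F_PRIVATE/T_LOCKED columns are assumed.
SCHEMA = """
CREATE TABLE FORUM_FORUMS (FORUM_ID INTEGER PRIMARY KEY, F_PRIVATE INTEGER);
CREATE TABLE FORUM_TOPICS (TOPIC_ID INTEGER PRIMARY KEY, FORUM_ID INTEGER,
                           T_LOCKED INTEGER);
CREATE TABLE FORUM_REPLY  (REPLY_ID INTEGER PRIMARY KEY, TOPIC_ID INTEGER);
"""
# Constructed sample data: forum 20 is private, forum 2 is public;
# topic 999 lives in forum 20, topic 129 lives in forum 2 and is locked.
SAMPLE = """
INSERT INTO FORUM_FORUMS VALUES (2, 0), (20, 1);
INSERT INTO FORUM_TOPICS VALUES (999, 20, 0), (129, 2, 1);
INSERT INTO FORUM_REPLY  VALUES (5000, 999), (5001, 129);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def can_view_topic(conn, topic_id, url_forum_id, member_forums):
    """topic.asp check: the forum comes from the topic record, never from the
    URL; a FORUM_ID that does not match the record is rejected outright."""
    row = conn.execute(
        "SELECT t.FORUM_ID, f.F_PRIVATE FROM FORUM_TOPICS t "
        "JOIN FORUM_FORUMS f ON f.FORUM_ID = t.FORUM_ID WHERE t.TOPIC_ID = ?",
        (topic_id,)).fetchone()
    if row is None or row[0] != url_forum_id:
        return False                      # unknown topic or tampered FORUM_ID
    forum_id, private = row
    return not private or forum_id in member_forums

def can_post_reply(conn, topic_id):
    """post.asp?method=Reply check: the topic must exist and be unlocked."""
    row = conn.execute("SELECT T_LOCKED FROM FORUM_TOPICS WHERE TOPIC_ID = ?",
                       (topic_id,)).fetchone()
    return row is not None and row[0] == 0

def can_edit_reply(conn, reply_id, topic_id):
    """Edit/delete check: REPLY_ID must belong to TOPIC_ID and that topic
    must be unlocked, so a guessed REPLY_ID on a locked topic is refused."""
    row = conn.execute(
        "SELECT t.T_LOCKED FROM FORUM_REPLY r "
        "JOIN FORUM_TOPICS t ON t.TOPIC_ID = r.TOPIC_ID "
        "WHERE r.REPLY_ID = ? AND r.TOPIC_ID = ?", (reply_id, topic_id)).fetchone()
    return row is not None and row[0] == 0
```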
kjohn
Starting Member
6 Posts
Posted - 31 December 2000 : 02:44:56
You might encrypt the querystrings, which would solve these security problems. There's an article on this at 4 Guys From Rolla which is worth a look. Full source is included.
Edited by - kjohn on 31 December 2000 02:46:00
slemieux
Junior Member
USA
234 Posts
Posted - 31 December 2000 : 16:59:49
http://209.35.175.12/snitz/
Test away!!!! I can even set up FTP access if needed. Feel free to do whatever (add forums, delete categories, etc...) you want with this forum. I simply use it to test mods on a live server.
It might be a good idea to create a private forum somewhere where security leaks can be posted. And if one is found, rather than posting it here on forum.snitz.com, e-mail it to Mike or Gor. I personally don't want someone with too much time on their hands taking this info and trying to crack my forums!!!
And everyone here should understand that if a topic is posted about a possible security leak and it is moved or deleted, nothing is being hidden! It is being worked out! I know the last time there was a security leak, people got upset because it appeared as if it was being hidden from everyone.
Scott LeMieux Ready... Fire... Aim!!
Reinsnitz
Snitz Forums Admin
USA
3545 Posts
Posted - 02 January 2001 : 21:44:58
Huw,
How is this looking?
Reinsnitz (Mike) ><)))'> "The glory of young men is their strength, and the honor of old men is their gray hair." - Proverbs 20:29
HuwR
Forum Admin
United Kingdom
20595 Posts
Jeepaholic
Average Member
USA
697 Posts
Posted - 15 June 2001 : 01:25:48
Hate to revive a really old topic, but was there a fix to this released? I can't seem to find one. I've got someone who's figured it out and is posting in locked topics. Thanks...
Al Bsharah Jeepaholics Anonymous