Snitz Forums 2000 - Security hole for Private Messages Mod

Snitz Forums 2000

Username:	Password:
Save Password
Forgot your Password?

All Forums

Help Groups for Snitz Forums 2000 Users

Help: MOD Implementation

Security hole for Private Messages Mod

New Topic

Topic Locked

Printer Friendly

Author

Topic

SiSL
Average Member

Turkey
671 Posts

Posted - 25 September 2005 : 12:48:31

Since you can type many names, side to side on 'Send to' box, you can as well override limit of PM's per person...

For example, SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL,SiSL

will kinda override (eg.10) pm limit and can also cause mayhem in users pm's or your database sending thousands of messages to single person.

First Sento box is limited with maxlength property. However that does not stop 'problem users' to override code as well.

Best solution will be in codes, checking duplicate entries recreating another sendto list:

Here is code

Find below line in privatesend_info.asp:

			'############## End PM all members ###################
			arrNames = split(Request.Form("sendto"), ",")
			'############### PM all members one line ###################

Just Type following below this line before 'end if':

			' ############# CHECK SAME MEMBER FOR SECURITY #################
		
			NewCleanNameList = ""
			for i=0 to ubound(arrNames)
		 		if InStr((lcase(NewCleanNameList)& ","),(lcase(trim(arrNames(i)))&",")) Then
		 				' DoNothing
		 		Else
		 			if NewCleanNameList <> "" Then 
		 					NewCleanNameList = NewCleanNameList & ","
		 			End If
		 			
		 		  NewCleanNameList = NewCleanNameList & trim(arrNames(i)) 
		 		End If
			next
		
			set arrNames = nothing
			arrNames = split(NewCleanNameList, ",")
			' #################################################

Hope it helps..

Edited by - SiSL on 25 September 2005 13:46:32

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 25 September 2005 : 12:56:44

Have you actually tried doing that?

Snitz 3.4 Readme | Like the support? Support Snitz too

SiSL
Average Member

Turkey
671 Posts

Posted - 25 September 2005 : 12:57:33

Reached to 195 message over 50 message limit with "," ofcourse. Simply need a check code over array.

Edited by - SiSL on 25 September 2005 12:58:24

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 25 September 2005 : 12:58:23

Were they sent, or did it fail?

Snitz 3.4 Readme | Like the support? Support Snitz too

SiSL
Average Member

Turkey
671 Posts

Posted - 25 September 2005 : 12:58:58

All sent, you can try as well, try sending yourself ;)

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 25 September 2005 : 13:03:28

I understand your concern, but we never had such a situation being reported.

Snitz 3.4 Readme | Like the support? Support Snitz too

SiSL
Average Member

Turkey
671 Posts

Posted - 25 September 2005 : 13:15:30

Yes, I found it after asking my users to fill their PM boxes with messages to test PM pages performance. Still does not hurt to make a self-check code cleaning names from duplicates.