Snitz Forums 2000 - Hardening UpdateLastHereDate

Snitz Forums 2000

Username:	Password:
Save Password
Forgot your Password?

All Forums

Snitz Forums 2000 DEV-Group

DEV Bug Reports (Closed)

Hardening UpdateLastHereDate

Forum Locked

Printer Friendly

Author

Topic

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 18 December 2007 : 18:15:19

With the active.asp bug, came to light that UpdateLastHereDate will accept whatever you want to throw at it and will write it to the DB. I think we should strengthen it, so that it won't write bad values, no matter from where it is called.

In that light, I propose a new function to validate a string as a valid forum date string and a small modification to UpdateLastHereDate:


function UpdateLastHereDate(fTime,UserName)
	UserIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
	If UserIPAddress = "" or Left(UserIPAddress, 7) = "unknown" Then
		UserIPAddress = Request.ServerVariables("REMOTE_ADDR")
	ElseIf InStr(UserIPAddress, ",") > 0 Then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ",")-1)
	ElseIf InStr(UserIPAddress, ";") > 0 Then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ";")-1)
	End If
	If InStr(UserIPAddress, ":") > 0 then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ":")-1)
	End If
	
	If Not isValidForumDateString(fTime) Then
		fTime = DateToStr(strForumTimeAdjust)
	End If
	
	'## Forum_SQL - Do DB Update
	strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
	strSql = strSql & " SET M_LASTHEREDATE = '" & fTime & "'"
	strSql = strSql & ",    M_LAST_IP = '" & UserIPAddress & "'"
	strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(UserName, "SQLString") & "' "
 
	my_conn.Execute (strSql),,adCmdText + adExecuteNoRecords
end function


function isValidForumDateString(fDate)
	
	set regEx = New RegExp
	regEx.Global = true
	regEx.Pattern = "^[123][0-9]{13}$"

	retVal = regEx.Test(fDate)

	set regEx = nothing

	if Not retVal Then
           isValidForumDateString = false
	Else
           isValidForumDateString = true
	end if

end function

In red you have what's new. If you agree with this, I think it should be added to 3.4.07
<

Snitz 3.4 Readme | Like the support? Support Snitz too

Edited by - AnonJr on 17 March 2009 19:26:18

AnonJr
Moderator

United States
5768 Posts

Posted - 18 December 2007 : 19:53:55

Sounds like a good idea to me.<

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 19 December 2007 : 05:49:03

Hurray! I fully agree with this approach!<

portfolio - linkshrinker - oxle - twitter

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 06 January 2008 : 01:01:02

Added to version 3.4.07.

<

Support Snitz Forums

Edited by - Davio on 06 January 2008 17:15:41

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 06 January 2008 : 18:54:13

Indeed.<

Snitz 3.4 Readme | Like the support? Support Snitz too

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 06 January 2008 : 19:05:31

Good catch Marshal. Rui's getting old.

Support Snitz Forums

Edited by - Davio on 06 January 2008 19:05:53

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 06 January 2008 : 19:13:02

quote:
Originally posted by Davio

Good catch Marshal. Rui's getting old.

Ain't that the truth?!

Snitz 3.4 Readme | Like the support? Support Snitz too

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 08 April 2008 : 08:10:25

was this made public as we seem to be getting a lot of issues which relate to bad M_LASTHEREDATE<

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 08 April 2008 : 08:26:50

This one is a public forum so, yes, it has been made public.<

Snitz 3.4 Readme | Like the support? Support Snitz too

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 08 April 2008 : 08:38:32

doh! didn't read the forum title, maybe we should add it to the bug fix/security forum since it seems to be a problem<

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 08 April 2008 : 08:49:51

The problems with the bad dates are from the first solution and do not occur for all forums. I haven't figured out which ones are affected, though.

You are suggesting that the posted fix be replaced by this?<

Snitz 3.4 Readme | Like the support? Support Snitz too

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 08 April 2008 : 08:55:09

whatever works

obviuosly the current fix does not work in all cases as I have fixed 3 forums in the last week where the M_LASTHEREDATE was a problem<

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 08 April 2008 : 09:09:49

Ok, will need to have a look at what is done with the session variables and will post an update to the fix, replacing the existing code.<

Snitz 3.4 Readme | Like the support? Support Snitz too

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 08 April 2008 : 09:24:00

obviously the original fix prevents them being hacked, but it is still causing junk to get injected into the M_LASTHEREDATE which affects other pages and prevents the bogus registration from being locked/deleted<

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 08 April 2008 : 09:33:35

Yeah, it does affect some forums, but not all. It doesn't affect the members page in my local version of 3.4.06. Weird, but what really matters is to avoid it occurring in the forums currently being affected.<

Snitz 3.4 Readme | Like the support? Support Snitz too

Topic

Forum Locked

Printer Friendly

Jump To:

Snitz Forums 2000

This page was generated in 0.15 seconds.