Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 DEV-Group
 DEV Bug Reports (Closed)
 Hardening UpdateLastHereDate
 Forum Locked
 Printer Friendly
Author Previous Topic Topic Next Topic  

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 18 December 2007 :  18:15:19  Show Profile  Send ruirib a Yahoo! Message
With the active.asp bug, came to light that UpdateLastHereDate will accept whatever you want to throw at it and will write it to the DB. I think we should strengthen it, so that it won't write bad values, no matter from where it is called.

In that light, I propose a new function to validate a string as a valid forum date string and a small modification to UpdateLastHereDate:


function UpdateLastHereDate(fTime,UserName)
	UserIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
	If UserIPAddress = "" or Left(UserIPAddress, 7) = "unknown" Then
		UserIPAddress = Request.ServerVariables("REMOTE_ADDR")
	ElseIf InStr(UserIPAddress, ",") > 0 Then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ",")-1)
	ElseIf InStr(UserIPAddress, ";") > 0 Then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ";")-1)
	End If
	If InStr(UserIPAddress, ":") > 0 then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ":")-1)
	End If
	
	If Not isValidForumDateString(fTime) Then
		fTime = DateToStr(strForumTimeAdjust)
	End If
	
	'## Forum_SQL - Do DB Update
	strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
	strSql = strSql & " SET M_LASTHEREDATE = '" & fTime & "'"
	strSql = strSql & ",    M_LAST_IP = '" & UserIPAddress & "'"
	strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(UserName, "SQLString") & "' "
 
	my_conn.Execute (strSql),,adCmdText + adExecuteNoRecords
end function


function isValidForumDateString(fDate)
	
	set regEx = New RegExp
	regEx.Global = true
	regEx.Pattern = "^[123][0-9]{13}$"

	retVal = regEx.Test(fDate)

	set regEx = nothing

	if Not retVal Then
           isValidForumDateString = false
	Else
           isValidForumDateString = true
	end if

end function


In red you have what's new. If you agree with this, I think it should be added to 3.4.07
<


Snitz 3.4 Readme | Like the support? Support Snitz too

Edited by - AnonJr on 17 March 2009 19:26:18

AnonJr
Moderator

United States
5765 Posts

Posted - 18 December 2007 :  19:53:55  Show Profile  Visit AnonJr's Homepage
Sounds like a good idea to me.<
Go to Top of Page

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 19 December 2007 :  05:49:03  Show Profile  Visit MarcelG's Homepage
Hurray! I fully agree with this approach!<

portfolio - linkshrinker - oxle - twitter
Go to Top of Page

Davio
Development Team Member

Jamaica
12212 Posts

Posted - 06 January 2008 :  01:01:02  Show Profile
Added to version 3.4.07.

<

Support Snitz Forums

Edited by - Davio on 06 January 2008 17:15:41
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 06 January 2008 :  18:54:13  Show Profile  Send ruirib a Yahoo! Message
Indeed.<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

Davio
Development Team Member

Jamaica
12212 Posts

Posted - 06 January 2008 :  19:05:31  Show Profile
Good catch Marshal. Rui's getting old. <

Support Snitz Forums

Edited by - Davio on 06 January 2008 19:05:53
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 06 January 2008 :  19:13:02  Show Profile  Send ruirib a Yahoo! Message
quote:
Originally posted by Davio

Good catch Marshal. Rui's getting old.


Ain't that the truth?!<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 08 April 2008 :  08:10:25  Show Profile  Visit HuwR's Homepage
was this made public as we seem to be getting a lot of issues which relate to bad M_LASTHEREDATE<
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 08 April 2008 :  08:26:50  Show Profile  Send ruirib a Yahoo! Message
This one is a public forum so, yes, it has been made public.<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 08 April 2008 :  08:38:32  Show Profile  Visit HuwR's Homepage
doh! didn't read the forum title, maybe we should add it to the bug fix/security forum since it seems to be a problem<
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 08 April 2008 :  08:49:51  Show Profile  Send ruirib a Yahoo! Message
The problems with the bad dates are from the first solution and do not occur for all forums. I haven't figured out which ones are affected, though.

You are suggesting that the posted fix be replaced by this?<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 08 April 2008 :  08:55:09  Show Profile  Visit HuwR's Homepage
whatever works obviuosly the current fix does not work in all cases as I have fixed 3 forums in the last week where the M_LASTHEREDATE was a problem<
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 08 April 2008 :  09:09:49  Show Profile  Send ruirib a Yahoo! Message
Ok, will need to have a look at what is done with the session variables and will post an update to the fix, replacing the existing code.<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 08 April 2008 :  09:24:00  Show Profile  Visit HuwR's Homepage
obviously the original fix prevents them being hacked, but it is still causing junk to get injected into the M_LASTHEREDATE which affects other pages and prevents the bogus registration from being locked/deleted<
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 08 April 2008 :  09:33:35  Show Profile  Send ruirib a Yahoo! Message
Yeah, it does affect some forums, but not all. It doesn't affect the members page in my local version of 3.4.06. Weird, but what really matters is to avoid it occurring in the forums currently being affected.<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page
  Previous Topic Topic Next Topic  
 Forum Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2019 Snitz™ Communications Go To Top Of Page
This page was generated in 0.09 seconds. Powered By: Snitz Forums 2000 Version 3.4.07