Snitz Forums 2000
DEV Bug Reports (Closed)
BUG + FIX Insecure post.asp if App variables lost

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 20 July 2008 : 15:18:37
Due to a rare sequence of events it may be possible for a spammer to post messages to the forum without being authorised.

This can happen if your forum loses its application variable collection (this manifests itself as looking like the forum has lost all its formatting).

The situation is caused by a problem on both your webserver and database simultaneously, but can allow someone to post without authentication.

To prevent these unauthorised posts, add the following lines to the end of config.asp (before the closing %> line):


if Application(strCookieURL & "STRVERSION") = "" Or IsNull(Application(strCookieURL & "STRVERSION")) then
    Response.Write("Server Error, The Application variables are not loaded. Please try again later.")
    Response.End
end if


Additional note
You also need to make the changes described by ruirib in this reply
http://forum.snitz.com/forum/topic.asp?whichpage=2&TOPIC_ID=67497#383151

It should then autoreload the app variables correctly when it is able to, so hopefully the request.end will only happen on very very rare occasions.

Edited by - AnonJr on 17 March 2009 18:50:35

richfed
Average Member

United States
995 Posts

Posted - 20 July 2008 : 18:13:25
Thanks for this, Huw ... I experienced this issue a couple of months back.

Podge
Support Moderator

Ireland
3775 Posts

Posted - 21 July 2008 : 15:28:46
In the past I have had people report to me that some private forums were visible if this happened also. I was never able to reproduce it.

Podge.

The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)

My Mods: CAPTCHA Mod | GateKeeper Mod
Tutorial: Enable subscriptions on your board

Warning: The post above or below may contain nuts.

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 21 July 2008 : 15:32:51
Yes, that would also happen; the fix will also prevent that, as it basically kills the request if the application variables are not valid.

Podge
Support Moderator

Ireland
3775 Posts

Posted - 22 July 2008 : 07:59:53
Forgive my ignorance but why don't you redirect to setup.asp or just load the application variables instead of killing the request?

Podge.

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 22 July 2008 : 08:23:56
quote: Originally posted by Podge
Forgive my ignorance but why don't you redirect to setup.asp or just load the application variables instead of killing the request?

1) it is not generally recommended that setup.asp remain accessible to normal users, for security reasons.
2) reloading the app variables will only work if the situation that caused the problem has been rectified; if it hasn't, it will put your browser into a continual redirect loop.

So, this is the best way to deal with the situation and prevent unwanted/unexpected problems.

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 22 July 2008 : 08:48:06
The continual redirect loop is a serious concern, especially when the database, for some reason, is not available. You wouldn't be able to avoid the loop.

Snitz 3.4 Readme | Like the support? Support Snitz too

Podge
Support Moderator

Ireland
3775 Posts

Posted - 22 July 2008 : 11:05:24
Not sure I understand. Surely the database would have to be available if the spammer is to post unwanted messages to the forum?

quote: You wouldn't be able to avoid the loop.

You could try connecting to the database to see if it was available before entering a continuous loop.

Podge.

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 22 July 2008 : 11:16:04
If you want to come up with a more elegant solution then feel free; this is, after all, a community project. However, this is the quickest and simplest solution to prevent issues that relate to unloading of application variables.

I would not recommend redirecting normal web requests through your setup.asp script; just load it up and you will see why.

Don't forget, the test I have done is pretty much telling you that your db connection ain't working; if it was then the app variables would have loaded and you would not get trapped by the response.end.

Podge
Support Moderator

Ireland
3775 Posts

Posted - 22 July 2008 : 12:20:44
HuwR, I'm not trying to be awkward; it's just that using the solution above, every user will receive the error "Server Error, The Application variables are not loaded" until the admin goes to setup.asp to reload the variables.

It would be more convenient if an attempt to load the application variables were made when the error is detected, so that every subsequent request from visitors to the forum would attempt to reload the application variables until the problem was resolved.

Personally I don't see a problem redirecting to setup.asp, but alternatively you could just include code similar to what is already in config.asp, i.e. this code:

'## if the configvariables aren't loaded into the Application object
'## or after the admin has changed the configuration
'## the variables get (re)loaded

'## Forum_SQL
strSql = "SELECT * FROM " & strTablePrefix & "CONFIG_NEW "

set rsConfig = my_Conn.Execute (strSql)

'## walk the connection's error collection; any error means the config query failed
for counter = 0 to my_Conn.Errors.Count - 1
    ConnErrorNumber = Err.Number
    If ConnErrorNumber <> 0 Then
        If blnSetup <> "Y" Then
            my_Conn.Errors.Clear
            Err.Clear

            '## fall back to the old CONFIG table for the version and sender address
            strSql = "SELECT C_STRVERSION, C_STRSENDER "
            strSql = strSql & " FROM " & strTablePrefix & "CONFIG "

            set rsInfo = my_Conn.Execute (strSql)
            strVersion = rsInfo("C_STRVERSION")
            strSender = rsInfo("C_STRSENDER")

            rsInfo.Close
            set rsInfo = nothing

            if strVersion = "" then
                strSql = "SELECT C_VALUE "
                strSql = strSql & " FROM " & strTablePrefix & "CONFIG_NEW "
                strSql = strSql & " WHERE C_VARIABLE = 'strVersion' "
                set rsInfo = my_Conn.Execute (strSql)
                strVersion = rsInfo("C_VALUE")
                rsInfo.Close
                set rsInfo = nothing

                strSql = "SELECT C_VALUE "
                strSql = strSql & " FROM " & strTablePrefix & "CONFIG_NEW "
                strSql = strSql & " WHERE C_VARIABLE = 'strSender' "
                set rsInfo = my_Conn.Execute (strSql)
                strSender = rsInfo("C_VALUE")
                rsInfo.Close
                set rsInfo = nothing
            end if

            my_Conn.Close
            set my_Conn = nothing

            '## hand the request to setup.asp, passing the error code so it can reload the config
            Response.Redirect "setup.asp?RC=2&MAIL=" & Server.UrlEncode(strSender) & "&VER=" & Server.URLEncode(strVersion) & "&strDBType=" & strDBType & "&EC=" & ConnErrorNumber
        else
            my_Conn.Errors.Clear
            blnLoadConfig = FALSE
        end if
    End If
next

my_Conn.Errors.Clear

'## copy every CONFIG_NEW row into the Application collection, keyed by strCookieURL
if blnLoadConfig then
    Application.Lock
    do while not rsConfig.EOF
        Application(strCookieURL & Trim(UCase(rsConfig("C_VARIABLE")))) = Trim(rsConfig("C_VALUE"))
        rsConfig.MoveNext
    loop
    Application.UnLock
    rsConfig.close
end if


In any event it will only ever affect a very small number of people. Do you have steps that can successfully recreate the problem?

Podge.

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 22 July 2008 : 12:44:42
Podge,

config.asp already does that check, but can still arrive at the end of the file with empty app variables, hence the need to abort the request, or potentially put you into an endless loop trying to reload them.

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 22 July 2008 : 13:59:36
quote: Originally posted by HuwR
Podge,
config.asp already does that check, but can still arrive at the end of the file with empty app variables, hence the need to abort the request, or potentially put you into an endless loop trying to reload them.

I concur with Huw, here. As long as the DB is not available, every try to load app variables will fail and it's hard to avoid an endless loop.

The exact code you posted, Podge, will be executed every single time a user tries to access the forum.

Etymon
Advanced Member

United States
2297 Posts

Posted - 22 July 2008 : 14:41:54
I'm going to work with writing and reading the loops to a text file on the server instead of to the database using the FSO. When the text file has been written and updated to a maximum specified number of times, then the user will be redirected to a custom error found in config.asp (where the "Server Error, The Application variables are not loaded" note is for this fix) ... as a note, config.asp is also used in setup.asp, so I am making a duplicate config.asp (with a different file name) and including that into setup.asp.

I am with Podge as far as trying to reload the variables, if at all possible, on a user by user basis instead of waiting on the administrator to login and run setup.asp. Also, as long as it is secure, it seems that a remote db, like an access db, on another server can serve as a data storage container to count the number of loops each user is encountering on the main site through the normal config.asp.

I am speculating on a lot of this since I have not written the code nor tested these things. Can you guys give me some pros and cons from your experience on this?

Snitz'in from 2002 - 2020 & I'm STILL lov'in it! -> My Snitz MODs || PM Search | Search Terms | Update Category Counts

Edited by - Etymon on 22 July 2008 15:17:31

phy1729
Average Member

USA
589 Posts

Posted - 22 July 2008 : 15:21:52
I suggest you also look at the last modified time on the file to put a reasonable amount of time between tries.

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 22 July 2008 : 15:31:58
There are hosts who don't allow FSO on their servers (we have an alternate mod setup for a reason). How would you handle it in that case?
Everyone is free to find an alternate solution. We need a solution that will work in the most general scenario.
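The following is an added example, not code from this thread or from the Snitz code base. It combines HuwR's fail-closed guard at the end of config.asp with the reload-on-detection that Podge asks for and the minimum gap between tries that phy1729 suggests, while storing the "last attempt" timestamp in the Application object rather than a file, so it works on hosts that do not allow FSO. It assumes it is placed at the end of config.asp, after the existing CONFIG_NEW load, so my_Conn, strCookieURL and strTablePrefix already exist; the names RELOAD_RETRY_SECONDS, LASTRELOADTRY, AppVarsLoaded and TryReloadAppVars are assumptions, not Snitz identifiers.

```vbscript
<%
'## Added example (not Snitz code): fail-closed guard with a time-gated reload attempt.
'## Assumes it runs at the end of config.asp, where my_Conn, strCookieURL and
'## strTablePrefix are already defined. RELOAD_RETRY_SECONDS, LASTRELOADTRY,
'## AppVarsLoaded and TryReloadAppVars are names chosen for this example.

Const RELOAD_RETRY_SECONDS = 60   ' minimum gap between reload attempts (assumed value)

'## True when the marker variable HuwR's guard checks is present and non-empty.
Function AppVarsLoaded()
    Dim v
    v = Application(strCookieURL & "STRVERSION")
    AppVarsLoaded = Not (IsNull(v) Or IsEmpty(v) Or (v = ""))
End Function

'## Tries to repopulate the Application collection from CONFIG_NEW, at most once
'## every RELOAD_RETRY_SECONDS across all requests. Returns True only if the
'## variables are loaded afterwards; a failed database call leaves the forum
'## failed-closed instead of redirecting, so there is no redirect loop.
Function TryReloadAppVars()
    Dim rsCfg, lastTry
    TryReloadAppVars = False
    On Error Resume Next

    lastTry = Application(strCookieURL & "LASTRELOADTRY")
    If IsEmpty(lastTry) Or IsNull(lastTry) Then
        lastTry = DateAdd("s", -RELOAD_RETRY_SECONDS, Now())
    End If
    '## rate limit: skip the attempt if another request tried recently
    If DateDiff("s", lastTry, Now()) < RELOAD_RETRY_SECONDS Then Exit Function

    Application.Lock
    Application(strCookieURL & "LASTRELOADTRY") = Now()
    Application.UnLock

    Set rsCfg = my_Conn.Execute("SELECT C_VARIABLE, C_VALUE FROM " & strTablePrefix & "CONFIG_NEW")
    If Err.Number <> 0 Then
        '## database still unavailable: stay failed-closed until the next window
        Err.Clear
        Exit Function
    End If

    Application.Lock
    Do While Not rsCfg.EOF
        Application(strCookieURL & Trim(UCase(rsCfg("C_VARIABLE")))) = Trim(rsCfg("C_VALUE"))
        rsCfg.MoveNext
    Loop
    Application.UnLock
    rsCfg.Close
    Set rsCfg = Nothing

    TryReloadAppVars = AppVarsLoaded()
End Function

'## Guard: never let post.asp (or any other page) run with an empty Application
'## collection. One reload attempt is made per window; otherwise the request ends here.
If Not AppVarsLoaded() Then
    If Not TryReloadAppVars() Then
        Response.Write("Server Error, The Application variables are not loaded. Please try again later.")
        Response.End
    End If
End If
%>
```

Because the timestamp lives in the Application object it disappears together with the variables it protects; the defaulting logic treats a missing timestamp as "try now", so the first request after the collection is lost does exactly one reload attempt, and subsequent requests within the window fail closed without touching the database.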

Podge
Support Moderator

Ireland
3775 Posts

Posted - 22 July 2008 : 16:24:17
quote: The exact code you posted, Podge, will be executed every single time a user tries to access the forum.

Only if the database is available. There is a check at the very beginning. If the database is available then the application variables should be loaded without problem, no?

Why would HuwR's code work above and not the check that's already there in config.asp? It's basically the same check, just for a different application variable.

Podge.
Snitz Forums 2000 © 2000-2019 Snitz™ Communications
Powered By: Snitz Forums 2000 Version 3.4.07