Nam_Trung
Starting Member
22 Posts
Posted - 23 April 2001 : 17:26:37
Just want to report this. I have mailed this to Gor, providing the backdoor and the script against it. I also gave it to Alan (Aznknight).
HuwR
Forum Admin
United Kingdom
20584 Posts
babygate
Starting Member
32 Posts
Posted - 23 April 2001 : 23:09:34
For those people who don't want to make all those code changes, I have a simple solution implemented in my forum that might prevent the problem with post.asp. All I did was use a JavaScript function to prevent anyone from accessing the post.asp page directly, by including the following code at the top of post.asp:
<script language="JavaScript">
<!--
// specify valid referrals for script to accept
var validreferrals = new Array();
validreferrals[0] = "topic.asp";
validreferrals[1] = "forum.asp";

var passed = 0;
for (r = 0; r < validreferrals.length; r++) {
    if (document.referrer.indexOf(validreferrals[r]) != -1) {
        passed = 1;
        break;
    }
}
if (passed == 0) {
    alert("Direct Access to this page is denied! ");
    history.go(-1);
}
//-->
</script>
This code will prevent anyone from accessing the post.asp page directly. To allow an additional referral page, simply add validreferrals[x]="xxx.asp" to the array.
This works for me so far. Of course, this code will only work if the browser has JavaScript turned on.
BabyGate
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 23 April 2001 : 23:47:12
Just tried that function and it works great!
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 24 April 2001 : 00:29:30
ooo nice one BabyGate :)
Nam_Trung
Starting Member
22 Posts
Posted - 24 April 2001 : 01:03:18
Yes HuwR, I think so.
Anyway babygate,
I think you also have to add the function in post_info.asp, otherwise you will still be able to post.
davemaxwell
Access 2000 Support Moderator
USA
3020 Posts
Posted - 24 April 2001 : 14:27:33
You can reply from active.asp too....mostly for moderators, but you can do it....
Dave Maxwell -------------- Proud to be a "World Class" Knucklehead
Nam_Trung
Starting Member
22 Posts
Posted - 25 April 2001 : 06:24:19
Checking if the referrer is topic.asp/forum.asp/default.asp/active.asp isn't good, since others can create a link in a page with that name. The domain name should be in the check too.
The check should also be in post_info.asp; otherwise, one can simply create a form to post.
Nam Trung
babygate
Starting Member
32 Posts
Posted - 25 April 2001 : 21:26:38
quote:
Checking if the referrer is topic.asp/forum.asp/default.asp/active.asp isn't good, since others can create a link in a page with that name. The domain name should be in the check too.
The check should also be in post_info.asp; otherwise, one can simply create a form to post.
Nam Trung
Yes, you are right. Just use the full URL for the referrer. Something like this will do the trick:
validreferrals[0]="http://www.domain.com/topic.asp"
or
validreferrals[0]="<%= strHOMEURL %>topic.asp"
BabyGate
Remember to add the check in post_info.asp too if you want to...
Edited by - babygate on 25 April 2001 21:41:00
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 29 April 2001 : 06:07:11
What about using this code:
<%
if InstrRev(Request.ServerVariables("HTTP_REFERER"), strForumURL & "forum.asp") = 0 and _
   InstrRev(Request.ServerVariables("HTTP_REFERER"), strForumURL & "topic.asp") = 0 and _
   InstrRev(Request.ServerVariables("HTTP_REFERER"), strForumURL & "search.asp") = 0 and _
   InstrRev(Request.ServerVariables("HTTP_REFERER"), strForumURL & "active.asp") = 0 and _
   InstrRev(Request.ServerVariables("HTTP_REFERER"), strForumURL & "default.asp") = 0 then
    Go_Result "You have attempted to post a message by tampering with the URL."
end if
%>
added to post.asp between:
<!--#INCLUDE FILE="inc_top.asp" -->
<%
NEW CODE ADDED in RED above.
See new code below that works better.
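The three referrer checks in this thread (babygate's page-name version, the full-URL version, and the ASP InstrRev version just above) all match the pattern anywhere in the Referer string, and the discussion already shows why a bare page name is not enough. The block below is an added example, not code from the thread or from Snitz: it puts each check into a pure function and runs all of them over constructed Referer values, so the differences are visible. The forum URL http://www.domain.com/ and the page list are assumed. One caveat that applies to every version, including the hardened one: the Referer header is supplied by the client, so any non-browser client can send whatever value passes, and this check only stops accidental or casual direct access. The server-side lock check later in the thread is what actually enforces the lock.

```javascript
// Added example (not from the thread): the referrer checks as pure functions,
// run over constructed Referer values. FORUM_URL and the page list are assumed.

const FORUM_URL = "http://www.domain.com/";   // stands in for strForumURL / strHOMEURL
const ALLOWED_PAGES = ["forum.asp", "topic.asp", "search.asp", "active.asp", "default.asp"];

// Mirrors the posted logic: indexOf(...) != -1 in the JavaScript version and
// InstrRev(...) = 0 in the ASP version both match the pattern anywhere in the string.
function referrerAllowedSubstring(referrer, patterns) {
  return patterns.some(p => referrer.indexOf(p) !== -1);
}

// Hardened form: the Referer must START with the forum URL followed by an allowed page,
// so a copy of the URL buried in someone else's query string no longer matches.
// An empty or missing Referer is treated as a failed check.
function referrerAllowedPrefix(referrer, forumUrl, pages) {
  if (typeof referrer !== "string" || referrer === "") return false;
  return pages.some(page => referrer.startsWith(forumUrl + page));
}

// Constructed Referer values with the verdict a correct check should give.
const CASES = [
  ["http://www.domain.com/topic.asp?TOPIC_ID=1", true],
  ["http://www.domain.com/forum.asp", true],
  ["http://evil.example/topic.asp", false],                          // same page name, other site
  ["http://www.domain.com.evil.example/topic.asp", false],           // look-alike host
  ["http://evil.example/?u=http://www.domain.com/topic.asp", false], // full URL inside a query string
  ["", false],                                                       // no Referer sent at all
];

// Return the Referer values a given check gets wrong.
function misclassified(check) {
  return CASES.filter(([ref, expected]) => check(ref) !== expected).map(([ref]) => ref);
}

const bareNames = r => referrerAllowedSubstring(r, ALLOWED_PAGES);                                  // page-name version
const fullUrlSubstring = r => referrerAllowedSubstring(r, ALLOWED_PAGES.map(p => FORUM_URL + p));  // full-URL / InstrRev version
const prefixMatch = r => referrerAllowedPrefix(r, FORUM_URL, ALLOWED_PAGES);                        // hardened

console.log("page-name substring, wrong on:", misclassified(bareNames));
console.log("full-URL substring, wrong on:", misclassified(fullUrlSubstring));
console.log("prefix match, wrong on:", misclassified(prefixMatch));
```

The page-name version accepts all three hostile values; the full-URL version still accepts the one where the forum URL appears inside another site's query string, because InstrRev and indexOf look for the text at any position; the prefix form accepts only the two genuine forum pages.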
babygate
Starting Member
32 Posts
Posted - 29 April 2001 : 07:04:35
That will be a better way of checking because it's using ASP. BTW, what is Go_Result?
BabyGate
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 29 April 2001 : 15:09:54
Go_Result is a sub that is included in the alpha version of post.asp and it's also in post_info.asp in v3.1 sr4.
Here is the Go_Result from the alpha version of post.asp, just add it to the very bottom of post.asp.
<% sub Go_Result(str_err_Msg) %>
<table border="0" width="100%">
  <tr>
    <td width="33%" align="left"><font face="<% =strDefaultFontFace %>" size="<% =strDefaultFontSize %>">
    <img src="icon_folder_open.gif" height=15 width=15 border="0"> <a href="default.asp">All Forums</a><br>
<% if strRqMethod = "Edit" or _
      strRqMethod = "EditTopic" or _
      strRqMethod = "Reply" or _
      strRqMethod = "ReplyQuote" or _
      strRqMethod = "TopicQuote" then %>
    <img src="icon_bar.gif" height=15 width=15 border="0"><img src="icon_folder_open.gif" height=15 width=15 border="0"> <a href="FORUM.asp?CAT_ID=<% =strRqCatID %>&FORUM_ID=<% =strRqForumId %>&Forum_Title=<% =ChkString(Request.QueryString("FORUM_Title"),"urlpath") %>"><% =ChkString(Request.QueryString("FORUM_Title"),"display") %></a><br>
    <img src="icon_blank.gif" height=15 width=15 border="0"><img src="icon_bar.gif" height=15 width=15 border="0"><img src="icon_folder_open_topic.gif" height=15 width=15 border="0"> <a href="topic.asp?TOPIC_ID=<% =Request.QueryString("TOPIC_ID") %>&CAT_ID=<% =strRqCatID %>&FORUM_ID=<% =strRqForumId %>&Forum_Title=<% =ChkString(Request.QueryString("FORUM_Title"),"urlpath") %>&Topic_Title=<% =ChkString(left(Request.QueryString("Topic_title"), 50),"urlpath") %>"><% =ChkString(Request.QueryString("Topic_Title"),"title") %></a>
<% end if %>
    </font></td>
  </tr>
</table>
<p align="center"><font face="<% =strDefaultFontFace %>" size="<% =strHeaderFontSize %>">There has been a problem!</font></p>
<p align="center"><font color="red" size="<% =strHeaderFontSize %>"><% =str_err_Msg %></font></p>
<p align="center"><font face="<% =strDefaultFontFace %>" size="<% =strDefaultFontSize %>"><a href="JavaScript:history.go(-1)">Go back to correct the problem.</a></font></p>
<!--#INCLUDE FILE="inc_footer.asp" -->
<%
Response.End
end sub
%>
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 29 April 2001 : 22:48:43
Ok, does anyone want to try this out?
If you have v3.1 SR4 you will need to add Sub Go_Result that is shown in the post just above this one. If you have an Alpha version of the forum, you should already have Sub Go_Result in post.asp (it's at the very end of the file if you want to check for it)
The code is going to be inserted in the same place as the code I posted earlier.
In post.asp just after the following code:
<!--#INCLUDE FILE="inc_top.asp" -->
Add this:
<%
if strRqMethod = "Edit" or _
   strRqMethod = "EditTopic" or _
   strRqMethod = "Reply" or _
   strRqMethod = "ReplyQuote" or _
   strRqMethod = "Topic" or _
   strRqMethod = "TopicQuote" then

    '## Forum_SQL - Find out if the Category/Forum/Topic is Locked or Un-Locked and if it Exists
    '## NOTE: CAT_ID, FORUM_ID and TOPIC_ID come straight from the query string and are placed
    '## in the SQL text unchanged; check that they are numeric before this point.
    strSql = "SELECT " & strTablePrefix & "CATEGORY.CAT_STATUS, " & strTablePrefix & "FORUM.F_STATUS"
    if strRqMethod <> "Topic" then
        strSql = strSql & ", " & strTablePrefix & "TOPICS.T_STATUS "
    end if
    strSql = strSql & " FROM " & strTablePrefix & "CATEGORY, " & strTablePrefix & "FORUM"
    if strRqMethod <> "Topic" then
        strSql = strSql & ", " & strTablePrefix & "TOPICS "
    end if
    strSql = strSql & " WHERE " & strTablePrefix & "CATEGORY.CAT_ID = " & Request.QueryString("CAT_ID")
    strSql = strSql & " AND " & strTablePrefix & "FORUM.FORUM_ID = " & Request.QueryString("FORUM_ID")
    strSql = strSql & " AND " & strTablePrefix & "FORUM.CAT_ID = " & Request.QueryString("CAT_ID")
    if strRqMethod <> "Topic" then
        strSql = strSql & " AND " & strTablePrefix & "TOPICS.TOPIC_ID = " & Request.QueryString("TOPIC_ID")
        strSql = strSql & " AND " & strTablePrefix & "TOPICS.FORUM_ID = " & Request.QueryString("FORUM_ID")
        strSql = strSql & " AND " & strTablePrefix & "TOPICS.CAT_ID = " & Request.QueryString("CAT_ID")
    end if

    set rsStatus = my_Conn.Execute(strSql)
    if rsStatus.EOF or rsStatus.BOF then
        '## No row: the three IDs do not belong together, so the URL was edited
        Go_Result "Please don't attempt to edit the URL<br>to gain access to locked Forums/Categories."
    else
        blnCStatus = rsStatus("CAT_STATUS")
        blnFStatus = rsStatus("F_STATUS")
        if strRqMethod <> "Topic" then
            blnTStatus = rsStatus("T_STATUS")
        end if
        rsStatus.close
        set rsStatus = nothing
    end if

    '## Admins and moderators of this forum may post to locked items
    if (mLev = 4) or (chkForumModerator(Request.QueryString("FORUM_ID"), ChkString(strDBNTUserName, "decode")) = "1") or (lcase(strNoCookies) = "1") then
        AdminAllowed = 1
    else
        AdminAllowed = 0
    end if

    select case strRqMethod
        case "Topic"
            if (blnCStatus = 0) and (AdminAllowed = 0) then
                Go_Result "You have attempted to post a New Topic to a Locked Category"
            end if
            if (blnFStatus = 0) and (AdminAllowed = 0) then
                Go_Result "You have attempted to post a New Topic to a Locked Forum"
            end if
        case "EditTopic"
            if ((blnCStatus = 0) or (blnFStatus = 0) or (blnTStatus = 0)) and (AdminAllowed = 0) then
                Go_Result "You have attempted to edit a Locked Topic"
            end if
        case "Reply"
            if ((blnCStatus = 0) or (blnFStatus = 0) or (blnTStatus = 0)) and (AdminAllowed = 0) then
                Go_Result "You have attempted to Reply to a Locked Topic"
            end if
        case "ReplyQuote"
            if ((blnCStatus = 0) or (blnFStatus = 0) or (blnTStatus = 0)) and (AdminAllowed = 0) then
                Go_Result "You have attempted to Reply to a Locked Topic"
            end if
        case "TopicQuote"
            if ((blnCStatus = 0) or (blnFStatus = 0) or (blnTStatus = 0)) and (AdminAllowed = 0) then
                Go_Result "You have attempted to Reply to a Locked Topic"
            end if
        case "Edit"
            if ((blnCStatus = 0) or (blnFStatus = 0) or (blnTStatus = 0)) and (AdminAllowed = 0) then
                Go_Result "You have attempted to Edit a Reply to a Locked Topic"
            end if
    end select
end if
%>
babygate
Starting Member
32 Posts
Posted - 03 May 2001 : 19:54:20
I added this code in topic.asp to prevent someone from reading posts under a private forum (a similar backdoor problem to the one with post.asp):
'#### Forum_SQL - Find out if the Topic exists
strSql = "SELECT " & strTablePrefix & "TOPICS.T_STATUS "
strSql = strSql & " FROM " & strTablePrefix & "TOPICS "
strSql = strSql & " WHERE " & strTablePrefix & "TOPICS.TOPIC_ID = " & Request.QueryString("TOPIC_ID")
strSql = strSql & " AND " & strTablePrefix & "TOPICS.FORUM_ID = " & Request.QueryString("FORUM_ID")
strSql = strSql & " AND " & strTablePrefix & "TOPICS.CAT_ID = " & Request.QueryString("CAT_ID")
set rsStatus = my_Conn.Execute(strSql)
if rsStatus.EOF or rsStatus.BOF then
    Go_Result "You have attempted to access a topic by tampering with the URL"
end if
'###########end check url tampering
Basically, it denies access to read a post if the forum_id, topic_id, and cat_id of that post are not correct.
insert code to topic.asp right after this: <!--#INCLUDE FILE="inc_top.asp" -->
Don't forget to add the Go_Result sub at the end of topic.asp
BabyGate
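The post.asp lock check in RichardKinser's post above and the topic.asp existence check in babygate's post are the same idea: the CAT_ID/FORUM_ID/TOPIC_ID triple from the URL must resolve to one existing row chain, and for posting the lock status of each level is then applied per request method with admins and moderators exempt. The block below is an added example, not Snitz code and not from either poster: it carries both checks out as pure functions over a constructed in-memory table, so the decision logic can be exercised without a database. It adds one step the posted ASP lacks: the query-string values are validated as plain positive integers before any lookup, because the posted code concatenates Request.QueryString(...) directly into the SQL text. All IDs, statuses and table contents are made up for the example.

```javascript
// Added example (not the forum's code): post.asp / topic.asp access checks as pure
// functions over a constructed in-memory table. Status 0 = locked, 1 = open, as in the thread.

const DB = {   // constructed sample data; IDs and statuses are made up
  categories: { 1: { status: 1 }, 2: { status: 0 } },
  forums: { 10: { catId: 1, status: 1 }, 11: { catId: 1, status: 0 }, 20: { catId: 2, status: 1 } },
  topics: {
    100: { catId: 1, forumId: 10, status: 1 },
    101: { catId: 1, forumId: 10, status: 0 },
    200: { catId: 2, forumId: 20, status: 1 },
  },
};

// Query-string values arrive as strings; accept only plain positive integers.
// The posted ASP places Request.QueryString(...) straight into the SQL, so this
// is the step it is missing.
function parseId(value) {
  return typeof value === "string" && /^[1-9][0-9]*$/.test(value) ? Number(value) : null;
}

// Equivalent of the thread's SELECT: category, forum and (optionally) topic must exist
// and chain together; any mismatch is the "EOF" case that Go_Result rejects.
function lookupStatus(db, catId, forumId, topicId) {
  const cat = db.categories[catId];
  const forum = db.forums[forumId];
  if (!cat || !forum || forum.catId !== catId) return null;
  if (topicId === undefined) return { cat: cat.status, forum: forum.status };
  const topic = db.topics[topicId];
  if (!topic || topic.forumId !== forumId || topic.catId !== catId) return null;
  return { cat: cat.status, forum: forum.status, topic: topic.status };
}

const NEW_TOPIC = "Topic";
const EXISTING_TOPIC_METHODS = new Set(["Edit", "EditTopic", "Reply", "ReplyQuote", "TopicQuote"]);

// post.asp check. query holds the raw CAT_ID / FORUM_ID / TOPIC_ID strings; adminAllowed is
// what the thread computes from mLev = 4 or chkForumModerator(...). Returns the verdict
// and the message Go_Result would show.
function checkPost(db, method, query, adminAllowed) {
  const isNewTopic = method === NEW_TOPIC;
  if (!isNewTopic && !EXISTING_TOPIC_METHODS.has(method)) {
    return { allowed: false, message: "Unknown method" };
  }
  const catId = parseId(query.CAT_ID);
  const forumId = parseId(query.FORUM_ID);
  const topicId = isNewTopic ? undefined : parseId(query.TOPIC_ID);
  if (catId === null || forumId === null || topicId === null) {
    return { allowed: false, message: "Invalid ID in URL" };
  }
  const st = lookupStatus(db, catId, forumId, topicId);
  if (st === null) {
    return { allowed: false, message: "Please don't attempt to edit the URL to gain access to locked Forums/Categories." };
  }
  if (adminAllowed) return { allowed: true };       // admins and forum moderators are exempt
  if (isNewTopic) {
    if (st.cat === 0) return { allowed: false, message: "You have attempted to post a New Topic to a Locked Category" };
    if (st.forum === 0) return { allowed: false, message: "You have attempted to post a New Topic to a Locked Forum" };
    return { allowed: true };
  }
  if (st.cat === 0 || st.forum === 0 || st.topic === 0) {
    const action = method === "EditTopic" ? "edit a" : method === "Edit" ? "Edit a Reply to a" : "Reply to a";
    return { allowed: false, message: `You have attempted to ${action} Locked Topic` };
  }
  return { allowed: true };
}

// topic.asp check (babygate's addition): the three IDs must describe one existing topic.
function checkTopicRead(db, query) {
  const catId = parseId(query.CAT_ID);
  const forumId = parseId(query.FORUM_ID);
  const topicId = parseId(query.TOPIC_ID);
  if (catId === null || forumId === null || topicId === null) {
    return { allowed: false, message: "Invalid ID in URL" };
  }
  if (lookupStatus(db, catId, forumId, topicId) === null) {
    return { allowed: false, message: "You have attempted to access a topic by tampering with the URL" };
  }
  return { allowed: true };
}

console.log(checkPost(DB, "Reply", { CAT_ID: "1", FORUM_ID: "10", TOPIC_ID: "101" }, false));
console.log(checkPost(DB, "Reply", { CAT_ID: "1", FORUM_ID: "10", TOPIC_ID: "100 OR 1=1" }, false));
```

The first call is refused because topic 101 is locked; the second never reaches the lookup because the TOPIC_ID is not an integer. In the posted ASP that second value would have been appended to the SQL string as-is, so the numeric check belongs before the query, not after it.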
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 03 May 2001 : 23:08:50
I made a few changes to the code above. The changes are noted in red.
paco
Junior Member
Spain
187 Posts
Posted - 07 May 2001 : 11:16:46
Will the fix be included on the next release of the forum?
Regards, Paco