Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
 Password:
Save Password
Forgot your Password?

 All Forums
 Announcements
 Announcements: Security Related Bug Fixes
 New Security Fix, 1st December 2007		  New Topic  Topic Locked
 Printer Friendly
Author Previous Topic Topic Next Topic  

ruirib
Snitz Forums Admin

Portugal
26364 Posts
Posted - 04 December 2007 :  09:17:36  Show Profile  Send ruirib a Yahoo! Message
There is a security related bug fix with active.asp. This is a serious fix that can allow someone to achieve admin role in a forum.

To addthe fix, in active.,asp, where you now have, in lines#123-130:



if Request.Form("AllRead") = "Y" then
	'## The redundant line below is necessary, don't delete it.
	Session(strCookieURL & "last_here_date") = Request.Form("BuildTime")
	Session(strCookieURL & "last_here_date") = Request.Form("BuildTime")
	lastDate = Session(strCookieURL & "last_here_date")
	UpdateLastHereDate Request.Form("BuildTime"),strDBNTUserName
	ActiveSince = ""
end if


Replace them by


if Request.Form("AllRead") = "Y" then
	lastDate = Request.Form("BuildTime")

    If Not isValidForumDateString(lastDate) Then
        lastDate = DatetoStr(strForumTimeAdjust)
    End If

    '## The redundant line below is necessary, don't delete it.
    Session(strCookieURL & "last_here_date") = lastDate
    Session(strCookieURL & "last_here_date") = lastDate
    UpdateLastHereDate lastDate,strDBNTUserName
    ActiveSince = ""
end if

Then, in inc_func_common.asp, replace the code for the UpdateLastHereDate function (starting around line# 575) by the two functions below:


function UpdateLastHereDate(fTime,UserName)
	UserIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
	If UserIPAddress = "" or Left(UserIPAddress, 7) = "unknown" Then
		UserIPAddress = Request.ServerVariables("REMOTE_ADDR")
	ElseIf InStr(UserIPAddress, ",") > 0 Then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ",")-1)
	ElseIf InStr(UserIPAddress, ";") > 0 Then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ";")-1)
	End If
	If InStr(UserIPAddress, ":") > 0 then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ":")-1)
	End If
	
	If Not isValidForumDateString(fTime) Then
		fTime = DateToStr(strForumTimeAdjust)
	End If
	
	'## Forum_SQL - Do DB Update
	strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
	strSql = strSql & " SET M_LASTHEREDATE = '" & fTime & "'"
	strSql = strSql & ",    M_LAST_IP = '" & UserIPAddress & "'"
	strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(UserName, "SQLString") & "' "
 
	my_conn.Execute (strSql),,adCmdText + adExecuteNoRecords
end function


function isValidForumDateString(fDate)
	
	set regEx = New RegExp
	regEx.Global = true
	regEx.Pattern = "^[123][0-9]{13}$"

	retVal = regEx.Test(fDate)

	set regEx = nothing

	if Not retVal Then
           isValidForumDateString = false
	Else
           isValidForumDateString = true
	end if

end function


Fix updated by ruirib - 8th April, 2008<

Snitz 3.4 Readme | Like the support? Support Snitz too

gary b
Junior Member

USA
267 Posts
Posted - 04 December 2007 :  18:44:09  Show Profile  Visit gary b's Homepage
ruirib...

Snitz forum is available for download as a ZIP file. Is it standard procedure to modify this ZIP file so that all downloads (from then on) are up-to-date with bug fixes?

And thanks for the "Don't be dumb... subscribe to this forum" reminder!



gary b
<
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26364 Posts
Posted - 04 December 2007 :  18:53:00  Show Profile  Send ruirib a Yahoo! Message
It's not standard procedure to update the zip file with bug fixes. Usually the zip is updated only when a new version is released. However, given the seriousness of this flaw, we've already updated the zip file. If you download it, just make sure the date for active.asp is 2007-12-04.<

Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

gary b
Junior Member

USA
267 Posts
Posted - 04 December 2007 :  19:10:26  Show Profile  Visit gary b's Homepage
Thank you, sir... and I already made the code changes!

gary b
<
Go to Top of Page

philsbbs
Junior Member

United Kingdom
397 Posts
Posted - 04 December 2007 :  19:11:06  Show Profile
Thank you for posting a solution RuiRib.

What would we do without you.<
Phil
Go to Top of Page

gpspassion
Junior Member

260 Posts
Posted - 04 December 2007 :  19:24:30  Show Profile  Visit gpspassion's Homepage
Yes, thanks, got hit tonight, now I'm subscribed here !<
Go to Top of Page

telecomputers
Starting Member

USA
28 Posts
Posted - 04 December 2007 :  22:04:44  Show Profile
Isn't there some way we could put the bug fix announcements into a separate forum?

I really appreciate getting the heads up when a bug fix is announced by subscribing to the board but really find it annoying to get a bunch more email notifications after the fact - every time someone says thank you or asks a question.

One post for the bug fix in a single closed board with all bug fixes would seem to be the way to go. Then discussion can take place in a separate forum - for those interested in that side of the conversation.

Thanks in advance for considering this -
<
j.squires
Go to Top of Page

gary b
Junior Member

USA
267 Posts
Posted - 04 December 2007 :  22:52:57  Show Profile  Visit gary b's Homepage
Good idea... Admin/Moderators can unlock to make new post... then locked so no replies. I like it.<
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26364 Posts
Posted - 05 December 2007 :  02:31:41  Show Profile  Send ruirib a Yahoo! Message
If you need help with this issue, please post it here: http://forum.snitz.com/forum/topic.asp?whichpage=1&TOPIC_ID=66003<

Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26364 Posts
Posted - 08 April 2008 :  10:27:29  Show Profile  Send ruirib a Yahoo! Message
The fix code was updated to avoid problems in some forums, in which members.asp is broken when an hack attempt is made, trying to exploit the security issue that this fix solves.<

Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts
Posted - 25 April 2008 :  13:23:44  Show Profile  Visit HuwR's Homepage
If you do have a problem with a broken members.asp page, you should do the following

1) Log in as Admin and go to Admin Options, then select (Alternate MOD Setup)

2) paste the following code into the box

[UPDATE]
MEMBERS
M_LASTHEREDATE#'20080414000000'#MEMBER_ID = IDOFDODGYUSER
[END]

Replace IDOFDODGYUSER with the id of the last user displayed in the broken list, this will be the attempted hacker.
The date/time is stored as a string, in YYYYMMDDHHMMSS format, just use the current date (example shows 14 April 2008)

3) press the submit button to and it should sort out the problem<
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.07 seconds. Powered By: Snitz Forums 2000 Version 3.4.07