Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 DEV-Group
 DEV Bug Reports (Closed)
 (v3.4.03) Security Related BUG+FIX: password.asp
 Forum Locked  Topic Locked
 Printer Friendly
Author Previous Topic Topic Next Topic  

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 16 June 2003 :  17:54:33  Show Profile

password.asp


around line #85 find the following:
elseif Request.Form("pwkey") <> "" and Request.Form("mode") = "UpdateIt" then
	key = chkString(Request.Form("pwkey"),"SQLString")

	'###Forum_SQL
	strSql = "SELECT M_PWKEY, MEMBER_ID, M_NAME, M_EMAIL "
	strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS "
	strSql = strSql & " WHERE M_PWKEY = '" & key & "'"
replace the red highlighted line of code with this:
	strSql = strSql & " WHERE MEMBER_ID = " & cLng(Request.Form("MEMBER_ID"))
	strSql = strSql & " AND M_PWKEY = '" & key & "'"

around line #117 find the following:
		if Err_Msg = "" then
			strEncodedPassword = sha256("" & Request.Form("Password"))
			pwkey = ""

			'Update the user's password
			strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
			strSql = strSql & " SET M_PASSWORD = '" & chkString(strEncodedPassword,"SQLString") & "'"
			strSql = strSql & ", M_PWKEY = '" & chkString(pwkey,"SQLString") & "'"
			strSql = strSql & " WHERE MEMBER_ID = " & cLng(Request.Form("MEMBER_ID"))
replace the red highlighted line of code with this:
			strSql = strSql & " WHERE MEMBER_ID = " & cLng(Request.Form("MEMBER_ID"))
			strSql = strSql & " AND M_PWKEY = '" & key & "'"

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 16 June 2003 :  18:57:36  Show Profile  Visit HuwR's Homepage
Will this stop it ? surely tey can just spoof the Request.Form("MEMBER_ID") as well

forget that, misread the second part
Go to Top of Page

rasure
Junior Member

289 Posts

Posted - 18 August 2003 :  02:25:04  Show Profile  Visit rasure's Homepage
Hi, after applying this update, I get this message when trying to use the forgot password feature...

Your password key did not match!

Your password key did not match the one that we have in our database.
Please try submitting your UserName and E-mail Address again by clicking the Forgot your Password? link from the Main page of this forum. If this problem persists, please contact the Administrator of the forums.

Psychic & Spiritual Development Resources
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 18 August 2003 :  04:53:35  Show Profile  Visit HuwR's Homepage
try redoing your code, I am sure you are not the first person to try this since June, so we would presumably have found out by now if it caused a problem.
Go to Top of Page

rasure
Junior Member

289 Posts

Posted - 18 August 2003 :  08:48:23  Show Profile  Visit rasure's Homepage
Not sure why that happened, I re downloaded the original snitz code and applied the update to password.asp in that one and all working ok now, thanks, sorry for the trouble

Psychic & Spiritual Development Resources
Go to Top of Page

tinem
Junior Member

Denmark
209 Posts

Posted - 19 August 2003 :  07:35:47  Show Profile  Send tinem an ICQ Message
I haven't made any bugfixes yet for 3.4.03 but have been told that this on is the most important but I can't see any explanation about what this do so how do I know if I have made the changes the right way?
And is there any other bugfixes that is of importance before I make my forum public?


This account was hacked by that very honest guy, Image. Better take care with your personal data, if you register to his forums or he will hack into your account here, as well.
Go to Top of Page

wii
Free ASP Hosts Moderator

Denmark
2632 Posts

Posted - 19 August 2003 :  15:03:24  Show Profile
tinem, just edit your file according to the first post in this topic, it will work!
Go to Top of Page

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 05 September 2003 :  19:36:14  Show Profile
fixed in v3.4.04
Go to Top of Page
  Previous Topic Topic Next Topic  
 Forum Locked  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.14 seconds. Powered By: Snitz Forums 2000 Version 3.4.07