Snitz Forums 2000
 Announcements: Security Related Bug Fixes
 New Security Fix, Snitz 3.4.07

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 29 July 2009 :  07:05:37
There is a security related bug fix with register.asp. The issue is serious enough to compromise the security of a board. It affects version 3.4.07 only, since previous versions don't use the code with the security problem.

To fix the issue, in register.asp, replace lines #391-433:

		If strAutoLogon <> 1 then
			if Request.Form("Email") = "" then
				Err_Msg = Err_Msg & "<li>You Must give an e-mail address</li>"
			else
				'Comment out down to the next comment to let it take me@example.com and/or .ex as well
				'strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & chkString(Request.Form("Email"),"sqlstring") & "'"
				'set rsSpam = my_Conn.Execute (strsql)
				
				'If Not rsSpam.EOF Then
				'	Err_Msg = Err_Msg & "<li>You cannot register with '" & chkString(Request.Form("Email"),"sqlstring") & "'.</li>"
				'End If 
				
				'Dim strMailTLD : strMailTLD = LCase(Mid(Request.Form("Email"),InStrRev(Request.Form("Email"),".")))
				
				'strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & strMailTLD & "'"
				'set rsSpam = my_Conn.Execute (strsql)
				
				'If Not rsSpam.EOF Then
				'	Err_Msg = Err_Msg & "<li>You cannot register with a '" & strMailTLD & "' email address.</li>"
				'End If 
				'Comment out up to the previous comment to let it take me@example.com and/or .ex as well
				
				Dim strMailDomain : strMailDomain = LCase(Mid(Request.Form("Email"),InStrRev(Request.Form("Email"),"@")))
				
				strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & strMailDomain & "'"
				set rsSpam = my_Conn.Execute (strsql)
				
				If Not rsSpam.EOF Then
					Err_Msg = Err_Msg & "<li>You cannot register with an '" & strMailDomain & "' email address.</li>"
				End If 
				
				rsSpam.close
				Set rsSpam = Nothing
			end if
			
			if Request.Form("Email") <> Request.Form("Email3") then
				Err_Msg = Err_Msg & "<li>Your E-mail Addresses didn't match.</li>"
			end if

			if EmailField(Request.Form("Email")) = 0 then 
				Err_Msg = Err_Msg & "<li>You Must enter a valid e-mail address</li>"
			end if
		end if

with


		If strAutoLogon <> 1 Then
			if EmailField(Request.Form("Email")) = 0 then 
				Err_Msg = Err_Msg & "<li>You Must enter a valid e-mail address</li>"
			elseif Request.Form("Email") = "" then
				Err_Msg = Err_Msg & "<li>You Must give an e-mail address</li>"
			else				
				Dim strMailDomain : strMailDomain = LCase(Mid(Request.Form("Email"),InStrRev(Request.Form("Email"),"@")))
				
				strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & strMailDomain & "'"
				set rsSpam = my_Conn.Execute (strsql)
				
				If Not rsSpam.EOF Then
					Err_Msg = Err_Msg & "<li>You cannot register with an '" & strMailDomain & "' email address.</li>"
				End If 
				
				rsSpam.close
				Set rsSpam = Nothing
			end if
			
			if Request.Form("Email") <> Request.Form("Email3") then
				Err_Msg = Err_Msg & "<li>Your E-mail Addresses didn't match.</li>"
			end if


		end if

If you have any questions about this issue, please post in the General Help, Current version forum.


Snitz 3.4 Readme | Like the support? Support Snitz too
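What the replacement block changes is the order of the checks: EmailField() now heads the If/ElseIf chain, so the SPAM_MAIL query is only ever built from an address that has already passed format validation. In the 3.4.07 ordering the unchecked value of strMailDomain is concatenated into the SQL statement first, and EmailField() runs only afterwards. The following Python model, added here and not part of ruirib's post or of the Snitz code, runs both orderings against an in-memory SPAM_MAIL table and counts how many lookups each one executes for a given input. The EmailField() stand-in regex, the "FORUM_" table prefix and the blocked-domain rows are assumptions; the lookup is also bound as a parameter rather than concatenated, which is the extra hardening a reviewer would ask for on top of the reordering.

```python
import re
import sqlite3

# Constructed sample block list standing in for rows of the SPAM_MAIL table.
# These are not Snitz data; the "FORUM_" prefix is an assumed strTablePrefix.
TABLE_PREFIX = "FORUM_"
BLOCKED_DOMAINS = ["@mailinator.example", "@spam.example"]


def email_field_ok(addr):
    """Stand-in for Snitz's EmailField(): True when the address looks
    well-formed. The exact regex is an assumption, not Snitz's own check."""
    pattern = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"
    return re.fullmatch(pattern, addr) is not None


def mail_domain(addr):
    """Python equivalent of LCase(Mid(addr, InStrRev(addr, "@"))).
    VBScript's Mid() with a start of 0 raises an error when no '@' is
    present; an empty string is returned here so both orderings can run."""
    at = addr.rfind("@")
    return addr[at:].lower() if at >= 0 else ""


class SpamMailTable:
    """In-memory SPAM_MAIL table that counts how many lookups were executed."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(f"CREATE TABLE {TABLE_PREFIX}SPAM_MAIL (SPAM_SERVER TEXT)")
        self.conn.executemany(
            f"INSERT INTO {TABLE_PREFIX}SPAM_MAIL (SPAM_SERVER) VALUES (?)",
            [(d,) for d in BLOCKED_DOMAINS],
        )
        self.queries_run = 0

    def is_blocked(self, domain):
        # Parameterised lookup. The original ASP concatenates strMailDomain
        # into the statement text; binding it is the added hardening.
        self.queries_run += 1
        row = self.conn.execute(
            f"SELECT SPAM_SERVER FROM {TABLE_PREFIX}SPAM_MAIL WHERE SPAM_SERVER = ?",
            (domain,),
        ).fetchone()
        return row is not None


def validate_3407(email, table):
    """Ordering of the original lines 391-433: the domain lookup runs
    before EmailField() has accepted the address."""
    errors = []
    if email == "":
        errors.append("You Must give an e-mail address")
    elif table.is_blocked(mail_domain(email)):
        errors.append(f"You cannot register with an '{mail_domain(email)}' email address.")
    if not email_field_ok(email):
        errors.append("You Must enter a valid e-mail address")
    return errors


def validate_fixed(email, table):
    """Ordering of the replacement block: EmailField() gates the chain,
    so only an address it accepted ever reaches the SQL statement."""
    errors = []
    if not email_field_ok(email):
        errors.append("You Must enter a valid e-mail address")
    elif email == "":
        # Kept for fidelity with the patch; "" already fails the format check.
        errors.append("You Must give an e-mail address")
    elif table.is_blocked(mail_domain(email)):
        errors.append(f"You cannot register with an '{mail_domain(email)}' email address.")
    return errors


def compare(email):
    """Run both orderings on one input.
    Returns (queries_before_fix, queries_after_fix, errors_after_fix)."""
    before, after = SpamMailTable(), SpamMailTable()
    validate_3407(email, before)
    errs = validate_fixed(email, after)
    return before.queries_run, after.queries_run, errs


if __name__ == "__main__":
    for sample in ["user@ok.example", "user@spam.example", "no-at-sign-here"]:
        print(sample, compare(sample))
```

For a malformed address the 3.4.07 ordering still executes the lookup (one query) before rejecting the input, while the fixed ordering rejects it with zero queries; for well-formed addresses both orderings behave identically, which is why the patch is a pure reordering with no visible change for legitimate registrations.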
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page