New Security Fix, 1st December 2007 - Posted (31751 Views)
ruirib
Snitz Forums Admin
ruirib
Posts: 26364
26364
There is a security related bug fix with active.asp. This is a serious fix that can allow someone to achieve admin role in a forum.

To addthe fix, in active.,asp, where you now have, in lines#123-130:

Code:


if Request.Form("AllRead") = "Y" then
	'## The redundant line below is necessary, don't delete it.
	Session(strCookieURL & "last_here_date") = Request.Form("BuildTime")
	Session(strCookieURL & "last_here_date") = Request.Form("BuildTime")
	lastDate = Session(strCookieURL & "last_here_date")
	UpdateLastHereDate Request.Form("BuildTime"),strDBNTUserName
	ActiveSince = ""
end if

Replace them by

Code:

if Request.Form("AllRead") = "Y" then
	lastDate = Request.Form("BuildTime")

    If Not isValidForumDateString(lastDate) Then
        lastDate = DatetoStr(strForumTimeAdjust)
    End If

    '## The redundant line below is necessary, don't delete it.
    Session(strCookieURL & "last_here_date") = lastDate
    Session(strCookieURL & "last_here_date") = lastDate
    UpdateLastHereDate lastDate,strDBNTUserName
    ActiveSince = ""
end if
Then, in inc_func_common.asp, replace the code for the UpdateLastHereDate function (starting around line# 575) by the two functions below:
Code:

[code]
function UpdateLastHereDate(fTime,UserName)
	UserIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
	If UserIPAddress = "" or Left(UserIPAddress, 7) = "unknown" Then
		UserIPAddress = Request.ServerVariables("REMOTE_ADDR")
	ElseIf InStr(UserIPAddress, ",") > 0 Then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ",")-1)
	ElseIf InStr(UserIPAddress, ";") > 0 Then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ";")-1)
	End If
	If InStr(UserIPAddress, ":") > 0 then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ":")-1)
	End If
	
	If Not isValidForumDateString(fTime) Then
		fTime = DateToStr(strForumTimeAdjust)
	End If
	
	'## Forum_SQL - Do DB Update
	strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
	strSql = strSql & " SET M_LASTHEREDATE = '" & fTime & "'"
	strSql = strSql & ",    M_LAST_IP = '" & UserIPAddress & "'"
	strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(UserName, "SQLString") & "' "
 
	my_conn.Execute (strSql),,adCmdText + adExecuteNoRecords
end function


function isValidForumDateString(fDate)
	
	set regEx = New RegExp
	regEx.Global = true
	regEx.Pattern = "^[123][0-9]{13}$"

	retVal = regEx.Test(fDate)

	set regEx = nothing

	if Not retVal Then
           isValidForumDateString = false
	Else
           isValidForumDateString = true
	end if

end function

Fix updated by ruirib - 8th April, 2008<
Snitz 3.4 Readme | Like the support? Support Snitz too
 Sort direction, for dates DESC means newest first  
 Page size 
Posted
gary b
Junior Member
gary b
Posts: 267
267
ruirib...
Snitz forum is available for download as a ZIP file. Is it standard procedure to modify this ZIP file so that all downloads (from then on) are up-to-date with bug fixes?
And thanks for the "Don't be dumb... subscribe to this forum" reminder!

blush
gary b
<
Posted
ruirib
Snitz Forums Admin
ruirib
Posts: 26364
26364
It's not standard procedure to update the zip file with bug fixes. Usually the zip is updated only when a new version is released. However, given the seriousness of this flaw, we've already updated the zip file. If you download it, just make sure the date for active.asp is 2007-12-04.<
Snitz 3.4 Readme | Like the support? Support Snitz too
Posted
gary b
Junior Member
gary b
Posts: 267
267
Thank you, sir... and I already made the code changes!

gary b
<
Posted
philsbbs
Member Locked
philsbbs
Posts: 397
397
Thank you for posting a solution RuiRib.
What would we do without you.<
Phil
Posted
gpspassion
Junior Member
gpspassion
Posts: 260
260
Yes, thanks, got hit tonight, now I'm subscribed here !<
Posted
telecomputers
Starting Member
telecomputers
Posts: 28
28
Isn't there some way we could put the bug fix announcements into a separate forum?

I really appreciate getting the heads up when a bug fix is announced by subscribing to the board but really find it annoying to get a bunch more email notifications after the fact - every time someone says thank you or asks a question.

One post for the bug fix in a single closed board with all bug fixes would seem to be the way to go. Then discussion can take place in a separate forum - for those interested in that side of the conversation.

Thanks in advance for considering this -
<
j.squires
Posted
gary b
Junior Member
gary b
Posts: 267
267
Good idea... Admin/Moderators can unlock to make new post... then locked so no replies. I like it.<
Posted
ruirib
Snitz Forums Admin
ruirib
Posts: 26364
26364
If you need help with this issue, please post it here: http://forum.snitz.com/forum/topic.asp?whichpage=1&TOPIC_ID=66003<
Snitz 3.4 Readme | Like the support? Support Snitz too
Posted
ruirib
Snitz Forums Admin
ruirib
Posts: 26364
26364
The fix code was updated to avoid problems in some forums, in which members.asp is broken when an hack attempt is made, trying to exploit the security issue that this fix solves.<
Snitz 3.4 Readme | Like the support? Support Snitz too
Posted
HuwR
Forum Admin
HuwR
Posts: 20611
20611
If you do have a problem with a broken members.asp page, you should do the following

1) Log in as Admin and go to Admin Options, then select (Alternate MOD Setup)

2) paste the following code into the box

[UPDATE] MEMBERS
M_LASTHEREDATE#'20080414000000'#MEMBER_ID = IDOFDODGYUSER
[END]
Replace IDOFDODGYUSER with the id of the last user displayed in the broken list, this will be the attempted hacker.
The date/time is stored as a string, in YYYYMMDDHHMMSS format, just use the current date (example shows 14 April 2008)

3) press the submit button to and it should sort out the problem<