New Security Fix, Snitz 3.4.07
Snitz Forums Admin
ruirib
Posts: 26364
There is a security related bug fix with register.asp. The issue is serious enough to compromise the security of a board. It affects version 3.4.07 only, since previous versions don't use the code with the security problem.

To fix the issue, in register.asp, replace lines #391-433:
Code:

If strAutoLogon <> 1 then
    if Request.Form("Email") = "" then
        Err_Msg = Err_Msg & "<li>You Must give an e-mail address</li>"
    else
        'Comment out down to the next comment to let it take me@example.com and/or .ex as well
        'strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & chkString(Request.Form("Email"),"sqlstring") & "'"
        'set rsSpam = my_Conn.Execute (strsql)

        'If Not rsSpam.EOF Then
        '    Err_Msg = Err_Msg & "<li>You cannot register with '" & chkString(Request.Form("Email"),"sqlstring") & "'.</li>"
        'End If

        'Dim strMailTLD : strMailTLD = LCase(Mid(Request.Form("Email"),InStrRev(Request.Form("Email"),".")))

        'strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & strMailTLD & "'"
        'set rsSpam = my_Conn.Execute (strsql)

        'If Not rsSpam.EOF Then
        '    Err_Msg = Err_Msg & "<li>You cannot register with a '" & strMailTLD & "' email address.</li>"
        'End If
        'Comment out up to the previous comment to let it take me@example.com and/or .ex as well

        ' strMailDomain is taken from the raw form value (no chkString) and is used in the
        ' query below before EmailField() has validated the address; the EmailField() check
        ' only runs at the bottom of this block.
        Dim strMailDomain : strMailDomain = LCase(Mid(Request.Form("Email"),InStrRev(Request.Form("Email"),"@")))

        strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & strMailDomain & "'"
        set rsSpam = my_Conn.Execute (strsql)

        If Not rsSpam.EOF Then
            Err_Msg = Err_Msg & "<li>You cannot register with an '" & strMailDomain & "' email address.</li>"
        End If

        rsSpam.close
        Set rsSpam = Nothing
    end if

    if Request.Form("Email") <> Request.Form("Email3") then
        Err_Msg = Err_Msg & "<li>Your E-mail Addresses didn't match.</li>"
    end if

    if EmailField(Request.Form("Email")) = 0 then
        Err_Msg = Err_Msg & "<li>You Must enter a valid e-mail address</li>"
    end if
end if
with

Code:

If strAutoLogon <> 1 Then
    ' The address is now validated with EmailField() first; the SPAM_MAIL lookup
    ' only runs for an address that passed that check.
    if EmailField(Request.Form("Email")) = 0 then
        Err_Msg = Err_Msg & "<li>You Must enter a valid e-mail address</li>"
    elseif Request.Form("Email") = "" then
        Err_Msg = Err_Msg & "<li>You Must give an e-mail address</li>"
    else
        Dim strMailDomain : strMailDomain = LCase(Mid(Request.Form("Email"),InStrRev(Request.Form("Email"),"@")))

        strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & strMailDomain & "'"
        set rsSpam = my_Conn.Execute (strsql)

        If Not rsSpam.EOF Then
            Err_Msg = Err_Msg & "<li>You cannot register with an '" & strMailDomain & "' email address.</li>"
        End If

        rsSpam.close
        Set rsSpam = Nothing
    end if

    if Request.Form("Email") <> Request.Form("Email3") then
        Err_Msg = Err_Msg & "<li>Your E-mail Addresses didn't match.</li>"
    end if
end if
For any questions about this issue, please post in the General Help, Current version forum.
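As an added illustration (this is not Snitz code or ruirib's patch), the following Python model shows what the reordering in the fix changes: in the 3.4.07 block the `@`-domain substring is spliced into the `SPAM_MAIL` query before `EmailField()` has run, so any text the user submits reaches the query string; in the patched block the validity check comes first and the lookup only runs for an address that passed it. The `SPAM_DOMAINS` rows, the `FORUM_SPAM_MAIL` table name (the page uses `strTablePrefix & "SPAM_MAIL"`), the `EMAIL_RE` stand-in for `EmailField()` and the `queries` recorder are all constructed here; the bound-parameter query in the fixed path is an extra hardening step on top of the page's reordering, not something the patch itself does.

```python
import re
import sqlite3

# Constructed blocklist standing in for the rows of the SPAM_MAIL table.
SPAM_DOMAINS = ["@mailinator.example", "@throwaway.example"]

# Constructed stand-in for Snitz's EmailField(): one '@', a dotted domain,
# and no quotes or whitespace anywhere in the address.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def email_field(email: str) -> int:
    """Returns 1 for an address that looks valid, 0 otherwise (mirrors EmailField())."""
    return 1 if EMAIL_RE.match(email) else 0


def mail_domain(email: str) -> str:
    """LCase(Mid(email, InStrRev(email, "@"))): the '@' and everything after it, lowercased."""
    return email[email.rfind("@"):].lower()


def build_spam_query_old(email: str) -> str:
    """The query exactly as the 3.4.07 ('before') block assembles it: the domain is
    spliced into the statement text with no validation and no escaping."""
    return ("SELECT SPAM_SERVER FROM FORUM_SPAM_MAIL WHERE SPAM_SERVER = '"
            + mail_domain(email) + "'")


def open_db() -> sqlite3.Connection:
    """In-memory table with the constructed blocklist rows (table name is constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FORUM_SPAM_MAIL (SPAM_SERVER TEXT)")
    conn.executemany("INSERT INTO FORUM_SPAM_MAIL VALUES (?)",
                     [(d,) for d in SPAM_DOMAINS])
    return conn


def validate_registration_fixed(conn, email: str, email3: str, queries=None):
    """Ordering from the patched block: validity check, then domain lookup, then the
    Email/Email3 match check.  The lookup binds the domain as a parameter instead of
    splicing it into the SQL text (added hardening, not part of the page's patch).
    `queries`, if given, records every statement actually sent to the database so a
    caller can confirm that a rejected address never reaches the lookup."""
    errors = []
    if email_field(email) == 0:
        errors.append("You Must enter a valid e-mail address")
    elif email == "":
        # Kept to mirror the patched block; an empty string already fails email_field().
        errors.append("You Must give an e-mail address")
    else:
        sql = "SELECT SPAM_SERVER FROM FORUM_SPAM_MAIL WHERE SPAM_SERVER = ?"
        if queries is not None:
            queries.append(sql)
        domain = mail_domain(email)
        if conn.execute(sql, (domain,)).fetchone() is not None:
            errors.append("You cannot register with an '%s' email address." % domain)
    if email != email3:
        errors.append("Your E-mail Addresses didn't match.")
    return errors


if __name__ == "__main__":
    db = open_db()
    # A constructed malformed address: in the old ordering its quote lands inside the SQL text.
    print(build_spam_query_old("bob@x.example' junk"))
    seen = []
    print(validate_registration_fixed(db, "bob@x.example' junk", "bob@x.example' junk", seen), seen)
    print(validate_registration_fixed(db, "bob@Mailinator.example", "bob@Mailinator.example"))
    print(validate_registration_fixed(db, "bob@ok.example", "bob@ok.example"))
```

The point to take from the model is the `queries` list: for the malformed address it stays empty, because the fixed ordering rejects the input before any statement is built, whereas `build_spam_query_old` shows the same input already embedded in the statement text. Snitz's other paths escape values with `chkString(..., "sqlstring")` (visible in the commented-out lines of the original block); the live domain lookup did not, which is why the order of the checks matters here.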