New Security Fix, 1st December 2007

Snitz™ Forums 2000
https://forum.snitz.com/forumTopic/Posts/66005?pagenum=1
04 November 2025, 05:02

Topic

ruirib
New Security Fix, 1st December 2007
04 December 2007, 09:17


There is a security related bug fix with active.asp. This is a serious fix that can allow someone to achieve admin role in a forum.

To addthe fix, in active.,asp, where you now have, in lines#123-130:

Code:


if Request.Form("AllRead") = "Y" then
	'## The redundant line below is necessary, don't delete it.
	Session(strCookieURL & "last_here_date") = Request.Form("BuildTime")
	Session(strCookieURL & "last_here_date") = Request.Form("BuildTime")
	lastDate = Session(strCookieURL & "last_here_date")
	UpdateLastHereDate Request.Form("BuildTime"),strDBNTUserName
	ActiveSince = ""
end if

Replace them by

Code:

if Request.Form("AllRead") = "Y" then
	lastDate = Request.Form("BuildTime")

    If Not isValidForumDateString(lastDate) Then
        lastDate = DatetoStr(strForumTimeAdjust)
    End If

    '## The redundant line below is necessary, don't delete it.
    Session(strCookieURL & "last_here_date") = lastDate
    Session(strCookieURL & "last_here_date") = lastDate
    UpdateLastHereDate lastDate,strDBNTUserName
    ActiveSince = ""
end if
Then, in inc_func_common.asp, replace the code for the UpdateLastHereDate function (starting around line# 575) by the two functions below:
Code:

[code]
function UpdateLastHereDate(fTime,UserName)
	UserIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
	If UserIPAddress = "" or Left(UserIPAddress, 7) = "unknown" Then
		UserIPAddress = Request.ServerVariables("REMOTE_ADDR")
	ElseIf InStr(UserIPAddress, ",") > 0 Then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ",")-1)
	ElseIf InStr(UserIPAddress, ";") > 0 Then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ";")-1)
	End If
	If InStr(UserIPAddress, ":") > 0 then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ":")-1)
	End If
	
	If Not isValidForumDateString(fTime) Then
		fTime = DateToStr(strForumTimeAdjust)
	End If
	
	'## Forum_SQL - Do DB Update
	strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
	strSql = strSql & " SET M_LASTHEREDATE = '" & fTime & "'"
	strSql = strSql & ",    M_LAST_IP = '" & UserIPAddress & "'"
	strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(UserName, "SQLString") & "' "
 
	my_conn.Execute (strSql),,adCmdText + adExecuteNoRecords
end function


function isValidForumDateString(fDate)
	
	set regEx = New RegExp
	regEx.Global = true
	regEx.Pattern = "^[123][0-9]{13}$"

	retVal = regEx.Test(fDate)

	set regEx = nothing

	if Not retVal Then
           isValidForumDateString = false
	Else
           isValidForumDateString = true
	end if

end function

Fix updated by ruirib - 8th April, 2008<

 

Replies ...

gary b
04 December 2007, 18:44


ruirib...
Snitz forum is available for download as a ZIP file. Is it standard procedure to modify this ZIP file so that all downloads (from then on) are up-to-date with bug fixes?
And thanks for the "Don't be dumb... subscribe to this forum" reminder!

blush
gary b
<
ruirib
04 December 2007, 18:53


It's not standard procedure to update the zip file with bug fixes. Usually the zip is updated only when a new version is released. However, given the seriousness of this flaw, we've already updated the zip file. If you download it, just make sure the date for active.asp is 2007-12-04.<
gary b
04 December 2007, 19:10


Thank you, sir... and I already made the code changes!

gary b
<
philsbbs
04 December 2007, 19:11


Thank you for posting a solution RuiRib.
What would we do without you.<
gpspassion
04 December 2007, 19:24


Yes, thanks, got hit tonight, now I'm subscribed here !<
telecomputers
04 December 2007, 22:04


Isn't there some way we could put the bug fix announcements into a separate forum?

I really appreciate getting the heads up when a bug fix is announced by subscribing to the board but really find it annoying to get a bunch more email notifications after the fact - every time someone says thank you or asks a question.

One post for the bug fix in a single closed board with all bug fixes would seem to be the way to go. Then discussion can take place in a separate forum - for those interested in that side of the conversation.

Thanks in advance for considering this -
<
gary b
04 December 2007, 22:52


Good idea... Admin/Moderators can unlock to make new post... then locked so no replies. I like it.<
ruirib
05 December 2007, 02:31


If you need help with this issue, please post it here: http://forum.snitz.com/forum/topic.asp?whichpage=1&TOPIC_ID=66003<
ruirib
08 April 2008, 10:27


The fix code was updated to avoid problems in some forums, in which members.asp is broken when an hack attempt is made, trying to exploit the security issue that this fix solves.<
HuwR
25 April 2008, 13:23


If you do have a problem with a broken members.asp page, you should do the following

1) Log in as Admin and go to Admin Options, then select (Alternate MOD Setup)

2) paste the following code into the box

[UPDATE] MEMBERS
M_LASTHEREDATE#'20080414000000'#MEMBER_ID = IDOFDODGYUSER
[END]
Replace IDOFDODGYUSER with the id of the last user displayed in the broken list, this will be the attempted hacker.
The date/time is stored as a string, in YYYYMMDDHHMMSS format, just use the current date (example shows 14 April 2008)

3) press the submit button to and it should sort out the problem<
© 2000-2021 Snitz™ Communications