  1. #1
    -Ice-php (SitePoint Addict; UK; joined May 2002; 260 posts)

    Highly Unusual BUT - Testing Hacking

    Hey
    I don't know if this is appropriate for this forum, or anywhere for that matter, but I need to know if anyone could hack through my login script.
    I need to know how secure it is.
    I have made it so that their name gets MD5ed, and if they change the
    user.php?name=Different
    "Different" bit then the MD5 of the name will not be the same.

    If anyone wants to try and see if they can, the URL is http://tfolympics.com/webleague/login.php
    (the layout is not quite finished yet though).
    If you do find any bugs etc. please inform me.
    Thanks
    -Ice

  2. #2
    redemption (SitePoint Wizard; Singapore; joined Sep 2001; 5,269 posts)
    Not really hacked through, but I managed to log in with the user ID and password you have as an account there. You shouldn't have test accounts like that unless it's OK for people to mess around with them.

  3. #3
    platinum (Adelaide, Australia; joined Jun 2001; 6,441 posts)
    I managed to log in as well... you should make sure you don't have any obvious user/pass combinations still in there.

  4. #4
    -Ice-php (SitePoint Addict; UK; joined May 2002; 260 posts)
    Hey
    Did you just guess those login names/passes,
    or did you get them from somewhere?
    Also, the site is being developed at the moment, so I just use them for testing.

    Thanks
    -Ice

  5. #5
    HarryF (SitePoint Wizard; Switzerland; joined Nov 2000; 2,479 posts)
    OK - I think I'm halfway there to a real hack.

    If I enter the following in the username field:

    Code:
    ' OR 1=1 '
    Rather than telling me incorrect username/password, it tells me "an error has occurred" and, more interestingly, it gives me a URL like:

    Code:
    /webleague/user.php?name=&encryptid=d41d8cd98f00b204e9800998ecf8427e
    I'm not going to spend more time on this, but my guess is that rather than storing the username and password in session variables and re-verifying on each page, you only check against your database once and then encrypt the ID. Then if anyone has that ID, they get access to your site.

    Particularly bad is putting the encryptid in the URL - if anyone clicks on a link to another site while logged in, that URL will show up in the other site's web log. Start off by storing it in a session variable.

    Next, eliminate the storing of an ID and simply re-check the username/password for every page they view. I know it means another query, but it won't fail you.

    PS - use addslashes or mysql_real_escape_string on the incoming data to prevent that SQL injection attack I used at the start.

  6. #6
    -Ice-php (SitePoint Addict; UK; joined May 2002; 260 posts)
    What I do is:
    verify username against password on login.php;
    if they're OK then I send the pass, username and the encryptid into the database;
    on user.php I then MD5 the name and check it against encryptid, so a user can't change the name
    because they would have to get an MD5ed version of their username.
    The database just helps me pass along variables!
    This system I use, does anyone think it's an OK idea, or not very good at all?
    Thanks
    -Ice

  7. #7
    HarryF (SitePoint Wizard; Switzerland; joined Nov 2000; 2,479 posts)
    No - it's a terrible idea. For example, you just relocated to Iraq ...

    From what I discovered, your encrypt ID is a simple md5() - you haven't created your own "private key" for the encryption.

    PHP Code:
    echo ( md5(null) );
    Matches that encrypt ID I got - so now I know what you're doing.

    When using md5, insert a "private key" at least, like:

    PHP Code:
    $privateKey = 'secret';
    echo ( md5($privateKey . $valueToEncrypt) );
    Better yet is to use md5 twice...

    You've helpfully put up your player list here: http://www.tfolympics.com/webleague/...rt=0&finish=30

    That means I simply need to md5() the names there and then I've got everything I need...
    Last edited by HarryF; Mar 16, 2003 at 11:45.
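    The weakness HarryF describes in posts #5 and #7, and the two fixes the thread points at (a keyed hash, or keeping the identity in a server-side session), as an added example that is not -Ice-php's or HarryF's code. The secret, usernames and session keys are constructed.

```php
<?php
// Added example, not code from the thread. A token that is just md5($name)
// can be produced by anyone who knows a username (the player list is public),
// so it is not a credential. Two sound replacements follow.
// The secret and the usernames below are constructed values.

// The scheme from the thread: md5 of a public value.
function weak_encryptid($name) {
    return md5($name);
}

// Fix 1, HarryF's "private key" idea done properly: a keyed hash (HMAC).
// Without the server-side secret the token cannot be derived from the name.
function keyed_token($name, $secret) {
    return hash_hmac('sha256', $name, $secret);
}

// Compare in constant time so response timing does not leak the token.
function token_valid($name, $token, $secret) {
    return hash_equals(keyed_token($name, $secret), (string) $token);
}

// Fix 2, the thread's preferred design: after the password check, keep the
// identity server-side in the session; the browser only holds an opaque id.
// Call session_start() before using these.
function mark_logged_in($username) {
    session_regenerate_id(true);            // fresh id after authentication
    $_SESSION['user']     = $username;
    $_SESSION['login_ip'] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
}

function current_user() {
    return isset($_SESSION['user']) ? $_SESSION['user'] : null;
}

// Demonstration (run from the CLI).
$secret = 'CONSTRUCTED-SECRET-generate-32-bytes-with-random_bytes()';
$name   = 'alice';                          // constructed username

// The empty-name token in the thread's URL is simply md5('').
var_dump(weak_encryptid('') === 'd41d8cd98f00b204e9800998ecf8427e');

$good = keyed_token($name, $secret);
var_dump(token_valid($name, $good, $secret));               // the issued token is accepted
var_dump(token_valid($name, weak_encryptid($name), $secret)); // the forgeable md5 token is rejected
```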

  8. #8
    -Ice-php (SitePoint Addict; UK; joined May 2002; 260 posts)
    Thanks for bringing that to my attention.
    LOL about the Iraq thing.
    Funnier still - I thought my method was secure.
    Thanks again!
    -Ice

  9. #9
    Patrick Lucas (SitePoint Enthusiast; Ohio; joined Dec 2001; 77 posts)
    http://www.hudson.edu/hcsd/admin/
    Can somebody check out my login thing? I use magic_quotes and don't use md5 or sessions.

    I read in another thread that I should use addslashes()... Should I use that for every variable that gets put into a query? And then, if I ever echo it out of a database, use stripslashes()? Is that how it works? Sorry, I'm a newbie with security.
    Last edited by Patrick Lucas; Mar 16, 2003 at 21:42.
    Patrick Lucas

  10. #10
    HarryF (SitePoint Wizard; Switzerland; joined Nov 2000; 2,479 posts)
    I could get into this.

    OK - from the login system point of view, all is looking good from what I saw.

    But how about this:

    http://www.hudson.edu/hcsd/admin/main.php?section=[]

    The error message tells me where you include all your files from. The error message also tells me that the file that does the including depends on the value of $_GET['section'] to find out which subdirectory to look in - in other words, by modifying section in the URL I'm in control of what the script does.

    In the quickish look I took, this may lead to a hole where I get to do things you don't want me to, without having logged in in the first place.

    For example: http://www.hudson.edu/hcsd/admin/inc...cs&view=modify

    See what I put for section?

    In other words, you need to have an array or a switch statement which checks the value of section, e.g.:

    PHP Code:
    $sections = array ( 'news', 'hot_topics' );

    if ( in_array( $_GET['section'], $sections ) ) {
        include ( $_GET['section'] );
    }

    Otherwise, protect everything in the include directory and below with a .htaccess file or similar to deny all direct access.
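    A fuller version of the allowlist HarryF sketches above, as an added example that is not Patrick Lucas's code: the request value is only ever used as a key into a fixed map, the resolved file is checked to be inside the include directory, and unknown sections get a plain 404 instead of a PHP error that reveals paths. The section names and directory are constructed.

```php
<?php
// Added example, not code from the thread. Resolves $_GET['section'] through
// a fixed allowlist so the request can only select one of the files listed
// here, never an arbitrary local path or (with allow_url_fopen on) a remote
// URL. The section names and include directory are constructed values.

ini_set('display_errors', '0');          // never show file paths to visitors

$SECTIONS = array(                       // request value => file, nothing else
    'news'       => 'news.inc.php',
    'hot_topics' => 'hot_topics.inc.php',
);
$INCLUDE_DIR = __DIR__ . '/inc';         // constructed location

// Returns the absolute path to include, or null for an unknown section.
// The request value is used only as an array key; it never becomes part of a path.
function resolve_section($section, array $sections, $dir) {
    if (!is_string($section) || !isset($sections[$section])) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $sections[$section]);
    // Belt and braces: the resolved file must still live inside $dir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['section']) ? $_GET['section'] : 'news';
$file = resolve_section($requested, $SECTIONS, $INCLUDE_DIR);
if ($file === null) {
    header('HTTP/1.1 404 Not Found');    // a plain 404, no PHP error text
    exit('Unknown section');
}
include $file;
```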

  11. #11
    Patrick Lucas (SitePoint Enthusiast; Ohio; joined Dec 2001; 77 posts)
    Ah, thanks so much. I will change it to check the information from the URL so it won't give you a PHP error message with file paths and such.

    header.inc.php, however, isn't capable of getting any real content, thankfully.

    You mentioned that you didn't see anything wrong with the login part, but yet you "get into this one." Did you just mean that you had the ability to manipulate header.inc.php to possibly display good stuff, or did you actually fool the script into thinking you were logged in?

    Also, I found a typo in my last post. I meant to say that I USE magic_quotes and DO NOT use MD5 or sessions (cookies though) for my login script. Does that make me susceptible to SQL injections with the login?

    Anyway, I really appreciate all the time you've put into this. Thanks so much.
    Patrick Lucas

  12. #12
    HarryF (SitePoint Wizard; Switzerland; joined Nov 2000; 2,479 posts)
    Quote Originally Posted by Patrick Lucas
    Did you just mean that you had the ability to manipulate header.inc.php to possibly display good stuff, or did you actually fool the script into thinking you were logged in?
    Exactly - it may be that it wasn't possible to do anything bad with header.inc.php, but where that could become a problem is when you come to upgrade to PHP 4.3.0 - include can fetch files from a remote server...

    Quote Originally Posted by Patrick Lucas
    Also, I found a typo in my last post. I meant to say that I USE magic_quotes and DO NOT use MD5 or sessions (cookies though) for my login script. Does that make me susceptible to SQL injections with the login?
    I didn't check to see what type of cookies (session or otherwise). The question is what do you store in the cookie? If it's anything confidential, you need to be aware that this is visible to a network sniffer. PHP sessions only give the session ID to the client - data is stored on the server. If it's a shared server, other people using the server can examine the session files, but at least you're not passing passwords over the internet. The only danger then is having a session hijacked - you should store someone's IP address as they log in...

  13. #13
    redemption (SitePoint Wizard; Singapore; joined Sep 2001; 5,269 posts)
    Quote Originally Posted by -Ice-php
    Hey
    Did you just guess those login names/passes,
    or did you get them from somewhere?
    Also, the site is being developed at the moment, so I just use them for testing.

    Thanks
    I logged in with a user ID and password that I often use for testing. It so happened that it was an actual account. It was user ID 'test'. You should change the password for that account if it's important.

  14. #14
    -Ice-php (SitePoint Addict; UK; joined May 2002; 260 posts)
    I don't think much damage can be done at the moment because it's only at the test stage,
    but the users will choose their own user ID and pass, so that won't be my problem when it comes to that :S
    Thanks a lot guys
    -Ice

  15. #15
    jamesbond (SitePoint Addict; The Netherlands; joined Feb 2001; 256 posts)
    Quote Originally Posted by HarryF
    PS - use addslashes or mysql_real_escape_string on the incoming data to prevent that SQL injection attack I used at the start.
    I thought that when you have magic_quotes_gpc enabled you don't need to use the addslashes function or mysql_real_escape_string anymore to prevent these SQL injections, since $_GET and $_POST input is automatically escaped in that case. Is this correct?

  16. #16
    DR_LaRRY_PEpPeR (Making a better wheel; Missouri; joined Jul 2001; 3,428 posts)
    Yes, but magic_quotes_gpc sucks and should be turned off by default (it probably will be in the future; thank God!). When things need to be escaped, you should use addslashes() or such yourself, not have it done "for you." (Of course you don't want to use addslashes() when magic_quotes_gpc is on, because you'll add too many slashes. That's why I recommend putting code in a common include file to "turn off" magic_quotes_gpc if it's on.)

    magic_quotes_gpc is the stupidest thing. Why in the world is it assumed that any GET/POST/COOKIE data is going to be used in a query?! If you simply have a page for someone to enter their name and show it to them on the next page, magic_quotes_gpc will screw up the display of any name with ' in it, such as: John O'Connor

    That is absolutely wrong, and why magic_quotes_gpc sucks and is stupid.
    - Matt ** Ignore old signature for now... **
    Dr.BB - Highly optimized to be 2-3x faster than the "Big 3."
    "Do not enclose numeric values in quotes -- that is very non-standard and will only work on MySQL." - MattR

  17. #17
    jamesbond (SitePoint Addict; The Netherlands; joined Feb 2001; 256 posts)
    Quote Originally Posted by DR_LaRRY_PEpPeR
    Yes, but magic_quotes_gpc sucks and should be turned off by default (it probably will be in the future; thank God!). When things need to be escaped, you should use addslashes() or such yourself, not have it done "for you." (Of course you don't want to use addslashes() when magic_quotes_gpc is on, because you'll add too many slashes. That's why I recommend putting code in a common include file to "turn off" magic_quotes_gpc if it's on.)

    magic_quotes_gpc is the stupidest thing. Why in the world is it assumed that any GET/POST/COOKIE data is going to be used in a query?! If you simply have a page for someone to enter their name and show it to them on the next page, magic_quotes_gpc will screw up the display of any name with ' in it, such as: John O'Connor

    That is absolutely wrong, and why magic_quotes_gpc sucks and is stupid.
    Now that's a clear explanation.
    Thanks!

    P.S. in defense of magic_quotes_gpc, I must say that I've not often had to use stripslashes() to remove slashes added by magic_quotes_gpc, but I agree with what you're saying.
    Last edited by jamesbond; Mar 30, 2003 at 18:06.

  18. #18
    DR_LaRRY_PEpPeR (Making a better wheel; Missouri; joined Jul 2001; 3,428 posts)
    Really? Cool. BTW, the code to strip magic_quotes if it's on is in my PHP and MySQL coding tips thread, under the magic_quotes, addslashes() and stripslashes() section. Then you just need to use addslashes() yourself before using GET/POST/COOKIE data in queries.
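    The two halves of the escaping discussion in one place, as an added example that is not DR_LaRRY_PEpPeR's or HarryF's code: undoing magic_quotes_gpc so request data is the raw text the user typed (the "John O'Connor" display problem from post #16), and then keeping that text out of the SQL string. Binding it as a parameter is used here in place of the addslashes() / mysql_real_escape_string() calls the thread recommends, since mysql_real_escape_string() no longer exists in current PHP. Table and column names and the sample row are constructed.

```php
<?php
// Added example, not code from the thread. Step 1: strip the slashes
// magic_quotes_gpc added, if a host still has it on. Step 2: use the raw
// value as a bound parameter so it can never change the query's structure.
// Table/column names and the sample data are constructed.

// Recursively remove the slashes magic_quotes_gpc added to GET/POST/COOKIE.
function strip_magic_quotes(array $data) {
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? strip_magic_quotes($value) : stripslashes($value);
    }
    return $data;
}

// Only strip when the setting is really on. The setting went away in PHP 5.4
// and the function in PHP 8, so this guard makes the block a no-op there.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Login lookup with a bound parameter. The value from the thread's test,
// ' OR 1=1 ', is compared literally as a username and cannot alter the WHERE.
function find_user(PDO $db, $username) {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape for the context being written to, at output time: HTML here, SQL
// above. The apostrophe in the name survives untouched.
function show_name($name) {
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Demonstration with an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$db->exec("INSERT INTO users (username, password_hash) VALUES ('test', 'placeholder-hash')");
var_dump(find_user($db, 'test') !== null);   // the real account is found
var_dump(find_user($db, "' OR 1=1 '"));      // no row has that literal username
echo show_name("John O'Connor"), "\n";
```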

