Ravens PHP Scripts: Forums
pnclthnmstsh

Posted: Thu Aug 17, 2006 7:58 pm

I'm building a couple of mods that I'm designing to be forum hacks. In other words the php files are put in the modules/Forums folder. The standard security scripts to make sure folks need to be logged in to access the file thru the site are working fine but I just found out that if you send someone the link they can access the file just fine without being logged in. As well, the script allows for comments to be put in and displayed thru a following link after submitting the information.

I was under the assumption that this piece of script


Code:


$user_id = $userdata['user_id'];
if (!$userdata['session_logged_in'] && $user_id == ANONYMOUS)
{
   $header_location = ( @preg_match("/Microsoft|WebSTAR|Xitami/", getenv("SERVER_SOFTWARE")) ) ? "Refresh: 0; URL=" : "Location: ";
   header($header_location . append_sid("login.$phpEx?redirect=course.$phpEx", true));
   exit;
}

Would force users to log in to access the script..to an extent it does but only if the user doesn't have a cookie set.

Since the code above is the standard script to stop unregistered users from accessing a file it seems to me that there's a flaw that someone could register...get the link...send the link to themselves and then enter malicious data into the comments field to do whatever they want.

The other problem is...my hack autodetects a member's username for entry into the database. So thru a direct link (i.e. if I pasted it here), if you have a cookie set from my site you will be allowed to post the submission of your comment, and nuke will find your cookie and IP and allow you to enter data to the database without being logged in.

Since I'm using standard nuke/phpbb security this is not only a hassle for me to delete entries that have a blank entry for a username but it also opens up a hole for malicious attacks to the database. And it seems to be a flaw in any phpbb hack or mod that the php file is in modules/Forums.

I hope this makes sense because I'd like to fix the possibility for non logged in members to be able to access the file completely..even with a cookie set.

Thanks for any comments and if you need more details please PM me.

kguske

Posted: Thu Aug 17, 2006 8:42 pm

A little confusing, but I think the answer to prevent malicious code, whether or not a user is logged in, is to use the standard Nuke approach for accessing data. That sends the SQL through NukeSentinel at least. If you're using your own DB connections, you're asking for all kinds of problems, IMHO.

pnclthnmstsh

Posted: Thu Aug 17, 2006 8:57 pm

Thank you for the response, but since this is a file I've installed in modules/Forums I assumed it would follow nuke rules (I do have Sentinel installed and working fine...it has stopped every hack attempt to date). Here's the beginning of my file up to where the engine goes to work:

Code:


<?php
/*
Daily Tourney by PTM
*/

// standard hack prevent

if (!eregi("modules.php", $PHP_SELF)) {
    die ("You can't access this file directly...");
}


define('IN_PHPBB', true);

$phpbb_root_path = 'modules/Forums/';
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);
include('header.php');

// standard session management
$userdata = session_pagestart($user_ip, PAGE_INDEX, $nukeuser);
init_userprefs($userdata);

 // Make sure the player is registered
$user_id = $userdata['user_id'];
if (!$userdata['session_logged_in'] && $user_id == ANONYMOUS)
{
   $header_location = ( @preg_match("/Microsoft|WebSTAR|Xitami/", getenv("SERVER_SOFTWARE")) ) ? "Refresh: 0; URL=" : "Location: ";
   header($header_location . append_sid("login.$phpEx?redirect=daily.$phpEx", true));
   exit;
}


That basic script seems to precede all modules/Forums files that require security so this is the extent of my knowledge to secure that type of file.
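
A deny-by-default form of the gate discussed in this thread, as an added example (not code from either poster, from phpBB or from PHP-Nuke): the write is refused unless the session is logged in and bound to a real account, and the stored username is taken from the session record rather than from the request. `check_submission`, `EXAMPLE_ANONYMOUS`, `MAX_COMMENT_LEN` and the sample arrays are hypothetical; the `$userdata` keys follow the ones used in the posts above.

```php
<?php
// Added example, not code from the thread. $userdata imitates the array that
// session_pagestart() returns in the posts above; every value is constructed.
const EXAMPLE_ANONYMOUS = 1;   // assumed stand-in for the ANONYMOUS constant
const MAX_COMMENT_LEN   = 500; // hypothetical limit

// Returns ['ok' => bool, 'reason' => string, 'row' => array|null].
function check_submission(array $userdata, array $post): array
{
    // Deny unless the session is logged in AND bound to a real account.
    $logged_in = !empty($userdata['session_logged_in']);
    $user_id   = (int) ($userdata['user_id'] ?? EXAMPLE_ANONYMOUS);
    if (!$logged_in || $user_id === EXAMPLE_ANONYMOUS) {
        return ['ok' => false, 'reason' => 'login required', 'row' => null];
    }
    // The username comes from the session record, never from the request,
    // so a blank or forged name cannot reach the table.
    $username = trim((string) ($userdata['username'] ?? ''));
    if ($username === '') {
        return ['ok' => false, 'reason' => 'no username in session', 'row' => null];
    }
    $comment = trim((string) ($post['comment'] ?? ''));
    if ($comment === '' || strlen($comment) > MAX_COMMENT_LEN) {
        return ['ok' => false, 'reason' => 'comment empty or too long', 'row' => null];
    }
    // 'comment' is the raw text to hand to the site's DB layer (escaped or
    // bound there); 'display' is the HTML-encoded form for the results page.
    return ['ok' => true, 'reason' => '', 'row' => [
        'user_id'  => $user_id,
        'username' => $username,
        'comment'  => $comment,
        'display'  => htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'),
    ]];
}

// Constructed test cases: [session data, request data].
$cases = [
    'anonymous visitor' => [['session_logged_in' => 0, 'user_id' => 1], ['comment' => 'hi']],
    'flag set, anon id' => [['session_logged_in' => 1, 'user_id' => 1], ['comment' => 'hi']],
    'blank username'    => [['session_logged_in' => 1, 'user_id' => 7, 'username' => ''], ['comment' => 'hi']],
    'valid member'      => [['session_logged_in' => 1, 'user_id' => 7, 'username' => 'player7'],
                            ['comment' => '<b>good game</b>', 'username' => 'spoofed']],
];
foreach ($cases as $label => [$session, $request]) {
    $result = check_submission($session, $request);
    printf("%-18s %s\n", $label, $result['ok'] ? 'accept as ' . $result['row']['username'] : 'reject: ' . $result['reason']);
}
```

The same check belongs in the script that handles the form submission as well as the one that displays the form, since a direct link can reach either.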
 