Ethical Hacking

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Ethical Hacking

Post by Charles256 »

We got any of those in here? Slightly curious if my login script is secure and well wanted to know if anyone was interested in giving it a go. :-D Let me know if you are, either PM me or post in here and I'll PM you with the site. :-D I'd post the link in here but don't want it to be seen as advertising or anything like that.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Read this thread as to why we cannot do that.

Edit: Forgot to post link :wink:
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

Now that, my friends, is communism at its best... okay... anyone willing to read through 500 lines of code to look for security holes? LOL. I've looked myself, but second opinions never hurt. :)
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

500 lines of code for a login validation....?

Why not post your login code here and then list some concerns you may have.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Post a link to your source code (don't post the code itself on forums, it's hard to read when it's 30+ lines or so), maybe there're enthusiasts, who knows.
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

It's actually login/registration :-D and when I get home I'll post the code on a site and color it pretty and everything so it's easy to read :-D
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Roja wrote:Any attempts across network is against both US law and international law.
Charles256 wrote: Now that, my friends, is communism at its best...
How is this communism..
Charles256 wrote: It's actually login/registration :-D and when I get home I'll post the code on a site and color it pretty and everything so it's easy to read :-D
Post it here using [code] tags
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

They're taking away my right to ask for someone to hack me? :-D It should be my choice! That, and I use the word communism whenever I am frustrated.. :-D
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

here is the registration page

Post by Charles256 »

Code:

Please enter all of the requested information. The names of required fields are shown in 
	<font color="#FF0000"> red </font>. All other fields are optional. All users will have to be 
	approved before they can login. When you are approved an e-mail will be sent to you with your username
	and password.  <br>
	<Br>
	<form method="post" action="http://www.chalkheadbaptist.com/index.php?page=members&register=yes&procregister=yes">
	<table>
		<tr>
			<td>
				<font color="#FF0000">Username</font>:</td>
			<td>
				<input type="text" name="username" value="<?php echo ("$username") ?>">
			</td>
	    	<td><font color="#990099">&nbsp;<?php echo ($usernamee) ?>
			</font></td>
		</tr>
		<tr>
			<td>
				<font color="#FF0000">Password</font>:</td>
			<td>
				<input type="password" name="password" value="<?php echo($password) ?>">
			</td>
	    	<td><font color="#990099">&nbsp; <? echo ($passworde) ?>
			</font></td>
		</tr>
		<tr>
			<td>
				<font color="#FF0000">First Name</font>:
			</td>
			<td>
				<input type="text" name="fname" value="<?php echo($fname) ?>">
			</td>
	    	<td><font color="#990099">&nbsp;<? echo ($fnamee) ?>
			</font></td>
		</tr>
		<tr>
			<td>
				<font color="#FF0000">Last Name</font>:
			</td>
			<td>
				<input type="text" name="lname" value="<?php echo($lname) ?>">
			</td>
	    	<td><font color="#990099">&nbsp; <? echo ($lnamee) ?>
			</font></td>
		</tr>
		<tr>
			<td>
				<font color="#FF0000">E-Mail Address</font>:
			</td>
			<td>
				<input type="text" name="email" value="<?php echo($email) ?>">
			</td>
			<td> <font color="#990099"><?php echo ($emaile) ?>
			</font></td>
		</tr>
		<tr>
			<td>
				<font color="#FF0000">Birthday</font>:
			</td>
			<td>
				<select name="day">
			<?php
		if ($day!='')
		{
			$i=1;
			while ($i<13)
			{
				echo ("<option value='$i'");
				if ($day==$i)
				{
					echo (" selected");
				}
				echo (">$i");
				$i++;
			}
		}
		else
		{
				$i=1;
					while ($i<13)
					{
						echo ("<option value='$i'>$i");
						$i++;
					}
		}
		?>
		</select>
		<select name="month">
		<?php
		if ($month!='')
		{
			$i=1;
			while ($i<33)
			{
				echo ("<option value='$i'");
				if ($month==$i)
				{
					echo (" selected");
				}
				echo (">$i");
				$i++;
			}
		}
		else
		{
			$i=1;
			while ($i<33)
			{
				echo ("<option value='$i'>$i");
				$i++;
			}
		}
		?>
		</select>
		<select name="year">
		<?php
		if ($year!='')
		{
			$i=1900;
			while ($i<2005)
			{
				echo ("<option value='$i'");
				if ($year==$i)
				{
					echo (" selected");
				}
				echo (">$i");
				$i++;
			}
		}
		else
		{
			$i=1900;
			while ($i<2005)
			{
				echo ("<option value='$i'>$i");
				$i++;
			}
		}
		?>
		</select>
		</td>
	    <td>&nbsp;</td>
	</tr>
	<tr>
		<td>
			<font color="#FF0000">Are you married?
	    	</font></td>
		<td>
		<?php
		if ($married!='')
		{
			echo ("<input type='radio' name='married' value='$married' checked>$married");
		}
		else
		{
		?>
			<input type="radio" name="married" value="yes">Yes
			<br>
			<input type="radio" name="married" value="no" checked>No
		<?php
		}
		?>
		</td>
	    <td>&nbsp;</td>
	</tr>
	<tr>
		<td>
		When were you married?
		</td>
		
		<td>
		<select name="mday">
		<?php
		if ($mday!='')
		{
			$i=1;
			while ($i<13)
			{
				echo ("<option value='$i'");
				if ($mday==$i)
				{
					echo (" selected");
				}
				echo (">$i");
				$i++;
			}
		}
		else
		{
			$i=1;
			while ($i<13)
			{
				echo ("<option value='$i'>$i");
				$i++;
			}
		}
		?>
		</select>
		<select name="mmonth">
		<?php
		if ($mmonth!='')
		{
			$i=1;
			while ($i<33)
			{
				echo ("<option value='$i'");
				if ($mmonth==$i)
				{
					echo (" selected");
				}
				echo (">$i");
				$i++;
			}
		}
		else
		{
			$i=1;
			while ($i<33)
			{
				echo ("<option value='$i'>$i");
				$i++;
			}
		}
		?>
		</select>
		<select name="myear">
		<?php
		if ($myear!='')
		{
			$i=1900;
			while ($i<2005)
			{
				echo ("<option value='$i'");
				if ($myear==$i)
				{
					echo (" selected");
				}
				echo (">$i");
				$i++;
			}
		}
		else
		{
			$i=1900;
			while ($i<2005)
			{
				echo ("<option value='$i'>$i");
				$i++;
			}
		}
		?>
		</select>
		</td>
	    <td>&nbsp;</td>
	</tr>
	<tr>
		<td align="right">
		<input type="submit" name="register" value="register">
		</td>
	</tr>
</table>
</form>
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

the login page

Post by Charles256 »

Code:

Welcome. Below enter the user name and password you registered with.

	<form name="login" action="index.php?page=members&testing=true" method="post">
	<table>
		<tr>
			<td>
				Username:
			</td>
			<td>
				<input type="text" name="username">
			</td>
		</tr>
		<tr>
			<td>
				Password:
			</td>
			<td>
				<input type="password" name="password">
			</td>
		</tr>
		<tr>
			<td>
				<input type="submit" name="login" value="login">
			</td>
		</tr>
	</table>
	</form>
	<table border="1" bordercolor="#000000">
		<tr>
			<td>
		  		<a href="http://www.chalkheadbaptist.com/index.php?page=members&register=yes">Not Registered? Sign up!</a> 
			</td>
			<td bordercolor="#000000">
				Forgot your password? 
			</td>
		</tr>
	</table>
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

processing the registration

Post by Charles256 »

Code:

{
		$username=strtolower($_POST['username']);
		$password=$_POST['password'];
		$upassword=md5($password);
		$lname=$_POST['lname'];
		$fname=$_POST['fname'];
		$day=$_POST['day'];
		if ($day < 10 )	// pad single-digit values only ("<= 10" turned 10 into "010")
		{
			$day='0'.$day;
		}
		$month=$_POST['month'];
		if ($month < 10 )
		{
			$month='0'.$month;
		}
		$year=$_POST['year'];
		$married=$_POST['married'];
		$mday=$_POST['mday'];
		if ($mday < 10 )
		{
			$mday='0'.$mday;
		}
		$mmonth=$_POST['mmonth'];
		if ($mmonth < 10 )
		{
			$mmonth='0'.$mmonth;
		}
		$myear=$_POST['myear'];
		$email=strtolower($_POST['email']);
		$error='false';
		if (empty($username))
		{
			$usernamee="You didn't enter anything into this field, please enter something.";
			$error='true';
		}
		// $result is assumed to be set earlier from a SELECT on the member table (not shown in the post);
		// note that this compares the submitted username against the first returned row only.
		$name=mysql_fetch_object($result);
		if ($username==$name->Username)
		{
			$usernamee="That username is already taken, please try another one.";
			$error='true';
		}
		// preg_match() replaces the ereg() family, which was removed in PHP 7
		if (preg_match('/[^a-zA-Z0-9]/', $username))
   		{
			$usernamee="Please only enter letters and numbers.";
   			$error='true';
   		}
		if (empty($password))
		{
			$passworde="You didn't enter anything into this field, please enter something.";
			$error='true';
		}
		if (preg_match('/[^a-zA-Z0-9]/', $password))
   		{
			$passworde="Please only enter letters and numbers.";
   			$error='true';
   		}
		if (empty($fname))
		{
			$fnamee="You didn't enter anything into this field, please enter something.";
			$error='true';
		}
		if (preg_match('/[^a-zA-Z0-9]/', $fname))
   		{
			$fnamee="Please only enter letters and numbers. For example leave out your middle name. ";
   			$error='true';
   		}
		if (empty($lname))
		{
			$lnamee="You didn't enter anything into this field, please enter something.";
			$error='true';
		}
		if (preg_match('/[^a-zA-Z0-9]/', $lname))
   		{
			$lnamee="Please only enter letters and numbers. For example, exclude your title. I.E.- Jr.";
   			$error='true';
   		}
		if (empty($email))
		{
			$emaile="You didn't enter anything into this field, please enter something.";
			$error='true';
		}
		// the /i flag keeps the case-insensitive match that eregi() provided
		if ( !preg_match('/^[-a-z0-9!#$%&\'*+\/=?^_<{|}~]+(\.[-a-zA-Z0-9!#$%&\'*+\/=?^_<{|}~]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z0-9-]{2,}$/i', $email) ) {
 		$emaile = "Please enter a valid E-mail address.";
 		$error='true';	// without this an invalid address still reached the INSERT
 		}
		if ($email==$name->Email)
		{
			$emaile="Someone else is all ready using that e-mail address.";
			$error='true';
		}
	}
Actual insertion into the database if they pass error checking

Code:

if ($error=="false")
		{
		$sql=mysql_query("INSERT INTO member(Username, Password, Fname, Lname, Email, Bday, Married, Dmarried) VALUES ('$username','$upassword','$fname','$lname','$email','".$day.$month.$year."','$married','".$mday.$mmonth.$myear."')");		
		?>
			Congratulations, you have successfully registered. Your registration information is as follows. Unfortunately, your account will have to be activated before you can log in. Save the information from this page for future reference.<br>
			<br>
		<?php
			echo (" Username: $username <br> Password: $password <br> First Name: $fname <br>
			Last Name: $lname <br> E-Mail Address: $email <br> Birthday:".$day.$month.$year."<br>");
			if ($married=='no')
			{
				echo("Married: $married");
			}
			if ($married=='yes')
			{
				echo("Married: $married<br>Date Married:".$mday.$mmonth.$myear."<br>");
			}
			
			$message = "Thank you for registering $fname $lname.\nYour login information is as follows.\nUsername: $username\nPassword:$password\nWithin forty eight hours your account should be activated.\n       Thank you for your patience.\n\nIf you received this e-mail without registering at the site mentioned contact webmaster@chalkheadbaptist.com immediately.\nBy doing so we can take steps to make sure whatever error occurred is promptly fixed.";
			$to=$email;
			$subject="Thank you for registering at ChalkheadBaptist.com";
			$headers='From:webmaster@chalkheadbaptist.com'."\r\n".'Reply-To:webmaster@chalkheadbaptist.com'."\r\n";
			mail($to, $subject, $message, $headers);
		}
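The field checks in the registration post, written as one function that returns a map of field name to message, as an added example (this is not Charles256's code). It uses preg_match() in place of ereg()/eregi(), which were removed in PHP 7, validates the e-mail address with filter_var(), checks the birthday with checkdate(), and rejects a radio-button value that is not one of the two the form offers. The length limits, the helper names validate_registration() and two_digits(), and the reading of "day" as day-of-month and "month" as 1 to 12 are assumptions; the posted form actually lists 1 to 12 under "day" and 1 to 32 under "month".

```php
<?php
// Added example, not Charles256's code: the registration field checks from the
// post as one function returning field => message. Field names match the form;
// length limits and the use of checkdate() are assumptions.
function validate_registration(array $post): array
{
    $errors = [];

    $username = strtolower(trim((string) ($post['username'] ?? '')));
    if ($username === '') {
        $errors['username'] = 'You didn\'t enter anything into this field, please enter something.';
    } elseif (!preg_match('/^[a-z0-9]{3,32}$/', $username)) {
        $errors['username'] = 'Please only enter letters and numbers (3 to 32 characters).';
    }

    $password = (string) ($post['password'] ?? '');
    if ($password === '') {
        $errors['password'] = 'You didn\'t enter anything into this field, please enter something.';
    } elseif (strlen($password) < 8) {
        // The posted code limits passwords to letters and digits; a minimum
        // length is the more useful control (assumption: 8 characters).
        $errors['password'] = 'Please choose a password of at least 8 characters.';
    }

    foreach (['fname' => 'First name', 'lname' => 'Last name'] as $field => $label) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '') {
            $errors[$field] = "$label is required.";
        } elseif (!preg_match('/^[A-Za-z0-9]{1,40}$/', $value)) {
            $errors[$field] = "$label may only contain letters and numbers.";
        }
    }

    $email = strtolower(trim((string) ($post['email'] ?? '')));
    if ($email === '') {
        $errors['email'] = 'You didn\'t enter anything into this field, please enter something.';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        // In the posted code an invalid address set a message but never set
        // $error='true', so the INSERT still ran. Here it is a hard error.
        $errors['email'] = 'Please enter a valid E-mail address.';
    }

    // Select boxes post strings, and a client can post anything: accept only
    // digits that form a real calendar date.
    $day   = (string) ($post['day']   ?? '');
    $month = (string) ($post['month'] ?? '');
    $year  = (string) ($post['year']  ?? '');
    if (!ctype_digit($day) || !ctype_digit($month) || !ctype_digit($year)
        || !checkdate((int) $month, (int) $day, (int) $year)) {
        $errors['birthday'] = 'Please select a valid birthday.';
    }

    // Radio buttons are user input too: only the two expected values pass.
    if (!in_array($post['married'] ?? '', ['yes', 'no'], true)) {
        $errors['married'] = 'Please answer yes or no.';
    }

    return $errors;
}

// Two-digit padding for day and month without the posted "<= 10" off-by-one,
// which turned 10 into "010".
function two_digits(string $n): string
{
    return str_pad($n, 2, '0', STR_PAD_LEFT);
}

// Constructed sample input: one valid submission and one that the posted checks
// let through (bad e-mail, a title in the last name, 31 February, tampered radio value).
$good = ['username' => 'Alice01', 'password' => 'correct horse', 'fname' => 'Alice',
         'lname' => 'Smith', 'email' => 'alice@example.com',
         'day' => '10', 'month' => '2', 'year' => '1980', 'married' => 'no'];
$bad  = ['username' => 'bob smith', 'password' => 'x', 'fname' => 'Bob',
         'lname' => 'Jr.', 'email' => 'not-an-address',
         'day' => '31', 'month' => '2', 'year' => '1980', 'married' => 'maybe'];

var_dump(validate_registration($good) === []);
print_r(array_keys(validate_registration($bad)));
echo two_digits('10') . two_digits('2') . "\n";
```

For $good the function returns an empty array; for $bad it reports username, password, lname, email, birthday and married. The point of returning a map rather than setting one $error flag and six message variables is that the form can render every message and the caller has a single condition, `$errors === []`, that must hold before anything is written to the database or mailed out.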
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

and logging in

Post by Charles256 »

if you have read this far you are probably a saint :-D

Code:

if ($_REQUEST['testing']=='true')
{
	$password=md5($_POST['password']);
	$username=strtolower($_POST['username']);
	$nresult=mysql_query("SELECT * FROM member WHERE Username='$username'");
	$row=mysql_fetch_object($nresult);
	if (mysql_num_rows($nresult) != '1' OR $password != $row->Password)
	{
	?>
	Invalid username or password, please try <a href="http://www.chalkheadbaptist.com/index.php?page=members">again.</a>
	<?php
	}
	else if ($row->Active=='0')
	{
		echo ("While your name is registered you have not been approved. As such you do not have access to any of our member functions yet. We apologize for any inconvenience.");
	}
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I don't really have time to look over your code at the moment, but at a quick glance I see a few things you should probably change

Code:

$username=strtolower($_POST['username']);
You have not sanitized this variable, which is extremely dangerous especially during log-ins.
You should ALWAYS sanitize every piece of input possible.. never trust the user.. EVER

Code:

$username=strtolower(mysql_real_escape_string($_POST['username']));
Probably better to change your query to something like

Code:

$password=md5($_POST['password']);
    $username=strtolower(mysql_real_escape_string($_POST['username']));
    $nresult=mysql_query("SELECT * FROM member WHERE Username='$username' AND Password = '$password' LIMIT 1");
    if (mysql_num_rows($nresult))
    { 
            //now fetch the object
            $row=mysql_fetch_object($nresult);
Along with mysql_real_escape_string I would probably convert all input with htmlentities() just in case they tried inserting malicious code
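The login check John describes, as an added example that is neither the poster's nor John's code. It goes one step beyond escaping with mysql_real_escape_string(): the username travels as a bound parameter of a prepared statement, so a quote in it is just data and no escaping is needed, and the password is stored with password_hash() and checked with password_verify() instead of comparing md5() strings. The mysql_* functions John's snippet uses were removed in PHP 7, so this uses PDO with an in-memory SQLite database (the pdo_sqlite extension is assumed) so that it runs stand-alone; the table and column names (member: Username, Password, Active) follow the posted query, and the function names are assumptions.

```php
<?php
// Added example, not the poster's or John Cartwright's code. Prepared statements
// plus password_hash() in place of escaping plus md5(). Runs stand-alone on an
// in-memory SQLite database (assumption: pdo_sqlite is available).
function open_member_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (Username TEXT PRIMARY KEY, Password TEXT NOT NULL, Active INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Registration side: the same parameter binding for the INSERT, and a hash that
// password_verify() can check later. Nothing from the request is concatenated
// into the SQL text.
function register_member(PDO $db, string $username, string $password, int $active): void
{
    $stmt = $db->prepare('INSERT INTO member (Username, Password, Active) VALUES (?, ?, ?)');
    $stmt->execute([strtolower($username), password_hash($password, PASSWORD_DEFAULT), $active]);
}

// Login side. Returns 'ok', 'inactive' or 'invalid'. As in the posted code the
// caller gets one message for a wrong username and a wrong password alike.
function login_member(PDO $db, string $username, string $password): string
{
    $stmt = $db->prepare('SELECT Password, Active FROM member WHERE Username = ? LIMIT 1');
    $stmt->execute([strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);

    // Always run one hash verification, against a throwaway hash when the user
    // is unknown, so response time does not reveal which usernames exist.
    $hash = $row !== false ? $row->Password : password_hash('throwaway', PASSWORD_DEFAULT);
    $passwordOk = password_verify($password, $hash);
    if ($row === false || !$passwordOk) {
        return 'invalid';
    }
    return (int) $row->Active === 1 ? 'ok' : 'inactive';
}

// Constructed sample data: one approved member, one still awaiting approval.
$db = open_member_db();
register_member($db, 'Alice', 'correct horse', 1);
register_member($db, 'bob', 'hunter2', 0);

echo login_member($db, 'alice', 'correct horse'), "\n";   // approved, right password
echo login_member($db, 'bob', 'hunter2'), "\n";           // right password, not yet approved
echo login_member($db, 'alice', 'wrong'), "\n";           // wrong password
// A quote in the username, the case mysql_real_escape_string() exists for, is
// harmless here: it is looked up literally and simply does not match anyone.
echo login_member($db, "o'brien", 'anything'), "\n";
```

The four calls print ok, inactive, invalid and invalid. Compared with John's snippet, the SELECT no longer includes the password at all: fetching the stored hash and verifying it in PHP is what makes salted, slow hashes possible, and it keeps the query identical for every login attempt.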
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

Thanks for those tips. This is my first login/registration type system, to be honest, so I appreciate all the feedback :-D
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Jcart wrote: Post it here using [code] tags
500+ lines? Ahh... never mind... he's posted already