Persistent spambot - can't block it

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Persistent spambot - can't block it

Post by anivad »

My site keeps getting intermittently hit by this spambot; I have no idea how it's getting past my security measures and posing as a user:

[image]

Currently it's using the username '2009', which I've just blocked. Previous attacks have also been using years: '2005', '1998', '2007', etc.

This is in an include file at the beginning of each page:

Code:

session_start();

if (isset($_COOKIE['winm'])) {

	$uname = $_COOKIE['winm']['uname'];
	$pword = $_COOKIE['winm']['pword'];

	include 'db.php';

	$sql = "SELECT uname, pword FROM login WHERE uname = '$uname' AND pword = 'pword'";
	$result = mysql_query($sql);
	$num_rows = mysql_num_rows($result);

	if ($num_rows = 1) {
		$_SESSION['login'] = "1";
		$_SESSION['uname'] = "$uname";
	}
}

$scheck = (!(isset($_SESSION['login']) && $_SESSION['login'] != ''));

and on the page source code itself:

Code:

$uname = $_SESSION['uname'];

if ($scheck) {
	$cname = "Guest";
}
else {
	$cname = $uname;
}

If $cname = 'Guest', then the spam-prevention measures get called up. Which hasn't been happening, which means that this bot has been bypassing that altogether and tricking the code into thinking that it's a registered user.

Login page:

Code:

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	$uname = $_POST['username'];
	$pword = $_POST['password'];
	$cookie = $_POST['setcookie'];
	$time = time();

	// Database details for connection

	$SQL = "SELECT * FROM login WHERE uname = '$uname' AND pword = '$pword'";
	$result = mysql_query($SQL) or die (mysql_error());
	$num_rows = mysql_num_rows($result);

	if ($result) {
		if ($num_rows > 0) {
			session_start();
			$_SESSION['login'] = "1";
			$_SESSION['uname'] = "$uname";
			if ($cookie) {
				setcookie("winm[uname]", $uname, $time + 2592000);
				setcookie("winm[pword]", $pword, $time + 2592000);
			}
			header ("Location: loginsuccess.htm");
		}
		else {
			session_start();
			$_SESSION['login'] = "";
			error('Login failed. Check that you are registered, and that your username and password are correct.');
		}
	}

	mysql_close($db_handle);
}

Those sections of code were written several months apart, so it's possible that there was some inconsistency there as a result, but I can't work out where. Help would be great, thanks!
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Persistent spambot - can't block it

Post by John Cartwright »

Oh god, you've got some insecure stuff going on there. Firstly, SQL injection:

Code:

$uname = "admin";
$pword = "' OR '1'='1";

$SQL = "SELECT * FROM login WHERE uname = '$uname' AND pword = '$pword'";

// results in:
// SELECT * FROM login WHERE uname = 'admin' AND pword = '' OR '1'='1'

which means they don't need a password to access any of your accounts. ALWAYS, and I mean ALWAYS, pass all user input through mysql_real_escape_string() when applying it to queries.

Code:

$SQL = "SELECT * FROM login WHERE uname = '" . mysql_real_escape_string($uname) . "' AND pword = '" . mysql_real_escape_string($pword) . "' LIMIT 1";

Next, never set the password in the user's cookie. Better yet, don't store any sensitive information there. Cookies can be stolen / viewed maliciously by the right person.

Thirdly, if you want to implement a remember me functionality, generate a unique key for them and store that in their cookie / database to validate against each other. These kinds of systems are inherently insecure to begin with, but there are many tutorials out there that explain measures to take beyond this to make it less "insecure". I.e., IP checks.
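A login and remember-me flow built the way the reply above describes, as an added example that is not code from this thread: prepared statements instead of string-built SQL, a password check against a stored hash, and a random token in the cookie rather than the password. It assumes an open session, a PDO handle `$pdo`, the thread's `login` table with `pword` holding `password_hash()` output, and an added `remember_tokens` table (selector, token_hash, user_id, expires); the `setcookie()` options array needs PHP 7.3 or later.

```php
// Added example, not code from this thread. Assumes session_start() has run, a PDO
// handle $pdo, a `login` table (id, uname, pword = password_hash() output) and a
// `remember_tokens` table (selector, token_hash, user_id, expires).

function login(PDO $pdo, string $uname, string $pword, bool $remember): bool {
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, pword FROM login WHERE uname = ? LIMIT 1');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify the stored hash; a matching row count on its own proves nothing.
    if ($row === false || !password_verify($pword, $row['pword'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['login'] = 1;
    $_SESSION['uname'] = $uname;
    if ($remember) {
        issueRememberToken($pdo, (int) $row['id']);
    }
    return true;
}

function issueRememberToken(PDO $pdo, int $userId): void {
    // Selector locates the row; the validator is the secret and only its hash is stored.
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + 30 * 24 * 3600;
    $stmt = $pdo->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie('winm', "$selector:$validator", ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

function loginFromCookie(PDO $pdo): bool {
    if (!isset($_COOKIE['winm']) || substr_count($_COOKIE['winm'], ':') !== 1) {
        return false;
    }
    [$selector, $validator] = explode(':', $_COOKIE['winm']);
    $stmt = $pdo->prepare('SELECT l.uname, t.token_hash FROM remember_tokens t '
        . 'JOIN login l ON l.id = t.user_id WHERE t.selector = ? AND t.expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Constant-time hash compare, and === rather than = so the check cannot read as always true.
    if ($row === false || !hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return false;
    }
    $_SESSION['login'] = 1;
    $_SESSION['uname'] = $row['uname'];
    return true;
}
```

Because the cookie carries only the selector and a one-time random validator, a stolen cookie can be revoked by deleting its row, and a dumped `remember_tokens` table yields nothing replayable.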
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Re: Persistent spambot - can't block it

Post by anivad »

Thanks!