[RESOLVED] Find My Security Hole... I Give You A Nickel

ronjon

HELLO ALL.

PROFESSIONALS... I NEED YOUR HELP.

I HAVE RECENTLY GOT A JOB AT A DECENT PLACE THAT HIRED ME TO ADMIN THEIR NETWORK...AND... CODING A DYNAMIC WEBSITE WITH PHP AND MYSQL. WELL... IM A NEWBIE...IVE ONLY BEEN LOOKING AT MYSQL AND PHP FOR A WEEK. ANYHOW.. IVE BEEN CODING SOME STUFF FOR OUR WEBSITE. RIGHT NOW .. IM ONLY AT THE USER AUTHENTICATION PART. GIVEN THAT IM AN EXTREME NEWBIE... I DONT KNOW SECURITY...AT ALL ACTUALLY.

SO... FOR YOU PROFESSIONALS OUT THERE... I KNOW YOU ALL KNOW WHAT THINGS TO LOOK FOR WHEN IT COMES TO DEVEL0PING DYNAMIC PAGES FOR WEBSITES THAT NEED TO BE PRETTY SECURE. PLEASE LOOK AT MY CODE AND TELL ME IF THIS IS WORTHY OR BEING PUT UP AS A CORPORATE WEBSITE (CODE WISE... I'VE YET TO START CONSIDERING HARDWARE SECURITY AND ALL THAT.) PLEASE HELP...ALL THIS CODE IVE PUT TOGETHER IS FROM TEXT BOOKS AND ONLINE HELP...I HAVE GOT ONLY ABOUT 2 SEMESTERS OF PROGRAMMING COURSEWORK UNDER MY BELST...SO IM REALLY WEARY OF PUTTING ANYTHING UP THAT HASNT BEEN CRITIQUED BY A SEASONED PROFESSIONAL.

ANY INPUT WOULD BE REALLY HELPFUL.
THANK YOU ALL SO MUCH.

HERE IT GOES.

GATEWAY.PHP is the page that recieves user input
AUTHENTICATION.PHP is the php page that verifies user input with the database.

//GATEWAY.PHP

<html>

<body
<br /><br />
<p> my company name</p>

<form action = "AUTHENTICATION.PHP" method=post>
<input type="text" name="username">
USERNAME
<br>
<input type="text" name="password">
PASSWORD<br>
<input type="image" src="login.gif">
</form>

</body>
</html>

//AUTHENTICATION.PHP
<?
echo "MYCOMPANY INC. User Authentication routine.<br /><br />";

//RETRIEVING VARS FROM GATEWAY.PHP VIA POST
$username =$POST['username'];
$password = $POST['password'];

//CONNECTING TO DATABASE
$link = mysql_connect ('localhost', 'spinsykel', 'spinsykel');
if ($link)
{
echo "error: could not connect to database <br /><br />";
exit;
}

//RETRIEVING DATA FROM DATABASE
mysql_select_db('users');
$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'";
$result = mysql_query($sql) or die (mysql_error());

//IF FINDS NO MATCHING PASSWORD AND USERNAME
if (mysql_num_rows($result) == 0)
{
echo "INVALID USERNAME AND/OR PASSWORD.
PLEASE CLICK BACK ON YOUR BROWSER AND
ENTER A VALID USERNAME AND PASSWORD.
THANK YOU.";
}

//IF FINDS NO MATCHING PASSWORD AND USERNAME
if (mysql_num_rows($result) ==1)
{
$row = mysql_fetch_array($result);
list(,$lastname) + each ($row);
echo 'RECORD FOUND! <br /><br />';
$username = ucfirst ($username);
$lastname = ucfirst ($lastname);
echo "$lastname, $username;
$found =1;
}

//IF FINDS MORE THAN ONE MATCHING PASSWORD AND USERNAME (BIG TROUBLE!)
if (mysql_num_rows($result) > 1)
{
echo "WE ARE HAVING TECHNICAL DIFFICULTIES AND
ARE UNABLE TO RETRIEVE YOUR USER INFORMATION AT
THIS TIME. PLEASE COME BACK AT A LATER TIME.
THANK YOU - INFORMATION SYSTEMS DEPRTMENT";
}

cnperry

Personally...

I prefer keeping my mysql connection data in a file outside the www root. You can include it by include("/absolute/path/to/the/file"); Check the PHP website for details. Keeping that data within the www root (or lower) makes it more vulnerable to prying eyes.

I don't know a whole lot of security, either, but another thing I tend to use is validating the submission against the $_SERVER[HTTP_REFERER] variable on certain scripts just to make sure the form submission is actually coming from my script.

Just my two cents!

Cameron

ronjon

i appreciate your input... i will definitely look up how to do your suggestions and incorporate it to my code.

again, thanks.

anybody else have any suggestions?

id love to hear.

-ron

BuzzLY

So... you want us (some of whom are having trouble finding a good job) to help make you (who somehow landed a job with very little knowledge of PHP) look like you know what you are doing? 😉

ronjon

sorry you dont have a job. i really am..i been out of a job for 6 months..so i know how it feels. i was hired to LEARN and do php and mysql... yes i was lucky. i dont intend to hide behind your know how and say 'yeah... i did it all bymyself..' they know i dont know shit about mysql...but they also know that im willing to exhaust all resources to LEARN it so that i may be a professional like you guys and help them with their website. please dont hold it against me that i have found a job. regardless... thank you for your comment... it has made me realize how lucky i am and how much harder i have to work and endure ridicule for not knowing as much as a seasoned programming professional.... ultimately... making me realize how much harder i have to work.

thank you.
any comment from anybody else... however helpful or bitter... is appreciated.

-ron

gabidi

Congradulations on your new appointment, it's always good to keep your high school connections 😉

All kiding aside,

Your code looks fine , just a few sytnax errors


if ($link) 
{

i believe should be

if(!$link)
{

I'm also a relative newb to php, but i belive the list command changes an array to scalar variables so i think you sytanx for list command should be

list($var1,$var2,....,$varn)=$yourarray

also for echo statments , i dont think you put multiple lines of output using single quoations

echo "WE ARE HAVING TECHNICAL DIFFICULTIES AND 
ARE UNABLE TO RETRIEVE YOUR USER INFORMATION AT 
THIS TIME. PLEASE COME BACK AT A LATER TIME. 
THANK YOU - INFORMATION SYSTEMS DEPRTMENT";

should be replaced by either

echo<<<STARTHERE
  WE ARE HAVING TECHNICAL DIFFICULTIES AND 
  ARE UNABLE TO RETRIEVE YOUR USER INFORMATION AT 
  THIS TIME. PLEASE COME BACK AT A LATER TIME. 
  THANK YOU - INFORMATION SYSTEMS DEPRTMENT
STARTHERE;

STARTHERE can be replaced by whatever name you want but must end the "quote" with the same name and no indent before it

or you can use concatenation (SP ?).

You've got anumber of other sytnax errors but i'm sure u'll fix them before you're done .

Eitheway, good luck and hope the above helps.

BuzzLY

Originally posted by ronjon
any comment from anybody else... however helpful or bitter... is appreciated.

Ouch. I really didn't mean to sound so bitter, and I appreciate your candor. Of course, I can't fault you for finding and taking a job that is offered to you. I certainly would if I were in your shoes, in a heartbeat.

drew010

probably will want to change
<input type="text" name="password">
to
<input type="password" name="password">
so that the characters are masked and not visible by others

ronjon

gabidi..

yeah... the $link thing... i actually just copied it wrong. i forgot to bring the code home so i had to copy it from a printout... i just forgot to type the !. the code works... i tested it. the only thing that im really worried about is the security. but good noticing.

as for the list command... ill look into it and figure out what you mean... since i am a newb... i odnt even know what you mean by scalar variables...but ill definitely look into what you're suggesting.

as for the echo... not sure what you mean ... but again... ill look into that as well.

also, thank you for your congratulations... i appreciate it. im excited about the job and am looking forward to learning coding more in depth so that i can add that to my title as well == job security and more financial compensation in the long run 🙂

buzzly...
i forgot to mention... that 80% of what they hired me for was to admin their network, troubleshoot their pc's, coordinate it projects and such... the php and mysql was just about 20% or so... all they knew was that I can learn it and want to learn it. so... they didnt just hire me for php and mysql..that would be silly of them. thats like hiring a chef to fix cars.

drew010...
name = "password"... yeah. i actually intend to do that.

thank you all for your replies. the more replies i get, the more i get to put in my notes to refer to later... that helps immensely. you guys freakin rock. i figure if i take all these comments down and incorporate it in my future code, six months or so down the line... id probably churn out code that might actually look like its made by a pro. again, thank you all.

what i was most concerned about...or was not sure about was whether a user would be able to somehow maliciously use any variables or values that were stored in POST... i havent thought about it much really...but i had a comment from somebody that in essence said that doing so was dangerous or somethin... i dont really know if thats true..but was enoug hto make me concerned about it.

ok guys.. if you have any more comments... id love to hear it.

take care.
ron

laserlight

Maybe you could post the updated version, within [php] and [/php] bbcode tags?

ronjon

i will definitely use your idea... i will include the database connection code out of the root folder and will just refer to it in my code. thanks... great idea.

-ron

devinemke

Originally posted by BuzzLY
So... you want us (some of whom are having trouble finding a good job) to help make you (who somehow landed a job with very little knowledge of PHP) look like you know what you are doing? 😉

yes, but he's not asking for free advice. he has offered you a nickel.
how do we go about redeeming our nickel fees? paypal perhaps?

ronjon

give me your home address... ill book a flight...deliver the shiny nickel to you in person. 🙂

snoj

I really don't like having clear text passwords in the database that the script actually uses to do the auth.

Solution:

Use crypt on the pwds before storing them in DB and then use cryt on user input before trying to match passwords.

If you need to store the clear text passwords (ex: 'forgot your password') link, store them in a different DB that can only be read by an offline script that would then mail the user his password.

The best solution is to never store clear text passwords and use other user info (birthdate,city,pet name,secret question,and whatever you can think of) to provide 'forgot your password' utility.

Even better, the system automatically generates a new password, stores the crypted version and sends new pwd to user over email.

Remember though that email is always clear text.

MiiJay

Is it me, or is everyone totally blind ...

SQL injection attack

what if someone had a password called

none'; DELETE FROM users; SELECT FROM users WHERE password='

$username = addslashes($POST['username']);
$password = addslashes($POST['password']);

and passwords ideally should be MD5'ed but that ain't so important.

Assides from that, the code to me is not really that clean. That's just me, probably because I like to do everything in OOP because it's quicker and easier.

Now someone answer my question at http://www.phpbuilder.com/board/showthread.php?threadid=10280218 !

tekky

Originally posted by MiiJay
.....
Assides from that, the code to me is not really that clean. That's just me, probably because I like to do everything in OOP because it's quicker and easier.

Now someone answer my question.....

relative to the person...

and thread hi-jacking....

MiiJay

Originally posted by tekky
relative to the person...

and thread hi-jacking....

Well yeah I did mention that the coding style was just the way I percive things.

Yeah, true I might be "hi jacking" there, but I have fully answered the authors original question. As for my post, looking at the average experience level of people here, i would doubt one would be able to answer it, and to me it looks like a bug in PHP so I've filed it as a bug now.

tekky

the relative portion was mainly refering to the OOP being easier comment, missed the clean code portion when I deleted