Fixing a insecurity in a reply?

Teach

Hi guys.

I'm trying to improve my site secuity, and I'm stumped on what to do in this case.

We have a ticket system, and allow users (there is no membership, so we only check it's their ticket if they provide the correct ID, password and a password that's stored in the ticket database) to reply to their tickets.

I'm using the following code, but also have a hidden field for id_ticket:

<input type=\"hidden\" name=\"id\" value=\"".$myrow['id_ticket']."\" />

To stop multiple submissions on refreshed data etc, I have:

In the reply page:
 $secret=md5(uniqid(rand(), true));
 $_SESSION['REPLY_FORM_SECRET']=$secret;

echo it with:
 echo "              <input type=\"hidden\" name=\"reply_form_secret\" id=\"reply_form_secret\" value=\"".$_SESSION['REPLY_FORM_SECRET']."\" />\n";

--------------------------

in the process.php:

// Retrieve the value of the hidden field
$form_secret = htmlentities($_POST['form_secret']);
if(isset($_SESSION['FORM_SECRET'])) {
  if(strcasecmp($form_secret,$_SESSION['FORM_SECRET'])===0) {

  // valid


unset($_SESSION['FORM_SECRET']);
  } else {
    echo "<ul>\n<li><span>Invalid code</span></li>\n</ul>\n\n";
    echo "<p class=\"righttext\"><small>Go back to <strong><a href=\"javascript:history.go(-1)\" title=\"previous page\">previous page</a></strong></small></p>\n\n";
  }
} else {
    echo "<ul>\n<li><span>Invalid code</span></li>\n</ul>\n\n";
  echo "<p class=\"righttext\"><small>Go back to <strong><a href=\"javascript:history.go(-1)\" title=\"previous page\">previous page</a></strong></small></p>\n\n";
}

The problem: I am concerned as I realise that the user could easily alter the id_ticket, and then their reply would be processed and alter another ticket...

Is there a way I can modify the above code I currenty use to stop multiple submissions to secure this? By maybe having it purely in $_SESSION to check a code (that would fix the hidden id_ticket possible problem too...)

One other problem I have that code, is if someone opens two windows to a page, then it invalidates one. I don't know a a workaround for that either...

Any help appreciated 🙂

Teach

Just reading my lengthy confusing post...

I think a better way of asking this is:...

How can I protect my HTML forms from user's editing the hidden forms and then submitting it? When it contains details such as a Ticket ID (of the target ticket) it would be awful if they alter it and then handle someone else's ticket...

Also if the solution would also protect the resubmission of the form (such as the code I have above to stop that) it would be great.

Please help 🙂

halojoy

Try not to use any thing secret data, that can be misused
in your HTML code.
Even a hidden field can be read, easily by the press of a button:
View source of page.

SESSION variables is another way to store temporary data.
It is a bit more safe.
And anything stored in SESSION is Unique to only 1 user.
The user browsing.
( and possibly the user that takes over This Browser Window after first user )
[man]session_destroy/man ... when this data is no longer needed

Try if you can simplify your script.
So that as little sensitive info as possible is used outside database.

ID-numbers does not often reveal more than a number of what row in database.
Not the data in fields.
So they can be used in your scripts.

But as you say, you can not allow the chance that CLIENT Sets the ID.
And can get information that is secret, by doing so.
If he is not Authorized to.
Usually the only one that have this permission
is the user 'UserID' himself (via login)
and the Admin.

regars
halo

Teach

Hi halojoy, thank you for your reply

Yeah, the only hidden fields we use are the ones I put above.

The database structure for all tickets are the same fields, so it would have an affect. I guess I'm just asking how I protect it from someone being able to view source, save it, alter the id_ticket hidden field and then have it alter another ticket

Thanks 🙂

Horizon88

You can't stop anyone from viewing the source or altering the data in your form, but what you can do is tie tickets to passwords so they can't match - even if they do supply a ticket_id that's different, if it doesn't match the supplied password, throw an error. Also, look into using form tokens. There's a pretty good explanation of them here: http://php.robm.me.uk/#toc-CSRF

Teach

Hi guys

This is now resolved; I have simply extended the hidden fields to include ID, email and the password now, and then RECHECK those against the database to check they still match. If they do, proceed - otherwise error! Works fine, tested myself at saving and altering the hidden fields...

Thanks

halojoy

Teach wrote:
Hi guys
This is now resolved; I have simply extended the hidden fields to include ID, email and the password now, and then RECHECK those against the database to check they still match. If they do, proceed - otherwise error! Works fine, tested myself at saving and altering the hidden fields...
Thanks

yeah.
most often is like this
we know our script and our goal best ... ourselves
we have also the strongest motivation to fix things

often we only need a push to think from a new angle
maybe a bit of disturbance of mind
to get out of the stuck & rigid area of thinking
or a couple of new interesting ideas

then we do the rest 🙂

Horizon88 link is good!
Tells 2 easy & simple methods to deal with this issue:

http://php.robm.me.uk/#toc-CSRF
"Cross-Site Request Forgery"

PHP Security Guide
By Rob Miller. Last updated: 2008-01-10 04:48:14 GMT

Table of Contents:
1. Introduction
2. Different Types of Attack
1. XSS
1. How can I prevent XSS attacks?
2. SQL Injection
1. How can I prevent SQL injection attacks?
3. Spoofed Form Input
4. CSRF
5. File Uploads
6. Including Files
7. eval()
8. Register Globals
9. Magic Quotes
10. Error Reporting
1. PHP 5
11. Plain Text Passwords
1. Taking it further: Salting
3. Conclusion

thanks for link 🙂
halojoy