Big security issue with user variable



galahad3
06-15-2010, 05:16 PM
Hi,

I have a small login system whereby a user logs in and then is able to access the "customer" pages in a particular folder. It works fine in itself, but I've discovered a pretty big security problem, and I can't see a way around it.

The script that handles login and redirection is as follows:



<?php
require_once ( 'settings.php' );

if ( array_key_exists ( '_submit_check', $_POST ) )
{
    if ( $_POST['username'] != '' && $_POST['password'] != '' )
    {
        // $db->qstr() quotes both values, so the query itself is not injectable
        $query = 'SELECT ID, Username, Active, Password FROM ' . DBPREFIX . 'users'
               . ' WHERE Username = ' . $db->qstr ( $_POST['username'] )
               . ' AND Password = ' . $db->qstr ( md5 ( $_POST['password'] ) );

        if ( $db->RecordCount ( $query ) == 1 )
        {
            $row = $db->getRow ( $query );
            if ( $row->Active == 1 )
            {
                // isset() avoids an undefined-index notice when "remember" is unticked
                set_login_sessions ( $row->ID, $row->Password, isset ( $_POST['remember'] ) ? TRUE : FALSE );
                $userid = $row->Username;
                // The username is handed to the landing page in the query string
                header ( "Location: " . REDIRECT_AFTER_LOGIN . "?Username=" . $userid );
                //header ( "Location: " . REDIRECT_AFTER_LOGIN );
                exit; // header() alone does not stop the script
            }
            elseif ( $row->Active == 0 ) {
                $error = 'Your membership was not activated. Please open the email that we sent and click on the activation link.';
            }
            elseif ( $row->Active == 2 ) {
                $error = 'You are suspended!';
            }
        }
        else {
            $error = 'Login failed!';
        }
    }
    else {
        $error = 'Please use both your username and password to access your account';
    }
}
?>


This is the line from the above which grabs the user's ID and does the forwarding to the landing page:



$userid = $row->Username;
header ( "Location: " . REDIRECT_AFTER_LOGIN . "?Username=" . $userid );
exit;


Works great, but if the user then goes to an "Upload item" form (which they will need to do) this is where the problem can crop up.

Firstly, in the header of the landing page I pull in the username from the URL generated by the header() call above:



$user = $_GET['Username'];


Then I echo this in the body of the landing page, i.e. "Welcome to ..., $user", so they have a personalised welcome.

Now, I have a number of links for various actions that logged-in users can make, and for the "Add an item" link I've used this code so that the $user variable is carried through to the "Add an item" form page (I need to ensure that the user ID is added into the db when a new item is added):



<a href="addlisting.php?_User=<?php echo $user ?>"><img src="../addlisting.gif" width="100" height="45" alt="Add New Listing" /></a>


The problem is, when the user reaches the addlisting.php page, he can in theory modify the URL, which is addlisting.php?_User=testuser. He can change the name of the user to whatever, and then upload a listing item.

This is a major issue as he can effectively pretend to be another user. Granted, most users won't think of doing this, but I need a way of preventing it.

At the same time I need a way of getting the $user variable "sent" to all the pages for logged-in users, so that whenever the user fills in a form etc. anywhere in that area, his username will be included in the form.

MattF
06-15-2010, 05:24 PM
Use sessions for storing the user id and name. Also, encode your output when you echo it.
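
What MattF's two suggestions look like in code, as an added example that is not the original poster's or MattF's own code. The identity of the logged-in user is stored server-side in $_SESSION at login and read back from there on every customer page, so nothing in the URL or in a form field decides who the user is, and the username is HTML-encoded before it is echoed. It assumes PHP 7.3 or later, a site served over HTTPS, and the $db object (with qstr()/Execute()) and DBPREFIX from settings.php as used in the thread; the file names auth.php, login.php, landing.php and addlisting.php, the require_login() helper, and the listings table with UserID and Title columns are made up for the illustration. The block is written as one listing; the sections marked with file names would be separate files in practice.

```php
<?php
// ---- auth.php: shared helpers, included by every customer-area page ----
// (added example; $db, DBPREFIX and REDIRECT_AFTER_LOGIN come from settings.php
//  as in the thread, everything else here is hypothetical)

function start_secure_session(): void
{
    // Cookie is not readable by JavaScript and not sent on cross-site requests.
    // 'secure' assumes the site is only served over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called once, only after the username/password check has succeeded.
function login_user(int $id, string $username): void
{
    // Fresh session ID on login so a session ID an attacker fixed
    // before login cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $id;
    $_SESSION['username'] = $username;
}

// Guard for every page in the customer area: returns the logged-in user
// from the session, or sends the visitor to the login page and stops.
function require_login(): array
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit; // header() does not end the script on its own
    }
    return [
        'id'       => (int) $_SESSION['user_id'],
        'username' => (string) $_SESSION['username'],
    ];
}

// Encode once, at output time, so a username such as <script>... is shown, not run.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// ---- login.php: replaces the "?Username=" redirect from the thread ----
// require_once 'settings.php'; require_once 'auth.php';
// start_secure_session();
// ... after $row has been fetched and $row->Active == 1:
//     login_user((int) $row->ID, $row->Username);
//     header('Location: ' . REDIRECT_AFTER_LOGIN); // no username in the URL
//     exit;

// ---- landing.php: no $_GET['Username'] anywhere ----
// require_once 'auth.php';
// start_secure_session();
// $user = require_login();
// echo 'Welcome to the customer area, ' . h($user['username']);
// echo '<a href="addlisting.php">Add New Listing</a>'; // no _User= parameter

// ---- addlisting.php: owner comes from the session, never from the request ----
// require_once 'settings.php'; require_once 'auth.php';
// start_secure_session();
// $user = require_login();
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     $title = trim($_POST['title'] ?? '');
//     $sql = 'INSERT INTO ' . DBPREFIX . 'listings (UserID, Title) VALUES ('
//          . (int) $user['id'] . ', ' . $db->qstr($title) . ')';
//     $db->Execute($sql);
// }
```

The point of require_login() is that every page derives the user ID from the session cookie the server issued, so editing addlisting.php?_User=... (or a hidden form field, which is the same flaw) changes nothing; the only way to act as another user is to hold that user's session cookie, which is why the cookie flags and session_regenerate_id() matter. The same rule applies to the welcome message: the name is looked up server-side and encoded with htmlspecialchars() at output time, which is the "encode your output" part of the advice.
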

galahad3
06-15-2010, 05:39 PM
Ok, so what would I actually need to change to make it work through a session instead? Presumably I don't use the "GET" to pull the user id but something else?

MattF
06-15-2010, 09:28 PM
http://uk2.php.net/manual/en/ref.session.php
