  1. #1
    Regular Coder
    Join Date
    Sep 2009
    Posts
    165
    Thanks
    16
    Thanked 0 Times in 0 Posts

    Big security issue with user variable

    Hi,

    I have a small login system whereby a user logs in and then is able to access the "customer" pages in a particular folder. It works fine in itself, but I've discovered a pretty big security problem, and can't see a way around it.

    The script that handles login and redirection is as follows:

    PHP Code:
    <?php

    require_once ( 'settings.php' );

    if ( array_key_exists ( '_submit_check', $_POST ) )
    {
        if ( $_POST['username'] != '' && $_POST['password'] != '' )
        {
            // Look the user up by name and MD5 of the submitted password
            $query = 'SELECT ID, Username, Active, Password FROM ' . DBPREFIX . 'users WHERE Username = ' . $db->qstr ( $_POST['username'] ) . ' AND Password = ' . $db->qstr ( md5 ( $_POST['password'] ) );

            // Status codes below (1 / 0 / 2) are reconstructed: the numeric
            // literals were lost when the post was extracted
            if ( $db->RecordCount ( $query ) == 1 )
            {
                $row = $db->getRow ( $query );
                if ( $row->Active == 1 )
                {
                    set_login_sessions ( $row->ID, $row->Password, ( isset ( $_POST['remember'] ) ) ? TRUE : FALSE );
                    $userid = $row->Username;
                    // The username is carried to the landing page in the query string
                    header ( "Location: " . REDIRECT_AFTER_LOGIN . "?Username=" . $userid );
                    //header ( "Location: " . REDIRECT_AFTER_LOGIN );
                    exit; // stop the script after the redirect
                }
                elseif ( $row->Active == 0 ) {
                    $error = 'Your membership was not activated. Please open the email that we sent and click on the activation link.';
                }
                elseif ( $row->Active == 2 ) {
                    $error = 'You are suspended!';
                }
            }
            else {
                $error = 'Login failed!';
            }
        }
        else {
            $error = 'Please use both your username and password to access your account';
        }
    }
    ?>
    This is the line from the above which grabs the user's ID and does the forwarding to the landing page:

    PHP Code:
    $userid = $row->Username;
    header ( "Location: " . REDIRECT_AFTER_LOGIN . "?Username=" . $userid );
    Works great, but if the user then goes to an "Upload item" form (which they will need to do) this is where the problem can crop up.

    Firstly, in the header of the landing page I pull in the username from the URL which was generated by the header above:

    PHP Code:
    $user = $_GET['Username'];
    Then I echo this in the body of the landing page, i.e. "Welcome to...., $user", so they have a personalised welcome.

    Now, I have a number of links for various actions that logged-in users can make, and for the "Add an item" linking I've used this code so that the $user variable is carried through to the "Add an item" form page (I need to ensure that the user ID is added into the db when a new item is added):

    PHP Code:
    <a href="addlisting.php?_User=<?php echo $user ?>"><img src="../addlisting.gif" width="100" height="45" alt="Add New Listing" /></a>
    The problem is, when the user reaches the addlisting.php page, he can in theory modify the URL, which is addlisting.php?_User=testuser. He can change the name of the user to whatever, and then upload a listing item.

    This is a major issue as he can effectively pretend to be another user. Granted, most users won't think of doing this, but I need a way of preventing it.

    At the same time I need a way of getting the $user variable "sent" to all the pages for logged-in users, so that whenever the user fills in a form etc. anywhere in that area, his username will be included in the form.

  • #2
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    Use sessions for storing the user id and name. Also, encode your output when you echo it.

  • #3
    Regular Coder
    Join Date
    Sep 2009
    Posts
    165
    Thanks
    16
    Thanked 0 Times in 0 Posts
    Ok, so what would I actually need to change to make it work through a session instead? Presumably I don't use the "GET" to pull the user id but something else?
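
    Added example (not code from this thread): one way to apply the advice in #2 and answer #3. The identity is stored in the session at login, every customer page calls require_login(), and the listing owner is read from the session rather than from a ?_User= parameter, so there is nothing in the URL for the visitor to edit. It assumes the original post's settings.php (DBPREFIX, REDIRECT_AFTER_LOGIN) and an ADOdb-style $db with qstr() and getRow() returning an object as the post uses it; the Active status code 1 (= activated) and the listings table are assumptions.

```php
<?php
// auth.php -- include this at the top of every page, before any output.
// Assumes settings.php defines DBPREFIX and REDIRECT_AFTER_LOGIN and sets
// up $db (ADOdb-style qstr()/getRow()), as in the original post.
require_once 'settings.php';

if ( session_status () === PHP_SESSION_NONE ) {
    session_start ();
}

// Checks the credentials and, on success, records the identity in the
// session. Returns true when the user is now logged in. Active == 1 is an
// assumed status code (the thread's literals were lost).
function login_user ( $db, $username, $password )
{
    $query = 'SELECT ID, Username, Active FROM ' . DBPREFIX . 'users WHERE Username = '
           . $db->qstr ( $username ) . ' AND Password = ' . $db->qstr ( md5 ( $password ) );
    $row = $db->getRow ( $query );
    if ( ! $row || $row->Active != 1 ) {
        return false;
    }
    // A fresh session id at login prevents session fixation.
    session_regenerate_id ( true );
    $_SESSION['user_id']  = (int) $row->ID;
    $_SESSION['username'] = $row->Username;
    return true;
}

// Guard for customer pages: without a session identity the visitor is
// sent to the login form and the page stops running.
function require_login ()
{
    if ( empty ( $_SESSION['user_id'] ) ) {
        header ( 'Location: login.php' );
        exit;
    }
}

// The identity always comes from the session, never from $_GET or $_POST.
function current_user_id ()
{
    return $_SESSION['user_id'];
}

function current_username ()
{
    return $_SESSION['username'];
}

// Encode anything echoed into HTML so a username such as <script> is
// shown as text rather than run as markup.
function h ( $text )
{
    return htmlspecialchars ( $text, ENT_QUOTES, 'UTF-8' );
}

function logout_user ()
{
    $_SESSION = array ();
    session_destroy ();
}

// Usage in the three pages from the thread (hypothetical file names):
//
// login.php
//   if ( login_user ( $db, $_POST['username'], $_POST['password'] ) ) {
//       header ( 'Location: ' . REDIRECT_AFTER_LOGIN );   // no ?Username=
//       exit;
//   }
//
// landing page
//   require_login ();
//   echo 'Welcome to the customer area, ' . h ( current_username () );
//   echo '<a href="addlisting.php"><img src="../addlisting.gif" alt="Add New Listing" /></a>';
//
// addlisting.php (the listings table is assumed)
//   require_login ();
//   $db->Execute ( 'INSERT INTO ' . DBPREFIX . 'listings (UserID, Title) VALUES ('
//       . current_user_id () . ', ' . $db->qstr ( $_POST['title'] ) . ')' );
?>
```

    The $_GET['Username'] and ?_User= handling disappears entirely: the server already knows who is logged in from the session cookie, and a form submitted from addlisting.php is attributed to current_user_id() regardless of anything the visitor types into the address bar. The h() wrapper covers the second point in #2, encoding the username wherever it is echoed.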

  • #4
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts

