Trädvy Permalänk
Medlem
Plats
Halland
Registrerad
Mar 2009

Stenlandet - Säkerhet

Stenlandet är under konstruktion och nu behöver vi veta om Stenlandet är tillräckligt säkert.
Om ni hittar någon bugg eller något sätt att hacka sidan så skriv det i denna tråden.
Ni kommer även stöta på en del funktioner som ej är klara. Detta är inget som ni
behöver bry sig om. Dvs. om ni får fram 404 eller dylikt.

http://stenlandet.se

För att logga in använder ni följande text som "openid":
phpportalen.myopenid.com

När ni gjort det så skickas ni vidare till en sida där ni ska skriva in ett lösenord, där skriver ni:
phpportalen1

Lite kod:

conn_database.php

<?php if(count(get_included_files()) == 1) exit(); require_once("magic_quotes.php"); $GLOBALS["DB_CONN"] = @mysql_connect("*********", "stenlandet", "***********") or exit("Databasfel"); mysql_select_db("stenlandet") or exit("FEL -4123: Databasfel"); date_default_timezone_set("Europe/Stockholm"); ?>

const.php

<?php define("ADMIN_ROBOT", 0); define("ADMIN_NOT_LOGGED_IN", 1); define("ADMIN_USER", 2); define("ADMIN_MODERATOR", 3); define("ADMIN_ADMIN", 4); define("ADMIN_SUPERADMIN", 5); define("MAX_SPAM_VALUE", 1000); define("SPAM_VALUE_RESET_FREQUENCY", 604800); define("NEW_FORUM_THREAD_SPAM_VALUE", 24); define("NEW_FORUM_POST_SPAM_VALUE", 6); define("EDIT_FORUM_POST_SPAM_VALUE", 1); define("LIVE_SPAM_VALUE", 16); define("PM_SPAM_VALUE", 7); define("EDIT_KLOTTER_SPAM_VALUE", 1); define("KLOTTER_SPAM_VALUE", 4); define("SEARCH_SPAM_VALUE", 2); define("EMAIL_ADDRESS_MAX_LENGTH", 72); define("KLOTTER_MAX_LENGTH", 1400); define("KLOTTER_MAX_LINES", 40); define("MAX_KLOTTER", 40); define("USERNAME_MIN_LENGTH", 2); define("USERNAME_MAX_LENGTH", 28); define("NAME_MIN_LENGTH", 1); define("NAME_MAX_LENGTH", 64); define("PASSWORD_MIN_LENGTH", 6); define("PASSWORD_MAX_LENGTH", 64); define("POLL_TITLE_MAX_LENGTH", 40); define("POLL_OPTIONS_MAX_LENGTH", 4000); define("POLL_MAX_OPTIONS", 400); define("FORUM_POSTS_PER_PAGE", 20); define("FORUM_THREAD_TITLE_MAX_LENGTH", 36); define("FORUM_POST_MAX_LINES", 280); define("FORUM_POST_MAX_LENGTH", 8000); define("FORUM_POST_SHORT_TEXT_MIN_LENGTH", 60); define("FORUM_POST_SHORT_TEXT_MAX_LENGTH", 80); define("ADMIN_LEVEL", (isset($_SESSION["sess_id"]) ? $_SESSION["admin"] : ADMIN_NOT_LOGGED_IN)); define("NOT_LOGGED_IN", ADMIN_LEVEL <= ADMIN_NOT_LOGGED_IN); define("LOGGED_IN", !NOT_LOGGED_IN); define("USER_ID", (isset($_SESSION["sess_id"]) ? $_SESSION["sess_id"] : 0)); ?>

top_body.php

<?php require_once("top_head.php"); require_once("const.php"); require_once("functions.php"); require_once("inc/include_layout.php"); require_once("inc/helpers.php"); ?> </head> <body> <?php $topArr[] = array(); $topArr["live"] = $live["live"]; $topArr["activeUsers"] = $activeUsers; require_once("menu.php"); $topArr["primaryMenuItems"] = $primaryMenuItems; $topArr["secondaryMenuItems"] = $secondaryMenuItems; $topArr["secondaryMenuURLs"] = $secondaryMenuURLs; echo layoutPrepareTop($topArr); ?>

helpers.php

<?php if(count(get_included_files()) == 1) exit(); require_once("inc/include_layout.php"); require_once("functions.php"); require_once("conn_database.php"); require_once("const.php"); function formatLive($AJAX = false, $userUpdateC = -1, $liveUpdateC = -1) { $r = array( "live" => array(), "liveUpdateC" => mysql_result(mysql_query("SELECT c FROM updates WHERE p='live'"), 0) ); if($AJAX) { $r["userUpdateC"] = getUserUpdateC(); if($r["userUpdateC"] == $userUpdateC && $r["liveUpdateC"] == $liveUpdateC) return ""; } $firstLive = true; if(LOGGED_IN && ($q = mysql_query("SELECT COUNT(*) FROM pm WHERE owner=" . USER_ID . " AND new=1")) && mysql_num_rows($q) && ($n = mysql_result($q, 0))) { $r["live"][] = call_user_func("layoutFormatLiveNoticeFunc", array( "type" => "newPMs", "newPMsNy" => "ny" . ($n == 1 ? "tt" : "a"), "newPMsCount" => $n, "first" => $firstLive )); $firstLive = false; } $q = mysql_query("SELECT user_id,text FROM live ORDER BY id DESC LIMIT " . max(1, 5 - count($r["live"]))); if($q && mysql_num_rows($q)) { while($t = mysql_fetch_row($q)) { $r["live"][] = call_user_func("layoutFormatLiveFunc", array( "first" => $firstLive && !$AJAX, "creatorLinkAndUser" => "<a class=\"live_link\" href=\"press.php?id=" . $t[0] . "\">" . htmlspecialchars(get_user($t[0])) . "</a>", "text" => $t[1] )); $firstLive = false; } } if($AJAX) { $r["userUpdateC"] = getUserUpdateC(); return json_encode($r); } return $r; } function formatNews() { $sql = mysql_query("SELECT id,bb,creator_id,created,title FROM news ORDER BY id DESC LIMIT 2"); $news = array(); while($row = mysql_fetch_assoc($sql)) { $news[] = call_user_func("layoutFormatNewsFunc", array( "newsID" => $row["id"], "text" => $row["bb"], "creatorID" => $row["creator_id"], "creatorLinkAndUser" => "<a href=\"press?id=" . $row["creator_id"] . "\">" . htmlspecialchars(get_user($row["creator_id"])) . "</a>", "created" => $row["created"], "title" => $row["title"] )); } return $news; } function formatForumActivity() { $sql = mysql_query("SELECT thread,last_upd,creator,content_short FROM forum_posts ORDER BY last_upd DESC LIMIT 4"); $threadInfo = array(); $forumAct = array(); $i = 0; while($f = mysql_fetch_assoc($sql)) { $thread = intval($f["thread"]); $threadInfo = isset($threadInfo[$thread]) ? $threadInfo[$thread] : ($threadInfo[$thread] = array(@mysql_result(mysql_query("SELECT title FROM forum_threads WHERE id=" . $thread), 0), @mysql_result(mysql_query("SELECT content_short FROM forum_posts WHERE thread=" . $thread . " ORDER BY id ASC LIMIT 1"), 0))); $forumAct[$i] = call_user_func("layoutFormatForumActFunc", array( "threadID" => $thread, "threadTitle" => $threadInfo[0], "threadFirstPostContentShort" => $threadInfo[1], "threadLinkAndTitle" => "<a href=\"forum_thread?id=" . $thread . "&p=last\" title=\"" . $threadInfo[1] . "\">" . $threadInfo[0] . "</a>", "creatorID" => $f["creator"], "creatorLinkAndUser" => "<a href=\"press?id=" . $f["creator"] . "\">" . htmlspecialchars(get_user($f["creator"])) . "</a>", "contentShort" => $f["content_short"], "lastUpdateText" => timeSinceStylish($f["last_upd"]) )); ++$i; } return implode($GLOBALS["layoutForumActDelim"], $forumAct); } function formatPoll() { $pollInfo = mysql_fetch_assoc(mysql_query("SELECT id,title FROM poll_info ORDER BY id DESC LIMIT 1")); $sql = mysql_query("SELECT opt_id,title,votes FROM poll_options WHERE poll_id=" . $pollInfo["id"] . " ORDER BY votes DESC,opt_id"); $pollOptions = array(); $i = 0; $voteP = 0; $highest = 1; while($o = mysql_fetch_assoc($sql)) { $pollOptions[$i++] = $o; $voteP += $o["votes"]; if($o["votes"] > $highest) $highest = $o["votes"]; } $title = call_user_func("layoutFormatPollInfoFunc", array( "ID" => $pollInfo["id"], "title" => $pollInfo["title"], "options" => $i, "votes" => $voteP )); if(!$voteP) $voteP = 1; else $voteP /= 100; $i = 0; $code = ""; foreach($pollOptions as $o) { $code .= call_user_func("layoutFormatPollFunc", array( "percent" => ($o["votes"] / $voteP), "number" => $i, "optionID" => $o["opt_id"], "title" => $o["title"], "widthFactor" => $o["votes"] / $highest, "voteLink" => "<a href=\"poll_vote?poll=" . $pollInfo["id"] . "&opt_id=" . $o["opt_id"] . "\" onclick=\"return !pollVote(" . $pollInfo["id"] . "," . $o["opt_id"] . ");\">" . $o["title"] . "</a>" )); ++$i; } return array( "title" => $title, "code" => $code ); } ?>

top_head.php

<?php require_once("conn_database.php"); require_once("functions.php"); require_once("const.php"); require_once("inc/include_layout.php"); require_once("inc/helpers.php"); ?><!DOCTYPE html> <html lang="sv-SE"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title><?php echo getTitle(); ?></title> <link rel="icon" type="<?php echo $layoutFaviconType; ?>" href="<?php echo $layoutFavicon; ?>"> <meta name="keywords" content="community,stenlandet,mötesplats,möt,kompisar,kompis,snacka,prata,diskutera,klottra,klotterplank,klotter,forum"> <meta name="description" content="Stenlandet!"> <meta name="Content-Language" content="sv-SE"> <meta name="language" content="sv-SE"> <meta name="robots" content="index,follow"> <meta name="revisit-after" content="16 days"> <link href="style/style.css" type="text/css" rel="stylesheet" charset="UTF-8"> <link href="style/<?php echo $layoutCSSFile; ?>" type="text/css" rel="stylesheet" charset="UTF-8"> <script type="text/javascript" src="smileys.js"></script> <script type="text/javascript" src="stenfunctions.js"></script> <script type="text/javascript">//<![CDATA[ var admin = <?php echo ADMIN_LEVEL; ?>; var liveUpdateCD = <?php $live = formatLive(); echo $live["liveUpdateC"]; ?>; var userUpdateCD = <?php $t = getUserUpdateC(); echo ($t === false ? "false" : $t) ?>; var currentPrimaryMenuItemD = <?php if(isset($MENU_NUM)) echo $MENU_NUM; else echo "0"; $q = mysql_query("SELECT id,visbild,user,last_act,last_page FROM members ORDER BY last_act DESC LIMIT 5"); $i = -1; $activeUsers = array(); $s = ""; while($activeUsers[++$i] = mysql_fetch_array($q)) $s .= $activeUsers[$i]["id"] . ","; array_pop($activeUsers); echo ", activeUserIDsD = \"" . substr($s, 0, -1) . "\", effectsD=" . (!NOT_LOGGED_IN ? mysql_result(mysql_query("SELECT effects FROM members WHERE id=" . USER_ID), 0) : "1"); ?>; //]]></script> <script type="text/javascript" src="sten.js"></script> <?php if(!NOT_LOGGED_IN) { $cursor = mysql_result(mysql_query("SELECT cur FROM members WHERE id=" . USER_ID), 0); if(strlen($cursor)) { ?> <style type="text/css">/*<![CDATA[*/ * { cursor: url("<?php echo htmlspecialchars(addslashes($cursor)); ?>"), auto; } /*]]>*/</style> <?php } } ?>

settings.php

<?php session_start(); require_once("const.php"); if(NOT_LOGGED_IN) { header("Location: ."); exit(); } $PRESS_MAX_LENGTH = 2000; $member; require_once("conn_database.php"); require_once("functions.php"); if(ADMIN_LEVEL >= ADMIN_SUPERADMIN && isset($_GET["id"])) { $member = intval($_GET["id"]); if(!memberExist($member)) HTMLExit("FEL 9 - användaren finns ej"); } else { $member = USER_ID; } if(isset($_POST["update"])) { if(!isset($_POST["effects"])) HTMLExit("FEL 1: effects plzkthx"); if(!isset($_POST["sex"])) HTMLExit("FEL 7 - sex plzkthx"); if(!isset($_POST["press"])) $_POST["press"] = ""; if(!isset($_POST["name"])) HTMLExit("FEL 5 - name plzkthx"); if(!isset($_POST["email"])) $_POST["email"] = ""; if(!isset($_POST["theme"])) $_POST["theme"] = 0; require_once("inc/layouts.php"); if($_POST["theme"] < 0 || $_POST["theme"] >= count($layoutList)) HTMLExit("FEL 10: det temat finns ej"); $effects = intval($_POST["effects"]); if($effects < 0 || $effects > 3) HTMLExit("FEL 3 - effects har ett felaktigt värde"); $sex = intval($_POST["sex"]); if($sex < 0 || $sex > 2) HTMLExit("FEL 8 - sex har ett felaktigt värde"); if(mb_strlen($_POST["email"]) > EMAIL_ADDRESS_MAX_LENGTH) HTMLExit("FEL 1234: email är för lång"); if(mb_strlen($_POST["press"]) > $PRESS_MAX_LENGTH) HTMLExit("FEL 4: press har felaktig längd"); $t = mb_strlen($_POST["name"]); if($t < 1 || $t > NAME_MAX_LENGTH) HTMLExit("FEL 6 - name har felaktig längd"); $press = prepareText($_POST["press"], 35, 14, 8, 72, 30, ADMIN_LEVEL); mysql_query("UPDATE members SET effects=" . $effects . ",press='" . mysql_real_escape_string($press[0]) . "',press_orig='" . mysql_real_escape_string(htmlspecialchars($_POST["press"])) . "',name='" . mysql_real_escape_string($_POST["name"]) . "',sex=" . $sex . ",email='" . mysql_real_escape_string($_POST["email"]) . "',layout=" . intval($_POST["theme"]) . " WHERE id=" . $member) or die(mysql_error()); if($member == USER_ID) header("Location: settings?ok=1"); else header("Location: settings?ok=1&id=" . $member); exit(); } setLastAct("Ändrar inställningar"); $settings = mysql_fetch_assoc(mysql_query("SELECT effects,name,sex,press_orig,email,layout FROM members WHERE id=" . $member)); require("top_head.php"); require("top_body.php"); ?> <div id="position_left"> <div class="left_box_top">Inställningar<?php if($member != $_SESSION["sess_id"]) echo " - " . htmlspecialchars(get_user($member)); ?></div> <div class="left_box_main"> <?php if(isset($_GET["ok"])) echo "Inställningar ändrade!<br>"; ?> <form action="settings<?php if($member != USER_ID) echo "?id=" . $member; ?>" method="post"> <div> » Effekter:<br> <input type="radio" name="effects" id="effects0" value="0"<?php if($settings["effects"] == 0) echo " checked=\"checked\""; ?>><label for="effects0"> År 1995</label><br> <input type="radio" name="effects" id="effects1" value="1"<?php if($settings["effects"] == 1) echo " checked=\"checked\""; ?>><label for="effects1"> Den som spar den har</label><br> <input type="radio" name="effects" id="effects2" value="2"<?php if($settings["effects"] == 2) echo " checked=\"checked\""; ?>><label for="effects2"> Mellanmjölk</label><br> <input type="radio" name="effects" id="effects3" value="3"<?php if($settings["effects"] == 3) echo " checked=\"checked\""; ?>><label for="effects3"> Bussvältareffekter</label><br> <br> » <label for="input_name">Namn</label>:<br> <input type="text" name="name" id="input_name" class="input long_input_text" maxlength="<?php echo NAME_MAX_LENGTH; ?>" value="<?php echo htmlspecialchars($settings["name"]); ?>"><br> » <label for="input_email">Epost</label>:<br> <input type="text" name="email" id="input_email" class="input long_input_text" maxlength="<?php echo EMAIL_ADDRESS_MAX_LENGTH; ?>" value="<?php echo htmlspecialchars($settings["email"]); ?>"><br> <br> » Kön:<br> <input type="radio" name="sex" id="sex1" value="1"<?php if($settings["sex"] == 1) echo " checked=\"checked\""; ?>><label for="sex1"> ♀ tjej/kvinna</label><br> <input type="radio" name="sex" id="sex2" value="2"<?php if($settings["sex"] == 2) echo " checked=\"checked\""; ?>><label for="sex2"> ♂ kille/man</label><br> <input type="radio" name="sex" id="sex0" value="0"<?php if($settings["sex"] == 0) echo " checked=\"checked\""; ?>><label for="sex0"> Både och, ingen av dom eller vill inte säja</label><br> <br> » Presentation:<br> <textarea name="press" class="input settings_textarea" rows="6" cols="44"><?php echo $settings["press_orig"]; ?></textarea><br> <br> » <label for="theme">Tema</label> (<span style="color: #FF0000;">OBS: beta!</span>):<br> <select name="theme" id="theme" class="input long_input"> <option value="0"<?php if($settings["layout"] == 0) echo " selected=\"selected\""; ?>>Originalet</option> <option value="1"<?php if($settings["layout"] == 1) echo " selected=\"selected\""; ?>>Nya färger</option> </select> <br> <input type="submit" class="input" name="update" value="Spara ändringar"> </div> </form> </div> </div> <div id="position_center"> <div class="center_box_top">Extra gurka!</div> <div class="center_box_main"> Här var det gurka! </div> </div> <?php require_once("bottom.php"); ?>

Vi ses på sidan!
Mvh. Robin
[/code]

Trädvy Permalänk
Medlem
Plats
Linköping
Registrerad
Jun 2005

Jag kollade igenom koden lite snabbt och kunde se några potentiella säkerhetshål. När du hämtar innehåll från $_POST och $_GET så kollar du inte om dem innehåller det de borde göra. Du hämtar till exempel användarens id från $_GET som mycket enkelt skulle kunna modifieras till något helt annat än en användares id. Jag vet inte hur farligt detta är i just ditt fall men du borde se över det.

Något du kan göra för att vara på den säkra sidan är att säkerställa att informationen är enbart siffror när du efterfrågar just det, om användarens id innehåller något annat så är det antagligen inte den informationen du vill ha.

if(!is_numeric($_GET['user_id'])) { //inte säkert } else { //säkert }