-3

Since I'm not an Php programmer I have to ask you, I have to challenge to investigate some source which is currently under attack. Its some local news site with custom cms inside. Its phg mysql under shared linux hosting env.

admin is registered on entering credentials in login form and those credentials are checked in db like this:

<?php
    session_start();
        include 'db.php';

    $connection = mysql_connect($dbHost, $dbUser, $dbPass) or die(mysql_error());
    mysql_select_db($dbName, $connection) or die(mysql_error());

        $queryString = "SELECT * FROM `Admins` WHERE `username` = '$user_name' AND password='$password'";
        $safeSelect = mysql_real_escape_string($queryString);

        $query = "SELECT * FROM `Admins`
            WHERE `username` = '$user_name' AND password='$password'";
    $result = mysql_query($query, $connection) or die('error making query');
    $affected_rows = mysql_num_rows($result);

        if($affected_rows == 1) {
        //add the user to our session variables
    $_SESSION['username'] = $user_name;
    header("Location: http://www.mysite.com/admin/index.php");
        exit;
        //print 'allowed';
        }
    else {
        print 'access is not allowed !!!';
    }
?>

Auth.php

<?php
    session_start();
    include 'db.php';
    if (empty($_SESSION['username'])) {
        die('to access these page you have to be registered user.
        <a href="/admin/login.php">log in</a>');
    }
?>

This session var is used on whole administration area to recognize registered user. Admin user edits and creates new content like this edit.php

<?php
session_start();
include '/admin/db.php';
include '/admin/auth.php';
  ini_set("display_errors", 1);
    error_reporting(E_ALL);
    $dbcnx = mysql_connect('localhost', $dbUser, $dbPass);
    mysql_select_db($dbName);
    if (isset($_POST['submit'])):
        // content will be updated with these
        $id = $_POST['id'];
        $cats = $_POST['cats'];
        $newstext = $_POST['newstext'];

$sql = "UPDATE `News` SET
             `NewsText`='$newstext',
             `AID`='$aid',
         `imgID`='$imgID'
             WHERE `ID`='$id'";
 if (mysql_query($sql)) {
            echo('<p><b>content is succ. updated</b></p>');
        } else {
            die('<p>Error occured when updating content: ' .
                    mysql_error() . '</p>');
        }
else: // Allow user to edit content using ID=$id

            /* $aid = $_GET['aid']; */
             if (isset($_GET['id'])) {
                if (is_numeric($_GET['id']) == FALSE) {
                    echo "<h1>Page is not found</h1>";
                    session_destroy();
                return;
             }
                $id = $_GET['id'];
            }

$row = @mysql_query("SELECT `NewsText`, `Title`, `AID`, `imgID` FROM `News` WHERE `ID`='$id'");
            if (!$row) {
                die('<p>Db error: ' .
                        mysql_error() . '</p>');
            }
$row = mysql_fetch_array($row);
            $newstext = $row['NewsText'];
            $text = $row ['Title'];
            $authid = $row ['AID'];
            $imgID = $row ['imgID'];
            $newstext = htmlspecialchars($newstext);

//ommitting html form
?>

Basically I want to ask is there some security issue here.

Found solution here http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

BobRock
  • 3,477
  • 3
  • 31
  • 48
  • 2
    Whole code have serious [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection) vulneability – safarov Mar 30 '12 at 08:23
  • @safarov how would you fix these code – BobRock Mar 30 '12 at 08:25
  • Read on to some PHP security best practices, http://stackoverflow.com/questions/3012315/php-security-best-practices – softarn Mar 30 '12 at 08:27
  • Can you post a code snippet of the login page? especially the login form and handling of it. Are passwords scrambled in the database? do you use salted passwords? is setting of $password escaped? as in mysql_real_escape_string() – GuZzie Mar 30 '12 at 08:27

4 Answers4

8

Straight off the bat it looks like there is a SQL injection issue going on here. POST requests are being put straight into an SQL query which allows someone with a specially crafted POST request to execute any query pretty much on the server...

It might be worth looking at this...

How can I prevent SQL injection in PHP?

Hope that helps

Community
  • 1
  • 1
m4rc
  • 2,932
  • 2
  • 22
  • 29
3

No its not secure, its calling mysql_real_escape_string once on a string then not using that string in the actual query.

If your not a PHP programmer then why have you been asked to investigate this?

fire
  • 21,383
  • 17
  • 79
  • 114
  • 1
    cause I need to fix these and after that move on other platform where I'm on home field. Mvc3 and Nhibernate. – BobRock Mar 30 '12 at 08:25
0

Yes its vulnerable to sql injection

http://en.wikipedia.org/wiki/SQL_injection

allen213
  • 2,267
  • 2
  • 15
  • 21
0

As pointed at by others there is a chance SQL injection. Though using mysql_real_escape_string also helps prevent sql injection, I would recommend leaving the whole mysql* behind and go for PDO which can use prepared statements for example

Bono
  • 4,757
  • 6
  • 48
  • 77