RE: phpbb / sessionid nightmare

I understand where you are going with the mysql injection.
It would appear as though the entire session is being dictated by this _utmX
session which I have never seen before.

It would appear as though the /index.php sets this Java-based session
variable and since phpbb does not use this, it never even tries to set or
look at the Java session.

I guess the key question here is;

1. What is the _utmX session? I find little on google, other than "it
   uses it".
2. How to teach phpbb to use it?

Brad


Check the parameters for the cookie.

If they limit the cookie to, say:
http://example.com/phpbb/
instead of the whole site:
http://example.com/
then your cookie isn't there, and the session will get lost with it.

> if(isset($_GET["forum"]))

What is this?

Is the whole rest of the site passing around a ?forum=1 parameter in
all its URLs?

Probably not.

Only phpbb is doing that.

So then you never even GET to the $_SESSION check.

> {
>       if(!isset($_SESSION["userid"]))
>       {


>       <?php if(!isset($_SESSION['userid']) && $_SESSION['userid'] ==
> "")

This is daft.

!isset($x) && $x == ""

If $x isn't even set, then why test it for being == to the empty string?

>                     <?php if($_POST['hiddensubmit']){

And here you're not using isset(), so are generating E_NOTICE
messages, most likely.

>             $get_count5 = mysql_query("SELECT * FROM `contest_stories`
> WHERE
> contest_id = '".$_POST['cid']."' AND year='2007'  AND username
> ='".$_SESSION["userid"]."'");

Splicing POST data directly into a query is a giant security SQL
Injection attack hole.

Stop coding NOW and start reading and re-reading here until you
understand why:
http://phpsec.org

Unless you WANT your entire database wiped out or even stolen by a
meanie.

> echo "<font color=\"red\">You can only submit 3 stories per
> contest.</a><br>";

And you might as well not bother to have a contest, as the meanie can
rig it to win using the SQL injection above...



Sorry to be the bearer of Bad News...

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
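The points raised in the reply above, pulled together into one page as an added example (this is not code from either poster or from phpbb): the session cookie scoped to the whole site rather than /phpbb/, the userid check written without the "!isset && == ''" contradiction, POST fields read with isset()/filter_input() so no E_NOTICE fires, and the contest query rewritten as a prepared statement so $_POST['cid'] is bound as data instead of spliced into SQL. The database credentials, the COUNT(*) shape of the query and the 3-story limit are assumptions for illustration; the table and column names are the ones quoted in the thread. It uses mysqli because the mysql_* functions quoted above were removed in PHP 7.0, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL database
// reachable with the credentials below and a `contest_stories` table with
// contest_id, year and username columns, as quoted in the thread.
declare(strict_types=1);

// Cookie path '/' so /index.php and /phpbb/ see the same session cookie.
// Limiting it to /phpbb/ is exactly how the session "gets lost".
session_set_cookie_params([
    'path'     => '/',
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// One clear condition: reject when userid is missing OR empty.
// (The posted "!isset($x) && $x == ''" can never be true for an unset $x.)
if (!isset($_SESSION['userid']) || $_SESSION['userid'] === '') {
    http_response_code(403);
    exit('Please log in first.');
}
$userid = (string) $_SESSION['userid'];

// Read POST without generating E_NOTICE when a field is absent,
// and validate cid as an integer before it goes anywhere near SQL.
$submitted = isset($_POST['hiddensubmit']);
$cid       = filter_input(INPUT_POST, 'cid', FILTER_VALIDATE_INT);

if ($submitted && $cid !== null && $cid !== false) {
    // VULNERABLE form, as posted (kept as a comment, never executed):
    //   "SELECT * FROM `contest_stories` WHERE contest_id = '" . $_POST['cid'] . "'
    //    AND year='2007' AND username='" . $_SESSION['userid'] . "'"
    // A cid of   1' OR '1'='1   rewrites the WHERE clause, so the "3 stories"
    // count no longer applies to this user and contest; that is how the
    // contest gets rigged.

    // SAFE form: placeholders, values bound by type. The driver never parses
    // $cid or $userid as SQL, so quotes in them are just characters.
    $mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'contestdb'); // assumed
    $stmt = $mysqli->prepare(
        'SELECT COUNT(*) FROM `contest_stories`
          WHERE contest_id = ? AND year = ? AND username = ?'
    );
    $year = '2007';
    $stmt->bind_param('iss', $cid, $year, $userid);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();

    if ($count >= 3) {
        // Also fixes the stray </a> that closed a <font> tag in the posted echo.
        echo '<span style="color:red">You can only submit 3 stories per contest.</span><br>';
    } else {
        // Insert the story here, again through a prepared statement.
    }
}
```

Even with the bound parameters, keep the FILTER_VALIDATE_INT step: it rejects garbage early, and a prepared statement only protects the query it is used in, not any later string concatenation someone adds.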