Silly rabbit, why you sweatin me?
TuPac Shakur
```php
<?
include "common.php";

$luser   = @$_POST['user'];
$lpass   = @$_POST['pass'];
$login   = @$_POST['login'];
$logined = false;

if ($login) {
    Sleep(1);
    if ($luser == $user && $lpass == $pass) {
        // the cleartext password itself becomes the session cookie
        setcookie("logined", $pass);
        header("location:index.php");
    }
} else {
    // "authentication" on later requests: cookie value compared to the password
    $logined = @$_COOKIE['logined'];
    if ($logined === $pass) {
        $logined = true;
    }
}
?>
<html>
<head>
<STYLE type=text/css>
BODY{ BACKGROUND:#666666; FONT:11px Verdana,Arial }
P{ FONT:10pt Verdana,Arial; COLOR:#000000; TEXT-ALIGN:justify }
TD{ FONT:8pt Verdana,Arial; COLOR:#000000 }
A{ COLOR:#000000; TEXT-DECORATION:underline }
A.nav{ COLOR:#000000;TEXT-DECORATION:none }
A:hover{ BACKGROUND:silver;TEXT-DECORATION:underline overline }
INPUT,SELECT,TEXTAREA{ FONT-SIZE:8pt;FONT-FAMILY:Verdana,Helvetica; border:1px solid silver; color:#606060; background-color:#222222; margin-top:0px; margin-bottom:0px; }
.HEAD TD{ BACKGROUND:silver;TEXT-ALIGN:center;FONT-WEIGHT:bold }
.SLIST TD{ BACKGROUND:#888888 }
</STYLE>
</head>
<body>
<script>
function wnd( url ) {
    window.open( url,"","statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=no,width=600,height=400");
}
</script>
<? if (!$logined) { ?>
<form action=index.php method=POST>
<table>
<tr><td>user:</td><td><input type=text name=user></td></tr>
<tr><td>pass:</td><td><input type=password name=pass></td></tr>
<tr><td></td><td><input type=submit name=login value=login></td></tr>
</table>
</form>
<?
exit;
}

switch (@$_GET['d']) {
    case "add":
        if (empty($_POST['url'])) break;
        if (isset($_POST['country'])) $_POST['country'] = strtoupper($_POST['country']);
        // request values interpolated straight into the SQL string
        $sql = "INSERT INTO `files` (`url`,`dnum`,`country`) VALUES ('{$_POST['url']}','".intval($_POST['dnum'])."','{$_POST['country']}') ";
        mysql_query($sql);
        header ("location:index.php");
        break;
    case "del":
        if (!isset($_GET['id'])) break;
        $sql = "DELETE FROM `files` WHERE `id`='{$_GET['id']}'";
        mysql_query($sql);
        header ("location:index.php");
        break;
}

if (isset($_POST['opt'])) {
    if (!isset($_POST['opt']['spoof_ip'])) $_POST['opt']['spoof_ip'] = 0;
    foreach (array_keys($_POST['opt']) as $k)
        mysql_query("REPLACE INTO `opt` (`name`,`value`) VALUES ('$k','{$_POST['opt'][$k]}')");
    header("location:index.php");
}

$bopt = array();
$r = mysql_query("SELECT * FROM `opt`");
while ($f = mysql_fetch_array($r)) $bopt[$f['name']] = $f['value'];
?>
```



This one is pretty bad.
1. Don’t like lines 16-20 as it looks like they set the password in a cookie. On top of this the cookie does not have its secure and httponly flags set so an attacker on a shared medium (wireless network) would be able to sniff the credentials and bypass authentication.
2. If the Session Identifier is the user’s password then an attacker could execute brute force attacks on the application by passing common passwords as the cookie value.
3. Having the user’s password in a cookie will also expose the user’s password to anyone sniffing the wire. Most users use a common set of passwords and this could lead to the attacker compromising other websites where this user uses the same userId and password.
4. The problem is further exacerbated by the fact that there is no lock out mechanism so an attacker could make requests all day until he got the non login page and figured out the user’s password.
5. The pass and user input fields do not have their autocomplete="off" attribute set (lines 88-89). This will allow the browser to cache credentials.
6. The rest of the page has a truck load of SQL Injection in almost every line of SQL. Pretty scary as I hope this is not production code.
Regards,
Abe
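A hardened rewrite of the login block and the add/del handlers, added here as an example; it is not the original post's code. It assumes a hypothetical `users` table (`name`, `pass_hash` holding a password_hash() value), a hypothetical `login_failures` table (`ip`, `at`) for the lockout, the original `files` table, a `DB_PASS` environment variable, and PHP 7.3 or later for the array form of session_set_cookie_params(). The delete action is moved from GET to POST so it can carry a CSRF token.

```php
<?php
// Added example, not code from the original post. Hypothetical schema:
// `users`(`name`, `pass_hash`), `login_failures`(`ip`, `at`), plus the
// original `files` table. Requires PHP 7.3+ and a DB_PASS environment variable.
declare(strict_types=1);

// Session cookie: opaque random id (never the password); HttpOnly keeps it from
// script, Secure keeps it off plain HTTP, SameSite=Strict limits cross-site reuse.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Strict',
]);
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', (string) getenv('DB_PASS'), [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Lockout: five or more failures from one address in 15 minutes blocks attempts.
function tooManyFailures(PDO $pdo, string $ip): bool
{
    $st = $pdo->prepare('SELECT COUNT(*) FROM `login_failures`
                         WHERE `ip` = ? AND `at` > NOW() - INTERVAL 15 MINUTE');
    $st->execute([$ip]);
    return (int) $st->fetchColumn() >= 5;
}

function attemptLogin(PDO $pdo, string $user, string $pass, string $ip): bool
{
    if (tooManyFailures($pdo, $ip)) {
        return false;
    }
    $st = $pdo->prepare('SELECT `pass_hash` FROM `users` WHERE `name` = ?');
    $st->execute([$user]);
    $hash  = $st->fetchColumn();
    $known = $hash !== false;
    // Run one verification either way so an unknown name costs the same time
    // as a wrong password; password_verify() compares in constant time.
    $ok = password_verify($pass, $known ? (string) $hash : password_hash('x', PASSWORD_DEFAULT))
        && $known;
    if (!$ok) {
        $pdo->prepare('INSERT INTO `login_failures` (`ip`, `at`) VALUES (?, NOW())')
            ->execute([$ip]);
        return false;
    }
    session_regenerate_id(true);            // fresh id after authentication
    $_SESSION['user'] = $user;
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
    return true;
}

// CSRF token check for state-changing requests (forms embed $_SESSION['csrf']).
function csrfOk(): bool
{
    return isset($_POST['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $_POST['csrf']);
}

if (isset($_POST['login'])) {
    $ip = (string) ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
    if (attemptLogin($pdo, (string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? ''), $ip)) {
        header('Location: index.php', true, 303);
        exit;
    }
    http_response_code(403);
    exit('login failed');
}

if (!isset($_SESSION['user'])) {
    echo '<form action="index.php" method="POST">'
       . 'user: <input type="text" name="user" autocomplete="off"> '
       . 'pass: <input type="password" name="pass" autocomplete="off"> '
       . '<input type="submit" name="login" value="login"></form>';
    exit;
}

// State-changing actions: POST only, CSRF-checked, every value a bound parameter.
if (isset($_POST['d'])) {
    if (!csrfOk()) {
        http_response_code(403);
        exit('bad csrf token');
    }
    switch ($_POST['d']) {
        case 'add':
            if (empty($_POST['url'])) break;
            $pdo->prepare('INSERT INTO `files` (`url`, `dnum`, `country`) VALUES (?, ?, ?)')
                ->execute([
                    (string) $_POST['url'],
                    (int) ($_POST['dnum'] ?? 0),
                    strtoupper(substr((string) ($_POST['country'] ?? ''), 0, 2)),
                ]);
            break;
        case 'del':
            $pdo->prepare('DELETE FROM `files` WHERE `id` = ?')
                ->execute([(int) ($_POST['id'] ?? 0)]);
            break;
    }
    header('Location: index.php', true, 303);
    exit;
}
```

The add and delete forms are expected to include `<input type="hidden" name="csrf" value="...">` filled from `$_SESSION['csrf']` (escaped with htmlspecialchars); without it csrfOk() rejects the request. The same prepared-statement pattern applies to the `opt` REPLACE loop in the original, where both the option name and value come from the request.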
OMG, are you serious??!!