Dreamweaver Delete Record Security Hole
10 Nov 2003 05:54:12 Aron K posted:
Could someone please help me. I have this security hole.
I have a classified ads site. There is a page where each user can delete their own ads, and only their ads are displayed. (i.e. uswebpro.com/myads.html)
But the code can be downloaded and manipulated to delete other users' ads.
EXAMPLE:
<input type="hidden" name="MM_delete" value="delete">
<input type="hidden" name="MM_recordId" value="523">
Can be changed to:
<input type="hidden" name="MM_delete" value="delete">
<input type="hidden" name="MM_recordId" value="500">
(notice the MM_recordId just being changed)
...And run locally. I just tried it myself, and I deleted ads from a test account... that I was not logged into!
What do you recommend I do?
Is there a line of code I can insert in the Dreamweaver code to check to see if the authenticated user owns the records they're deleting?
This is the Dreamweaver Delete Code:
<%
// *** Delete Record: declare variables
if (String(Request("MM_delete")) == "delete" && String(Request("MM_recordId")) != "undefined") {

  var MM_editConnection = MM_jwu_STRING;
  var MM_editTable = "uswebpro.JWUads";
  var MM_editColumn = "ad_id";
  var MM_recordId = "" + Request.Form("MM_recordId");
  var MM_editRedirectUrl = "account.asp";

  // append the query string to the redirect URL
  if (MM_editRedirectUrl && Request.QueryString && Request.QueryString.Count > 0) {
    MM_editRedirectUrl += ((MM_editRedirectUrl.indexOf('?') == -1)?"?":"&") + Request.QueryString;
  }
}
%>
-- Aron Kansal
1.401.368.3800 (Voice)
1.801.217.1704 (fax)
Replies
10 Nov 2003 18:00:17 Dave Clarke replied:
I can't figure out what you mean.
If someone downloads your page and alters the code how are they then going to get the altered page back on the server in order for it to operate?
If they simply run the page locally then it won't work.
I've just tried it and though the page appears in the browser, because it is on my machine it cannot communicate with the database in order to delete anything.
ASP|VBScript|IIS5.1|Access|WinXPPro & WinXPHome
15 Nov 2003 18:09:14 Aron K replied:
You can run a script cross-server just by putting the full URL in the action tag.
-- Aron Kansal
1.401.368.3800 (Voice)
1.801.217.1704 (fax)
15 Nov 2003 22:02:45 Phil Shevlin replied:
That's called inline SQL. It's an easy hack. Two options I know of. In either case you need to use the session("userid").
1. Only allow them to delete if the session("userid") equals the owner of the classified ad by wrapping the whole delete code in a -- If session("userid") = rs("userid") --
2. Don't use DW's insert, update and delete behaviors. Set up stored procedures to do all that and pass the session("userid").
#1 is probably easier if you aren't using MSSQL
#2 is way more secure
15 Nov 2003 22:09:20 Aron K replied:
I've spent the past week trying to get:
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
If (Request.ServerVariables("HTTP_REFERER") != "www.uswebpro.com/jwu/account.asp") Then
Response.Redirect "www.uswebpro.com/jwu/";
End If
%>
..To work. For some reason it gives me error 500.
HTTP_REFERER returns nothing, even when I click a link to the page that has this code.
I like the stored procedure idea. The MM_Username session variable is the user's email. That's in the ad's table. So when the user clicks delete, the stored procedure can check to see if the MM_Username = email in that record?
thanks!!
-- Aron Kansal
1.401.368.3800 (Voice)
1.801.217.1704 (fax)
16 Nov 2003 01:06:29 Aron K replied:
I tried your first idea: wrapping the whole page
I.E.
MM behaviors here
MM Record set info here
<% if (Session("MM_Username") = (userInfo.Fields.Item("email").Value)) {
<html>
whole page here
</html>
} %>
This gave me error 500.
But then I realized, if the hacker (logged in) downloads the page, inserts the full URL into the action param and changes the record id, it will still run, because the delete action is BEFORE the recordset.
(where Session("MM_Username") = (userInfo.Fields.Item("email").Value) gets the email value)
So wouldn't your stored procedure be the best route? I'm using SQL server 2000 so it should work fine.
-- Aron Kansal
1.401.368.3800 (Voice)
1.801.217.1704 (fax)
16 Nov 2003 04:32:41 Phil Shevlin replied:
Just wrap the Delete Record MM code (the part in your first post above).
Or change the first part of it to
// use == for the comparison: a single = would assign to the session, not check it
if (String(Request("MM_delete")) == "delete" && String(Request("MM_recordId")) != "undefined" && Session("MM_Username") == (userInfo.Fields.Item("email").Value)) {
... but this will cause your delete server behavior to no longer show in the behavior panel
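As an added example (not code from the thread), a plain-JavaScript stand-in for the page's ASP JScript handler showing the unchecked Dreamweaver-style delete beside Phil's two fixes: the session-to-owner check, and a delete scoped to the owner the way a stored procedure would do it. The ads table, the session object and the form object are constructed sample data.

```javascript
// Added example, not code from the thread. A plain-JavaScript stand-in for the
// page's ASP JScript handler: the ads table, the session and the form are all
// constructed sample data, and MM_delete / MM_recordId mirror the form fields.

// Constructed sample of the JWUads table: ad_id plus the owner's email.
function sampleAds() {
  return [
    { ad_id: 500, email: "alice@example.com", title: "Bike" },
    { ad_id: 523, email: "bob@example.com",   title: "Desk" },
  ];
}

// Same gate as the Dreamweaver code: MM_delete must be "delete" and an id present.
function deleteRequested(form) {
  return String(form.MM_delete) === "delete" && form.MM_recordId !== undefined;
}

// Vulnerable: deletes whatever ad_id the client put in the hidden field (IDOR).
function deleteRecordUnchecked(form, table) {
  if (!deleteRequested(form)) return false;
  const idx = table.findIndex(a => a.ad_id === Number(form.MM_recordId));
  if (idx === -1) return false;
  table.splice(idx, 1);
  return true;
}

// Fix 1 (Phil's option 1): compare the server-side session identity with the
// record's owner before deleting. The identity comes from the session, never
// from the form, so the client cannot choose it.
function deleteRecordOwnerCheck(session, form, table) {
  if (!deleteRequested(form)) return false;
  const row = table.find(a => a.ad_id === Number(form.MM_recordId));
  if (!row || row.email !== session.MM_Username) return false;
  table.splice(table.indexOf(row), 1);
  return true;
}

// Fix 2 (Phil's option 2, as a stored procedure would do it): scope the delete
// by owner in the statement itself, i.e.
//   DELETE FROM JWUads WHERE ad_id = @id AND email = @owner
// and treat "0 rows affected" as a refused request.
function deleteRecordScoped(session, form, table) {
  if (!deleteRequested(form)) return false;
  const before = table.length;
  const kept = table.filter(a => !(a.ad_id === Number(form.MM_recordId) &&
                                   a.email === session.MM_Username));
  table.splice(0, table.length, ...kept);   // apply the delete in place
  return table.length < before;
}
```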
16 Nov 2003 17:55:24 Aron K replied:
IT WORKED!!!
THANKS!
I used this to secure my UPDATE and DELETE Record Pages.
All you have to do is move the section that DMX labels:
// *** Delete Record: construct a sql delete statement and execute it
You must move this after/below your recordset info. I put it right before the <HTML> part.
Then wrap that code with the code you gave me prior.
Thanks again!
-- Aron Kansal
1.401.368.3800 (Voice)
1.801.217.1704 (fax)
16 Nov 2003 18:07:23 Phil Shevlin replied:
No problem!
I went through the same pains as you. Just thought I'd share my experience.