CodeCharge Studio
YesSoftware Forums -> Archive -> CodeChargeStudio.Discussion

Registration.asp Url Parameters


Author Message
Digitalus
Posted: 05/01/2003, 5:18 PM

OK, here goes my attempt at resolving the issue with being able to spoof url
parameters on the registration.asp page used in most of the prebuilt CCS
applications.
I would first like to say that I am very new to ASP programming and any
additional replies/instructions are welcome. If you are as inexperienced as
I am, you may be wondering what URL parameters are. When you see
http://www.yoursite.com/registration.asp?user_id=1 the "?user_id=1" is the
parameter being passed to the page.

Now comes the problem.... If a user types user_id=2 or user_id=3 and so on
they can see the information for other records in your database. Using any
password revealing tool that shows what's hidden under the ************* in
your admin's password field, the user can gain access to ANY part of your
site. Alarming, isn't it?
In addition any anonymous person browsing your site can spoof the url
parameter, even without registering or logging in!
I am disclosing this information to help new ASP website writers patch the
holes, this info is by no means a reason to go about the web spoofing URL
parameters. Trust me when I say someone WILL catch you. After reading
several articles about url parameters I realized how big of a security hole
they were.

Most seasoned programmers will tell you that session variables and
application variables are quite a bit more secure, as it is almost
impossible for a client with a browser to modify these variables. I have
looked for an article covering this at codecharge.com & gotocode.com and I
never really found a simple way to fix the URL spoofing. Let's see what I did
manually with minimal effort to try to solve the problem.

First I used a piece of code and saved it as sessions.asp
Next I pasted it in my footer so I could see all the variables being used
while I built my sites features. Here's the code:

<%
' <----------------------- Begin Session & Application Detector ----------------------->
dim item 'will be used to iterate through the contents
%>

<table>
<tr>
<th colspan=2>Session</th>
</tr>
<%
'In case a particular item gives us trouble
on error resume next
for each item in Session.Contents %>
<tr>
<td><%=item%></td> <%'Show the item's name %>
<td><%=dumpItem(Session(item))%></td> <%'Show the item's contents %>
</tr>
<%
next 'For each %>
</table>

<table>
<tr>
<th colspan=2>Application</th>
</tr>
<% for each item in Application.Contents %>
<tr>
<td><%=item%></td>
<td><%=dumpItem(Application(item))%></td>
</tr>
<% next %>
</table>

<%
function dumpItem(item)
'Builds a printable string for one session or application value
dim subItem 'used to iterate through an array value
dim result 'Will store the result
'If it's an array we have to
'grab its contents.
if IsArray(item) then
for each subItem in item
'Separate each with a space
result = result & " " & subItem
next
else
result = item
end if
dumpItem = result
end function
' <----------------------- End Session & Application Detector ----------------------->
%>

The snippet of code will loop through all session and application variables
that your ASP scripts are using and then display them in a nice table.
I learned from this looping code that CCS was using the Session Variable
"PortalUserID" to keep track of users browsing the site.
Next, I saw that CCS was using "members Initialize Method" to pass URL
parameters to the registration.asp page to allow users to update their
profile.
I replaced a few lines of code in the following:

'members Initialize Method @9-80303BE5
Sub Initialize(objConnection)

If NOT Visible Then Exit Sub


Set DataSource.Connection = objConnection
With DataSource
.Parameters("urluser_id") = CCGetRequestParam("user_id", ccsGET)
'Here is the part requesting the Url Parameters
End With
End Sub
'End members Initialize Method

to read

'members Initialize Method @9-80303BE5
Sub Initialize(objConnection)

If NOT Visible Then Exit Sub


Set DataSource.Connection = objConnection
With DataSource
.Parameters("urluser_id") = Session("PortalUserID") 'Change made here to read the Session Variable instead
End With
End Sub
'End members Initialize Method


That's it!
This is all I have done and so far it works. No matter what you type as
registration.asp?user_id=Number Here
the page seems to only pass the user info that equals the
Session("PortalUserID") and ONLY after logging in.
I am not quite sure if this is the best way to accomplish the task of
securing your records from prying eyes.
Does anybody know if this is a good solution and if any other solutions are
available?

Happy Coding,
Digitalus
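A longer version of the same idea, added here as an example and not taken from the post above or from CodeCharge Studio: the session stays the source of truth for ordinary members, and a user_id from the URL is only honoured for a logged-in administrator and only when it is a plain positive integer. It assumes the "PortalUserID" session key from the post and a hypothetical "PortalUserRole" session key set to "admin" at login; "login.asp" is an assumed page name.

```asp
<%
' Added example (not from the original post or CodeCharge Studio).
' Assumes the session key "PortalUserID" from the post and a hypothetical
' session key "PortalUserRole" set to "admin" at login for administrators.
Function ResolveProfileId()
    Dim requestedId, sessionId, re
    sessionId = Session("PortalUserID")
    ' Not logged in: no profile may be loaded, whatever the URL says.
    If IsEmpty(sessionId) Or IsNull(sessionId) Or sessionId = "" Then
        ResolveProfileId = Empty
        Exit Function
    End If
    ' Ordinary members always get their own record; the URL value is ignored.
    If Session("PortalUserRole") <> "admin" Then
        ResolveProfileId = CLng(sessionId)
        Exit Function
    End If
    ' Administrators may open another member's record, but only when the URL
    ' value is a plain positive integer (IsNumeric would also accept "1e3").
    requestedId = Request.QueryString("user_id")
    If Len(requestedId) = 0 Then
        ResolveProfileId = CLng(sessionId)
        Exit Function
    End If
    Set re = New RegExp
    re.Pattern = "^[1-9][0-9]{0,8}$"
    If re.Test(requestedId) Then
        ResolveProfileId = CLng(requestedId)
    Else
        ResolveProfileId = Empty
    End If
End Function

' Using it inside the members Initialize method shown in the post:
Sub Initialize(objConnection)
    Dim profileId
    If NOT Visible Then Exit Sub
    profileId = ResolveProfileId()
    If IsEmpty(profileId) Then
        Response.Redirect "login.asp" 'assumed login page name
        Exit Sub
    End If
    Set DataSource.Connection = objConnection
    With DataSource
        .Parameters("urluser_id") = profileId
    End With
End Sub
%>
```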
