shootdatarget / owaspbricks

Automatically exported from code.google.com/p/owaspbricks

Login-6 does not work #1

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Install Bricks on a debian wheezy with all dependencies
2. Convert newlines from ^M to \r (unix newlines instead of windows newlines)
3. Try out login-6

What is the expected output? What do you see instead?
Expected to not be logged in without sql-injection or right username and password,
but redirect gives me the p=index which tells me I'm logged in. But still without a valid session.

What version of the product are you using? On what operating system?
-Standard debian wheezy with newest updates on 2014-05-20
-Bricks downloaded with link: http://sourceforge.net/projects/owaspbricks/files/Tuivai%20-%202.2/OWASP%20Bricks%20-%20Tuivai.zip/download

Please provide any additional information below.

Original issue reported on code.google.com by k...@conduct.no on 20 May 2014 at 9:02

GoogleCodeExporter commented 9 years ago
Here's the fix!

<?php
        require_once(dirname(dirname(__FILE__)) . '/includes/MySQLHandler.php');

        session_start();

        global $page; $page = "index";
        if ($_SERVER['REQUEST_METHOD'] === "POST") {

                if (isset($_POST["username"])) { $_SESSION['username'] = $_POST["username"]; }
                if (isset($_POST["passwd"])) { $_SESSION['passwd'] = $_POST["passwd"]; }
                if (isset($_POST['submit']))  {
                        $username=$_POST['username'];
                        $pwd=$_POST['passwd'];
                        $sql="SELECT * FROM users WHERE name='$username' and password='$pwd'";
                        $result=mysql_query($sql);
                        $count=mysql_num_rows($result);
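                        if(intval($count) >  0){
                                // at least one matching row: mark the session as logged in
                                $_SESSION['valid'] = "1";
                        } else {
                                // no matching row: flag the session and send the user back to the form
                                $_SESSION['valid'] = "0";
                                header("Location: index.php?p=login");
                                exit; // stop here so the "logged in" view below is not sent with the redirect
                        }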
                }
        } else if ($_SERVER['REQUEST_METHOD'] === "GET" && isset($_GET["p"])) {
                        // redirect on invalid page attempts
                        if (!in_array(strtolower($_GET["p"]), array(
                                "index","login","logout"
                        ))) {
                                header("Location: index.php");
                                exit("Invalid parameter. <a href='index.php'>Continue</a>.");
                        }
                        $page = $_GET["p"];
                        if ($_GET["p"] == "login") {$pagetitle = "Log In"; }
                        if ($_GET["p"] == "logout") {$pagetitle = "Log Out"; $_SESSION['valid'] = "0"; session_destroy(); }
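        } else {
                // plain GET without a page parameter: go to the login form
                header("Location: index.php?p=login");
                exit; // do not render the default "index" view behind the redirect
        }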

?><!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en"> 
<![endif]-->
<!--[if IE 7]>    <html class="no-js lt-ie9 lt-ie8" lang="en"> <![endif]-->
<!--[if IE 8]>    <html class="no-js lt-ie9" lang="en"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en"> <!--<![endif]-->
<head>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width" />
  <title>Bricks Login Form #6</title>  
  <!-- Included CSS Files (Uncompressed) -->
  <!--
  <link rel="stylesheet" href="../stylesheets/foundation.css">
  -->  
  <!-- Included CSS Files (Compressed) -->
  <link rel="stylesheet" href="../stylesheets/foundation.min.css">
  <link rel="stylesheet" href="../stylesheets/app.css">
  <script src="../javascripts/modernizr.foundation.js"></script>
  <!-- IE Fix for HTML5 Tags -->
  <!--[if lt IE 9]>
    <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
  <![endif]-->
</head>
<body>
        <div class="row">
                <div class="four columns centered">
                        <br/><br/><a href="../index.php"><img src="../images/bricks.jpg" /></a><br/>            
                        <?php
                                if ($page == "login") { ?><br/>
                                        <form method="post" action="<?php echo $_SERVER["SCRIPT_NAME"]; ?>">
                                                <fieldset>
                                                <legend>Login</legend>
                                                        <p><label for="username">Username:</label>
                                                        <input type="text" name="username" id="username" 
                                                        class="textinput" /></p>
                                                        <p><label for="password">Password:</label><input 
                                                        type="password" name="passwd" id="passwd" 
                                                        class="textinput" /></p>
                                                        <p><input type="submit" name="submit" class="button" value="Enter" /></p>
                                                </fieldset>
                                        </form>
                        <?php };
                        if ($page == "index") { ?><br/>
                                <p>You are successfully logged in. | <a class="small button" href="index.php?p=logout">Log Out</a></p>
                        <?php };
                        if ($page == "logout") { ?><br/>
                                <p>You have successfully been logged out and will be redirected shortly to the login page.</p>
                        <?php 
                                header("Location: index.php?p=login");
                        }; ?>
                </div>
        </div>
  <!-- Included JS Files (Uncompressed) -->
  <!--
  <script src="../javascripts/jquery.js"></script>
  <script src="../javascripts/jquery.foundation.mediaQueryToggle.js"></script>  
  <script src="../javascripts/jquery.foundation.forms.js"></script>  
  <script src="../javascripts/jquery.foundation.reveal.js"></script>  
  <script src="../javascripts/jquery.foundation.orbit.js"></script>  
  <script src="../javascripts/jquery.foundation.navigation.js"></script>  
  <script src="../javascripts/jquery.foundation.buttons.js"></script>  
  <script src="../javascripts/jquery.foundation.tabs.js"></script>  
  <script src="../javascripts/jquery.foundation.tooltips.js"></script>  
  <script src="../javascripts/jquery.foundation.accordion.js"></script>  
  <script src="../javascripts/jquery.placeholder.js"></script>  
  <script src="../javascripts/jquery.foundation.alerts.js"></script>  
  <script src="../javascripts/jquery.foundation.topbar.js"></script>  
  <script src="../javascripts/jquery.foundation.joyride.js"></script>  
  <script src="../javascripts/jquery.foundation.clearing.js"></script>  
  <script src="../javascripts/jquery.foundation.magellan.js"></script>  
  -->  
  <!-- Included JS Files (Compressed) -->
  <script src="../javascripts/jquery.js"></script>
  <script src="../javascripts/foundation.min.js"></script>  
  <!-- Initialize JS Plugins -->
  <script src="../javascripts/app.js"></script>  
</body>
</html>

Original comment by k...@conduct.no on 20 May 2014 at 10:41
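
An added example, not part of the original comment or the Bricks code base: the posted file records the login result in `$_SESSION['valid']`, but the template still chooses its view from `$page` alone, so the sketch below resolves the view from the request and the session flag together and only returns `index` when the flag is set. The helper name `resolve_page` and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; resolve_page() is a hypothetical helper, not Bricks code.
// It decides which view to render from the request method, the "p" parameter
// and the session flag the posted fix sets ($_SESSION['valid'] = "1" / "0").

function resolve_page($method, array $get, array $session)
{
    $allowed = array("index", "login", "logout");
    $valid = isset($session['valid']) && $session['valid'] === "1";

    if ($method === "POST") {
        // After a login POST the outcome is already recorded in the session.
        return $valid ? "index" : "login";
    }

    $p = isset($get["p"]) && is_string($get["p"]) ? strtolower($get["p"]) : "";
    if (!in_array($p, $allowed, true)) {
        // Unknown or missing page: fall back on the session state.
        return $valid ? "index" : "login";
    }
    if ($p === "index" && !$valid) {
        // The "logged in" view is only reachable with a valid session.
        return "login";
    }
    return $p;
}

// Constructed sample requests: method, $_GET, $_SESSION, expected view.
$cases = array(
    array("GET",  array("p" => "index"),  array(),               "login"),
    array("GET",  array("p" => "index"),  array("valid" => "1"), "index"),
    array("POST", array(),                array("valid" => "0"), "login"),
    array("POST", array(),                array("valid" => "1"), "index"),
    array("GET",  array("p" => "logout"), array("valid" => "1"), "logout"),
    array("GET",  array("p" => "nope"),   array(),               "login"),
    array("GET",  array("p" => array()),  array("valid" => "1"), "index"),
);

foreach ($cases as $c) {
    list($method, $get, $session, $expected) = $c;
    $got = resolve_page($method, $get, $session);
    printf("%-4s p=%-6s valid=%-1s -> %-6s %s\n",
        $method,
        isset($get["p"]) && is_string($get["p"]) ? $get["p"] : "-",
        isset($session["valid"]) ? $session["valid"] : "-",
        $got,
        $got === $expected ? "ok" : "MISMATCH");
}
```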