[RELEASE] Secure PHP Web Registration Script (MSSQL ODBC)

~~cypherxxl~~ · 09/20/2012, 14:47

Solved thank you.

Edit:
Cant create Accounts now, cause RowID cant insert nulls -.-

What about RowID = NULL <- does it make problems for players?

venci12345 · 10/08/2012, 23:16

Hello, I had the same problem I fixed easily RowID
1: I did step which showed JohnHeatz
2: Next just put a check RowID

I hope to help and sorry for bad english

RebeccaBlack · 10/09/2012, 13:52

Set UserUID as the Primary Key, and drop RowID

infinite59 · 02/02/2013, 12:18

Tested with Acunetix web vulnerability scanner 8
Results:
This script is possibly vulnerable to SQL Injection attacks.

SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters.

This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.
This vulnerability affects /registration/changepass.php.
Discovered by: Scripting (Blind_Sql_Injection.script).

TeddyBear94 · 02/02/2013, 13:13

the script at all is vulnerable to sql injection true. but the recaptcha which is placed in that script avoids the sql injection. if that recaptcha isnt placed in the registration that is it possible to get into via sql injection so i suggest to leave recaptcha in or otherwise u will be an easy target.

abrasive · 02/04/2013, 23:16

Quote:

Originally Posted by infinite59

Tested with Acunetix web vulnerability scanner 8
Results:
This script is possibly vulnerable to SQL Injection attacks.

SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters.

This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.
This vulnerability affects /registration/changepass.php.
Discovered by: Scripting (Blind_Sql_Injection.script).

Your scanner is unable tell if it is vulnerable or not, which is why it says it is "possibly" vulnerable to SQL injection attacks. If you look at the scripts you will see there is no place where user input is directly placed into a SQL statement. Thus, the scripts are not vulnerable to SQL injection.

Quote:

Originally Posted by TeddyBear94

the script at all is vulnerable to sql injection true. but the recaptcha which is placed in that script avoids the sql injection. if that recaptcha isnt placed in the registration that is it possible to get into via sql injection so i suggest to leave recaptcha in or otherwise u will be an easy target.

The purpose of ReCaptcha is to prevent people from botting account creation. It has no effect at all in regards to SQL injection.

Su1ph3r · 02/06/2013, 03:35

Quote:

Your scanner is unable tell if it is vulnerable or not, which is why it says it is "possibly" vulnerable to SQL injection attacks. If you look at the scripts you will see there is no place where user input is directly placed into a SQL statement. Thus, the scripts are not vulnerable to SQL injection.

^ Exactly. There is no possible SQL injection through those scripts, even using TamperData to manually edit the data in transit SQLi is blocked. There is however confirmed XSS in the input fields. If you put in code it is reflected back to the user. Although the type of XSS isn't even remotely high impact the code should probably be changed up a bit to provide better input sanitization (I would do it but I am a horrible coder).

Kudos on the scripts Abrasive.

Also, you can't rely to heavily on the output from vulnerability scanners as they tend to only test heuristics instead of actually trying the attack vector. Heuristic scanners are always prone to give out false positives. This is true of Acunetix, WebSecurify, W3AF, Arachni, Nessus, OpenVAS, etc. They are useful for giving you an idea of where a vulnerability may be present, but you always need to test it yourself before you can really know for sure.

abrasive · 02/06/2013, 06:53

Quote:

Originally Posted by Su1ph3r

^ Exactly. There is no possible SQL injection through those scripts, even using TamperData to manually edit the data in transit SQLi is blocked. There is however confirmed XSS in the input fields. If you put in code it is reflected back to the user. Although the type of XSS isn't even remotely high impact the code should probably be changed up a bit to provide better input sanitization (I would do it but I am a horrible coder).

Kudos on the scripts Abrasive.

Also, you can't rely to heavily on the output from vulnerability scanners as they tend to only test heuristics instead of actually trying the attack vector. Heuristic scanners are always prone to give out false positives. This is true of Acunetix, WebSecurify, W3AF, Arachni, Nessus, OpenVAS, etc. They are useful for giving you an idea of where a vulnerability may be present, but you always need to test it yourself before you can really know for sure.

You are correct about the XSS in a sense. You can only XSS yourself with it, which I can't think of a single useful reason to do that. Also in that context it would not really be cross site scripting, since only you can see it, and not everyone accessing the site.

It is still my bad for overlooking the htmlentities() call in the view though -.-

Su1ph3r · 02/06/2013, 08:37

Quote:

Originally Posted by abrasive

You are correct about the XSS in a sense. You can only XSS yourself with it, which I can't think of a single useful reason to do that. Also in that context it would not really be cross site scripting, since only you can see it, and not everyone accessing the site.

It is still my bad for overlooking the htmlentities() call in the view though -.-

Yeah that's why I said it wasn't even remotely high impact. In the context of the Registration Script as is, it isn't even close to XSS, but that's only if you are using traditional methods for XSS such as javascript or html (iframes, anchors, etc.) BUT since XSS can actually be exploited through any scripting language, it becomes a bit more of an issue if you use other scripting languages.

I've not been able to do anything high impact with it, and I doubt it could be done tbh, but I have been able to get certain CGI languages to render through the input fields. Nothing more than a popup though.

The scripts are really nicely coded. It's clear you put some thought into them.

seb35137 · 02/11/2013, 23:55

hi i want to know if it possible to setup auto increment with a script or modified the table:
CREATE TABLE [dbo].[Users_Master](
[UserUID] [int] NOT NULL,AUTO_INCREMENT or something like that ( this request not work) because i cant change propriety of the columm the screen is blocked . i try with all account of sql but options screen is blocked i cant anything thanks

Problem resolved , i don't see the little crooss at left of name for open the submenus in propeties . so my web register work when i run it with xampp i can create account but now the problem is when i try to create an account on my website (ucoz) thats said 404 error not found .
i think problem come from IP or maybe i need change in xampp or server or to insert a link of the webpage to xammp . i m lost . can help me please thx

sitrus123 · 07/14/2013, 18:21

If i set UserUID allows Nulls, this can be a problem when the server seach for an ID? Because in one regsystem use UserUID and in this one use RowID ...

infinite59 · 07/14/2013, 19:33

You can drop column RowID and set UserUID to auto increment

And definitely no, don't make UserUID allow nulls as this identifier is the one used by the server to recognise you

oasis1984 · 08/14/2013, 13:41

Ok, needing some help and not understanding why I'm getting this error: Failed to determine if this username already exists in the database.

Never had this one until now. Setup is on WinServ 2008 R2 x64 MSSQL Server 2012

white95260 · 07/05/2014, 05:50

That a joke ? Well I dropped RowID, account created successfully but can't log on game, because don't add a new user on the OMG GameWEB, what I need to do ?

I think had a problem on the script or something like that, I only have the Users_Masters and not the OMG_GameWEB account.

oldjayy · 07/07/2014, 23:07

You don't need OMG_GameWEB at all. Also dropping RowID would not cause any problem.