Secure login script does recognize user but doesn't actually login

For my website I’ve created different pages. To access these pages the user needs to log in once. For this secure login I used the script from WikiHow:

www.wikihow.com/Discussion:Create-a-Secure-Login-Script-in-PHP-and-MySQL

When I started everything worked just fine. Somehow, now it doesn’t anymore. The index consists of 2 frames, topFrame and mainFrame. The content’s loaded in the mainFrame; after logging in, the user’s credentials and a logout button appear in the topFrame. The script works randomly. Sometimes I’m able to log in, sometimes not. If I’m able to log in I stay logged in. But it usually takes a lot of effort to actually log in.

If I enter my credentials for the first time, all data in the topFrame change to my details. So somehow the topFrame seems to see that I’m logged in. mainFrame keeps asking for me to log in. Even if I put a link in the topFrame which I can click after logging in, to change the page in mainFrame to another page, it doesn’t allow me to see the content.

All pages work just fine if I delete the login script. Also, both top and mainFrame are linked to the same login script.

Does anybody know if this is a common problem and even more important: does anybody know how to fix this? The only modification I made to the original script is the name of the database.

We need to see some code. Are you using actual frames? If so that should probably be changed.

It consists of many pages. The actual index contains just a few lines of code:

[code]

[/code]

But the script doesn’t look at the actual frame. The script changes some values in $_SESSION. Every page on mainFrame checks if ($_SESSION == ‘value’). If so, it displays the page, if not, it displays the login form. This if/else code is on every page.

I personally don’t like that script, but that is probably just me. :o

Whoever wrote the script created a bunch of code to sanitize the PHP_SELF, when it simply can be sanitized like this:
[php]$phpSelf = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL);[/php]

and you can get the relative links from that by doing this:

[php]$path_parts = pathinfo($phpSelf);

$basename = $path_parts['basename']; // Use this variable for action='':
$pageName = ucfirst($path_parts['filename']);[/php]

I personally don’t see how a person could attack that, if they can attack that they can attack that script for I’m sure that script isn’t truly vested either.

$phpSelf = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL);

Strider64, you keep posting this. It doesn’t do what you think. It is still vulnerable to SQL Injection.

The correct and safe solution is to use $_SERVER['SCRIPT_NAME'] for the form action if you are going to use the action attribute.

Test it

[php]<?php
$phpSelf = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL);
/* Test URL
page.php/">
*/
?>

Exploit Demonstration
Submit [/php]
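Added example, not part of any post in this thread: a check of which characters FILTER_SANITIZE_URL leaves in a PHP_SELF-style value before it is placed in a form action, compared with $_SERVER['SCRIPT_NAME'] and with HTML-escaping the value. The `$server` array is constructed sample data standing in for `$_SERVER`, `breaksOutOfAttribute()` is a hypothetical helper, and the use of `htmlspecialchars()` is an addition not mentioned in the posts.

```php
<?php
// Constructed sample data standing in for $_SERVER on a request whose URL
// carries extra path info after the script name: /page.php/"><b>marker</b>
$server = [
    'PHP_SELF'    => '/page.php/"><b>marker</b>', // includes the path info
    'SCRIPT_NAME' => '/page.php',                 // script path only
];

// filter_var() applies the same filter that filter_input(INPUT_SERVER, ...)
// would apply to the live value. FILTER_SANITIZE_URL keeps ", < and >.
$sanitized = filter_var($server['PHP_SELF'], FILTER_SANITIZE_URL);

// Hypothetical helper: true if the value still contains a character that can
// close a double-quoted HTML attribute or open/close a tag.
function breaksOutOfAttribute(string $value): bool
{
    return strpbrk($value, '"<>') !== false;
}

$candidates = [
    'PHP_SELF + FILTER_SANITIZE_URL' => $sanitized,
    'PHP_SELF + htmlspecialchars'    => htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8'),
    'SCRIPT_NAME + htmlspecialchars' => htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8'),
];

// Print each candidate as it would appear inside the form tag.
foreach ($candidates as $label => $action) {
    printf(
        "%-31s %-6s <form action=\"%s\" method=\"post\">\n",
        $label,
        breaksOutOfAttribute($action) ? 'UNSAFE' : 'ok',
        $action
    );
}
```

Only the first candidate is reported as UNSAFE: the sanitize filter returns the sample value unchanged, while the escaped values contain no raw quote or angle bracket.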

Let’s just say, anything that uses framesets is so old, that you should move on.
