Is is possbile to hack this admin page ?

[schnapy]

Hello,

I've created this login admin page. Can you help me to tell if can be hacked and how ?
It is vulnerable to sql injection ?

Code: Select all

<?php

include_once('../_config/_config.php');

include_once('../_library/_library.php');

load_helpers(array('_mysql','_validation','_mailer','_template'),'../');



$template   =new Template('_template');

$validation =new Validation;

$mail       =new PHPMailer();

$database   =new MySQL(true, ''.DATABASE.'', ''.HOST.'', ''.USERNAME.'', ''.PASSWORD.'');



if ($database->Error()) $database->Kill();



$er_login='';

$no_login='';

$er_recover='';

$no_recover='';

$ok='';

$show='';



if(isset($_POST['login'])) {



$source= array(

            'username' => @$_POST['username'],

            'parola'   => @$_POST['password']

              );

         

$rules = array(

            'username'=>array('type'=>'string', 'required'=>true, 'min'=>1, 'max'=>50, 'trim'=>true),

            'parola'  =>array('type'=>'string', 'required'=>true, 'min'=>1, 'max'=>50, 'trim'=>true)

            );         



$validation->addSource($source);

$validation->addRules($rules);

$validation->run();



if(sizeof($validation->errors) > 0)

{



$er_login=$validation->errors;



} else {



$database->Query("SELECT `username`, `level` FROM admin WHERE `username`='".$validation->sanitized['username']."' AND `password`='".md5($validation->sanitized['parola'])."' AND active='1' LIMIT 1");



if($database->RowCount()==1) {



$admin=$database->RowArray(0, MYSQL_ASSOC);

$_SESSION['ADMIN']=$admin['username'];

$_SESSION['LEVEL']=$admin['level'];

header('Location: '.SITE.'/admin/home/');

exit();

} else {

$no_login='Datele de logare in partea de administrare sunt incorecte!';

}



}



}





if(isset($_POST['recover'])) {



$source= array(

            'username' => @$_POST['username'],

            'email'    => @$_POST['email']

              );

         

$rules = array(

            'username'=>array('type'=>'string', 'required'=>true, 'min'=>1, 'max'=>50, 'trim'=>true),

            'email'   =>array('type'=>'string', 'required'=>true, 'min'=>1, 'max'=>50, 'trim'=>true)

            );         



$validation->addSource($source);

$validation->addRules($rules);

$validation->run();



if(sizeof($validation->errors) > 0)

{



$er_recover=$validation->errors;



} else {



$database->Query("SELECT `username`, `email`, `ID` FROM admin WHERE `username`='".$validation->sanitized['username']."' AND `email`='".$validation->sanitized['email']."' AND active='1' LIMIT 1");



if($database->RowCount()==1) {



$data=$database->RowArray(0, MYSQL_ASSOC);



$password=random_string('alnum',8);



$database->Query("UPDATE admin SET `password`='".md5($password)."' WHERE ID='".$data['ID']."' LIMIT 1");


[Cryptovirus]

Not sure, but it appears that anyone can reset passwords knowing the username and email?

[eggscrambler]

What you need to realize is that anything is hackable. It is impossible to make something that has no vulnerabilities. However you can get rid of the more obv vulns just remember that because it is essential.

[tremor77]

What you need to realize is that anything is hackable. It is impossible to make something that has no vulnerabilities. However you can get rid of the more obv vulns just remember that because it is essential.

I wouldn't say that, there are in fact many ways to develop a perfectly secure login, however not always as functional and friendly as they may need to be.

@schnappy: just reviewing your code isn't enough to tell me exactly how secure it may or may not be. Other factors come in to play such as the server hosting environment, php and mysql versions, etc.

-Is it LAMP or IIS?
-Are there other security measures in place?
-Is this using an outdated version of PHP or MYSQL?
-Did someone leave register globals ON?
-Are there other portions of the website that use GET or POST methods that may not be directly associated with your login but still make calls to the database?
-Are the proper read/write permissions set?
-Is .htaccess being used and if so it is being used properly?

One thing I see is that you are using SESSIONS - it should be known that sessions can be spoofed and hijacked.

You are also using the 'header' method as a redirect, this can also be exploited.. as well as being tricky in programming properly.. injecting some characters or whitespace before the header output can potentially cause code or environment variables to be exposed.

Hope this helps.

[Defience]

What you need to realize is that anything is hackable. It is impossible to make something that has no vulnerabilities. However you can get rid of the more obv vulns just remember that because it is essential.

I wouldn't say that, there are in fact many ways to develop a perfectly secure login, however not always as functional and friendly as they may need to be.

@schnappy: just reviewing your code isn't enough to tell me exactly how secure it may or may not be. Other factors come in to play such as the server hosting environment, php and mysql versions, etc.

-Is it LAMP or IIS?
-Are there other security measures in place?
-Is this using an outdated version of PHP or MYSQL?
-Did someone leave register globals ON?
-Are there other portions of the website that use GET or POST methods that may not be directly associated with your login but still make calls to the database?
-Are the proper read/write permissions set?
-Is .htaccess being used and if so it is being used properly?

One thing I see is that you are using SESSIONS - it should be known that sessions can be spoofed and hijacked.

You are also using the 'header' method as a redirect, this can also be exploited.. as well as being tricky in programming properly.. injecting some characters or whitespace before the header output can potentially cause code or environment variables to be exposed.

Hope this helps.

+1

[tremor77]

@defience: gratz on admin - when did this happen.. i'm far too randomly active.

[Defience]

@defience: gratz on admin - when did this happen.. i'm far too randomly active.

It's been like that for some time, doesn't mean much though