freecrm
New Member
- Messages
- 629
- Reaction score
- 0
- Points
- 0
I have just completed a registration and login system using php and I would love it if someone could break it!!!
The site is www.freecrm.x10hosting.com
I'll even tell you how it works!
1st Registration page:
Uses "ReCaptcha" image verification and validates all input, including repeats of critical information.
e-mail, username, password etc.
Checks if username already exists.
Creates random membership ID - lots of characters, mixed string (hidden field)
Creates random password - lots of characters, mixed string (hidden field)
Commits all $_POST variables to server variables.
Inserts record with random password. (membership id is unique MySQL field)
2nd Registration page:
Re-assigns $_SESSION variables to normal strings and e-mails verification to inserted e-mail address.
E-mail contains link to account verification page, carrying random membership ID and real password.
i.e. http://freecrm.x10hosting.com/accountverification.php?memid=<?php echo $memid;?>&password=<?php echo $password;?>
The account verification page calls a recordset where the $_GET memid matches.
An update (using form) then inserts the real password over the existing password.
You can then login!
There is only one small crack I can see here:
If a user types the account verification URL into a browser with a random number and password, the chances are they will not match an existing record; however, if the user continues to do this with a random memid string (29 characters!), they might match an existing record. The password variable could then be used to over-write an existing users account!
What are the chances???
The site is www.freecrm.x10hosting.com
I'll even tell you how it works!
1st Registration page:
Uses "ReCaptcha" image verification and validates all input, including repeats of critical information.
e-mail, username, password etc.
Checks if username already exists.
Creates random membership ID - lots of characters, mixed string (hidden field)
Creates random password - lots of characters, mixed string (hidden field)
Commits all $_POST variables to server variables.
Inserts record with random password. (membership id is unique MySQL field)
2nd Registration page:
Re-assigns $_SESSION variables to normal strings and e-mails verification to inserted e-mail address.
E-mail contains link to account verification page, carrying random membership ID and real password.
i.e. http://freecrm.x10hosting.com/accountverification.php?memid=<?php echo $memid;?>&password=<?php echo $password;?>
The account verification page calls a recordset where the $_GET memid matches.
An update (using form) then inserts the real password over the existing password.
You can then login!
There is only one small crack I can see here:
If a user types the account verification URL into a browser with a random number and password, the chances are they will not match an existing record; however, if the user continues to do this with a random memid string (29 characters!), they might match an existing record. The password variable could then be used to over-write an existing users account!
What are the chances???