How secure Dreamweaver PHP login logout is?

Question

just for knowledge sake, i wanna know that how good is to use a Dreamweaver in-built feature of PHP login logout authentication?

Is it secure?

I always use sessions, posts and so many things to build a login system, however when i used the Dreamweaver one, it was quite simple and seems to be secure. Still need expert advice, should i start using it or the traditional one is better. I don't find any limitation, just want to know that weather it is secure enough or not.

Here is the code which Dreamweaver provides:-

This is my login form

<form action="<?php echo $loginFormAction; ?>" method="POST" target="_self">
    <input name="ecsuser" class="form-login" title="Username" value="" size="30"
    maxlength="2048" />

    <input name="ecspass" type="password" class="form-login" title="Password" 
    value="" size="30" maxlength="2048" />

    <?php if(!empty($ERRORMESSAGE)) echo '<div style="color:#FFF; 
    font-weight:bold;">'.$ERRORMESSAGE.'</div>'; ?>

    <input name="" type="submit" value="" />
</form>

This is my Error Handling code.

<?php
if (isset($_GET['ERRORMESSAGE']))
{
    if($_GET['ERRORMESSAGE'] == 1)
    {
    global $ERRORMESSAGE;
    $ERRORMESSAGE = "Sorry! The username or password is incorrect, 
            Please try again.";
    }
}
?>

This is my further code

// Database Connection Include
<?php require_once('Connections/ecs.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['ecsuser'])) {
  $loginUsername=$_POST['ecsuser'];
  $password=md5($_POST['ecspass']);
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "index.php";
  $MM_redirectLoginFailed = "login.php?ERRORMESSAGE=1";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_ecs, $ecs);

  $LoginRS__query=sprintf("SELECT username, password FROM student WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 

  $LoginRS = mysql_query($LoginRS__query, $ecs) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";

    if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;       

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];  
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

Also, i want to know, what all other security measures we need to take for building an efficient Login system and does the above code is 100% perfect with no security issue.

If links and example codes are provided it will be very helpful, thanks in advance :) — Django Anonymous, Mar 13 '12 at 07:52
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Password_Storage — zuallauz, Mar 13 '12 at 08:10

score 9 · Accepted Answer · edited May 23 '17 at 12:11

Is it secure?

No. I see a few problems:

1) First of all there is an XSS vulnerability. When you echo $_SERVER['PHP_SELF'] like that, it needs to be escaped with htmlspecialchars(). If you don't do this, an attacker can craft link which when clicked, will steal session cookies which can be used to become logged in without a username and password. See: PHP_SELF and XSS

2) GetSQLValueString has problems. It is falling back to mysql_escape_string() if mysql_real_escape_string() does not exist. You should never fall back to mysql_escape_string(). If mysql_real_escape_string() is not available and you're relying on it to avoid SQL Injection, your application should stop. This function is also doing an escape on the data, before it knows what datatype it is. If you're using intval(), floatval(), doubleval(), you don't need to do a mysql_real_escape_string() first.

I suggest changing this to use MySQLi or PDO parameterised queries which will automatically handle the escaping for you.

MySQLi: http://php.net/manual/en/mysqli.prepare.php PDO: http://us2.php.net/manual/en/book.pdo.php

3) It appears to be trying (and failing) to redirect to the previous page on successful login. You should never redirect unless you have hardcoded the URL or you have validated the user supplied URL, if you don't do this you could be vulnerable to open redirect/phishing attacks. It looks like someone might have tried to fix this by adding false to the if here: if (isset($_SESSION['PrevUrl']) && false) {, this statement will never evaluate to true and so it is pointless keeping it.

4). Take a look at this line:

$LoginRS = mysql_query($LoginRS__query, $ecs) or die(mysql_error());

If there is any MySQL error when this query executes, the application is going to print out the full MySQL error and then stop. This will be extremely helpful to anyone trying to perform SQL Injection attacks. Even if you've secured for SQL Injection, this is still going to tell the world parts of your database structure. You should use trigger_error() or do your own error logging, but never show it to the user in a production/live/public system.

5). Finally, it is possible to perform XSRF attacks on the login/out form. You should use an anti-XSRF token when submitting actions like login/logout. See: http://en.wikipedia.org/wiki/Cross-site_request_forgery

Thanks for your help :) Its really descriptive and full of knowledge... three cheers for you... — Django Anonymous, Mar 13 '12 at 11:22

jpic · Answer 2 · 2012-03-13T08:26:34.557

2

It is vulnerable to CSRF. Sorry.

Also, I had a client with a PHP backoffice in dreamweaver in the past. He got hacked (all database records deleted) by Google.

Apparently:

Some pages where not secure - didn't verify credentials
There were "delete" links which did not force any confirmation and worked in GET (standard fail)
Google nicely crawled the backoffice and got everything deleted (say it in the logs)

edited Mar 13 '12 at 08:26

answered Mar 13 '12 at 08:19

jpic

32,891
5
112
113

Yes, this made me think, if dreamweaver relied on a framework like symfony instead of generating horrible code, maybe dreamweaver could look serious. – jpic Jan 23 '13 at 11:36

score 1 · Answer 3 · answered Jan 22 '13 at 14:15

Not bulletproof certainly. To be honest, it is somewhere in-between. There are problems, but I've seen worst cases.

The XSS on $_SERVER['PHP_SELF'] is known, but not as damaging as one believes and I guarantee you many websites suffer of it.

mysql_escape_string() is bad and all that piece of code is bad, but it doesn't have to fall if your server has mysql_real_escape_string(). If your server has it, than it will not fall.

You have XSS and the chance of getting screwed if you have an old version of php, but chances are if you have such an old version you are vulnerable anyway.

If you base your work on dreamweaver, try to add validation and sanitization to form elements, there are some extensions for this matter. Take care to use a server side validation dreamweaver extension for the job (check the marketplace).

I assume your question was dreamweaver related and you wanted to know how safe there are applications created with dreamweaver server behaviors and commands. Not that safe, not that vulnerable.

The advise you got until now from other users is correct, prepared statements are better, mysqli should be the minimum standard. But if you have to do your job with dreamweaver (programming for poets), than my advise is to check some dreamweaver extensions for server side validation of form elements, than you may buy a more expensive dreamweaver extension that may provide you the same functionality and same integration with dreamweaver I guess you are looking for, but has a better code when it comes to "registration" module. There are a few on marketplace.

Web Assist for example has such things. I do not like them as the code resulted is messy and the pages are rather bloated. Also the learning curve is an issue, you may rather learn PHP than learn pushing buttons on those extensions.

FelixOne is another provider of such extensions, cheaper and the learning curve is better than Web Assist. Give them a try.

How secure Dreamweaver PHP login logout is?

3 Answers3

Linked