Vulnerabilities caused by logical errors

Source: Internet
Author: User

Author: Old K Source: http://www.cha8.com/

Some time ago, problems occurred in the chat room system on my personal website: many abnormal pictures and styles appeared in the chat room. I was confused. By common sense, all portraits that users can choose are stored in the user profile picture store. So where did the other portraits come from?

Because the chat room system is rented, not developed by me, it was easy to think that there might be vulnerabilities in the program, in all likelihood SQL injection.

Therefore, the Administrator requested the source code of the entire management system and found that there were indeed injection points, and the problem was found. However, after the repair, the problem was not solved. I was also thinking that, if injection were the method, these netizens would have added a batch of administrators. Then I re-audited the code several times. Finally, we found a logical error.

This system is a multi-user version. The user profile store table has a roomid column indicating which chat room's user has the profile picture. The statement that adds a profile picture for the corresponding user is correct: it updates the profile picture for the user in that room. However, after more than one profile picture has been purchased, logically, the original No. 4 record is sent to No. 3, the No. 3 record to No. 2, No. 2 to No. 1, and No. 1 is left blank so that the new record can be written to it. This is written as follows:

SQL = "update usericon set usericonm='" & rs2("usericon4") & "', usericon4='" & rs2("usericon3") & "', usericon3='" & rs2("usericon2") & "', usericon2='" & rs2("usericon1") & "', usericon1='" & rs("usericon") & "' where username='" & session("username") & "'"

The image addresses had been read beforehand with:

Rs2.Open "Select * From usericon where roomid=" & session("roomid") & " and username='" & session("username") & "'", conn, 1, 3

In his opinion, because the addresses come from this recordset, a user can only obtain a new profile picture if that user matches the current session("roomid"). However, he did not consider that the same user may register the same name in two chat rooms. The update matches on username only, so that user gets the avatars in both rooms.
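The cross-room write described above, reproduced as an added example in Python with sqlite3 (this is not code from the original post or from the chat room system). The table layout is assumed from the column names on the page, the rows are constructed sample data, and the function names are hypothetical. Both branches use bound parameters, so the only difference is the WHERE scope.

```python
import sqlite3

# Column order matches the page's UPDATE: m<-4, 4<-3, 3<-2, 2<-1, 1<-new.
SLOTS = ("usericonm", "usericon4", "usericon3", "usericon2", "usericon1")

def make_db():
    # Constructed sample data: the same username registered in two rooms.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usericon (roomid INTEGER, username TEXT, "
                 "usericonm TEXT, usericon4 TEXT, usericon3 TEXT, "
                 "usericon2 TEXT, usericon1 TEXT)")
    conn.executemany("INSERT INTO usericon VALUES (?,?,?,?,?,?,?)", [
        (1, "alice", "", "", "", "", "room1-a.gif"),
        (2, "alice", "", "", "", "", "room2-a.gif"),
    ])
    return conn

def buy_icon(conn, roomid, username, new_icon, scoped):
    """Shift the icon slots and store new_icon; return rows written."""
    # Same read as the page: slots come from this room's row only.
    row = conn.execute(
        "SELECT usericon4, usericon3, usericon2, usericon1 FROM usericon "
        "WHERE roomid = ? AND username = ?", (roomid, username)).fetchone()
    if row is None:
        raise LookupError("no such user in this room")
    values = list(row) + [new_icon]  # lines up with SLOTS
    sets = ", ".join(f"{col} = ?" for col in SLOTS)
    if scoped:
        # Corrected write: uses the same key as the read.
        where, key = "roomid = ? AND username = ?", [roomid, username]
    else:
        # The page's write: username alone, so every room's row matches.
        where, key = "username = ?", [username]
    cur = conn.execute(f"UPDATE usericon SET {sets} WHERE {where}",
                       values + key)
    return cur.rowcount

def icons(conn, roomid, username):
    # Return (usericon2, usericon1) for one room's row.
    return conn.execute(
        "SELECT usericon2, usericon1 FROM usericon "
        "WHERE roomid = ? AND username = ?", (roomid, username)).fetchone()
```

A write that reports more than one affected row for a single purchase is the signal that the statement is not scoped to one room.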

Of course, these are just external factors. This is just a condition for committing the offense. After all, not all new users can directly purchase very large portraits. There are also some reasons for competition in the future: other people's chat rooms have "customized" a batch of our users. These things will not be discussed here. When writing a program, you must pay attention to similar logical errors. Do not let the accountant of one branch company be able to modify the accounts of all branch companies.

 

 
