theta
02-23-2012, 04:40 AM
Hi all...I have been told our intranet login (not available externally) is unsafe. It is not my project, but wanted to get some insight into what people think and highlight any glaring issues with the code. Is it open to SQL injection etc. To be frank the system is a joke (you can hotlink to the .aspx pages behind this login) but need some credible example to pass up...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<title>LOGINSYS.Net</title>
<meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
<meta content="Visual Basic .NET 7.1" name="CODE_LANGUAGE">
<meta content="JavaScript" name="vs_defaultClientScript">
<meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
<LINK href="common/StyleSheet/LOGINSYS01.css" type="text/css" rel="stylesheet">
<LINK href="common/StyleSheet/LOGINSYS02.css" type="text/css" rel="stylesheet">
<style>.initial {
FONT-WEIGHT: bold; BACKGROUND-COLOR: seashell
}
</style>
<SCRIPT language="JavaScript" src="common/test/template.js"></SCRIPT>
<SCRIPT language="JavaScript">
function f_ShowError(strErrMessage)
{
//var strErrMessage = document.frmSignIn.hdErrorMessage.value;
//var strMessage = new String(strErrMessage);
//strMessage.toUpperCase();
if(strErrMessage < 8)
{
if(confirm("Your Password is going to expire in " + strErrMessage + " days. Do you want to change it now?")){
window.open('default.aspx?strform=Authorisation/Change_Password.aspx','_top');
return true;
}
else
{
window.open('default.aspx?strform=right.aspx','_top');
}
}
window.open('default.aspx?strform=right.aspx','_top');
return true;
}
</SCRIPT>
</HEAD>
<body onresize="history.go(0)" leftMargin="0" background="file:///E:\UnitedClearing\LOGINSYSnet\Development\User Services\LOGINSYSnet\Common\Images\emily.jpg"
topMargin="0" onload="document.frmSignIn.txtUserAccount.focus();" MARGINWIDTH="0"
MARGINHEIGHT="0">
<form name="frmSignIn" method="post" action="Sign-In.aspx" language="javascript" onsubmit="if (!ValidatorOnSubmit()) return false;" id="frmSignIn">
<input type="hidden" name="__VIEWSTATE" value="dDw2MzY4OTgzNzY7Oz4jHnpr+1tsQdU6Apgz5Abxg1uFUA==" />
<script language="javascript" type="text/javascript" src="/aspnet_client/system_web/1_1_4322/WebUIValidation.js"></script>
<TABLE height="100%" cellSpacing="0" cellPadding="0" width="100%" align="center" border="0">
<TR>
<td align="center">
<DIV ID="sunLayer" STYLE="Z-INDEX: 1; VISIBILITY: hidden; POSITION: absolute">
<!--<IMG SRC="common/images/core_1.gif" SUPPRESS="TRUE" BORDER="0">-->
</DIV>
<DIV id="flareLayer" style="Z-INDEX: 2; VISIBILITY: hidden; POSITION: absolute"><IMG height="100" src="common/images/blank.gif" width="100" border="0" SUPPRESS="TRUE">
</DIV>
<DIV id="contentLayer" style="Z-INDEX: 3; LEFT: 0px; VISIBILITY: hidden; POSITION: absolute; TOP: 0px"></DIV>
<DIV ID="isletLayer" STYLE="Z-INDEX: 4; LEFT: 700px; VISIBILITY: visible; WIDTH: 172px; POSITION: absolute; TOP: 430px; HEIGHT: 148px">
<!--<IMG NAME="islet" SRC="common/images/guru.gif" BORDER="0">-->
</DIV>
<table height="15%" cellSpacing="0" cellPadding="0" width="40%" align="center" border="0">
<TR>
<TD class="ctxTitle">Sign In</TD>
</TR>
</table>
<!-- table to display sign off title=end here--><BR>
<table align="center">
<TR>
<TD class="ctxSubTitleDiffCol1">
<table cellSpacing="0" cellPadding="0" width="525" align="center" border="0">
<TR>
<TD class="ctxSubTitleDiffCol1" width="20%">User Name</TD>
<TD class="ctxSubTitleDiffCol1"><input name="txtUserAccount" type="text" size="25" id="txtUserAccount" /> <span id="rvfUser" controltovalidate="txtUserAccount" errormessage="Please enter User Name" display="Dynamic" evaluationfunction="RequiredFieldValidatorEvaluateIsValid" initialvalue="" style="color:Red;display:none;">*</span>
</TD>
</TR>
<TR>
<td> </td>
</TR>
<TR>
<TD class="ctxSubTitleDiffCol1" width="20%">Password</TD>
<TD class="ctxSubTitleDiffCol1"><input name="txtPassword" type="password" size="25" id="txtPassword" /> <span id="rvfPassword" controltovalidate="txtPassword" errormessage="Please enter Password" display="Dynamic" evaluationfunction="RequiredFieldValidatorEvaluateIsValid" initialvalue="" style="color:Red;display:none;">*</span>
</TD>
</TR>
<TR>
<td> </td>
</TR>
<TR>
<TD class="ctxSubTitleDiffCol1" width="20%"></TD>
<TD><input type="submit" name="btnSubmit" value="Submit" onclick="if (typeof(Page_ClientValidate) == 'function') Page_ClientValidate(); " language="javascript" id="btnSubmit" class="initial" style="width:82px;" />
<input type="submit" name="btnCancel" value="Cancel" id="btnCancel" class="initial" style="width:82px;" /></TD>
</TR>
</table>
</TD>
</TR>
</table>
<br>
<br>
<TABLE id="Table19" cellSpacing="0" cellPadding="0" width="30%" align="center" border="0">
<TR>
<TD align="left" width="30%"></TD>
</TR>
</TABLE>
<br>
<table cellSpacing="0" cellPadding="0" width="525" align="center" border="0">
<TR>
<td class="ctxSubTitleDiffCol1" vAlign="top"><span id="cvCommonErrors" display="None" evaluationfunction="CustomValidatorEvaluateIsValid" style="color:Red;display:none;"></span><div id="vsError" headertext="The following error(s) have occurred" style="color:Red;display:none;">
</div>
<P></P>
<P><span id="lblContactMessage" class="cAlertMsg"></span></P>
</td>
</TR>
</table>
<p></p>
</td>
</TR>
<tr>
<td vAlign="bottom">
<table cellSpacing="0" cellPadding="0" width="100%" align="center" border="0">
<TR>
<td vAlign="bottom" align="right" width="100%"><A href="http://iris.unitedclearing.com/iris/" target="_blank"><b><font size="2" style="COLOR: #000099">
IRIS - Click Here</font></b></A></td>
</TR>
</table>
</td>
</tr>
</TABLE>
<input name="hdErrorMessage" id="hdErrorMessage" type="hidden" />
<script language="javascript" type="text/javascript">
<!--
var Page_ValidationSummaries = new Array(document.all["vsError"]);
var Page_Validators = new Array(document.all["rvfUser"], document.all["rvfPassword"], document.all["cvCommonErrors"]);
// -->
</script>
<script language="javascript" type="text/javascript">
<!--
var Page_ValidationActive = false;
if (typeof(clientInformation) != "undefined" && clientInformation.appName.indexOf("Explorer") != -1) {
if ((typeof(Page_ValidationVer) != "undefined") && (Page_ValidationVer == "125"))
ValidatorOnLoad();
}
function ValidatorOnSubmit() {
if (Page_ValidationActive) {
return ValidatorCommonOnSubmit();
}
return true;
}
// -->
</script>
</form>
</body>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<title>LOGINSYS.Net</title>
<meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
<meta content="Visual Basic .NET 7.1" name="CODE_LANGUAGE">
<meta content="JavaScript" name="vs_defaultClientScript">
<meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
<LINK href="common/StyleSheet/LOGINSYS01.css" type="text/css" rel="stylesheet">
<LINK href="common/StyleSheet/LOGINSYS02.css" type="text/css" rel="stylesheet">
<style>.initial {
FONT-WEIGHT: bold; BACKGROUND-COLOR: seashell
}
</style>
<SCRIPT language="JavaScript" src="common/test/template.js"></SCRIPT>
<SCRIPT language="JavaScript">
function f_ShowError(strErrMessage)
{
//var strErrMessage = document.frmSignIn.hdErrorMessage.value;
//var strMessage = new String(strErrMessage);
//strMessage.toUpperCase();
if(strErrMessage < 8)
{
if(confirm("Your Password is going to expire in " + strErrMessage + " days. Do you want to change it now?")){
window.open('default.aspx?strform=Authorisation/Change_Password.aspx','_top');
return true;
}
else
{
window.open('default.aspx?strform=right.aspx','_top');
}
}
window.open('default.aspx?strform=right.aspx','_top');
return true;
}
</SCRIPT>
</HEAD>
<body onresize="history.go(0)" leftMargin="0" background="file:///E:\UnitedClearing\LOGINSYSnet\Development\User Services\LOGINSYSnet\Common\Images\emily.jpg"
topMargin="0" onload="document.frmSignIn.txtUserAccount.focus();" MARGINWIDTH="0"
MARGINHEIGHT="0">
<form name="frmSignIn" method="post" action="Sign-In.aspx" language="javascript" onsubmit="if (!ValidatorOnSubmit()) return false;" id="frmSignIn">
<input type="hidden" name="__VIEWSTATE" value="dDw2MzY4OTgzNzY7Oz4jHnpr+1tsQdU6Apgz5Abxg1uFUA==" />
<script language="javascript" type="text/javascript" src="/aspnet_client/system_web/1_1_4322/WebUIValidation.js"></script>
<TABLE height="100%" cellSpacing="0" cellPadding="0" width="100%" align="center" border="0">
<TR>
<td align="center">
<DIV ID="sunLayer" STYLE="Z-INDEX: 1; VISIBILITY: hidden; POSITION: absolute">
<!--<IMG SRC="common/images/core_1.gif" SUPPRESS="TRUE" BORDER="0">-->
</DIV>
<DIV id="flareLayer" style="Z-INDEX: 2; VISIBILITY: hidden; POSITION: absolute"><IMG height="100" src="common/images/blank.gif" width="100" border="0" SUPPRESS="TRUE">
</DIV>
<DIV id="contentLayer" style="Z-INDEX: 3; LEFT: 0px; VISIBILITY: hidden; POSITION: absolute; TOP: 0px"></DIV>
<DIV ID="isletLayer" STYLE="Z-INDEX: 4; LEFT: 700px; VISIBILITY: visible; WIDTH: 172px; POSITION: absolute; TOP: 430px; HEIGHT: 148px">
<!--<IMG NAME="islet" SRC="common/images/guru.gif" BORDER="0">-->
</DIV>
<table height="15%" cellSpacing="0" cellPadding="0" width="40%" align="center" border="0">
<TR>
<TD class="ctxTitle">Sign In</TD>
</TR>
</table>
<!-- table to display sign off title=end here--><BR>
<table align="center">
<TR>
<TD class="ctxSubTitleDiffCol1">
<table cellSpacing="0" cellPadding="0" width="525" align="center" border="0">
<TR>
<TD class="ctxSubTitleDiffCol1" width="20%">User Name</TD>
<TD class="ctxSubTitleDiffCol1"><input name="txtUserAccount" type="text" size="25" id="txtUserAccount" /> <span id="rvfUser" controltovalidate="txtUserAccount" errormessage="Please enter User Name" display="Dynamic" evaluationfunction="RequiredFieldValidatorEvaluateIsValid" initialvalue="" style="color:Red;display:none;">*</span>
</TD>
</TR>
<TR>
<td> </td>
</TR>
<TR>
<TD class="ctxSubTitleDiffCol1" width="20%">Password</TD>
<TD class="ctxSubTitleDiffCol1"><input name="txtPassword" type="password" size="25" id="txtPassword" /> <span id="rvfPassword" controltovalidate="txtPassword" errormessage="Please enter Password" display="Dynamic" evaluationfunction="RequiredFieldValidatorEvaluateIsValid" initialvalue="" style="color:Red;display:none;">*</span>
</TD>
</TR>
<TR>
<td> </td>
</TR>
<TR>
<TD class="ctxSubTitleDiffCol1" width="20%"></TD>
<TD><input type="submit" name="btnSubmit" value="Submit" onclick="if (typeof(Page_ClientValidate) == 'function') Page_ClientValidate(); " language="javascript" id="btnSubmit" class="initial" style="width:82px;" />
<input type="submit" name="btnCancel" value="Cancel" id="btnCancel" class="initial" style="width:82px;" /></TD>
</TR>
</table>
</TD>
</TR>
</table>
<br>
<br>
<TABLE id="Table19" cellSpacing="0" cellPadding="0" width="30%" align="center" border="0">
<TR>
<TD align="left" width="30%"></TD>
</TR>
</TABLE>
<br>
<table cellSpacing="0" cellPadding="0" width="525" align="center" border="0">
<TR>
<td class="ctxSubTitleDiffCol1" vAlign="top"><span id="cvCommonErrors" display="None" evaluationfunction="CustomValidatorEvaluateIsValid" style="color:Red;display:none;"></span><div id="vsError" headertext="The following error(s) have occurred" style="color:Red;display:none;">
</div>
<P></P>
<P><span id="lblContactMessage" class="cAlertMsg"></span></P>
</td>
</TR>
</table>
<p></p>
</td>
</TR>
<tr>
<td vAlign="bottom">
<table cellSpacing="0" cellPadding="0" width="100%" align="center" border="0">
<TR>
<td vAlign="bottom" align="right" width="100%"><A href="http://iris.unitedclearing.com/iris/" target="_blank"><b><font size="2" style="COLOR: #000099">
IRIS - Click Here</font></b></A></td>
</TR>
</table>
</td>
</tr>
</TABLE>
<input name="hdErrorMessage" id="hdErrorMessage" type="hidden" />
<script language="javascript" type="text/javascript">
<!--
var Page_ValidationSummaries = new Array(document.all["vsError"]);
var Page_Validators = new Array(document.all["rvfUser"], document.all["rvfPassword"], document.all["cvCommonErrors"]);
// -->
</script>
<script language="javascript" type="text/javascript">
<!--
var Page_ValidationActive = false;
if (typeof(clientInformation) != "undefined" && clientInformation.appName.indexOf("Explorer") != -1) {
if ((typeof(Page_ValidationVer) != "undefined") && (Page_ValidationVer == "125"))
ValidatorOnLoad();
}
function ValidatorOnSubmit() {
if (Page_ValidationActive) {
return ValidatorCommonOnSubmit();
}
return true;
}
// -->
</script>
</form>
</body>
</HTML>