Re: [WebDNA] Stop hacking

This WebDNA talk-list message is from

2013

It keeps the original formatting. numero = 110694
interpreted = N
texte = Hi John, yes, I rememberMy quick reply was not very good.. but you all have covered it pretty well.. I will add: - Yes, this is "fixed" in the latest betas (though there needs to be some refinement on the fix (thus the quotation marks) - I would prefer something other than a search context on every page... less process intensive. - In general, I would not put any sensitive info into global vars, so even if you are using an older version, these kinds of fixes are not necessarily a requirement.. it's a judgement call overall based on your site and code. However, if someones fishing around your server, you may want to instead grab their I.P. address and route future requests to your favorite charity donation site.DonovanOn 9/11/13 6:56 PM, John Butler wrote:>> On 2013-09-11, at 7:42 PM, Donovan Brooke > wrote:>>> Steve,>> It appears the original coder was trying to stop anyone from trying a>> context in the URL...>>> however, I'm not sure why that would be desired.>> because ^^^ e.g. if someone places a webdna context in the URL like it> is an URL param/var ... then that would expose a security bug in webdna> ... at least in versions before 6.x (?).> The bug caused the first context to be evaluated as if it was a form> var... e.g. this:>> myPage.tpl?capitalize=1234>>> ---------- START snip from 'myPage.tpl' ------------->> [capitalize]abc[/capitalize]>> ---------- END snip from 'myPage.tpl' ------------->>> this ^^^ would NOT be evaluated as>> ABC>> ... but (IIRC) instead as this:>> 1234abc[/capitalize]>> ...and so cause an error because of the lone latter half of the> [capitalize] context.>> I am sure you remember this all very well Donovan... I am just writing> this because you said, "I'm not sure why that would be desired". (?)> (Desired as a way to stop a hacker from trying to exploit the security> hole I show here.)>> Many of us placed other code to prevent this hole in the webdna> pre-parse script.>>>>> We don't know the contents of "noHack.db" so we can't tell you exactly>> what the coder was trying to protect the site from.>> Agreed. Steve, you have to show the contents of 'noHack.db' for us to> even guess what the coder was doing.>> At some point the said security hole was patched, IIRC, so hopefully> someone at WSC can say which version(s) of webdna have the patch.> Steve, try my example above if you want to see whether or not your> version of Webdna has the patch or not.>>> -G-- ===============================================www-tek.euca.us|design.euca.us|euca-hosting.com===============================================[WebDNA -> squarebracket utopia] www.webdna.us Associated Messages, from the most recent to the oldest:

Re: [WebDNA] Stop hacking (Donovan Brooke 2013)
Re: [WebDNA] Stop hacking (Dan Strong 2013)
Re: [WebDNA] Stop hacking (John Butler 2013)
Re: [WebDNA] Stop hacking (WebDNA 2013)
Re: [WebDNA] Stop hacking (John Butler 2013)
Re: [WebDNA] Stop hacking (Steve Graham 2013)
Re: [WebDNA] Stop hacking (John Butler 2013)
Re: [WebDNA] Stop hacking (John Butler 2013)
Re: [WebDNA] Stop hacking (Steve Graham 2013)
Re: [WebDNA] Stop hacking (Donovan Brooke 2013)
[WebDNA] Stop hacking (Steve Graham 2013)

Hi John, yes, I rememberMy quick reply was not very good.. but you all have covered it pretty well.. I will add: - Yes, this is "fixed" in the latest betas (though there needs to be some refinement on the fix (thus the quotation marks) - I would prefer something other than a search context on every page... less process intensive. - In general, I would not put any sensitive info into global vars, so even if you are using an older version, these kinds of fixes are not necessarily a requirement.. it's a judgement call overall based on your site and code. However, if someones fishing around your server, you may want to instead grab their I.P. address and route future requests to your favorite charity donation site.DonovanOn 9/11/13 6:56 PM, John Butler wrote:>> On 2013-09-11, at 7:42 PM, Donovan Brooke > wrote:>>> Steve,>> It appears the original coder was trying to stop anyone from trying a>> context in the URL...>>> however, I'm not sure why that would be desired.>> because ^^^ e.g. if someone places a webdna context in the URL like it> is an URL param/var ... then that would expose a security bug in webdna> ... at least in versions before 6.x (?).> The bug caused the first context to be evaluated as if it was a form> var... e.g. this:>> myPage.tpl?capitalize=1234>>> ---------- START snip from 'myPage.tpl' ------------->> [capitalize]abc[/capitalize]>> ---------- END snip from 'myPage.tpl' ------------->>> this ^^^ would NOT be evaluated as>> ABC>> ... but (IIRC) instead as this:>> 1234abc[/capitalize]>> ...and so cause an error because of the lone latter half of the> [capitalize] context.>> I am sure you remember this all very well Donovan... I am just writing> this because you said, "I'm not sure why that would be desired". (?)> (Desired as a way to stop a hacker from trying to exploit the security> hole I show here.)>> Many of us placed other code to prevent this hole in the webdna> pre-parse script.>>>>> We don't know the contents of "noHack.db" so we can't tell you exactly>> what the coder was trying to protect the site from.>> Agreed. Steve, you have to show the contents of 'noHack.db' for us to> even guess what the coder was doing.>> At some point the said security hole was patched, IIRC, so hopefully> someone at WSC can say which version(s) of webdna have the patch.> Steve, try my example above if you want to see whether or not your> version of Webdna has the patch or not.>>> -G-- ===============================================www-tek.euca.us|design.euca.us|euca-hosting.com===============================================[WebDNA -> squarebracket utopia] www.webdna.us Donovan Brooke

DOWNLOAD WEBDNA NOW!

Re: [WebDNA] Stop hacking

2013

Top Articles:

Related Readings: