Re: Major Security Hole

This WebDNA talk-list message is from 1998. It keeps the original formatting.
numero = 18818

I hit the following page on your site: http://database.columbusrealestate.com/search.tmpl

Appending the URL with _any_ string beginning with a colon (:) showed me your [include] tags. I could not duplicate this on our servers, nor on www.smithmicro.com, www.smithmicro.com, or www.webdna.net

Can you tell us a little more about your server setup (other plugins, etc)?

-Dave

At 1:09 PM 7/13/98, Paul Uttermohlen wrote:
>Major Security Hole,
>
>Earlier this month, Mac Webmasters got a chuckle at the security hole
>exposed in IIS using that text ::$DATA at the end of a url for .tpl or
>.asp, etc.
>
>Cool. It reveals the code that we all thought was hidden because it was
>processed on the server. The fix was to map .tpl::$DATA to the webcat .dll.
>Simple enough. It works.
>
>BUT Macs are susceptible to this as well! And you can't, or at least I
>couldn't, map .tmpl::$DATA to webcatalog. It still reveals the WebDNA tags.
>NOT good if you are showing and hiding text based on passwords like [showif
>[password]=3294.bob]. Now it becomes simple to find the once hidden
>passwords.
>
>Anybody got any ideas?
>
>Anyone know why I can't map .tmpl::$DATA to Webcatalog on Webstar? Maybe
>the $ is the problem.
>
>Thanks, Paul
>
>
> _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_
> _/_/_/Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_
> _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_
> _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_
> _/_/_/ Real Estate - _\_\_\_\_
> _/_/_/Websites - Children _/ _\_\_\_
>_/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

o--------------- Dave MacLeay --+
o----------- Digital Frontier --+
o--- dave@digitalfrontier.com --+

Associated Messages, from the most recent to the oldest:

  1. Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998)
  2. Re: Major Security Hole (Kenneth Grome 1998)
  3. Re: Major Security Hole (Peter Ostry 1998)
  4. Re: Major Security Hole (Paul Uttermohlen 1998)
  5. Re: Major Security Hole (solution with Welcome) (Peter Ostry 1998)
  6. Re: Major Security Hole (Charles Kefauver 1998)
  7. Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998)
  8. Re: Major Security Hole (PCS Technical Support 1998)
  9. Re: Major Security Hole (Peter Ostry 1998)
  10. Re: Major Security Hole (Dan Tryon 1998)
  11. Re: Major Security Hole (Jim Turney 1998)
  12. Re: Major Security Hole (Peter Ostry 1998)
  13. Re: Major Security Hole (Paul Uttermohlen 1998)
  14. Re: Major Security Hole (Bob Minor 1998)
  15. Re: Major Security Hole (Dan Tryon 1998)
  16. Re: Major Security Hole (Brian Willson 1998)
  17. Re: Major Security Hole (Britt T. 1998)
  18. Re: Major Security Hole (Paul Uttermohlen 1998)
  19. Re: Major Security Hole (Dave MacLeay 1998)
  20. Re: Major Security Hole (Bob Minor 1998)
  21. Re: Major Security Hole (Peter Ostry 1998)
  22. Re: Major Security Hole (PCS Technical Support 1998)
  23. Major Security Hole (Paul Uttermohlen 1998)
  24. Re: Major Security Hole IIS NT (Bob Minor 1998)
  25. Re: Major Security Hole IIS NT (greg 1998)
  26. Re: Major Security Hole IIS NT (Kenneth Grome 1998)
  27. Re: Major Security Hole IIS NT (Kenneth Grome 1998)
  28. RE: Major Security Hole IIS NT (PCS Technical Support 1998)
  29. RE: Major Security Hole IIS NT (Olin 1998)
  30. Re: Major Security Hole IIS NT (Bob Minor 1998)
  31. Re: Major Security Hole IIS NT (PCS Technical Support 1998)
  32. Re: Major Security Hole IIS NT (Bob Minor 1998)
  33. Re: Major Security Hole IIS NT (Peter Ostry 1998)
  34. Re: Major Security Hole IIS NT (Bob Minor 1998)
  35. Re: Major Security Hole IIS NT (Bob Minor 1998)
  36. Major Security Hole IIS NT (Bob Minor 1998)
  37. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  38. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  39. Re: Major Security Hole IIS NT (Chuck Wall 1998)
  40. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  41. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  42. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  43. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
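As an added example (not from this thread, from WebDNA or from WebCatalog), a small Python access-log scanner that flags the request shape Dave and Paul describe: a template path carrying a colon suffix such as ::$DATA, which a server that picks its handler by literal extension would serve as raw source instead of handing to WebCatalog. The log lines are constructed; the percent-encoded variant and the query-string case are my additions to show what a literal substring match would get wrong.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions the thread says WebCatalog handles: .tmpl on WebSTAR/Mac, .tpl on IIS.
TEMPLATE_EXTENSIONS = {".tmpl", ".tpl"}
# A colon glued to the file name: NTFS stream syntax such as ::$DATA, or any ":text".
_STREAM_SUFFIX = re.compile(r"^(?P<base>[^:]+)(?P<suffix>:.*)$")
# Common Log Format, enough to pull out the client, request URL and status code.
_CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def split_stream_suffix(path):
    """Return (path without the colon suffix, suffix) for the last path segment."""
    decoded = unquote(path)            # decode first so %3A%3A%24DATA hides nothing
    head, _, last = decoded.rpartition("/")
    m = _STREAM_SUFFIX.match(last)
    if not m:
        return decoded, ""
    return f"{head}/{m.group('base')}", m.group("suffix")


def is_template_disclosure_probe(url):
    """True when a request names a template file but carries a colon suffix: a server
    choosing its handler by literal extension would serve the raw template instead."""
    path = urlsplit(url).path          # the query string is ignored: '?time=10:30' is harmless
    clean, suffix = split_stream_suffix(path)
    if not suffix:
        return False
    filename = clean.rpartition("/")[2]
    return "." in filename and filename[filename.rfind("."):].lower() in TEMPLATE_EXTENSIONS


def scan_access_log(lines):
    """Return (client, url, status) for each probe; a 200 means the source was likely served."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if m and is_template_disclosure_probe(m.group("url")):
            hits.append((m.group("host"), m.group("url"), int(m.group("status"))))
    return hits


# Constructed sample log lines modelled on the thread; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jul/1998:13:09:00 -0400] "GET /search.tmpl HTTP/1.0" 200 4821',
    '192.0.2.10 - - [13/Jul/1998:13:09:07 -0400] "GET /search.tmpl::$DATA HTTP/1.0" 200 9130',
    '192.0.2.10 - - [13/Jul/1998:13:09:12 -0400] "GET /search.tmpl:x HTTP/1.0" 200 9130',
    '192.0.2.10 - - [13/Jul/1998:13:09:20 -0400] "GET /search.tmpl%3A%3A%24DATA HTTP/1.0" 403 -',
    '198.51.100.7 - - [13/Jul/1998:13:10:02 -0400] "GET /search.tmpl?time=10:30 HTTP/1.0" 200 4821',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns the three probes and their status codes; the two 200s are the ones worth checking against the template's contents, while the 403 shows the request was refused.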