Re: Major Security Hole

This WebDNA talk-list message is from

1998

It keeps the original formatting. numero = 18824
interpreted = N
texte = How do you have your database extension preference set up in webcatalogspreferences?I am using webcat on webstar and webten and I simply cannot access thesefiles with any combination of your files.Bob MinorCybermill Communications-----Original Message-----From: Dan Tryon To: WebDNA-Talk@smithmicro.com Date: Monday, July 13, 1998 4:49 PMSubject: Re: Major Security HoleOh crap! I get someting similar I can see all of my groups and user namesbut the passwords appear as a string of weird characters. Now I don't knowif the characters can be interpreted or if it is just garbage. I wouldprefer that nothing gets returned.I get the user group text string returned if I request:http://www.server.com/webcatalog/users.db::$dataI also get the text string returned if I only request:http://www.server.com/webcatalog/users.db:Here is the complete string that gets returned:user pass groups ADMIN �m&%22#022#!#027#h ADMIN UPDATEDONEZ�c�MNv#027#�TE���Ih DAN TRYON �-�e�%2C �#004#��Tw��{ ADMIN,RSKILLS,CESDGEOFF FULLER*QK�V#031#�#026#��u�#%00�� RSKILLS,CESD CARL HADSELL ]��%22D7�pFx� 2̻MRSKILLS,CESDI run a mac - webstar 2.1 and netcloakI do NOT allow all webcatalog commands!dan t.>>I thought that the $ was the problem too at first. But then it worked>with just a single :>>It worked on .db files which allowed ANYONE to find and look at our>users.db file. OUCH!>>I tried to do the same thing on the Pacific-Coast server and that of>several others that I know run WebCat or Typhoon, including some of our>other servers here. It only was valid in the one instance on this machine>that we were still running Webstar 2.0 on along with Netcloak. I upgraded>WebStar to 2.1 and deleted Netcloak.>>Problem solved. But I sure was in a panic when I could type>http://secure.ims1.com/webcatalog/users.db::$data and get a complete list>of users, passwords and groups!>>Anyone who is still using WebStar 2.0, Netcloak and WebCatalog 2.0 on a>Macintosh should be made aware that their setup may not be secure. People>can get your admin passwords and then track down any credit card numbers>from online stores. I am not sure if this is a problem with WebStar or>Netcloak, but I am sure that the problem is real and it does not exist with>NetCloak removed and Webstar updated to 2.1 or greater.>>Thanks, Paul>>>>> _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_> _/_/_/Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_> _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_> _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_> _/_/_/ Real Estate - _\_\_\_\_> _/_/_/Websites - Children _/ _\_\_\_>_/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_>>> Associated Messages, from the most recent to the oldest:

Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998) Re: Major Security Hole (Kenneth Grome 1998) Re: Major Security Hole (Peter Ostry 1998) Re: Major Security Hole (Paul Uttermohlen 1998) Re: Major Security Hole (solution with Welcome) (Peter Ostry 1998) Re: Major Security Hole (Charles Kefauver 1998) Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998) Re: Major Security Hole (PCS Technical Support 1998) Re: Major Security Hole (Peter Ostry 1998) Re: Major Security Hole (Dan Tryon 1998) Re: Major Security Hole (Jim Turney 1998) Re: Major Security Hole (Peter Ostry 1998) Re: Major Security Hole (Paul Uttermohlen 1998) Re: Major Security Hole (Bob Minor 1998) Re: Major Security Hole (Dan Tryon 1998) Re: Major Security Hole (Brian Willson 1998) Re: Major Security Hole (Britt T. 1998) Re: Major Security Hole (Paul Uttermohlen 1998) Re: Major Security Hole (Dave MacLeay 1998) Re: Major Security Hole (Bob Minor 1998) Re: Major Security Hole (Peter Ostry 1998) Re: Major Security Hole (PCS Technical Support 1998) Major Security Hole (Paul Uttermohlen 1998) Re: Major Security Hole IIS NT (Bob Minor 1998) Re: Major Security Hole IIS NT (greg 1998) Re: Major Security Hole IIS NT (Kenneth Grome 1998) Re: Major Security Hole IIS NT (Kenneth Grome 1998) RE: Major Security Hole IIS NT (PCS Technical Support 1998) RE: Major Security Hole IIS NT (Olin 1998) Re: Major Security Hole IIS NT (Bob Minor 1998) Re: Major Security Hole IIS NT (PCS Technical Support 1998) Re: Major Security Hole IIS NT (Bob Minor 1998) Re: Major Security Hole IIS NT (Peter Ostry 1998) Re: Major Security Hole IIS NT (Bob Minor 1998) Re: Major Security Hole IIS NT (Bob Minor 1998) Major Security Hole IIS NT (Bob Minor 1998) Re: Major Security Hole IIS NT (Raymond Hatch 1998) Re: Major Security Hole IIS NT (Raymond Hatch 1998) Re: Major Security Hole IIS NT (Chuck Wall 1998) Re: Major Security Hole IIS NT (Raymond Hatch 1998) Re: Major Security Hole IIS NT (Raymond Hatch 1998) Re: Major Security Hole IIS NT (Raymond Hatch 1998) Re: Major Security Hole IIS NT (Raymond Hatch 1998)

How do you have your database extension preference set up in webcatalogspreferences?I am using webcat on webstar and webten and I simply cannot access thesefiles with any combination of your files.Bob MinorCybermill Communications-----Original Message-----From: Dan Tryon To: WebDNA-Talk@smithmicro.com Date: Monday, July 13, 1998 4:49 PMSubject: Re: Major Security HoleOh crap! I get someting similar I can see all of my groups and user namesbut the passwords appear as a string of weird characters. Now I don't knowif the characters can be interpreted or if it is just garbage. I wouldprefer that nothing gets returned.I get the user group text string returned if I request:http://www.server.com/webcatalog/users.db::$dataI also get the text string returned if I only request:http://www.server.com/webcatalog/users.db:Here is the complete string that gets returned:user pass groups ADMIN �m&%22#022#!#027#h ADMIN UPDATEDONEZ�c�MNv#027#�TE���Ih DAN TRYON �-�e�%2C �#004#��Tw��{ ADMIN,RSKILLS,CESDGEOFF FULLER*QK�V#031#�#026#��u�#%00�� RSKILLS,CESD CARL HADSELL ]��%22D7�pFx� 2̻MRSKILLS,CESDI run a mac - webstar 2.1 and netcloakI do NOT allow all webcatalog commands!dan t.>>I thought that the $ was the problem too at first. But then it worked>with just a single :>>It worked on .db files which allowed ANYONE to find and look at our>users.db file. OUCH!>>I tried to do the same thing on the Pacific-Coast server and that of>several others that I know run WebCat or Typhoon, including some of our>other servers here. It only was valid in the one instance on this machine>that we were still running Webstar 2.0 on along with Netcloak. I upgraded>WebStar to 2.1 and deleted Netcloak.>>Problem solved. But I sure was in a panic when I could type>http://secure.ims1.com/webcatalog/users.db::$data and get a complete list>of users, passwords and groups!>>Anyone who is still using WebStar 2.0, Netcloak and WebCatalog 2.0 on a>Macintosh should be made aware that their setup may not be secure. People>can get your admin passwords and then track down any credit card numbers>from online stores. I am not sure if this is a problem with WebStar or>Netcloak, but I am sure that the problem is real and it does not exist with>NetCloak removed and Webstar updated to 2.1 or greater.>>Thanks, Paul>>>>> _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_> _/_/_/Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_> _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_> _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_> _/_/_/ Real Estate - _\_\_\_\_> _/_/_/Websites - Children _/ _\_\_\_>_/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_>>> Bob Minor

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

problems with 2 tags (1997) [WebDNA] HTML Symbol Entities (2009) special commerce fields (1997) Multiple Selections in Pull-Down Menu (2000) SSL and reg web* (1997) [/application] error? (1997) Subtotal help (1997) [WebDNA] TcpConnect Help (2011) converting tabs (1997) Many $WebCat.exe processes (1998) FWD: Autoproxy Bug with WebCatalog and FireSite (1997) [OT] SSL security in browser (2005) Summary search -- speed (1997) 2.0 Info (1997) Help name our technology! I found it (1997) Summing fields (1997) Re:Version 2.0 and 1.6 simultaneous (1997) WebCat on 10.0.4 - iTools 6.0 (2001) Signal Raised Error (Part III) (1997) Signal Raised Error (Part III) (1997)