Re: Major Security Hole
This WebDNA talk-list message is from 1998
Message number: 18824

How do you have your database extension preference set up in webcatalog's preferences?
I am using webcat on webstar and webten and I simply cannot access these files with any combination of your files.

Bob Minor
Cybermill Communications

-----Original Message-----
From: Dan Tryon
To: WebDNA-Talk@smithmicro.com
Date: Monday, July 13, 1998 4:49 PM
Subject: Re: Major Security Hole

Oh crap! I get something similar. I can see all of my groups and user names but the passwords appear as a string of weird characters. Now I don't know if the characters can be interpreted or if it is just garbage. I would prefer that nothing gets returned.

I get the user group text string returned if I request:
http://www.server.com/webcatalog/users.db::$data

I also get the text string returned if I only request:
http://www.server.com/webcatalog/users.db:

Here is the complete string that gets returned:
user pass groups ADMIN m&%22#022#!#027#h ADMIN UPDATEDONEZcMNv#027#TEIh DAN TRYON -e%2C #004#Tw{ ADMIN,RSKILLS,CESDGEOFF FULLER*QKV#031##026#u#%00 RSKILLS,CESD CARL HADSELL ]%22D7pFx 2̻MRSKILLS,CESD

I run a mac - webstar 2.1 and netcloak.
I do NOT allow all webcatalog commands!

dan t.

>I thought that the $ was the problem too at first. But then it worked
>with just a single :
>
>It worked on .db files which allowed ANYONE to find and look at our
>users.db file. OUCH!
>
>I tried to do the same thing on the Pacific-Coast server and that of
>several others that I know run WebCat or Typhoon, including some of our
>other servers here. It only was valid in the one instance on this machine
>that we were still running Webstar 2.0 on along with Netcloak. I upgraded
>WebStar to 2.1 and deleted Netcloak.
>
>Problem solved. But I sure was in a panic when I could type
>http://secure.ims1.com/webcatalog/users.db::$data and get a complete list
>of users, passwords and groups!
>
>Anyone who is still using WebStar 2.0, Netcloak and WebCatalog 2.0 on a
>Macintosh should be made aware that their setup may not be secure. People
>can get your admin passwords and then track down any credit card numbers
>from online stores. I am not sure if this is a problem with WebStar or
>Netcloak, but I am sure that the problem is real and it does not exist with
>NetCloak removed and Webstar updated to 2.1 or greater.
>
>Thanks, Paul
>
> _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_
> _/_/_/Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_
> _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_
> _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_
> _/_/_/ Real Estate - _\_\_\_\_
> _/_/_/Websites - Children _/ _\_\_\_
>_/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Bob Minor
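The thread above describes a file-exposure pattern: a request for a protected database file with a trailing `:` or `::$data` suffix returned the raw contents of `users.db`. The following is an added, defender-side example (not code from the talk-list or from WebCatalog, WebStar or NetCloak) showing how to detect that pattern in web-server access logs and how a request filter can deny it regardless of suffix or URL-encoding. The log lines, IP addresses, the `.db` extension list and all function names are constructed for this illustration.

```python
"""Detect and deny requests that reach a protected database file via a
colon-suffixed path such as 'users.db:' or 'users.db::$data'.

Added example; everything here (log lines, hosts, paths) is constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Extensions the site treats as private data files. The thread concerns
# WebCatalog ".db" files; extend this set for a real deployment (assumption).
PROTECTED_EXTENSIONS = {".db"}

# Constructed Common Log Format lines for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/1998:16:49:01 -0700] "GET /webcatalog/users.db::$data HTTP/1.0" 200 512
10.0.0.5 - - [13/Jul/1998:16:49:07 -0700] "GET /webcatalog/users.db: HTTP/1.0" 200 512
10.0.0.9 - - [13/Jul/1998:16:50:13 -0700] "GET /index.html HTTP/1.0" 200 2048
10.0.0.9 - - [13/Jul/1998:16:50:20 -0700] "GET /webcatalog/users.db%3A%3A%24data HTTP/1.0" 200 512
10.0.0.9 - - [13/Jul/1998:16:51:00 -0700] "GET /store/products.db HTTP/1.0" 403 0
"""

# Pull method, request target and status code out of a CLF request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})')


def normalize_path(target):
    """Decode the request target and strip any colon-delimited suffix from
    the final path segment, so that 'users.db', 'users.db:' and
    'users.db::$data' all normalize to the same protected file name."""
    path = unquote(urlsplit(target).path)
    head, _, name = path.rpartition("/")
    name = name.split(":", 1)[0]  # drop ':', '::$data' and similar suffixes
    return (head + "/" + name).lower()


def is_protected_file(path):
    """True if the normalized path names a file with a protected extension."""
    return any(path.endswith(ext) for ext in PROTECTED_EXTENSIONS)


def should_deny(target):
    """Request-filter policy: deny any request whose normalized path names a
    protected file, whatever suffix or encoding the raw target used."""
    return is_protected_file(normalize_path(target))


def find_exposures(log_text):
    """Scan access-log text and return (target, status) for every request that
    reached a protected file and was answered with 200, i.e. likely served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        if should_deny(m["target"]) and m["status"] == "200":
            hits.append((m["target"], m["status"]))
    return hits


if __name__ == "__main__":
    for target, status in find_exposures(SAMPLE_LOG):
        print(f"exposed: {target} -> {status}")
```

The key design point is that the filter compares on the normalized path, not on the raw request string: matching only the literal `::$data` would miss the bare-colon form the thread also reports, and matching before percent-decoding would miss the encoded variant. In the sample log, the `products.db` request is flagged as policy-denied but not reported as an exposure because the server already answered 403.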