Re: WebCatalog 4.0 has been released!

This WebDNA talk-list message is from 2000.

Under existing 3.x sites, I can override _system variables_ like [IPADDRESS] by simply adding &ipaddress=192.168.000.001 to the command line. That is a big security hole, now plugged in 4.x.

As near as I can tell, the primary use of overriding text variables with incoming form variables is so the programmer can neglect to idiot check the incoming variables. This is, IMNSHO, bad programming and I view the continued use of such lazy shortcuts as mistakes. The hierarchy was not documented, except on this list, as Grant explained how the code behaved under various circumstances.

I suspect that everyone who stumbled across this behavior on their own did so while uncovering a mistake in their code. They had a text variable in play on a page and accidentally passed a form variable with the same name and couldn't understand why they were getting the wrong value.

Here's a constructive suggestion: if you want to ensure that your data is reasonable, write an include file which does bounds-checking for numeric values. Call it for each of your form variables at the top of the next page like:

[include file=nchk.inc&field=[fname]&max=30&min=1&ref=[referrer]]

and within the include file, make sure the value is set, and lies within the bounds, otherwise redirect to an error page.

It might take you a couple of minutes to set up the first time and program the error page to report the problem and then redirect to the original page. It will improve your code and get you thinking about what your data looks like.

You young pups amaze me with your total disregard for declaring your variables properly, both for documentation and error checking purposes. I remember when you had to allocate a buffer or register, just to do anything ;~)

I don't think that new users should flip that flag until they know what they are doing (and maybe even then). I suspect that WebCat may never have a problem with security holes like ColdFusion, Perl, ASP, IIS, etc. have had, because of the way the basic system operates. But I can just imagine some simple Denial Of Service hacks that could cripple a site; what happens if you pass the data from WebCat to a backend server and blow up your order-entry system by replacing the qty field with a string of 25000 nines?

You know what you are doing; do what you want. Just don't make it seem like the security problems aren't important.

John Peacock

Joseph D'Andrea wrote:
>
> I guess we're all going to re-hash the same arguments that were made
> on the beta list when this issue first came up only now everyone will
> be involved instead of just the beta testers.
>
> First of all the use of overwriting text variables with incoming form
> variables was not a mistake as you mention above. Nor does it have
> anything to do with hidden form input fields. The technique was
> dependent on the _documented_ WebCat variable hierarchy. The thing is
> that the hierarchy has now changed in 4.0.
>
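The two defensive ideas in the post above, a precedence rule under which a form field can never shadow a server-determined variable such as the peer address, and an nchk.inc-style bounds check that rejects a missing, non-numeric, oversized or out-of-range field before it reaches a backend, as an added Python example that is not part of the original post and not WebDNA code. The SYSTEM_VARIABLES set, the MAX_NUMERIC_CHARS limit, the field names, the bounds and the request values are constructed for illustration:

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Hypothetical policy (not WebDNA's): names the server determines itself and
# that request input must never shadow, the 3.x behaviour the post describes.
SYSTEM_VARIABLES = frozenset({"ipaddress", "referrer"})

# Longest numeric string we will even look at. A cheap length check comes first
# so a 25000-digit "qty" never reaches int() or a backend order-entry system.
MAX_NUMERIC_CHARS = 12


@dataclass
class RequestContext:
    system: dict  # values the server set itself, e.g. the peer address
    form: dict    # values decoded from the query string or POST body

    def lookup(self, name: str):
        """Resolve a variable; for protected names the server's value always wins."""
        key = name.lower()
        if key in SYSTEM_VARIABLES:
            return self.system.get(key)
        return self.form.get(key, self.system.get(key))


def check_numeric(value, lo: int, hi: int):
    """Contract of the post's nchk.inc: value must be set, numeric and in [lo, hi].
    Returns (True, int) on success or (False, reason) for the error page."""
    if value is None or value.strip() == "":
        return False, "missing"
    text = value.strip()
    if len(text) > MAX_NUMERIC_CHARS:
        return False, "too long"
    digits = text[1:] if text[0] in "+-" else text
    if not digits.isdigit():
        return False, "not numeric"
    number = int(text)
    if number < lo or number > hi:
        return False, "out of range"
    return True, number


def parse_form(query_string: str) -> dict:
    """Decode a query string into a flat dict: keys lowercased, last value wins."""
    pairs = parse_qs(query_string, keep_blank_values=True)
    return {k.lower(): v[-1] for k, v in pairs.items()}


def validate_request(query_string: str, peer_address: str, rules: dict):
    """Apply numeric rules to one request. rules maps field -> (lo, hi).
    Returns (context, errors) where errors is a list of (field, reason)."""
    ctx = RequestContext(system={"ipaddress": peer_address},
                         form=parse_form(query_string))
    errors = []
    for fieldname, (lo, hi) in rules.items():
        ok, detail = check_numeric(ctx.form.get(fieldname), lo, hi)
        if not ok:
            errors.append((fieldname, detail))
    return ctx, errors


if __name__ == "__main__":
    # Constructed request: the client tries to set ipaddress itself and sends
    # the oversized qty the post uses as its denial-of-service illustration.
    hostile = "ipaddress=192.168.000.001&qty=" + "9" * 25000 + "&shipdays=3"
    ctx, errs = validate_request(hostile, "10.0.0.7",
                                 {"qty": (1, 30), "shipdays": (1, 14)})
    print("ipaddress resolves to", ctx.lookup("IPADDRESS"))  # 10.0.0.7, not the form's
    print("errors:", errs)  # [('qty', 'too long')]
```

The length check runs before any conversion so the cost of rejecting an absurd value is constant, and the error list is what the post's error page would report before redirecting back to the originating form.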