Re: [bug] Technical Support Log Crashes Server

This WebDNA talk-list message is from 2004. It keeps the original formatting.
numero = 60591
interpreted = N
texte = On Dec 22, 2004, at 10:35 AM, Aaron Lynch wrote:

>> There is a difference between just not starting, and spewing the
>> content of memory. If it says "WebDNA Not Running: Disk Full",
>> "WebDNA Not Running: System Error", "WebDNA Not Running: Look at
>> Server", that would be more appropriate. Additionally, any WebDNA 5.0
>> server is vulnerable to a misinformed search statement being passed
>> through a URL resulting in the dump of memory.
>
> ?? So don't run 5.
> There are lots of old applications with bugs. There are lots of
> applications that require a paid update to fix the bugs.
> (every version of windows pops into mind)
>>
>> As I said, this error was my fault, no harm there, however, at this
>> point I am more concerned about the security implications of memory
>> being dumped to end users.
>
> Yes, but, you're overstating it a bit because the result is random, you
> __MIGHT__ be able to use a vulnerability like that to get __A__ credit
> card, and I stress might, but you would be hard pressed to use it as a
> coordinated attack, and again, if you're running old software, or a
> full disk, or otherwise running bad sysadmin practices you get what you
> deserve IMHO.

If Smith Micro hadn't invalidated a previous platform when they went to 6, I would be running 6 right now. I already own the license, they just decided the SQL tags wouldn't work on anything before RH 9. An upgrade is planned for February 05, but that is not the point.

Running WebDNA 5 is in no way "Bad SysAdmin" practices, rather using what is a stable application on a stable platform save for a few memory dumping issues. Additionally, I haven't bothered to test the memory dump problem with 6. The problem *may* still exist there as well.

My simple point is that an application, in no way, shape or form, should ever do a memory dump to an end user. That point is even more valid in a system that stores database information in memory.

Keep in mind, not only are credit card #s stored in databases (although I encrypt those on my system), the WebDNA Users database is there too (albeit with encrypted passwords), but additionally, the simple concept of customer data in those databases being accessible is unacceptable.

--
Jesse Williams-Proudman
Blue Box Development :: Custom Web Solutions
+1 (206) 347-0528 :: jesse@blueboxdev.com

Associated Messages, from the most recent to the oldest:

    
  1. Re: [bug] Technical Support Log Crashes Server ( 2004)
  2. Re: [bug] Technical Support Log Crashes Server ( Jesse Proudman 2004)
  3. Re: [bug] Technical Support Log Crashes Server ( Aaron Lynch 2004)
  4. Re: [bug] Technical Support Log Crashes Server ( Jesse Proudman 2004)
  5. Re: [bug] Technical Support Log Crashes Server ( 2004)
  6. Re: [bug] Technical Support Log Crashes Server ( Jesse Proudman 2004)
  7. Re: [bug] Technical Support Log Crashes Server ( John Peacock 2004)
  8. Re: [bug] Technical Support Log Crashes Server ( Jesse Proudman 2004)
  9. Re: [bug] Technical Support Log Crashes Server ( John Peacock 2004)
  10. [bug] Technical Support Log Crashes Server ( Jesse Proudman 2004)
