Re: [WebDNA] Putting '&search' into URL killing all search
This WebDNA talk-list message is from 2010
I am glad I checked the list today.

This issue goes beyond WebDNA. I don't want to get into too many details, but suffice to say anyone that uses DNA to access SQL data can realistically open up large portions of their backend data because of how you pass login information in the SQL ODBC strings. This opens you up for all sorts of SQL hacks.

And there is no fix for the winbox version we use, so we have had to rewrite how we pass our SQL logins so that when the text bug hits, the code that gets displayed was relatively harmless. It was a long and painful process of trial and error to get the code sanitized.

However, some quick testing has indeed shut most of this threat down using this preparse workaround. I will have to do some more testing and expanding on the problem variables. I will also probably do a redirection to a monitoring page that either writes the offending IP and browser info into a database or an email before redirecting to a "safe page".

Still, this is the first fix for something that I have asked to have fixed for YEARS!

You just wouldn't believe the scrutiny and fight I have had to make to keep DNA in place here. Luckily there are hundreds upon hundreds of pages and 10's of thousands of lines of code they would have to redo if they killed it. If it wasn't for that, the security police would have shut me down long ago.

Thank god there is some relief!

Alex

On 6/15/10 5:41 PM, "christophe.billiottet@webdna.us" wrote:

> This is true: this bug has been there for a very long time. There is no easy fix as long as URL commands are active, because if we fix it, then URL commands do not work anymore: we spent a large number of hours on this. The bug has been fixed in the fastCGI version and the URL commands have been removed. The fastCGI version is free to everyone.
>
> May I add we did not charge for 6.0 to 6.2 upgrades, meaning we globally worked for the community, with scarce return. We now have to make difficult decisions about where we spend our remaining resources, and the fastCGI version is our choice.
>
> - chris
> ============================
> WebDNA Software Corporation
> 16192 Coastal Highway
> Lewes, DE 19958
>
> On Jun 15, 2010, at 17:53, Brian Fries wrote:
>
>> Before anyone panics (too late?) this has been a "feature" of WebCatalog / WebDNA since the 90's. Your servers are in no more danger today than they were yesterday, aside from anybody trolling the list and learning about the hackability.
>>
>> That said, yes, indeed, this is a major security hole that should be patched ASAP.
>>
>> Brian Fries
>> BrainScan Software
>>
>> On Jun 15, 2010, at 1:44 PM, Govinda wrote:
>>
>>>> Wow, this is a bit more serious than I had first imagined. Maybe WSC can take a break from their other work ... and create a patched version for 6.x users?
>>>>
>>>> Just a thought.
>>>>
>>>> Sincerely,
>>>> Kenneth Grome
>>>
>>> WSC, please!!
>>>
>>> --
>>> Govinda
>>> govinda.webdnatalk@gmail.com
>
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to the mailing list.
> To unsubscribe, E-mail to:
> archives: http://mail.webdna.us/list/talk@webdna.us
> old archives: http://dev.webdna.us/TalkListArchive/
> Bug Reporting: http://forum.webdna.us/eucabb.html?page=topics&category(8

--
Alex J. McCombie
Adventure Skies Interactive
479 County Route 35 Fulton, NY 13069
p. 315.402.6377
e. Alex@AdventureSkies.com
www.AdventureSkies.com