Re: [WebDNA] Putting '&search' into URL killing all search

This WebDNA talk-list message is from 2010 (archive message number 105382).

I am glad I checked the list today. This issue goes beyond WebDNA. I don't want to get into too many details, but suffice to say anyone that uses DNA to access SQL data can realistically open up large portions of their backend data because of how you pass login information in the SQL ODBC strings. This opens you up for all sorts of SQL hacks. And there is no fix for the winbox version we use, so we have had to rewrite how we pass our SQL logins so that when the text bug hits, the code that gets displayed is relatively harmless. It was a long and painful process of trial and error to get the code sanitized.

However, some quick testing has indeed shut most of this threat down using this preparse workaround. I will have to do some more testing and expanding on the problem variables. I will also probably do a redirection to a monitoring page that either writes the offending IP and browser info into a database or an email before redirecting to a "safe page".

Still, this is the first fix for something that I have asked to have fixed for YEARS! You just wouldn't believe the scrutiny and fight I have had to make to keep DNA in place here. Luckily there are hundreds upon hundreds of pages and tens of thousands of lines of code they would have to redo if they killed it. If it wasn't for that, the security police would have shut me down long ago. Thank god there is some relief!

Alex

On 6/15/10 5:41 PM, "christophe.billiottet@webdna.us" wrote:

> This is true: this bug has been there for a very long time. There is no easy fix as long as URL commands are active, because if we fix it, then URL commands do not work anymore: we spent a large number of hours on this. The bug has been fixed in the fastCGI version and the URL commands have been removed. The fastCGI version is free to everyone.
>
> May I add we did not charge for 6.0 to 6.2 upgrades, meaning we globally worked for the community, with scarce return. We now have to make difficult decisions about where we spend our remaining resources, and the fastCGI version is our choice.
>
> - chris
> ============================
> WebDNA Software Corporation
> 16192 Coastal Highway
> Lewes, DE 19958
>
> On Jun 15, 2010, at 17:53, Brian Fries wrote:
>
>> Before anyone panics (too late?) this has been a "feature" of WebCatalog / WebDNA since the 90's. Your servers are in no more danger today than they were yesterday, aside from anybody trolling the list and learning about the hackability.
>>
>> That said, yes, indeed, this is a major security hole that should be patched ASAP.
>>
>> Brian Fries
>> BrainScan Software
>>
>> On Jun 15, 2010, at 1:44 PM, Govinda wrote:
>>
>>>> Wow, this is a bit more serious than I had first imagined. Maybe WSC can take a break from their other work ... and create a patched version for 6.x users?
>>>>
>>>> Just a thought.
>>>>
>>>> Sincerely,
>>>> Kenneth Grome
>>>
>>> WSC, please!!
>>>
>>> --
>>> Govinda
>>> govinda.webdnatalk@gmail.com

--
Alex J. McCombie
Adventure Skies Interactive
479 County Route 35, Fulton, NY 13069
p. 315.402.6377
e. Alex@AdventureSkies.com
www.AdventureSkies.com

Associated Messages, from the most recent to the oldest:

  1. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites ("Mr. Robert Minor Jr." 2010)
  2. Re: [WebDNA] Putting '&search' into URL killing all search (Alex McCombie 2010)
  3. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Govinda 2010)
  4. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  5. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  6. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Govinda 2010)
  7. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (christophe.billiottet@webdna.us 2010)
  8. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  9. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (christophe.billiottet@webdna.us 2010)
  10. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Marc Thompson 2010)
  11. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Govinda 2010)
  12. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (christophe.billiottet@webdna.us 2010)
  13. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  14. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Brian Fries 2010)
  15. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Govinda 2010)
  16. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Kenneth Grome 2010)
  17. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Govinda 2010)
  18. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  19. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  20. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  21. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites ("Mr. Robert Minor Jr." 2010)
  22. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  23. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  24. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Brian Fries 2010)
  25. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  26. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Kenneth Grome 2010)
  27. RE: [WebDNA] Putting '&search' into URL killing all search contexts on my sites ("Olin Lagon" 2010)
  28. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (christophe.billiottet@webdna.us 2010)
  29. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Stuart Tremain 2010)
  30. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  31. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Stuart Tremain 2010)
  32. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  33. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (christophe.billiottet@webdna.us 2010)
  34. [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Tom Duke 2010)
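An added illustration of the pre-parse check Alex describes in his message above (this is not code from the thread, from WebDNA or from WSC): it inspects the query string before the template engine interprets it, refuses any request carrying the reserved `search` command key, and produces the IP/browser record a monitoring page would store before redirecting to a safe page. Python stands in for WebDNA here; `SAFE_PAGE`, the `Decision` type, the constructed sample requests and the case-insensitive match are assumptions.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# 'search' is the only URL command named in the thread; an operator would
# extend this set with the rest of their engine's command names.
RESERVED_COMMANDS = frozenset({"search"})
SAFE_PAGE = "/safe.html"  # assumed path of the harmless landing page

@dataclass
class Decision:
    allowed: bool
    offending: list[str] = field(default_factory=list)
    redirect: str | None = None
    log_record: str | None = None  # one JSON line for the monitoring page

def offending_keys(query_string: str) -> list[str]:
    """Return reserved command names present as query-string keys.

    keep_blank_values=True matters: the reported trigger is a bare '&search'
    with no '=value', which parse_qsl would otherwise drop silently. Keys are
    percent-decoded by parse_qsl, so '%73earch' is caught too.
    """
    hits: list[str] = []
    for key, _value in parse_qsl(query_string, keep_blank_values=True):
        name = key.strip().lower()  # assumption: compare case-insensitively
        if name in RESERVED_COMMANDS and name not in hits:
            hits.append(name)
    return hits

def inspect_request(query_string: str, client_ip: str, user_agent: str) -> Decision:
    """Run before the template engine interprets the request.

    Clean requests pass; a request carrying a reserved command is refused and
    the IP/browser record for the monitoring page is returned together with
    the safe-page redirect, mirroring the flow Alex outlines.
    """
    hits = offending_keys(query_string)
    if not hits:
        return Decision(allowed=True)
    record = json.dumps(
        {"event": "reserved_url_command", "client_ip": client_ip,
         "user_agent": user_agent, "keys": hits, "query": query_string},
        sort_keys=True,
    )
    return Decision(False, hits, SAFE_PAGE, record)
```

Wire `inspect_request` in front of the engine (as a proxy rule or request hook) and send `log_record` to whatever the monitoring page writes to; a value that looks like a reserved word but sits in a value (`q=search`) or a different key (`searching`) is deliberately left alone.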