Re: Execute Applescript

This WebDNA talk-list message is from

1997


numero = 10724
> This, however, brings up a security issue. If we use WebCat2 to build a
> guestbook or anything that uses a database, dynamic data publishing, would
> it be possible for someone to just type in the
>
> [applescript] [/applescript] tag and execute an Applescript on the
> server side?

We are considering a global preference that disables the tag entirely, but in the meantime you should know we have spent a great deal of time doing our best to make sure that remote users cannot execute AppleScripts unless they have the authority to create files on your web server (which usually means they can do a lot worse things than just execute an AppleScript).

Here's how it works:

1) There is no such thing as a $WriteFile command. So no one can create a text file on your server that contains [AppleScript] tags. The only way [WriteFile] works is if you, the webmaster, create a template containing the tag.

2) Typing WebDNA tags into a database field: when database fields are displayed on a page, they are not executed as WebDNA. So no one can type some WebDNA [AppleScript] tags into your guestbook and have them executed by simply viewing the guestbook. Yes, by surrounding the [fieldname] with [Interpret]..[/Interpret] tags you can have the WebDNA executed, but again you control whether or not that is put in the template.

3) Password protection: If you desire to have pages with 'dangerous' WebDNA on them, it is a simple matter to [protect admin] them so that the WebDNA does not get executed unless you have the password.

4) SiteEdit Pro: Yes, you can do lots of damage with SiteEdit Pro. But that's what passwords are for -- no different than Unix.

5) Tracking: If you do have pages with dangerous WebDNA on them, it is simple to put tracking tags in them that also track username/password, time of day, ip address, etc. of each person who accesses that page. Perhaps you can use this information (or fear of it) to catch bad guys.

6) Multihoming and multiple administrators: You should be concerned when you have a Mac set up with more than one person allowed to edit HTML pages. For instance, in a multivendor mall situation, you may have more than one Store Owner who has rights to change their WebCatalog templates. Those people can write bad AppleScripts that can do anything to your entire Mac, including erasing the hard drive. This is a limitation of MacOS. Sorry.

PLEASE notify us immediately of any holes or concerns you have with security. We intend to plug any holes that we or you find.

Grant Hulbert, V.P. Engineering      | Tools for WebWarriors
Pacific Coast Software               | WebCatalog, WebCommerce Solution
11770 Bernardo Plaza Court, #462     | SiteEdit, SiteCheck, PhotoMaster
San Diego, CA 92128                  | 619/675-1106
Fax: 619/675-0372                    | http://www.smithmicro.com

Associated Messages, from the most recent to the oldest:

  1. Re: Execute Applescript (Kenneth Grome 1997)
  2. Re: Execute Applescript (Grant Hulbert 1997)
  3. Execute Applescript (Nelson Chen 1997)
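Added illustration, not code from the post or from WebDNA itself: a small Python model of the two rendering behaviours described in point 2 of Grant's reply above (a field value inserted as data versus re-parsed inside [Interpret]..[/Interpret]), plus a defender-side template check that lists untrusted fields wrapped in [Interpret]. The tag syntax, the guestbook record and the field names are assumptions made for the model.

```python
import re

# Constructed sample: a guestbook record whose comment field holds tag-like
# text typed by an untrusted visitor (not data from the original post).
RECORD = {"name": "visitor", "comment": 'Nice site [applescript]say "hi"[/applescript]'}

# Assumed tag syntax for this model; it is not WebDNA's real parser.
INTERPRET_RE = re.compile(r"\[interpret\](.*?)\[/interpret\]", re.S | re.I)
BLOCK_RE = re.compile(r"\[applescript\](.*?)\[/applescript\]", re.S | re.I)
FIELD_RE = re.compile(r"\[(\w+)\]")


def evaluate(text, record, executed):
    """One parse pass: executable blocks are logged (stand-in for running
    them) and removed; [field] references become the record's raw value."""
    def run_block(m):
        executed.append(m.group(1).strip())
        return ""
    text = BLOCK_RE.sub(run_block, text)
    return FIELD_RE.sub(lambda m: record.get(m.group(1), m.group(0)), text)


def render(template, record):
    """Render one template against one record.
    Outside [interpret] a field value is inserted once and never re-parsed,
    so tags typed into the guestbook stay literal text. Inside [interpret]
    the inserted value is parsed a second time, which is the case the post
    leaves under the webmaster's control. Returns (html, executed blocks)."""
    executed = []

    def interp(m):
        inner = evaluate(m.group(1), record, executed)  # substitute fields
        return evaluate(inner, record, executed)        # parse the result again

    body = INTERPRET_RE.sub(interp, template)
    return evaluate(body, record, executed), executed


def untrusted_fields_in_interpret(template, untrusted):
    """Template check: names of untrusted fields that appear inside
    [interpret]..[/interpret], where their contents would be executed."""
    found = []
    for m in INTERPRET_RE.finditer(template):
        for name in FIELD_RE.findall(m.group(1)):
            if name in untrusted and name not in found:
                found.append(name)
    return found


SAFE = "<p>[name] wrote: [comment]</p>"
RISKY = "<p>[name] wrote: [interpret][comment][/interpret]</p>"
```

Calling `render(SAFE, RECORD)` leaves the visitor's tags as literal text with nothing executed, while `render(RISKY, RECORD)` executes the block inside the comment, and `untrusted_fields_in_interpret(RISKY, {"comment"})` flags that template before it is published.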
