[WebDNA] Re: Search on database

This WebDNA talk-list message is from

2012

It keeps the original formatting. numero = 108776
interpreted = N
texte = ---1183615881-1045910440-1330826650=:51302Content-Type: text/plain; charset=us-asciiVery good stuff, Govinda. Thank you thank you thank you.Not discouraged... only grateful.Lori> The code change below worked, and when I opened the admin >page http://www.hydrozone-pro.com/xxxxxxx/zzzzzzzz.tpl to view the database >entries, I got an alert box with the following message:> "You don't want users adding (non-whitelisted) HTML to data that appears on a >page. My example is harmless, but might have been malicious. Google 'XSS'.> > This brings up 2 more questions:> 1. I'm assuming that since you were able to program an alert box to open, a >malicious programmer could> cause harmyes ^^^ .> to my local machine>I think so, but don't assume anything from just my input; I don't specialize in >security.> when I open the page. Could damage also be done to the server on which this >page resides?>not that I am aware of, but again, I don't specialize in security.>You may be asking, what exactly IS the potential "harm"?The javascript could have: not caused an alert message, but instead loaded some malicious code from a(nother) malicious site. Hackers are forever trying to get you (your browser, even if under the hood, via some javascript) to go to their webpages. If you do "go there" in your browser (or some underlying javascript does), then bad things can happen. I have not made the effort to learn what all they can do. I used to think that one was not susceptible to having malware loaded on their computer just from visiting a mean webpage, but now I do not assume that. I just protect myself. *At the minimum* (and don't assume I have brought to light everything you want to do to be "protected"), but *at the minimum*, you:>> 2. I have already wrapped the variables coming from the survey in [url][/url] >>tags. Do I wrap the variables like this?:>> >> [removehtml][url]...[/url][/removehtml]. >yes ^^^ .>You can strip the html tags (including the "..." which I >used to make my point), with [removehtml]...[/removehtml], either: as you are >saving their >input data *into* the db, or as you bring it back *out* of the db >to display on your secret admin page, for viewing.>BTW, secret admin pages are not so secret when their addresses are posted on >public lists.. but especially not when there is no "authentication" code >protecting >it.>Suggestion: how about sticking the following code at the top of your admin >page(s):>(use an [include...], and then you only have to maintain this code in ONE place, >but can use it at the top of the page every time you create another admin page):>(change the username and password to something secret only you know. >If you want to get even more serious .. then later you could write code to keep >track of how many times someone tries to guess the user/pass... and lock them >out >from even being allowed to try, in case they guess more than, e.g., 3 times >an hour.)-------------------------------------------------------------------------------->[!]---quickie realm method protection---[/!]>[showif [URL][username][/URL]!yourSecretUserName] > [AUTHENTICATE Hi govinda!]>[/showif]>[showif [URL][password][/URL]!yourSecretPassword] > [AUTHENTICATE Hi govinda!]>[/showif]-------------------------------------------------------------------------------->I don't mean to discourage you by all this extra work... ;-)---1183615881-1045910440-1330826650=:51302Content-Type: text/html; charset=us-ascii

Very good stuff, Govinda. Thank you thank you thank you.

Not discouraged... only grateful.

Lori

> The code change below worked, and when I opened the admin page http://www.hydrozone-pro.com/xxxxxxx/zzzzzzzz.tpl to view the database entries, I got an alert box with the following message:
> "You don't want users adding (non-whitelisted) HTML to data that appears on a page. My example is harmless, but might have been malicious. Google 'XSS'.
>
> This brings up 2 more questions:
> 1. I'm assuming that since you were able to program an alert box to open, a malicious programmer could

> cause harm
yes ^^^ .

> to my local machine

>I think so, but don't assume anything from just my input; I don't specialize in security.

> when I open the page. Could damage also be done to the server on which this page resides?

>not that I am aware of, but again, I don't specialize in security.

>You may be asking, what exactly IS the potential "harm"?

The javascript could have: not caused an alert message, but instead loaded some malicious code from a(nother) malicious site. Hackers are forever trying to get you (your browser, even if under the hood, via some javascript) to go to their webpages. If you do "go there" in your browser (or some underlying javascript does), then bad things can happen. I have not made the effort to learn what all they can do. I used to think that one was not susceptible to having malware loaded on their computer just from visiting a mean webpage, but now I do not assume that. I just protect myself. *At the minimum* (and don't assume I have brought to light everything you want to do to be "protected"), but *at the minimum*, you:

>> 2. I have already wrapped the variables coming from the survey in [url][/url] tags. Do I wrap the variables like this?:
>>
>> [removehtml][url]...[/url][/removehtml].

>yes ^^^ .

>You can strip the html tags (including the "<script...>...</script>" which I used to make my point), with [removehtml]...[/removehtml], either: as you are saving their >input data *into* the db, or as you bring it back *out* of the db to display on your secret admin page, for viewing.

>BTW, secret admin pages are not so secret when their addresses are posted on public lists.. but especially not when there is no "authentication" code protecting >it.

>Suggestion: how about sticking the following code at the top of your admin page(s):
>(use an [include...], and then you only have to maintain this code in ONE place, but can use it at the top of the page every time you create another admin page):
>(change the username and password to something secret only you know.
>If you want to get even more serious .. then later you could write code to keep track of how many times someone tries to guess the user/pass... and lock them out >from even being allowed to try, in case they guess more than, e.g., 3 times an hour.)

--------------------------------------------------------------------------------
>[!]---quickie realm method protection---[/!]
>[showif [URL][username][/URL]!yourSecretUserName]
> [AUTHENTICATE Hi govinda!]
>[/showif]
>[showif [URL][password][/URL]!yourSecretPassword]
> [AUTHENTICATE Hi govinda!]
>[/showif]
--------------------------------------------------------------------------------

>I don't mean to discourage you by all this extra work... ;-)

---1183615881-1045910440-1330826650=:51302-- Associated Messages, from the most recent to the oldest:

---1183615881-1045910440-1330826650=:51302Content-Type: text/plain; charset=us-asciiVery good stuff, Govinda. Thank you thank you thank you.Not discouraged... only grateful.Lori> The code change below worked, and when I opened the admin >page http://www.hydrozone-pro.com/xxxxxxx/zzzzzzzz.tpl to view the database >entries, I got an alert box with the following message:> "You don't want users adding (non-whitelisted) HTML to data that appears on a >page. My example is harmless, but might have been malicious. Google 'XSS'.> > This brings up 2 more questions:> 1. I'm assuming that since you were able to program an alert box to open, a >malicious programmer could> cause harmyes ^^^ .> to my local machine>I think so, but don't assume anything from just my input; I don't specialize in >security.> when I open the page. Could damage also be done to the server on which this >page resides?>not that I am aware of, but again, I don't specialize in security.>You may be asking, what exactly IS the potential "harm"?The javascript could have: not caused an alert message, but instead loaded some malicious code from a(nother) malicious site. Hackers are forever trying to get you (your browser, even if under the hood, via some javascript) to go to their webpages. If you do "go there" in your browser (or some underlying javascript does), then bad things can happen. I have not made the effort to learn what all they can do. I used to think that one was not susceptible to having malware loaded on their computer just from visiting a mean webpage, but now I do not assume that. I just protect myself. *At the minimum* (and don't assume I have brought to light everything you want to do to be "protected"), but *at the minimum*, you:>> 2. I have already wrapped the variables coming from the survey in [url][/url] >>tags. Do I wrap the variables like this?:>> >> [removehtml][url]...[/url][/removehtml]. >yes ^^^ .>You can strip the html tags (including the "..." which I >used to make my point), with [removehtml]...[/removehtml], either: as you are >saving their >input data *into* the db, or as you bring it back *out* of the db >to display on your secret admin page, for viewing.>BTW, secret admin pages are not so secret when their addresses are posted on >public lists.. but especially not when there is no "authentication" code >protecting >it.>Suggestion: how about sticking the following code at the top of your admin >page(s):>(use an [include...], and then you only have to maintain this code in ONE place, >but can use it at the top of the page every time you create another admin page):>(change the username and password to something secret only you know. >If you want to get even more serious .. then later you could write code to keep >track of how many times someone tries to guess the user/pass... and lock them >out >from even being allowed to try, in case they guess more than, e.g., 3 times >an hour.)-------------------------------------------------------------------------------->[!]---quickie realm method protection---[/!]>[showif [url][username][/URL]!yourSecretUserName] > [AUTHENTICATE Hi govinda!]>[/showif]>[showif [url][password][/URL]!yourSecretPassword] > [AUTHENTICATE Hi govinda!]>[/showif]-------------------------------------------------------------------------------->I don't mean to discourage you by all this extra work... ;-)---1183615881-1045910440-1330826650=:51302Content-Type: text/html; charset=us-ascii

Very good stuff, Govinda. Thank you thank you thank you.

Not discouraged... only grateful.

Lori

> The code change below worked, and when I opened the admin page http://www.hydrozone-pro.com/xxxxxxx/zzzzzzzz.tpl to view the database entries, I got an alert box with the following message:
> "You don't want users adding (non-whitelisted) HTML to data that appears on a page. My example is harmless, but might have been malicious. Google 'XSS'.
>
> This brings up 2 more questions:
> 1. I'm assuming that since you were able to program an alert box to open, a malicious programmer could

> cause harm
yes ^^^ .

> to my local machine

>I think so, but don't assume anything from just my input; I don't specialize in security.

> when I open the page. Could damage also be done to the server on which this page resides?

>not that I am aware of, but again, I don't specialize in security.

>You may be asking, what exactly IS the potential "harm"?

The javascript could have: not caused an alert message, but instead loaded some malicious code from a(nother) malicious site. Hackers are forever trying to get you (your browser, even if under the hood, via some javascript) to go to their webpages. If you do "go there" in your browser (or some underlying javascript does), then bad things can happen. I have not made the effort to learn what all they can do. I used to think that one was not susceptible to having malware loaded on their computer just from visiting a mean webpage, but now I do not assume that. I just protect myself. *At the minimum* (and don't assume I have brought to light everything you want to do to be "protected"), but *at the minimum*, you:

>> 2. I have already wrapped the variables coming from the survey in [url][/url] tags. Do I wrap the variables like this?:
>>
>> [removehtml][url]...[/url][/removehtml].

>yes ^^^ .

>You can strip the html tags (including the "<script...>...</script>" which I used to make my point), with [removehtml]...[/removehtml], either: as you are saving their >input data *into* the db, or as you bring it back *out* of the db to display on your secret admin page, for viewing.

>BTW, secret admin pages are not so secret when their addresses are posted on public lists.. but especially not when there is no "authentication" code protecting >it.

>Suggestion: how about sticking the following code at the top of your admin page(s):
>(use an [include...], and then you only have to maintain this code in ONE place, but can use it at the top of the page every time you create another admin page):
>(change the username and password to something secret only you know.
>If you want to get even more serious .. then later you could write code to keep track of how many times someone tries to guess the user/pass... and lock them out >from even being allowed to try, in case they guess more than, e.g., 3 times an hour.)

--------------------------------------------------------------------------------
>[!]---quickie realm method protection---[/!]
>[showif [url][username][/URL]!yourSecretUserName]
> [AUTHENTICATE Hi govinda!]
>[/showif]
>[showif [url][password][/URL]!yourSecretPassword]
> [AUTHENTICATE Hi govinda!]
>[/showif]
--------------------------------------------------------------------------------

>I don't mean to discourage you by all this extra work... ;-)

---1183615881-1045910440-1330826650=:51302-- Lori Palmquist

DOWNLOAD WEBDNA NOW!

[WebDNA] Re: Search on database

2012

Top Articles:

Related Readings: