Re: [WebDNA] WebDNA code displaying on page
This WebDNA talk-list message is from 2012
It keeps the original formatting.
numero = 110005
The webdna.us site is vulnerable.

http://webdna.us/page.dna?search=-hacked-

FWIW, I have this in my pre-parse script:

[formvariables name=search][redirect /][/formvariables]
[formvariables name=!][redirect /][/formvariables]
[formvariables name=text][redirect /][/formvariables]
[formvariables name=math][redirect /][/formvariables]
[formvariables name=encrypt][redirect /][/formvariables]
[formvariables name=decrypt][redirect /][/formvariables]
[formvariables name=authenticate][redirect /][/formvariables]
[formvariables name=protect][redirect /][/formvariables]
[formvariables name=tcpconnect][redirect /][/formvariables]

It doesn't cover all WebDNA keywords, but catches the primary ones that concern me from a security standpoint. I don't like to add more code than necessary, since it increases the processing time needed for every page load, but you can extend the default list if desired, and can add other keyword tests on specific pages if needed.

- Brian

On Dec 12, 2012, at 11:55 AM, Steve Raslevich wrote:

> Hi Chris,
>
> So is there a fix for 6.2? I am guessing then that the webdna.us site is also still running 6.2?
>
> christophe.billiottet@webdna.us wrote:
>> Exact, that was fixed in WebDNA.fcgi a few years ago
>>
>> - chris
>>
>> On Dec 12, 2012, at 17:44, Terry Wilson wrote:
>>
>>> This exploit was discovered a few years back, but I thought it was
>>> fixed, or a fix was announced or something. I forget.
>>>
>>> Terry
>>>
>>>> Hi,
>>>>
>>>> I am running V6.2 on CentOS 5.8 and have found instances where
>>>> WebDNA code displays on a page if certain WebDNA tags are in the URL.
>>>>
>>>> I thought it was something I was doing but this appears to happen on
>>>> the www.webdna.us site as well.
>>>>
>>>> http://www.webdna.us/page.dna?text=
>>>> takes you to a page that shows only webdna code
>>>>
>>>> http://www.webdna.us/page.dna?numero=56&text=
>>>> adds a line of text above the navigation row in the red background
>>>> (need to mouse over to see it - text is same color as red background)
>>>>
>>>> I first experienced this with != and fixed it by putting a
>>>> RewriteRule in an .htaccess file in the site's root folder
>>>>
>>>> Today I tried a few other tags and found others. I haven't checked
>>>> all the tags, just a handful.
>>>>
>>>> text=
>>>> math=
>>>> format=
>>>>
>>>> Anyone else experience this, have a fix or suggestion?
>>>>
>>>> Thanks,
>>>> Steve
>>>>
>>>> ---------------------------------------------------------
>>>> This message is sent to you because you are subscribed to
>>>> the mailing list.
>>>> To unsubscribe, E-mail to:
>>>> archives: http://mail.webdna.us/list/talk@webdna.us
>>>> Bug Reporting: support@webdna.us
>>>
>>> --
>>> Terry Wilson | terry@terryfic.com | http://terryfic.com
>>> http://WhosComing.com - a simplified, affordable online reservation system
>>> iStockPhoto portfolio - http://www.istockphoto.com/Terryfic3D?refnum=Terryfic3D
>>> --------------------------------------------------------------------------
>>> Attitude is the only difference between ordeal and adventure.
Brian Fries
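The guard Brian describes is a denylist on form-variable names: if a request carries a parameter whose name is a WebDNA keyword, redirect to / before the template engine ever sees it. The following is an added example (not code from the thread or from WebDNA) that implements the same check in Python so it can be run and tested offline. It assumes WebDNA tag names are matched case-insensitively (the thread does not say), and its keyword list is Brian's list plus the three names Steve reported; the sample URLs are constructed from the ones quoted above.

```python
"""Reject requests whose query-parameter names collide with WebDNA tag keywords.

Added example, not code from the thread. It mirrors the intent of Brian's
[formvariables name=...][redirect /] pre-parse guard: a request carrying a
form variable named after a WebDNA keyword (text, math, !, ...) is sent to /
instead of being passed to the template engine.

Assumption (not stated on the page): tag names match case-insensitively, so
names are lowercased before comparison.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, urlsplit

# Brian's list from the thread, plus "format", which Steve reported.
RESERVED_NAMES = frozenset({
    "search", "!", "text", "math", "encrypt", "decrypt",
    "authenticate", "protect", "tcpconnect", "format",
})


def reserved_params(query_string: str) -> list[str]:
    """Return every parameter name in query_string that is a reserved keyword.

    keep_blank_values=True is the important detail: the proof-of-concept in
    the thread is `?text=` with an empty value, and parse_qsl drops blank
    values by default, which would let exactly that request through.
    """
    names = (name for name, _value in parse_qsl(query_string, keep_blank_values=True))
    return [n for n in names if n.lower() in RESERVED_NAMES]


def guard(url: str) -> tuple[int, str]:
    """Decide what a pre-parse hook would do with `url`.

    Returns (302, "/") to redirect, as Brian's snippet does, or (200, url)
    to let the page render normally.
    """
    query = urlsplit(url).query
    if reserved_params(query):
        return 302, "/"
    return 200, url


if __name__ == "__main__":
    # Constructed URLs modelled on the ones quoted in the thread.
    for u in (
        "http://www.webdna.us/page.dna?text=",
        "http://www.webdna.us/page.dna?numero=56&text=",
        "http://www.webdna.us/page.dna?!=",
        "http://webdna.us/page.dna?search=-hacked-",
        "http://www.webdna.us/page.dna?numero=56",
    ):
        print(u, "->", guard(u))
```

As Brian notes, a denylist only catches the names on the list; where a page expects a fixed set of parameters, checking that every submitted name is one of those expected (an allowlist) is the stricter form of the same pre-parse check.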