Re: [WebDNA] Stop hacking

This WebDNA talk-list message is from John Butler, 2013.
texte = --Apple-Mail=_33BC96A7-18BD-4C2C-9144-45BAAEF79AFF Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=iso-8859-1 Here is a version Donovan posted I think in Sept. 2011. = --------------------------------------------------------------------------= ------------------------------------------------------------------ [formvariables name=3Dtext][redirect url=3Dindex.html][/formvariables] = [text]t_commands=3D|[url]![/url]|addfields|addlineitem|append|appendfile|a= pplescript|arrayget|arrayset|authenticate|boldwords|browsername|calcfilecr= c32|capitalize|cart|case|clearlineitems|closedatabase|command|commitdataba= se|convertchars|convertwords|copyfile|copyfolder|countchars|countwords|cre= atefolder|date|ddeconnect|ddesend|decrypt|delete|deletefile|deletefolder|d= os|elapsedtime|else|encrypt|exclusivelock|filecompare|fileinfo|findstring|= flushcache|flushdatabases|format|format|formvariables|founditems|freememor= y|function|getchars|getcookie|getmimeheader|grep|hideif|html1|html2|html3|= httpmethod|if|include|input|interpret|ipaddress|issecureclient|lastautonum= ner|lastrandom|lineitems|listchars|listcookies|listdatabases|listfields|li= stfiles|listmimeheaders|listpath|listvariables|listwords|lookup|lookup|loo= p|lowercase|math|middle|movefile|object|orderfile|password|platform|produc= t|protect|purchase|random|raw|redirect|referrer|removehtml|removelineitem|= replace|replacefounditems|return|returnraw|scope|search|sendmail|setcookie= |setheader|setlineitem|setmimeheader|shell|showif|shownext|spawn|sql|sql|s= qlconnect|sqldisconnect|sqlexecute|sqlinfo|sqlrelease|sqlresult|switch|tab= le|tcpconnect|tcpsend|then|thisurl|time|unurl|uppercase|url|username|valid= card|version|waitforfile|writefile|xmlnode|xmlnodes|xmlnodesattributes|xml= parse|xsl|xslt|[/text] [formvariables] [showif [t_commands]^|[url][name][/url]|] [redirect url=3Dindex.html] [/showif] [/formvariables] = 
--------------------------------------------------------------------------= ------------------------------------------------------------------ The version you posted that started this thread looked fine, too, at = first glance. =20 -G On 2013-09-11, at 9:34 PM, Steve Graham wrote: > > Many of us placed other code to prevent this hole in the webdna = pre-parse script. >=20 > Can you send it to me or post here? >=20 >=20 >=20 >=20 >=20 >=20 > On Wed, Sep 11, 2013 at 6:57 PM, John Butler = wrote: > yes, it seems the coder was preventing the very thing I mentioned in = my last post on this thread. >=20 > -G >=20 >=20 > On 2013-09-11, at 7:54 PM, Steve Graham wrote: >=20 >> This is noHack.db: >>=20 >> contextName >> ! >> addfields >> addlineitem >> append >> appendfile >> applescript >> arrayget >> arrayset >> authenticate >> boldwords >> browsername >> calcfilecrc32 >> capitalize >> case >> clearlineitems >> closedatabase >> command >> commitdatabase >> convertchars >> convertwords >> copyfile >> copyfolder >> countchars >> countwords >> createfolder >> date >> ddeconnect >> ddesend >> decrypt >> delete >> deletefile >> deletefolder >> dos >> elapsedtime >> else >> encrypt >> exclusivelock >> filecompare >> fileinfo >> findstring >> flushcache >> flushdatabases >> format >> format >> formvariables >> founditems >> freememory >> function >> getchars >> getcookie >> getmimeheader >> grep >> hideif >> html1 >> html2 >> html3 >> httpmethod >> if >> include >> input >> interpret >> ipaddress >> issecureclient >> lastautonumner >> lastrandom >> lineitems >> listchars >> listcookies >> listdatabases >> listfields >> listfiles >> listmimeheaders >> listpath >> listvariables >> listwords >> lookup >> lookup >> loop >> lowercase >> math >> middle >> movefile >> object >> orderfile >> password >> platform >> product >> protect >> purchase >> random >> raw >> redirect >> referrer >> removehtml >> removelineitem >> replace >> replacefounditems >> return >> returnraw >> scope >> 
search >> sendmail >> setcookie >> setheader >> setlineitem >> setmimeheader >> shell >> showif >> shownext >> spawn >> sql >> sql >> sqlconnect >> sqldisconnect >> sqlexecute >> sqlinfo >> sqlrelease >> sqlresult >> switch >> table >> tcpconnect >> tcpsend >> text >> then >> thisurl >> time >> unurl >> uppercase >> url >> username >> validcard >> version >> version >> waitforfile >> writefile >> xmlnode >> xmlnodes >> xmlnodesattributes >> xmlparse >> xsl >> xslt >>=20 >>=20 >> On Wed, Sep 11, 2013 at 6:42 PM, Donovan Brooke = wrote: >> Steve,=20 >> It appears the original coder was trying to stop anyone from trying a = context in the URL... however, I'm not sure why that would be desired. = We don't know the contents of "noHack.db" so we can't tell you exactly = what the coder was trying to protect the site from. >>=20 >> Donovan >> =20 >> =20 >>> --- Original message ---=20 >>> Subject: [WebDNA] Stop hacking=20 >>> From: Steve Graham =20 >>> To: =20 >>> Date: Wednesday, 11/09/2013 3:53 PM >>>=20 >>> I found this code in a webdna site I am fixing. Someone please say = if this is necessary or recommended to stop hackers in v7.x or v6.2.1: >>>=20 >>> [formvariables] >>> [search db=3DnoHack.db&eqcontextNamedatarq=3D[url][name][/url]] >>> [founditems] >>> [redirect /] >>> [/founditems] >>> [/search] >>> [/formvariables] >>>=20 >>> [!] include this file at the top of every page to block hacking when = a context name appears as a formvariable name [/!] >>> --------------------------------------------------------- This = message is sent to you because you are subscribed to the mailing list = . To unsubscribe, E-mail to: = archives: = http://mail.webdna.us/list/talk@webdna.us Bug Reporting: = support@webdna.us >>=20 >> --------------------------------------------------------- This = message is sent to you because you are subscribed to the mailing list . 
= To unsubscribe, E-mail to: archives: = http://mail.webdna.us/list/talk@webdna.us Bug Reporting: = support@webdna.us >>=20 >> --------------------------------------------------------- This = message is sent to you because you are subscribed to the mailing list . = To unsubscribe, E-mail to: archives: = http://mail.webdna.us/list/talk@webdna.us Bug Reporting: = support@webdna.us >=20 > --------------------------------------------------------- This message = is sent to you because you are subscribed to the mailing list . To = unsubscribe, E-mail to: archives: = http://mail.webdna.us/list/talk@webdna.us Bug Reporting: = support@webdna.us >=20 > --------------------------------------------------------- This message = is sent to you because you are subscribed to the mailing list . To = unsubscribe, E-mail to: archives: = http://mail.webdna.us/list/talk@webdna.us Bug Reporting: = support@webdna.us --Apple-Mail=_33BC96A7-18BD-4C2C-9144-45BAAEF79AFF Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=iso-8859-1
Here is a version Donovan posted I think in Sept. = 2011.

-------------------------------------------= --------------------------------------------------------------------------= -----------------------

[formvariables = name=3Dtext][redirect = url=3Dindex.html][/formvariables]
[text]t_commands=3D|[url]![/ur= l]|addfields|addlineitem|append|appendfile|applescript|arrayget|arrayset|a= uthenticate|boldwords|browsername|calcfilecrc32|capitalize|cart|case|clear= lineitems|closedatabase|command|commitdatabase|convertchars|convertwords|c= opyfile|copyfolder|countchars|countwords|createfolder|date|ddeconnect|ddes= end|decrypt|delete|deletefile|deletefolder|dos|elapsedtime|else|encrypt|ex= clusivelock|filecompare|fileinfo|findstring|flushcache|flushdatabases|form= at|format|formvariables|founditems|freememory|function|getchars|getcookie|= getmimeheader|grep|hideif|html1|html2|html3|httpmethod|if|include|input|in= terpret|ipaddress|issecureclient|lastautonumner|lastrandom|lineitems|listc= hars|listcookies|listdatabases|listfields|listfiles|listmimeheaders|listpa= th|listvariables|listwords|lookup|lookup|loop|lowercase|math|middle|movefi= le|object|orderfile|password|platform|product|protect|purchase|random|raw|= redirect|referrer|removehtml|removelineitem|replace|replacefounditems|retu= rn|returnraw|scope|search|sendmail|setcookie|setheader|setlineitem|setmime= header|shell|showif|shownext|spawn|sql|sql|sqlconnect|sqldisconnect|sqlexe= cute|sqlinfo|sqlrelease|sqlresult|switch|table|tcpconnect|tcpsend|then|thi= surl|time|unurl|uppercase|url|username|validcard|version|waitforfile|write= file|xmlnode|xmlnodes|xmlnodesattributes|xmlparse|xsl|xslt|[/text]
[formvariables]
[showif = [t_commands]^|[url][name][/url]|]
[redirect = url=3Dindex.html]
= [/showif]
[/formvariables]


<= /div>
----------------------------------------------------------------= --------------------------------------------------------------------------= --

The version you posted that started this = thread looked fine, too, at first glance. =   

-G



On 2013-09-11, at 9:34 PM, Steve Graham = <skgrahamjr@gmail.com> = wrote:

> Many of us placed other code to = prevent this hole in the webdna pre-parse script.

Can you = send it to me or post here?






On Wed, Sep 11, 2013 at 6:57 PM, John Butler <govinda.webdnatalk@gmail.com> = wrote:
yes, it seems the coder was = preventing the very thing I mentioned in my last post on this = thread.

-G


On 2013-09-11, at 7:54 = PM, Steve Graham <skgrahamjr@gmail.com> wrote:

This is = noHack.db:

contextName
!
addfields
addlineitem
appendappendfile
applescript
arrayget
arrayset
authenticate
bol= dwords
browsername
calcfilecrc32
capitalize
= case
clearlineitems
closedatabase
command
commitdatabase
co= nvertchars
convertwords
copyfile
copyfolder
countchars
coun= twords
createfolder
date
ddeconnect
ddesend
decrypt
dele= te
= deletefile
deletefolder
dos
elapsedtime
else
encrypt
exc= lusivelock
filecompare
fileinfo
findstring
flushcache
flush= databases
format
format
formvariables
founditems
freememory=
= function
getchars
getcookie
getmimeheader
grep
hideif
ht= ml1
html2
html3
httpmethod
if
include
input
interpret=
ipaddress
issecureclient
lastautonumner
lastrandom
lineite= ms
= listchars
listcookies
listdatabases
listfields
listfiles
li= stmimeheaders
listpath
listvariables
listwords
lookup
looku= p
loop
lowercase
math
middle
movefile
object
orderfil= e
= password
platform
product
protect
purchase
random
rawredirect
referrer
removehtml
removelineitem
replace
replac= efounditems
return
returnraw
scope
search
sendmail
setco= okie
= setheader
setlineitem
setmimeheader
shell
showif
shownextspawn
sql
sql
sqlconnect
sqldisconnect
sqlexecute
sqli= nfo
sqlrelease
sqlresult
switch
table
tcpconnect
tcpsend=
= text
then
thisurl
time
unurl
uppercase
url
usernamevalidcard
version
version
waitforfile
writefile
xmlnodexmlnodes
xmlnodesattributes
xmlparse
xsl
xslt


On Wed, Sep 11, 2013 at 6:42 PM, = Donovan Brooke <dbrooke@webdna.us> wrote:
Steve,
It appears the original coder was trying to stop anyone from = trying a context in the URL... however, I'm not sure why that would be = desired. We don't know the contents of "noHack.db" so we can't tell you = exactly what the coder was trying to protect the site from.
=
Donovan
 
 
--- Original message ---
Subject: = [WebDNA] Stop hacking
From: Steve Graham <skgrahamjr@gmail.com>
To: <talk@webdna.us>
Date: Wednesday, = 11/09/2013 3:53 PM

I found this code in a webdna site I am = fixing.  Someone please say if this is necessary or recommended to = stop hackers in v7.x or v6.2.1:

[formvariables]
[search = db=3DnoHack.db&eqcontextNamedatarq=3D[url][name][/url]]
[founditems= ]
[redirect = /]
[/founditems]
[/search]
[/formvariables]

[!] include = this file at the top of every page to block hacking when a context name = appears as a formvariable name [/!]
--------------------------------------------------------- = This message is sent to you because you are subscribed to the mailing = list <talk@webdna.us>. To unsubscribe, E-mail to: = <talk-leave@webdna.us>archives: http://mail.webdna.us/list/talk@webdna.us Bug = Reporting: support@webdna.us

--------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: archives: http://mail.webdna.us/list/talk@webdna.us Bug Reporting: support@webdna.us

= --------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: archives: http://mail.webdna.us/list/talk@webdna.us Bug Reporting: support@webdna.us
--------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: archives: http://mail.webdna.us/list/talk@webdna.us Bug Reporting: support@webdna.us

= --------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: archives: http://mail.webdna.us/l= ist/talk@webdna.us Bug Reporting: support@webdna.us
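The deny-list check that both snippets in this thread perform (the noHack.db lookup and the t_commands containment test), reimplemented in Python as an added example that is not code from the thread or from WebDNA: it parses a request's GET and POST variable names and reports the first one that collides with a context name, which is what the [redirect] in the snippets reacts to. The deny list is the contextName column of noHack.db exactly as posted above; percent-decoding and case-folding of the names are assumptions made here, not something the thread states.

```python
"""Deny-list check for WebDNA context names used as form-variable names.

Added example, not code from the thread. It mirrors the two WebDNA
snippets above so their behaviour can be exercised offline.
Assumptions (mine, not the thread's): names are compared after
percent-decoding and case-folding.
"""
from urllib.parse import parse_qsl, unquote

# contextName column of noHack.db as posted (duplicates dropped,
# spelling kept as posted, e.g. lastautonumner).
NOHACK_DB = """! addfields addlineitem append appendfile applescript arrayget arrayset
authenticate boldwords browsername calcfilecrc32 capitalize case clearlineitems
closedatabase command commitdatabase convertchars convertwords copyfile copyfolder
countchars countwords createfolder date ddeconnect ddesend decrypt delete deletefile
deletefolder dos elapsedtime else encrypt exclusivelock filecompare fileinfo
findstring flushcache flushdatabases format formvariables founditems freememory
function getchars getcookie getmimeheader grep hideif html1 html2 html3 httpmethod
if include input interpret ipaddress issecureclient lastautonumner lastrandom
lineitems listchars listcookies listdatabases listfields listfiles listmimeheaders
listpath listvariables listwords lookup loop lowercase math middle movefile object
orderfile password platform product protect purchase random raw redirect referrer
removehtml removelineitem replace replacefounditems return returnraw scope search
sendmail setcookie setheader setlineitem setmimeheader shell showif shownext spawn
sql sqlconnect sqldisconnect sqlexecute sqlinfo sqlrelease sqlresult switch table
tcpconnect tcpsend text then thisurl time unurl uppercase url username validcard
version waitforfile writefile xmlnode xmlnodes xmlnodesattributes xmlparse xsl xslt"""
CONTEXT_NAMES = frozenset(NOHACK_DB.split())

# Equivalent of the [text]t_commands=|...|[/text] string: pipe-delimited,
# so that testing for "|name|" is a whole-name match, not a substring one.
T_COMMANDS = "|" + "|".join(sorted(CONTEXT_NAMES)) + "|"


def normalize(name: str) -> str:
    """Undo percent-encoding (the [url] wrapping) and case-fold (assumption)."""
    return unquote(name).strip().lower()


def blocked_by_db(name: str) -> bool:
    """noHack.db style: exact lookup of the variable name in the deny list."""
    return normalize(name) in CONTEXT_NAMES


def blocked_by_t_commands(name: str) -> bool:
    """t_commands style: [showif [t_commands]^|[name]|] containment test."""
    return ("|" + normalize(name) + "|") in T_COMMANDS


def parameter_names(query_string: str, body: str = "") -> list:
    """Names of every variable a request carries, GET and POST alike."""
    names = []
    for raw in (query_string, body):
        names += [k for k, _ in parse_qsl(raw, keep_blank_values=True)]
    return names


def guard(query_string: str, body: str = "") -> dict:
    """Decide whether the request would be redirected away, and by which name."""
    for name in parameter_names(query_string, body):
        if blocked_by_db(name):
            return {"allow": False, "offending": name}
    return {"allow": True, "offending": None}


def check_consistency(names) -> bool:
    """True when both formulations from the thread agree on every name."""
    return all(blocked_by_db(n) == blocked_by_t_commands(n) for n in names)


if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    samples = [
        ("id=42&page=2", ""),
        ("search=widgets", ""),             # "search" is a context name
        ("%21=1", ""),                       # "!" arriving percent-encoded
        ("", "user=bob&include=header"),     # POST body
    ]
    for qs, body in samples:
        d = guard(qs, body)
        print(f"{qs!r} {body!r} -> allow={d['allow']} offending={d['offending']}")
```

The list contains ordinary form-field names such as search, date, password and username, so a site running this guard redirects every request that carries such a field; the second sample request shows that collision.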
Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Stop hacking (Donovan Brooke 2013)
  2. Re: [WebDNA] Stop hacking (Dan Strong 2013)
  3. Re: [WebDNA] Stop hacking (John Butler 2013)
  4. Re: [WebDNA] Stop hacking (WebDNA 2013)
  5. Re: [WebDNA] Stop hacking (John Butler 2013)
  6. Re: [WebDNA] Stop hacking (Steve Graham 2013)
  7. Re: [WebDNA] Stop hacking (John Butler 2013)
  8. Re: [WebDNA] Stop hacking (John Butler 2013)
  9. Re: [WebDNA] Stop hacking (Steve Graham 2013)
  10. Re: [WebDNA] Stop hacking (Donovan Brooke 2013)
  11. [WebDNA] Stop hacking (Steve Graham 2013)
