Re: mac hack

This WebDNA talk-list message is from

1997


>I saw that Lasso had the bad luck of being the cgi responsible for a mac
>hack, and that PCS has had to repair siteedit for having the same hole.
>What is the status of webcat? Although I know little of the actual
>technique used, I know it had to do with the serving of the omega files,
>which webcat will not serve. So I assume we are completely safe!

Lots of programs store their valuable information in plain text files on the hard disk (mail servers store all mail files that way, Eudora's inbox, even Apple's Users&Groups file has interesting plaintext info in it). PCS has always been very careful to set the special WWWOmega filetype information on sensitive files; this tells WebSTAR and other CGIs not to ever serve that file. Lasso ignores this information and serves the file anyway. Worse, it serves files *outside* your WebSTAR folder, so even your System Folder is not safe.

The bottom line: If you have Lasso installed on a WebCatalog server, someone can use Lasso to get at your WebCatalog Users.db file (and Eudora, and EIMS and Users&Groups and secret Realm-protected files and on and on). I recommend you either get the new *fixed* version of Lasso, or disable it until you have a plan to prevent such attacks.

WebCatalog itself cannot be used to display such files, because it does the right thing and looks for the WWWOmega filetype information, and prevents outsiders from viewing that URL. We encourage people to send us information about possible security holes in WebCatalog...if you think you find one, please let us know (privately) right away so we can get a fix out to the world.

Grant Hulbert, V.P. Engineering    | ===== Tools for WebWarriors =====
Pacific Coast Software             | WebCatalog Pro, WebCommerce Solution
11770 Bernardo Plaza Court         | SiteEdit Pro, SiteCheck, PhotoMaster
San Diego, CA 92128                | SiteGuard
619/675-1106  Fax: 619/675-0372    | http://www.smithmicro.com

Associated Messages, from the most recent to the oldest:

    
  1. Re: mac hack (Michael Winston 1997)
  2. Re: mac hack (Grant Hulbert 1997)
  3. Re:mac hack (Jay Van Vark 1997)
  4. mac hack (Bob Minor 1997)
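Grant's message describes two separate failures: a CGI that follows a URL out of the web folder, and a CGI that ignores the server's "do not serve" marker on a file. The following is an added example, written for this page and not code from the WebDNA list or from any product named in the thread, showing the two checks a file-serving CGI has to make before it opens anything. The classic Mac OS Finder file type is not available on modern systems, so the WWWOmega marker is simulated with a dict (`file_types`) mapping resolved path to a type code; the code `DO_NOT_SERVE_TYPE`, the folder names, and the file contents are all constructed for the demo.

```python
"""Path-containment and sensitive-file checks for a file-serving CGI.

Constructed example: the Finder file-type metadata that a 1997 Mac web
server read from the filesystem is simulated here with a plain dict.
"""
import tempfile
from pathlib import Path

# Hypothetical 4-character type code standing in for the WWWOmega marker
# described on the list; the real code's bytes are not given on the page.
DO_NOT_SERVE_TYPE = "WWW\u03a9"


def resolve_under_root(root: str, url_path: str):
    """Return the real path for url_path if it stays inside root, else None.

    Resolving the joined path collapses '..' segments and follows symlinks,
    so a link inside the web folder that points at the System Folder is
    rejected exactly like a literal '../' escape in the URL.
    """
    root_real = Path(root).resolve()
    candidate = (root_real / url_path.lstrip("/")).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None
    return candidate


def decide(root: str, url_path: str, file_types: dict) -> str:
    """Classify a request: 'serve', 'outside-root', 'marked-private' or 'missing'.

    The containment check runs first, so a file marked private can never be
    reached through a path that escapes the web folder either.
    """
    target = resolve_under_root(root, url_path)
    if target is None:
        return "outside-root"
    if not target.is_file():
        return "missing"
    # Honour the sensitive-file marker the way the message says WebSTAR does.
    if file_types.get(str(target)) == DO_NOT_SERVE_TYPE:
        return "marked-private"
    return "serve"


def demo() -> dict:
    """Build a throwaway web folder with constructed files and run four requests."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        web = base / "WebSTAR"
        web.mkdir()
        (web / "index.html").write_text("<html>hello</html>")   # public page
        (web / "Users.db").write_text("admin:secret")            # constructed
        system = base / "System Folder"
        system.mkdir()
        (system / "Users & Groups Data File").write_text("x")   # constructed
        (web / "sys").symlink_to(system)  # a link pointing out of the web folder

        # Only Users.db carries the "do not serve" type in this simulation.
        file_types = {str((web / "Users.db").resolve()): DO_NOT_SERVE_TYPE}

        requests = [
            "/index.html",
            "/Users.db",
            "/../System Folder/Users & Groups Data File",
            "/sys/Users & Groups Data File",
        ]
        return {url: decide(str(web), url, file_types) for url in requests}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:15s} {url}")
```

Both the `..` request and the symlinked one come back as `outside-root` because the check is done on the resolved path, not on the URL text; `Users.db` sits inside the web folder but is refused on the marker alone, which is the behaviour the message attributes to WebSTAR and WebCatalog and says Lasso lacked.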
