Re: Protect
This WebDNA talk-list message is from 1997
It keeps the original formatting.
>>> So I want them to only be able to interact
>>> with their own templates and databases in their directory.
>>
>> Anyone who has rights to change a template can create WebDNA that does
>> lots of nasty things, roughly analogous to someone who has rights to
>> upload a CGI. The best protection you have is to give vendors an
>> administrative interface to modify their databases via forms, but don't
>> let them change template files.
>>
>> Grant Hulbert, V.P. Engineering | ==== eCommerce for the Rest of Us ====
>> Pacific Coast Software | WebCatalog, WebMerchant
>> 11770 Bernardo Plaza Court | SiteEdit Pro, PhotoMaster
>> San Diego, CA 92128 | SiteGuard
>> 619/675-1106 Fax: 619/675-0372 | http://www.smithmicro.com
>
> This is exactly what I thought. I don't think some of the others see the
> ramifications with this. I have a couple of companies that do web design
> in WebCatalog. I am teaching them the basics. Being a programmer from way
> back I saw the problem right away and wanted to protect it. Now that I
> know I can't I will have to use other threats to them. Like crash
> something and it costs you $25. So make sure your code is good and
> non-malicious.

Of course, if you let other people program WebCatalog for you --
instead of doing it yourself -- there's a huge possibility that one
of them (and more likely, *many* of them) will be creating templates
that mess up things on your web site that you did not want messed up.
How can you possibly trust novices to do the right thing with a
program as powerful as WebCatalog?

If you are as concerned about security as one might think you should
be, you would *NEVER* let anyone else create WebDNA templates and
upload them to your server without your first checking each of those
templates individually.

You're obviously in a unique situation in that you feel it's okay
to let your users create their own WebDNA templates ... but
WebCatalog was never designed to provide ANY kind of security for
webmasters who take your approach to running their web sites.

Anyone feeling a little bit irritated with the way you're treating
them could EASILY delete ALL the data in ALL the databases on your
site, and completely wipe out all the text on all your web pages as
well ... not to mention using [AppleScript] contexts to trash any
other files they can find (and they can use WebDNA to find EVERY file
on your server -- I know, I've done it!).

I think you should give some very serious thought to allowing ANY of
your users to create WebDNA templates on your site. My personal
opinion is that it is not worth the risk.

Sincerely,
Ken Grome
WebDNA Solutions
808-737-6499
http://www.smithmicro.com/webdnasolutions/
Kenneth Grome
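The mitigation Grant Hulbert recommends in the quoted reply (vendors edit their own data through a constrained form, never the template files) sketched as an added example; this is not code from the thread or from WebDNA/WebCatalog. The vendor ids, record layout, allow-listed fields and the rule that refuses WebDNA-style `[tag]` syntax in submitted values are all assumptions made for the example.

```python
import re

# Constructed sample store: one record per vendor, keyed by record id.
# Stands in for a per-vendor WebCatalog database; not WebDNA's own format.
PRODUCTS = {
    "p1": {"vendor": "acme", "name": "Widget", "price": "9.99"},
    "p2": {"vendor": "globex", "name": "Gadget", "price": "19.99"},
}

# Allow-listed fields a vendor may change through the form; everything
# else (owner, record id, anything template-related) is off limits.
EDITABLE_FIELDS = {"name", "price"}

# Assumption: stored values are later rendered inside WebDNA templates,
# so anything that looks like a WebDNA tag or context is refused outright.
TAG_PATTERN = re.compile(r"\[[^\]]*\]")
PRICE_PATTERN = re.compile(r"^\d{1,6}(\.\d{1,2})?$")


class FormRejected(Exception):
    """Raised when a submitted edit violates the form's rules."""


def update_product(session_vendor, record_id, form):
    """Apply one vendor's form submission to one product record.

    session_vendor: vendor identity taken from the authenticated session,
                    never from the submitted form.
    form:           dict of submitted field -> value (strings).
    Returns the updated record, or raises FormRejected.
    """
    record = PRODUCTS.get(record_id)
    if record is None or record["vendor"] != session_vendor:
        # Same error for "missing" and "not yours": no enumeration oracle.
        raise FormRejected("no such record")
    unknown = set(form) - EDITABLE_FIELDS
    if unknown:
        raise FormRejected(f"field not editable: {sorted(unknown)}")
    for field, value in form.items():
        if not isinstance(value, str) or TAG_PATTERN.search(value):
            raise FormRejected(f"template syntax not allowed in {field}")
        if field == "price" and not PRICE_PATTERN.match(value):
            raise FormRejected("price must be a decimal number")
    record.update(form)  # only validated, allow-listed fields reach the store
    return record
```

The point is the shape of the interface: the vendor's identity comes from the session, the writable fields are enumerated, and nothing a vendor submits is ever interpreted as WebDNA.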