Re: Major Security Hole IIS NT
This WebDNA talk-list message is from 1998
It keeps the original formatting.
numero = 18606
interpreted = N
texte = The NT BUG FIX list has been screaming about this all day too. So far the
best solution that seems to be working is to map .tpl::$DATA to the
appropriate handler, in our case $webcat.dll

Ray

At 03:49 PM 7/2/98, you wrote:
>And who could possibly do that to all of their sites and all the
>tpl/asp/etc. My god what an awful patch to an ugly problem. Not to mention
>the customers who lease space on our servers.
>
>
>-----Original Message-----
>From: Raymond Hatch
>To: WebDNA-Talk@smithmicro.com
>Date: Thursday, July 02, 1998 4:47 PM
>Subject: Re: Major Security Hole IIS NT
>
>
>>great idea but unfortunately the include tag will point to the file
>>location that they can go to and look at it there.
>>
>>Ray
>>
>>At 04:04 PM 7/2/98, you wrote:
>>>Another work around is to create a file that has the search code in it and
>>>use the include tag. That way all they will see is the tag.
>>>
>>>
>>>
>>>At 11:13 AM 7/2/98, you wrote:
>>>>IIS reveals all special CGI Code
>>>>
>>>>Think no one can read your contextual searches, think again.
>>>>
>>>>Hit your webpage on an IIS server
>>>>
>>>>like http://www.yourdomain.com/special.tpl
>>>>
>>>>now try it like this
>>>>
>>>>http://www.yourdomain.com/special.tpl::$DATA
>>>>
>>>>All source code is revealed, even the special webdna data,
>>>>
>>>>this applies to all special CGI's running on IIS like ASP and Perl. Try it.
>>>>Hit your favorite microsoft server and add the url ::$DATA and you will see
>>>>the special source code.
>>>>
>>>>Look here, this page is running Microsoft's ASP and you can read it all.
>>>>
>>>>heheheh Pretty cool
>>>>
>>>>http://backoffice.microsoft.com/downtrial/default.asp::$DATA
>>>>
>>>>bummer is it also works on .tpl and the rest as well, I don't know about the
>>>>encrypted pages available with 3.0 but I would be interested in hearing from
>>>>others.
>>>>
>>>>Robert Minor
>>>>Cybermill Communications
>>>>
>>>
>>
>>Webmaster
>>Mind Information Systems
>>
>>
>>http://www.mindinfo.com
>>
>

Webmaster
Mind Information Systems
http://www.mindinfo.com
Raymond Hatch
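A defender-side check for the request pattern discussed in this thread, as an added example that is not part of the original messages: it scans web server log lines for URL paths that end in `::$DATA`, including percent-encoded and mixed-case variants. The log layout, the sample lines and the function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample lines (not from the thread), laid out as:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
1998-07-02 15:49:10 192.0.2.10 GET /special.tpl 200
1998-07-02 15:49:12 192.0.2.10 GET /special.tpl::$DATA 200
1998-07-02 15:50:01 192.0.2.22 GET /store/search.asp%3A%3A%24data 200
1998-07-02 15:50:07 192.0.2.22 GET /store/search.asp::$DATA 404
1998-07-02 15:51:30 192.0.2.35 GET /docs/a::b.html 200
"""

STREAM_SUFFIX = "::$data"  # compared in lower case as a conservative choice


def normalize(path, rounds=3):
    """Percent-decode repeatedly (bounded) so nested encodings are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_data_stream(path):
    """True if any path segment ends with the ::$DATA stream suffix."""
    segments = normalize(path).lower().replace("\\", "/").split("/")
    return any(seg.endswith(STREAM_SUFFIX) for seg in segments)


def scan(log_text):
    """Return (client_ip, decoded_path, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip headers, blanks and malformed lines
        _date, _time, ip, _method, stem, status = fields
        if has_data_stream(stem):
            hits.append((ip, normalize(stem), int(status)))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan(SAMPLE_LOG):
        # The status alone does not show whether raw source or rendered
        # output was returned, so every hit needs a manual look.
        print(f"{ip} requested {path} -> {status}")
```

The same `has_data_stream` test can be applied to the request path in a front-end filter so such requests are refused before they reach the file system.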