Re: Major Security Hole IIS NT

This WebDNA talk-list message is from 1998. It keeps the original formatting.
The NT BUG FIX list has been screaming about this all day too. So far the best solution that seems to be working is to map .tpl::$DATA to the appropriate handler, in our case $webcat.dll

Ray

At 03:49 PM 7/2/98, you wrote:
>And who could possibly do that to all of their sites and all the
>tpl/asp/etc. My god what an awful patch to an ugly problem. Not to mention
>the customers who lease space on our servers.
>
>
>-----Original Message-----
>From: Raymond Hatch
>To: WebDNA-Talk@smithmicro.com
>Date: Thursday, July 02, 1998 4:47 PM
>Subject: Re: Major Security Hole IIS NT
>
>
>>great idea but unfortunately the include tag will point to the file
>>location that they can go to and look at it there.
>>
>>Ray
>>
>>At 04:04 PM 7/2/98, you wrote:
>>>Another work around is to create a file that has the search code in it and
>>>use the include tag. That way all they will see is the tag.
>>>
>>>
>>>
>>>At 11:13 AM 7/2/98, you wrote:
>>>>IIS reveals all special CGI Code
>>>>
>>>>Think no one can read your contextual searches, think again.
>>>>
>>>>Hit your webpage on an IIS server
>>>>
>>>>like http://www.yourdomain.com/special.tpl
>>>>
>>>>now try it like this
>>>>
>>>>http://www.yourdomain.com/special.tpl::$DATA
>>>>
>>>>All source code is revealed, even the special webdna data,
>>>>
>>>>this applies to all special CGI's running on IIS like ASP and Perl. Try it.
>>>>Hit your favorite Microsoft server and add the url ::$DATA and you will see
>>>>the special source code.
>>>>
>>>>Look here, this page is running Microsoft's ASP and you can read it all.
>>>>
>>>>heheheh Pretty cool
>>>>
>>>>http://backoffice.microsoft.com/downtrial/default.asp::$DATA
>>>>
>>>>bummer is it also works on .tpl and the rest as well, I don't know about the
>>>>encrypted pages available with 3.0 but I would be interested in hearing from
>>>>others.
>>>>
>>>>Robert Minor
>>>>Cybermill Communications
>>>>
>>>
>>
>>Webmaster
>>Mind Information Systems
>>
>>
>>http://www.mindinfo.com
>>
>

Webmaster
Mind Information Systems
http://www.mindinfo.com

Associated Messages, from the most recent to the oldest:

    
  1. Re: Major Security Hole IIS NT (Bob Minor 1998)
  2. Re: Major Security Hole IIS NT (greg 1998)
  3. Re: Major Security Hole IIS NT (Kenneth Grome 1998)
  4. Re: Major Security Hole IIS NT (Kenneth Grome 1998)
  5. RE: Major Security Hole IIS NT (PCS Technical Support 1998)
  6. RE: Major Security Hole IIS NT (Olin 1998)
  7. Re: Major Security Hole IIS NT (Bob Minor 1998)
  8. Re: Major Security Hole IIS NT (PCS Technical Support 1998)
  9. Re: Major Security Hole IIS NT (Bob Minor 1998)
  10. Re: Major Security Hole IIS NT (Peter Ostry 1998)
  11. Re: Major Security Hole IIS NT (Bob Minor 1998)
  12. Re: Major Security Hole IIS NT (Bob Minor 1998)
  13. Major Security Hole IIS NT (Bob Minor 1998)
  14. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  15. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  16. Re: Major Security Hole IIS NT (Chuck Wall 1998)
  17. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  18. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  19. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  20. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
Raymond Hatch
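A log check for the request pattern discussed in this thread, as an added example that is not part of the original messages: it flags requests whose path ends in the `::$DATA` stream suffix, including percent-encoded and mixed-case forms, and records whether the server answered 200. The log format, the sample lines, the function names and the `.pl` extension for Perl are assumptions.

```python
import re
from urllib.parse import unquote

# Extensions the thread names (.tpl, .asp); .pl for Perl is an assumption.
SCRIPT_EXTS = (".tpl", ".asp", ".pl")
STREAM_SUFFIX = re.compile(r"::\$DATA$", re.IGNORECASE)
LOG_LINE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*" (\d{3})')

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/1998:11:13:00 -0500] "GET /special.tpl HTTP/1.0" 200 2048',
    '192.0.2.10 - - [02/Jul/1998:11:13:05 -0500] "GET /special.tpl::$DATA HTTP/1.0" 200 5120',
    '198.51.100.7 - - [02/Jul/1998:15:49:00 -0500] "GET /default.asp%3A%3A%24data HTTP/1.0" 200 7301',
    '198.51.100.7 - - [02/Jul/1998:16:47:00 -0500] "GET /default.asp::$DATA HTTP/1.0" 404 312',
    '203.0.113.4 - - [02/Jul/1998:16:50:00 -0500] "GET /logo.gif::$DATA HTTP/1.0" 200 900',
    '203.0.113.4 - - [02/Jul/1998:16:51:00 -0500] "GET /search.tpl?q=a::$DATA HTTP/1.0" 200 1500',
]

def classify(raw_target):
    """Return None, 'script-source' or 'stream-suffix' for a request target."""
    path = raw_target.split("?", 1)[0]      # the stream name must be on the path
    for _ in range(3):                      # undo nested percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    match = STREAM_SUFFIX.search(path)
    if not match:
        return None
    base = path[:match.start()].lower()
    return "script-source" if base.endswith(SCRIPT_EXTS) else "stream-suffix"

def scan(lines):
    """Return (client, target, kind, served) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        kind = classify(target)
        if kind:
            # A 200 on a script-source hit means the raw file body went out.
            hits.append((client, target, kind, status == 200))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A `script-source` hit with `served` true is the case to review first, since any credentials or query logic in that template should be treated as disclosed.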
