Re: Major Security Hole
This WebDNA talk-list message is from 1998
It keeps the original formatting.
numero = 18819
>>BUT Macs are susceptible to this as well! And you can't, or at least I
>>couldn't, map .tmpl::$DATA to webcatalog. It still reveals the WebDNA tags.
>>NOT good if you are showing and hiding text based on passwords like [showif
>>[password]=3294.bob]. Now it becomes simple to find the once hidden
>>passwords.
>
>Yes, the $ is the problem here, but I don't see your symptom. When I type
>a URL like that I get password-challenged (because $DATA is not one of the
>commands WebCatalog allows without a password). Do you have your
>WebCatalog preferences set up to only allow certain $commands, or do you
>let them all thru?
>
>Technical Support | ==== eCommerce and Beyond ====

I thought that the $ was the problem too at first. But then it worked
with just a single :

It worked on .db files which allowed ANYONE to find and look at our
users.db file. OUCH!

I tried to do the same thing on the Pacific-Coast server and that of
several others that I know run WebCat or Typhoon, including some of our
other servers here. It only was valid in the one instance on this machine
that we were still running Webstar 2.0 on along with Netcloak. I upgraded
WebStar to 2.1 and deleted Netcloak.

Problem solved. But I sure was in a panic when I could type
http://secure.ims1.com/webcatalog/users.db::$data and get a complete list
of users, passwords and groups!

Anyone who is still using WebStar 2.0, Netcloak and WebCatalog 2.0 on a
Macintosh should be made aware that their setup may not be secure. People
can get your admin passwords and then track down any credit card numbers
from online stores. I am not sure if this is a problem with WebStar or
Netcloak, but I am sure that the problem is real and it does not exist with
NetCloak removed and Webstar updated to 2.1 or greater.

Thanks, Paul

Paul Uttermohlen, Internet Marketspace, Inc.
mailto:paul@ims1.com - Website Development - Business - Real Estate - Websites - Children
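As an added example, not code from the original message or from the WebDNA/WebStar products, here is the defender's view of the failure Paul describes: a suffix-keyed handler mapping that stops seeing `.db` once `::$data` is appended and so serves the file raw, the canonicalising check that closes the gap, and a scan over constructed log lines for such requests. The handler names, the `INTERPRETED_EXTENSIONS` set and the sample log are assumptions for illustration.

```python
import os
import re
from typing import List
from urllib.parse import unquote

# A "::stream" suffix appended to a file name, e.g. users.db::$data. The stream
# name is matched case-insensitively because the message reports both
# ::$DATA and ::$data getting through.
STREAM_SUFFIX = re.compile(r"::\$?[A-Za-z0-9_]*$", re.IGNORECASE)

# Extensions that must always go to the WebDNA interpreter, never be served as
# raw bytes. Assumed set for this example; the report's setup mapped .tmpl and .db.
INTERPRETED_EXTENSIONS = {".tmpl", ".db"}


def naive_handler(request_path: str) -> str:
    """Suffix mapping the way the vulnerable setup behaved: the handler is chosen
    from whatever follows the last dot, so 'users.db::$data' no longer ends in
    '.db' and falls through to the raw-file handler (the disclosure)."""
    ext = os.path.splitext(request_path)[1].lower()
    return "webcatalog" if ext in INTERPRETED_EXTENSIONS else "rawfile"


def hardened_handler(request_path: str) -> str:
    """Canonicalise before mapping: percent-decode, drop the query string,
    reject any stream suffix outright, then map on the real extension."""
    path = unquote(request_path.split("?", 1)[0])
    if STREAM_SUFFIX.search(path):
        return "reject"
    ext = os.path.splitext(path)[1].lower()
    return "webcatalog" if ext in INTERPRETED_EXTENSIONS else "rawfile"


# Request path inside a Common Log Format line.
LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from the original message).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/1998:10:01:02 -0800] "GET /webcatalog/users.db::$data HTTP/1.0" 200 4310',
    '10.0.0.5 - - [12/Mar/1998:10:01:09 -0800] "GET /webcatalog/login.tmpl HTTP/1.0" 200 1820',
    '10.0.0.7 - - [12/Mar/1998:10:02:44 -0800] "GET /images/logo.gif::$DATA HTTP/1.0" 200 900',
    '10.0.0.7 - - [12/Mar/1998:10:03:01 -0800] "GET /webcatalog/index.tmpl%3A%3A%24DATA HTTP/1.0" 200 3000',
]


def flag_bypass_requests(log_lines: List[str]) -> List[str]:
    """Return decoded request paths that carry a stream suffix on a file the
    interpreter should have handled: exactly the raw-disclosure pattern above."""
    hits = []
    for line in log_lines:
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        raw = unquote(m.group(1).split("?", 1)[0])
        if hardened_handler(raw) == "reject" and naive_handler(STREAM_SUFFIX.sub("", raw)) == "webcatalog":
            hits.append(raw)
    return hits
```

A `.gif` with a stream suffix is not flagged here because the raw handler would have served it anyway; widen the check if you want every `::` suffix reported.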
Paul Uttermohlen