Re: Major Security Hole

This WebDNA talk-list message is from 1998.
>>BUT Macs are susceptible to this as well! And you can't, or at least I
>>couldn't, map .tmpl::$DATA to webcatalog. It still reveals the WebDNA tags.
>>NOT good if you are showing and hiding text based on passwords like [showif
>>[password]=3294.bob]. Now it becomes simple to find the once hidden
>>passwords.
>
>Yes, the $ is the problem here, but I don't see your symptom. When I type
>a URL like that I get password-challenged (because $DATA is not one of the
>commands WebCatalog allows without a password). Do you have your
>WebCatalog preferences set up to only allow certain $commands, or do you
>let them all thru?
>
>Technical Support | ==== eCommerce and Beyond ====

I thought that the $ was the problem too at first. But then it worked with just a single :

It worked on .db files, which allowed ANYONE to find and look at our users.db file. OUCH!

I tried to do the same thing on the Pacific-Coast server and that of several others that I know run WebCat or Typhoon, including some of our other servers here. It only was valid in the one instance on this machine that we were still running Webstar 2.0 on along with Netcloak. I upgraded WebStar to 2.1 and deleted Netcloak. Problem solved. But I sure was in a panic when I could type http://secure.ims1.com/webcatalog/users.db::$data and get a complete list of users, passwords and groups!

Anyone who is still using WebStar 2.0, Netcloak and WebCatalog 2.0 on a Macintosh should be made aware that their setup may not be secure. People can get your admin passwords and then track down any credit card numbers from online stores. I am not sure if this is a problem with WebStar or Netcloak, but I am sure that the problem is real and it does not exist with NetCloak removed and Webstar updated to 2.1 or greater.

Thanks,
Paul

Paul Uttermohlen, Internet Marketspace, Inc.
mailto:paul@ims1.com - Website Development
Business - Real Estate - Websites - Children

Associated Messages, from the most recent to the oldest:

    
  1. Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998)
  2. Re: Major Security Hole (Kenneth Grome 1998)
  3. Re: Major Security Hole (Peter Ostry 1998)
  4. Re: Major Security Hole (Paul Uttermohlen 1998)
  5. Re: Major Security Hole (solution with Welcome) (Peter Ostry 1998)
  6. Re: Major Security Hole (Charles Kefauver 1998)
  7. Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998)
  8. Re: Major Security Hole (PCS Technical Support 1998)
  9. Re: Major Security Hole (Peter Ostry 1998)
  10. Re: Major Security Hole (Dan Tryon 1998)
  11. Re: Major Security Hole (Jim Turney 1998)
  12. Re: Major Security Hole (Peter Ostry 1998)
  13. Re: Major Security Hole (Paul Uttermohlen 1998)
  14. Re: Major Security Hole (Bob Minor 1998)
  15. Re: Major Security Hole (Dan Tryon 1998)
  16. Re: Major Security Hole (Brian Willson 1998)
  17. Re: Major Security Hole (Britt T. 1998)
  18. Re: Major Security Hole (Paul Uttermohlen 1998)
  19. Re: Major Security Hole (Dave MacLeay 1998)
  20. Re: Major Security Hole (Bob Minor 1998)
  21. Re: Major Security Hole (Peter Ostry 1998)
  22. Re: Major Security Hole (PCS Technical Support 1998)
  23. Major Security Hole (Paul Uttermohlen 1998)
  24. Re: Major Security Hole IIS NT (Bob Minor 1998)
  25. Re: Major Security Hole IIS NT (greg 1998)
  26. Re: Major Security Hole IIS NT (Kenneth Grome 1998)
  27. Re: Major Security Hole IIS NT (Kenneth Grome 1998)
  28. RE: Major Security Hole IIS NT (PCS Technical Support 1998)
  29. RE: Major Security Hole IIS NT (Olin 1998)
  30. Re: Major Security Hole IIS NT (Bob Minor 1998)
  31. Re: Major Security Hole IIS NT (PCS Technical Support 1998)
  32. Re: Major Security Hole IIS NT (Bob Minor 1998)
  33. Re: Major Security Hole IIS NT (Peter Ostry 1998)
  34. Re: Major Security Hole IIS NT (Bob Minor 1998)
  35. Re: Major Security Hole IIS NT (Bob Minor 1998)
  36. Major Security Hole IIS NT (Bob Minor 1998)
  37. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  38. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  39. Re: Major Security Hole IIS NT (Chuck Wall 1998)
  40. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  41. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  42. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  43. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
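The report in Paul Uttermohlen's message above comes down to one thing a defender can check: a request that appends a colon suffix (`::$data`, `::$DATA`, or, as he notes, a single `:`) to a `.db` or `.tmpl` name was handed the raw file instead of being interpreted or password-challenged. The script below is an added example for this thread, not code from the talk list, WebCatalog, WebStar or NetCloak. It normalizes a request path by stripping any such suffix before a handler decision is made, and it scans Common Log Format access lines for suffixed requests, flagging those that hit a protected file type. The log lines, hosts and the CLF field layout are constructed assumptions; adjust the regex to whatever your server actually writes.

```python
"""Detect requests that append a ':' / '::$DATA' stream suffix to a file name.

Added example for this thread; it is not code from the talk list, WebCatalog
or WebStar. It assumes Common Log Format access logs. Sample hosts, paths and
log lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# A file extension followed by one or more colons and an optional stream name
# such as $DATA. ':+' because the post reports that a single colon was enough;
# the character classes already cover both '$DATA' and '$data'.
COLON_SUFFIX = re.compile(r"\.[A-Za-z0-9]{1,8}(?P<suffix>:+\$?[A-Za-z0-9_]*)$")

# File types whose raw contents must never be served verbatim: the users.db
# database and the .tmpl templates mentioned in the post.
PROTECTED_EXTENSIONS = (".db", ".tmpl")

# Common Log Format (assumed field layout; adjust for your server's log format).
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')


def normalize_path(path: str) -> str:
    """Percent-decode the path, drop any query string and strip every
    ':<stream>' suffix so the handler decision is made on the real file name."""
    decoded = unquote(path).split("?", 1)[0]
    while True:
        m = COLON_SUFFIX.search(decoded)
        if m is None:
            return decoded
        decoded = decoded[: m.start("suffix")]


def is_stream_suffix_request(path: str) -> bool:
    """True when the request path carries a colon or ::$DATA style suffix."""
    return COLON_SUFFIX.search(unquote(path).split("?", 1)[0]) is not None


def is_protected(normalized_path: str) -> bool:
    """True when the real file name has an extension that must not be exposed."""
    return normalized_path.lower().endswith(PROTECTED_EXTENSIONS)


def scan_access_log(lines):
    """Return (host, real path, status, protected?) for every suffixed request.
    A 200 on a protected file is the signature of the disclosure in the post."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m is None or not is_stream_suffix_request(m.group("path")):
            continue
        real = normalize_path(m.group("path"))
        hits.append((m.group("host"), real, int(m.group("status")), is_protected(real)))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, invented sizes).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/1998:10:01:02 -0500] "GET /webcatalog/users.db::$data HTTP/1.0" 200 4821',
    '203.0.113.5 - - [12/Mar/1998:10:01:09 -0500] "GET /webcatalog/index.tmpl%3A%3A%24DATA HTTP/1.0" 200 1302',
    '192.0.2.9 - - [12/Mar/1998:10:01:40 -0500] "GET /index.html::$DATA HTTP/1.0" 200 512',
    '198.51.100.7 - - [12/Mar/1998:10:02:00 -0500] "GET /webcatalog/index.tmpl HTTP/1.0" 200 1302',
    '198.51.100.7 - - [12/Mar/1998:10:02:30 -0500] "GET /webcatalog/users.db HTTP/1.0" 401 0',
]

if __name__ == "__main__":
    for host, real, status, protected in scan_access_log(SAMPLE_LOG):
        print(f"{host} requested {real} with a stream suffix -> {status}"
              f"{' (PROTECTED FILE)' if protected else ''}")
```

Used in front of a handler, `is_stream_suffix_request` is a reject-or-normalize gate: no legitimate browser request ends a file name with a colon, so refusing such requests outright costs nothing, and `normalize_path` shows the form a server should be matching against its handler map (`.tmpl` to WebCatalog, `.db` to nothing at all) so that a decorated name cannot slip past the mapping. On the detection side, the interesting rows from `scan_access_log` are suffixed requests on protected files that returned 200 rather than 401; the sample set is constructed to contain two of those, matching the `users.db` and `.tmpl` cases the thread describes, and one harmless `.html` hit for contrast.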
