Re: Major Security Hole

This WebDNA talk-list message is from 1998 (message number 18837).
>> Oh crap! I get something similar. I can see all of my groups and user
>> names but the passwords appear as a string of weird characters. Now I
>> don't know if the characters can be interpreted or if it is just garbage.
>> I would prefer that nothing gets returned.
>>
>> I get the user group text string returned if I request:
>>
>> http://server.com/webcatalog/users.db::$data
>>
>> I also get the text string returned if I only request:
>>
>> http://server.com/webcatalog/users.db:
>>
>> I run a mac - webstar 2.1 and netcloak
>> I do NOT allow all webcatalog commands!

Although this is a *real* security issue, you guys surprise me: you are too trusting.

The first thing I did when I installed WebCatalog was to create two new WebStar realms:

  .db
  webcatalog

I created no users for the .db realm: I don't want anyone to access any .db files.

I created the webcatalog realm with the SAME name and password as the ADMIN user in WebCatalog, otherwise it won't work. This way no one but me has access to the webcatalog folder, and WebStar catches the realm before WebCatalog has a chance to execute it. This way security is doubled.

I have tried your ::$Data URLs on my servers, and I get an authentication dialog.

By the way, I also have realms for

  .log

and any other configuration or password file that resides on my server.

Security is a very complex issue, and you can't just trust the default configuration of the vendor. Paranoia is the keyword here...

Hope this helps,
Charles

_______________________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1  07009 Palma de Mallorca, Spain
_____________________________________________
Tel: +34 971.43.12.77  Fax: +34 971.43.08.18
E-mail: ckefauver@ibacom.es  URL: http://www.ibacom.es/
_____________________________________________
Public PGP signature (Clave publica PGP): http://www.ibacom.es/PGP/kefauver.txt
_______________________________________________________________

Associated Messages, from the most recent to the oldest:

    
  1. Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998)
  2. Re: Major Security Hole (Kenneth Grome 1998)
  3. Re: Major Security Hole (Peter Ostry 1998)
  4. Re: Major Security Hole (Paul Uttermohlen 1998)
  5. Re: Major Security Hole (solution with Welcome) (Peter Ostry 1998)
  6. Re: Major Security Hole (Charles Kefauver 1998)
  7. Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998)
  8. Re: Major Security Hole (PCS Technical Support 1998)
  9. Re: Major Security Hole (Peter Ostry 1998)
  10. Re: Major Security Hole (Dan Tryon 1998)
  11. Re: Major Security Hole (Jim Turney 1998)
  12. Re: Major Security Hole (Peter Ostry 1998)
  13. Re: Major Security Hole (Paul Uttermohlen 1998)
  14. Re: Major Security Hole (Bob Minor 1998)
  15. Re: Major Security Hole (Dan Tryon 1998)
  16. Re: Major Security Hole (Brian Willson 1998)
  17. Re: Major Security Hole (Britt T. 1998)
  18. Re: Major Security Hole (Paul Uttermohlen 1998)
  19. Re: Major Security Hole (Dave MacLeay 1998)
  20. Re: Major Security Hole (Bob Minor 1998)
  21. Re: Major Security Hole (Peter Ostry 1998)
  22. Re: Major Security Hole (PCS Technical Support 1998)
  23. Major Security Hole (Paul Uttermohlen 1998)
  24. Re: Major Security Hole IIS NT (Bob Minor 1998)
  25. Re: Major Security Hole IIS NT (greg 1998)
  26. Re: Major Security Hole IIS NT (Kenneth Grome 1998)
  27. Re: Major Security Hole IIS NT (Kenneth Grome 1998)
  28. RE: Major Security Hole IIS NT (PCS Technical Support 1998)
  29. RE: Major Security Hole IIS NT (Olin 1998)
  30. Re: Major Security Hole IIS NT (Bob Minor 1998)
  31. Re: Major Security Hole IIS NT (PCS Technical Support 1998)
  32. Re: Major Security Hole IIS NT (Bob Minor 1998)
  33. Re: Major Security Hole IIS NT (Peter Ostry 1998)
  34. Re: Major Security Hole IIS NT (Bob Minor 1998)
  35. Re: Major Security Hole IIS NT (Bob Minor 1998)
  36. Major Security Hole IIS NT (Bob Minor 1998)
  37. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  38. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  39. Re: Major Security Hole IIS NT (Chuck Wall 1998)
  40. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  41. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  42. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  43. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
Charles Kefauver
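The realm scheme Charles describes (a front-door check on the web server that demands credentials for any .db or .log file and for the whole webcatalog folder, before the application ever sees the request), as an added example written for this page and not code from the post, from WebStar or from WebCatalog. The point it adds to the discussion is the normalisation step: the quoted URLs show the same file being requested as `users.db::$data` and `users.db:`, so a realm matcher that compares the raw path against `.db` would let both through. The realm table, the rule that a file-suffix realm takes precedence over a folder realm, the `:`-suffix stripping and the sample requests are all constructed assumptions, not WebStar's actual matching logic.

```python
"""
Path-based realm check modelled on the talk-list post (added example; the realm
names, matching rules and sample requests are constructed, not WebStar's own).
"""
import posixpath
from typing import Dict, FrozenSet, Optional
from urllib.parse import unquote

# Constructed realm table in the spirit of the post: suffix realms with no
# members at all (nobody may fetch a .db or .log file over HTTP), and a folder
# realm whose only member is the admin account used by the application.
REALM_USERS: Dict[str, FrozenSet[str]] = {
    ".db": frozenset(),
    ".log": frozenset(),
    "/webcatalog/": frozenset({"admin"}),
}
SUFFIX_REALMS = tuple(r for r in REALM_USERS if not r.startswith("/"))
FOLDER_REALMS = tuple(r for r in REALM_USERS if r.startswith("/"))


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to the form the realms are matched against.

    - the query string is ignored
    - percent-encoding is decoded until the result is stable (double encoding)
    - backslashes count as separators and '..' segments are collapsed, so a
      request cannot step out of a protected folder or back into one
    - everything from the first ':' of the final segment is dropped, so that
      'users.db::$data' and 'users.db:' both resolve to 'users.db'
    - trailing dots and spaces are dropped and the result is lower-cased, since
      the poster's server runs on a case-insensitive filesystem
    """
    path = raw_path.split("?", 1)[0]
    prev = None
    while path != prev:
        prev, path = path, unquote(path)
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)
    head, _, last = path.rpartition("/")
    last = last.split(":", 1)[0].rstrip(". ")
    return (head + "/" + last).lower()


def matching_realm(raw_path: str) -> Optional[str]:
    """Return the realm a request falls into, or None if it is unprotected.

    Suffix realms are checked first so that a .db file inside the webcatalog
    folder is governed by the member-less .db realm, not the folder realm.
    """
    path = canonical_path(raw_path)
    for suffix in SUFFIX_REALMS:
        if path.endswith(suffix):
            return suffix
    for folder in FOLDER_REALMS:
        if path == folder.rstrip("/") or path.startswith(folder):
            return folder
    return None


def decide(raw_path: str, user: Optional[str] = None) -> int:
    """HTTP status the front-end server should answer with before handing the
    request to the application: 200 serve, 401 credentials required,
    403 authenticated but not a member of the realm."""
    realm = matching_realm(raw_path)
    if realm is None:
        return 200
    if user is None:
        return 401
    return 200 if user.lower() in REALM_USERS[realm] else 403


if __name__ == "__main__":
    # Constructed sample requests, including the two variants quoted in the post.
    samples = [
        ("/webcatalog/users.db::$data", None),
        ("/webcatalog/users.db:", None),
        ("/webcatalog/users.db", "admin"),
        ("/WebCatalog/Users.DB", None),
        ("/webcatalog/%2e%2e/access.log", None),
        ("/shop/../webcatalog/index.tpl", None),
        ("/webcatalog/", "admin"),
        ("/index.html", None),
    ]
    for path, user in samples:
        print(f"{decide(path, user)}  {path!r:40} user={user!r} -> {canonical_path(path)}")
```

The two quoted URL forms both canonicalise to `/webcatalog/users.db` and are answered with 401 before any file is read; even the admin account gets 403 on a .db file, because the .db realm has no members, which is exactly the "no users for the .db realm" rule the post sets out. Anything that does not fall in a realm is passed through with 200.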
