Re: Denying access by IP address

This WebDNA talk-list message is from 2000.
> Don't want to burst your bubble, but there is a security problem with
> your solution. You should use some other method to block IP addresses such
> as any built in to your web server. The problem is, and this has been
> brought to the attention of SM already, session values such as ipaddress and
> referrer that *should not* be editable, can be overridden by adding
> formvariables with the same name. Try this on for size...
> http://www.yourserver.com/protectedfile.tpl?ipaddress=206.251.067.003&referrer=http://gonzo.ofthedayclub.com/
>
> Someone in your unwanted class C could override the [ipaddress] value and
> get in.

This is true, although there's also a workaround that can at least detect this condition, and even expose possible 'hacking' attempts. You can use [FormVariables] to detect when someone is trying to override [ipaddress], and even redirect them to another page *without* sending the fake [ipaddress]:

(untested)

[HideIf [FormVariables name=ipaddress&exact=t][value][/FormVariables]=]
You're trying to hack in!
[redirect http://someURL]
[/HideIf]

When the redirect happens, it is done without an overridden [ipaddress], so on that template you can actually get the real ipaddress from the browser. You could even redirect back to the same template silently, but without the overridden ipaddress.

Technical Support
**********************************
Smith Micro, Internet Solutions Div | eCommerce (WebCatalog)
16855 West Bernardo Drive, #380     | -------------------------
San Diego, CA 92127                 | Software & Site Development
WebCatalog Support: (858) 675-0632  | http://www.smithmicro.com
Fax: (858) 675-0372
**********************************
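The point of the thread is that a request parameter carrying the same name as a server-derived value ([ipaddress], [referrer]) can shadow it, and the support reply's mitigation is to detect the colliding parameter, redirect without it, and read the real address from the clean request. The following is an added example in generic Python, not WebDNA and not code from the thread, showing that pattern in a form that can be run: it flags colliding names case-insensitively, covers referrer as well as ipaddress, rebuilds the URL without the overrides for the silent redirect, and performs the deny-list check against the connection-level address only. The reserved-name set, the check_request function, the deny list and the sample URLs are constructed for illustration and use documentation address ranges.

```python
"""Added illustration of the talk-list point: a form/query parameter named like a
server-derived value ([ipaddress], [referrer]) must never be allowed to shadow it.
Generic Python, not WebDNA; names and sample values below are constructed."""
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Names the server derives from the connection or headers and must not accept from
# the client. Assumption for this example: mirrors [ipaddress] and [referrer] from
# the thread; an application would list every such name it relies on.
RESERVED_NAMES = frozenset({"ipaddress", "referrer"})


def find_overrides(url):
    """Return the (name, value) query pairs whose name collides with a reserved name.

    Matching is case-insensitive so IPAddress=... is caught as well as ipaddress=...
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(name, value) for name, value in pairs if name.lower() in RESERVED_NAMES]


def strip_overrides(url):
    """Rebuild the URL without the colliding parameters, for the 'redirect back to the
    same template silently' step: the redirected request carries no override."""
    parts = urlsplit(url)
    kept = [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name.lower() not in RESERVED_NAMES]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def is_denied(connection_ip, denied_networks):
    """True when the source address falls inside one of the denied networks (CIDR strings)."""
    addr = ip_address(connection_ip)
    return any(addr in ip_network(net) for net in denied_networks)


def check_request(connection_ip, url, denied_networks):
    """Decide how to handle a request. Returns (decision, detail, audit_line).

    decision is "redirect" (the query tried to shadow a reserved value; detail is the
    cleaned URL), "deny" (the real source address is on the deny list; detail is the
    address) or "allow". audit_line is a log line for the override case, else None.
    The address used for the deny check always comes from the connection, never
    from a request parameter.
    """
    overrides = find_overrides(url)
    if overrides:
        names = ",".join(sorted(name for name, _ in overrides))
        audit = "override attempt from %s: params=%s" % (connection_ip, names)
        return "redirect", strip_overrides(url), audit
    if is_denied(connection_ip, denied_networks):
        return "deny", connection_ip, None
    return "allow", connection_ip, None


if __name__ == "__main__":
    # Constructed sample data using documentation address ranges (RFC 5737).
    denied = ["192.0.2.0/24"]          # the "unwanted class C" of the thread
    base = "http://www.example.invalid/protectedfile.tpl"
    for ip, url in [
        ("192.0.2.7", base + "?ipaddress=203.0.113.1&referrer=http://other.invalid/"),
        ("192.0.2.7", base),
        ("198.51.100.5", base + "?item=5"),
    ]:
        print(check_request(ip, url, denied))
```

The design choice worth noting is that the redirect case never consults the deny list: the cleaned URL is served again, and on that second, override-free request the deny check runs against the address the connection actually came from, which is the behaviour the reply describes. The audit line gives the operator a record of the attempt together with the real source address.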