Re: Denying access by IP address
This WebDNA talk-list message is from 2000
It keeps the original formatting.
numero = 27996
> Don't want to burst your bubble, but there is a security problem with
> your solution. You should use some other method to block IP addresses, such
> as any built into your web server. The problem is, and this has been
> brought to the attention of SM already, that session values such as ipaddress and
> referrer, which *should not* be editable, can be overridden by adding
> formvariables with the same name. Try this on for size...
>
> http://www.yourserver.com/protectedfile.tpl?ipaddress=206.251.067.003&referrer=http://gonzo.ofthedayclub.com/
>
> Someone in your unwanted class C could override the [ipaddress] value and
> get in.

This is true, although there's also a workaround that can at least detect this condition, and even expose possible 'hacking' attempts. You can use [FormVariables] to detect when someone is trying to override [ipaddress], and even redirect them to another page *without* sending the fake [ipaddress]:

(untested)

[HideIf [FormVariables name=ipaddress&exact=t][value][/FormVariables]=]
You're trying to hack in!
[redirect http://someURL]
[/HideIf]

When the redirect happens, it is done without an overridden [ipaddress], so on that template you can actually get the real ipaddress from the browser. You could even redirect back to the same template silently, but without the overridden ipaddress.

Technical Support
**********************************
Smith Micro, Internet Solutions Div | eCommerce (WebCatalog)
16855 West Bernardo Drive, #380     | -------------------------
San Diego, CA 92127                 | Software & Site Development
WebCatalog Support: (858) 675-0632  | http://www.smithmicro.com
Fax: (858) 675-0372
**********************************
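The exchange above describes a general bug, not a WebDNA-only one: a request parameter with the same name as a server-provided value (the client IP, the referrer) shadows it, so an IP-based access check ends up testing a value the attacker typed into the URL. The following Python is an added example, not code from the talk-list message and not WebDNA or WebCatalog API. It models the merge in a small request handler: vulnerable_context() shows the override winning, hardened_context() shows server values winning while recording the collision, and handle_request() applies the reply's suggestion of redirecting back to the same template with the forged parameters stripped. The reserved-name list, the blocked network (taken from the post's example address), the hostnames and the sample request are all constructed for the example.

```python
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Names the server sets from the connection; the client must never be able to
# set them. Hypothetical list for this example, modelled on the post.
RESERVED = {"ipaddress", "referrer"}

# Constructed: the "unwanted class C" from the post, derived from its example IP.
BLOCKED_NET = ipaddress.ip_network("206.251.67.0/24")


def normalize_ip(ip):
    """Parse a dotted quad octet by octet, so the zero-padded form used in the
    post ('206.251.067.003') compares equal to '206.251.67.3'. A plain
    ipaddress.ip_address() rejects leading zeros on current Python."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("not a dotted quad: %r" % ip)
    return ipaddress.IPv4Address(".".join(str(int(o)) for o in octets))


def vulnerable_context(server_vars, query):
    """The bug the first poster describes: request parameters are merged on top
    of server-provided values, so ?ipaddress=... silently replaces the real one."""
    ctx = dict(server_vars)
    for name, value in parse_qsl(query, keep_blank_values=True):
        ctx[name] = value
    return ctx


def hardened_context(server_vars, query):
    """Server values always win. A request parameter that collides with a
    reserved name is kept out of the context and returned separately so the
    caller can log it or redirect, as the reply suggests."""
    ctx = dict(server_vars)
    overrides = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in RESERVED:
            overrides[name] = value
            continue
        ctx[name] = value
    return ctx, overrides


def strip_reserved(url):
    """Rebuild the URL without reserved parameters, for a silent redirect back
    to the same template that no longer carries the forged value."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in RESERVED]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def handle_request(server_vars, url):
    """Decide what to do with one request. Returns (action, detail): 'redirect'
    when an override was attempted, 'deny' when the real client IP is in the
    blocked range, otherwise 'allow'."""
    ctx, overrides = hardened_context(server_vars, urlsplit(url).query)
    if overrides:
        # Never act on the forged value; send the client back without it.
        return ("redirect", strip_reserved(url))
    if normalize_ip(ctx["ipaddress"]) in BLOCKED_NET:
        return ("deny", ctx["ipaddress"])
    return ("allow", ctx["ipaddress"])


if __name__ == "__main__":
    # Constructed scenario: a client inside the blocked class C forges ipaddress.
    server = {"ipaddress": "206.251.067.003", "referrer": ""}
    forged = ("http://www.yourserver.com/protectedfile.tpl"
              "?ipaddress=198.51.100.7&referrer=http://gonzo.ofthedayclub.com/&page=2")
    print("vulnerable merge sees:", vulnerable_context(server, urlsplit(forged).query)["ipaddress"])
    print("hardened handler does:", handle_request(server, forged))
    print("after the redirect:", handle_request(server, strip_reserved(forged)))
```

The detect-and-redirect step mirrors the reply's [HideIf]/[redirect] idea, but the real fix is the merge order in hardened_context(): if client parameters can never shadow server-set names, the check on [ipaddress] is sound whether or not the attacker is noticed. Matching on name.lower() covers case variants of the reserved names, which the exact-match form lookup in the post would miss.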