Re: WebCatalog 4.0 has been released!

This WebDNA talk-list message is from 2000.
Under existing 3.x sites, I can override _system variables_ like [IPADDRESS] by simply adding &ipaddress=192.168.000.001 to the command line. That is a big security hole, now plugged in 4.x.

As near as I can tell, the primary use of overriding text variables with incoming form variables is so the programmer can neglect to idiot-check the incoming variables. This is, IMNSHO, bad programming and I view the continued use of such lazy shortcuts as mistakes. The hierarchy was not documented, except on this list, as Grant explained how the code behaved under various circumstances.

I suspect that everyone who stumbled across this behavior on their own did so while uncovering a mistake in their code. They had a text variable in play on a page and accidentally passed a form variable with the same name and couldn't understand why they were getting the wrong value.

Here's a constructive suggestion: if you want to ensure that your data is reasonable, write an include file which does bounds-checking for numeric values. Call it for each of your form variables at the top of the next page like:

[include file=nchk.inc&field=[fname]&max=30&min=1&ref=[referrer]]

and within the include file, make sure the value is set and lies within the bounds; otherwise redirect to an error page.

It might take you a couple of minutes to set up the first time and to program the error page to report the problem and then redirect to the original page. It will improve your code and get you thinking about what your data looks like.

You young pups amaze me with your total disregard for declaring your variables properly, both for documentation and error-checking purposes. I remember when you had to allocate a buffer or register just to do anything ;~)

I don't think that new users should flip that flag until they know what they are doing (and maybe even then). I suspect that WebCat may never have a problem with security holes like ColdFusion, Perl, ASP, IIS, etc. have had, because of the way the basic system operates. But I can just imagine some simple Denial of Service hacks that could cripple a site; what happens if you pass the data from WebCat to a backend server and blow up your order-entry system by replacing the qty field with a string of 25000 nines?

You know what you are doing; do what you want. Just don't make it seem like the security problems aren't important.

John Peacock

Joseph D'Andrea wrote:
>
> I guess we're all going to re-hash the same arguments that were made
> on the beta list when this issue first came up, only now everyone will
> be involved instead of just the beta testers.
>
> First of all, the use of overwriting text variables with incoming form
> variables was not a mistake as you mention above. Nor does it have
> anything to do with hidden form input fields. The technique was
> dependent on the _documented_ WebCat variable hierarchy. The thing is
> that the hierarchy has now changed in 4.0.
>

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list. Web Archive of this list is at: http://search.smithmicro.com/
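An added example, not part of John Peacock's message and not WebCatalog's own code: the two points he makes, re-created in Python rather than WebDNA. `resolve()` is a hypothetical template-variable lookup that can be switched between the 3.x behaviour (a request parameter such as `ipaddress` shadows the server's own value) and the 4.x behaviour (system variables win). `nchk()` is a hypothetical stand-in for the `nchk.inc` include: a numeric form field must be set, be an integer and lie within the given bounds, and an over-long value such as the "25000 nines" is rejected before it ever reaches a backend. The `SYSTEM_VARS` table and the sample query string are constructed for the example.

```python
"""Added example (Python, not WebDNA): the checks argued for in the message.

resolve() models template variable lookup with either precedence order.
nchk() models the bounds-checking include file the message suggests.
All names, values and the sample request are constructed for this example.
"""
import re
from urllib.parse import parse_qs

# Values the server itself knows; a client must never be able to set these.
SYSTEM_VARS = {"ipaddress": "10.0.0.5"}   # constructed: the real client IP

_INT_RE = re.compile(r"[+-]?[0-9]+")


def resolve(name, form, system=SYSTEM_VARS, form_overrides_system=False):
    """Look up a template variable by name (case-insensitive).

    form_overrides_system=True reproduces the 3.x behaviour described in the
    message: a request parameter shadows a system variable of the same name.
    False gives the trusted system value precedence, which is the 4.x fix.
    """
    name = name.lower()
    order = (form, system) if form_overrides_system else (system, form)
    for source in order:
        if name in source:
            return source[name]
    return None


def nchk(field, value, min_val, max_val):
    """Bounds-check one numeric form field, like the nchk.inc include.

    Returns (ok, message); message is empty on success and otherwise
    describes the problem for the error page to report.
    """
    if value is None or value.strip() == "":
        return False, f"{field}: value is not set"
    value = value.strip()
    # Reject over-long input before interpreting it: a 25000-digit string
    # parses fine here but would blow up a fixed-width backend field.
    limit = max(len(str(min_val)), len(str(max_val))) + 1   # +1 for a sign
    if len(value) > limit:
        return False, f"{field}: too many digits"
    if not _INT_RE.fullmatch(value):
        return False, f"{field}: not an integer"
    n = int(value, 10)
    if not min_val <= n <= max_val:
        return False, f"{field}: {n} outside {min_val}..{max_val}"
    return True, ""


def first_values(query):
    """Flatten a query string to {name: first value}, names lower-cased."""
    parsed = parse_qs(query, keep_blank_values=True)
    return {k.lower(): v[0] for k, v in parsed.items()}


def check_request(query, bounds):
    """Validate every bounded field of a request; return all problems found."""
    form = first_values(query)
    problems = []
    for field, (lo, hi) in bounds.items():
        ok, msg = nchk(field, form.get(field), lo, hi)
        if not ok:
            problems.append(msg)
    return problems


if __name__ == "__main__":
    # Constructed request: a client spoofing ipaddress and stuffing qty.
    q = "qty=" + "9" * 25000 + "&ipaddress=192.168.000.001&price=12"
    form = first_values(q)
    print("3.x lookup:", resolve("IPADDRESS", form, form_overrides_system=True))
    print("4.x lookup:", resolve("IPADDRESS", form))
    print(check_request(q, {"qty": (1, 30), "price": (1, 999)}))
```

Running the script shows the 3.x-style lookup returning the client-supplied `192.168.000.001` while the 4.x-style lookup keeps the server's value, and the request check reporting `qty: too many digits` for the padded quantity while the in-range `price` passes. The length check runs before any parsing on purpose: the point of the include is to stop a value at the first page that sees it, not to let it travel to the order-entry system and fail there.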
