Re: math variable security [MEDIUM LONG]

This WebDNA talk-list message is from

2000


It keeps the original formatting.
numero = 33502
interpreted = N
texte = Bob -I'm sorry that you didn't even read my discussion of form variables vs page variables; it is clear that the distinction eludes you still. The code you posted still will not work, under any version of WebCat, due to errors in the logic. You also do not seem to get the idea that you can take out the [math secure=f]error=0[/math] on the first page and it does nothing to the program flow. You still do not understand that the [math show=f]errors=... does not in any way refer to the variable [errors] on the first page; you are not overriding the value, ever.Just because _you_ cannot see that there is a security problem in allowing users to arbitrarily override page variables, doesn't mean that there isn't. Unlike Perl and ColdFusion, the kind of security breach possible under WebDNA is largely dependent on the programmer; I know of no way to use a buffer overflow to execute arbitrary code on the server. But don't you think that it is a bad idea to allow users to override system variables like [ipaddress], simply by including ?ipaddress=127.000.000.000 in the URL? That was the initial origin of the changes that were made for 4.x. It shouldn't too much imagination to come up with ways to mess with the sites of almost anyone who has posted example code on this list. You may not care if some user can override your variable [IsHighSecurityUser] with something you hadn't considered; I do and Smith Micro does.Grant has stated that it is very difficult, if not impossible, to make math variables insecure; he would have to post the C++ code to prove it, but I can believe that it is likely to be difficult. Get over it; it's not going to be fixed in the next version because it is not a problem now.I don't want you to rewrite your templates in my style. I was trying to show that there is no need to use the secure=f mode at all for new sites, if only because you cannot use it for math variables. I can also report how many errors were found (it's called [countwords]), as well as do lots of neat things that you may not have even dreamed of.You might be interested in reading chapter 5 of Programming Perl (usually referred to as the Camel book, for obvious reasons). It includes a discussion of the importance of Laziness, Impatience, and Hubris in good software design. Laziness is good; False Laziness is bad. John PeacockBob Minor wrote: > > Sorry I don't have an ego so it cannot seem like you are picking on me. I > just like to fix my problems, work logically and build on what I already > have. > > So regardless of wether you see it as lazy or not I don't care, it was a > function of webcat in version 3 and it has been stripped out for no real > reason, other than your supposed security flaw. Regardless of the fact > that I did not use it in critical situations. In fact I claim to be a lazy > programmer. If I can find a better, shorter, way to code then I will use it. > > The code I posted was an example I hacked up to illustrate the point that > there was NO security hole in this. Of course we can pick the code over, or > look at it as a whole. Is there a security hole? Is there a reason to plug a > non-existent(My interpretation) security hole and make previously written > code unusable. > > Here is the code written to compensate for johns corrections and provide a > small amount of comment for arguing logic not the specifics of the code. > > [!]Text Variables set so that other pages can post this information or that > cookies can pull this information and override or reset the variables. I > could post all of my pages here but it has nothing to do with the > concept.[/!] > [text secure=f&multi=t]fname=&lname=[/text] > [!]math variable chosen because thats the way it was in legacy code. The > fact is math and text variables should not function different except for > there obvious problem.[/!] > [math secure=f]error=0[/math] >
> [showif [error]>1][showif > [fname]=]oops this one is blank[/showif][/showif]
> [showif [error]>1][showif > [lname]=]oops this one is blank[/showif][/showif]
> >
> > then on my submitted page I do: > [!]since john couldn't assume that my variable was defined earlier in the > page here it is[/showif] > [formvariables] > [showif [value]=][math show=f]error=error+1[/math][/showif] > [/formvariables] > [showif [error]>0] > [redirect > thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]] > [showif] > [fname] [lname] you done good digging through that form. > > why is this insecure. Who cares if they override my variables? My shovel > works fine. If I decide to make a security program I will be sure to avoid > this possible security hole, but on non secure/unimportant areas, why should > I protect them like fort knox. This is just one example I have hundreds that > work. > > Why would having a feature that is adjustable be a bad thing? > > >> The problem here is that Bob is trying to use the [error] variable to > >> flag which field is missing, but is really only flagging that there is > >> _some_ field missing. To redesign this page, I am going to use WebDNA > >> 3.x logic, nothing fancy. I am going to walk though how I would design > >> this page, rather than just laying it out in a finished form. > > Except I can say We found 7 errors on your page and a host of other > functionality that can exist. My example illustrated the non security issue > of this. Problem is your are picking apart the example code rather than > answering the questions above. > > If WebCat 4.0 can accommodate legacy code without leaving a security hole > then I think it should. It would provide the best of both worlds. Just > because you don't mind making me revisit all of my sites and rewriting the > code to your programming style, doesn't mean I don't. (Picking on you just a > little bit) > > Robert Minor > Director of Internet Services > ------------------------------------------------------------ > Cybermill Communications > http://www.cybermill.com http://www.merchantmaker.com------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://search.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
  2. Re: math variable security [MEDIUM LONG] (John Peacock 2000)
  3. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
Bob -I'm sorry that you didn't even read my discussion of form variables vs page variables; it is clear that the distinction eludes you still. The code you posted still will not work, under any version of WebCat, due to errors in the logic. You also do not seem to get the idea that you can take out the [math secure=f]error=0[/math] on the first page and it does nothing to the program flow. You still do not understand that the [math show=f]errors=... does not in any way refer to the variable [errors] on the first page; you are not overriding the value, ever.Just because _you_ cannot see that there is a security problem in allowing users to arbitrarily override page variables, doesn't mean that there isn't. Unlike Perl and ColdFusion, the kind of security breach possible under WebDNA is largely dependent on the programmer; I know of no way to use a buffer overflow to execute arbitrary code on the server. But don't you think that it is a bad idea to allow users to override system variables like [ipaddress], simply by including ?ipaddress=127.000.000.000 in the URL? That was the initial origin of the changes that were made for 4.x. It shouldn't too much imagination to come up with ways to mess with the sites of almost anyone who has posted example code on this list. You may not care if some user can override your variable [IsHighSecurityUser] with something you hadn't considered; I do and Smith Micro does.Grant has stated that it is very difficult, if not impossible, to make math variables insecure; he would have to post the C++ code to prove it, but I can believe that it is likely to be difficult. Get over it; it's not going to be fixed in the next version because it is not a problem now.I don't want you to rewrite your templates in my style. I was trying to show that there is no need to use the secure=f mode at all for new sites, if only because you cannot use it for math variables. I can also report how many errors were found (it's called [countwords]), as well as do lots of neat things that you may not have even dreamed of.You might be interested in reading chapter 5 of Programming Perl (usually referred to as the Camel book, for obvious reasons). It includes a discussion of the importance of Laziness, Impatience, and Hubris in good software design. Laziness is good; False Laziness is bad. John PeacockBob Minor wrote: > > Sorry I don't have an ego so it cannot seem like you are picking on me. I > just like to fix my problems, work logically and build on what I already > have. > > So regardless of wether you see it as lazy or not I don't care, it was a > function of webcat in version 3 and it has been stripped out for no real > reason, other than your supposed security flaw. Regardless of the fact > that I did not use it in critical situations. In fact I claim to be a lazy > programmer. If I can find a better, shorter, way to code then I will use it. > > The code I posted was an example I hacked up to illustrate the point that > there was NO security hole in this. Of course we can pick the code over, or > look at it as a whole. Is there a security hole? Is there a reason to plug a > non-existent(My interpretation) security hole and make previously written > code unusable. > > Here is the code written to compensate for johns corrections and provide a > small amount of comment for arguing logic not the specifics of the code. > > [!]Text Variables set so that other pages can post this information or that > cookies can pull this information and override or reset the variables. I > could post all of my pages here but it has nothing to do with the > concept.[/!] > [text secure=f&multi=t]fname=&lname=[/text] > [!]math variable chosen because thats the way it was in legacy code. The > fact is math and text variables should not function different except for > there obvious problem.[/!] > [math secure=f]error=0[/math] >
> [showif [error]>1][showif > [fname]=]oops this one is blank[/showif][/showif]
> [showif [error]>1][showif > [lname]=]oops this one is blank[/showif][/showif]
> >
> > then on my submitted page I do: > [!]since john couldn't assume that my variable was defined earlier in the > page here it is[/showif] > [formvariables] > [showif [value]=][math show=f]error=error+1[/math][/showif] > [/formvariables] > [showif [error]>0] > [redirect > thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]] > [showif] > [fname] [lname] you done good digging through that form. > > why is this insecure. Who cares if they override my variables? My shovel > works fine. If I decide to make a security program I will be sure to avoid > this possible security hole, but on non secure/unimportant areas, why should > I protect them like fort knox. This is just one example I have hundreds that > work. > > Why would having a feature that is adjustable be a bad thing? > > >> The problem here is that Bob is trying to use the [error] variable to > >> flag which field is missing, but is really only flagging that there is > >> _some_ field missing. To redesign this page, I am going to use WebDNA > >> 3.x logic, nothing fancy. I am going to walk though how I would design > >> this page, rather than just laying it out in a finished form. > > Except I can say We found 7 errors on your page and a host of other > functionality that can exist. My example illustrated the non security issue > of this. Problem is your are picking apart the example code rather than > answering the questions above. > > If WebCat 4.0 can accommodate legacy code without leaving a security hole > then I think it should. It would provide the best of both worlds. Just > because you don't mind making me revisit all of my sites and rewriting the > code to your programming style, doesn't mean I don't. (Picking on you just a > little bit) > > Robert Minor > Director of Internet Services > ------------------------------------------------------------ > Cybermill Communications > http://www.cybermill.com http://www.merchantmaker.com------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://search.smithmicro.com/ John Peacock

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

all records returned. (1997) Bug? (1997) Re:Emailer and encryption (1997) Your Pay XML / LinkPoint (2005) listfiles-looking for slick solution (1997) Banners (1997) Erotic Sites (1997) WebCat2 several catalogs? (1997) Help: server change went wrong! (2006) Session ID Equivalent (2003) WebCat2 beta 11 - new prefs ... (1997) Archives... (1997) WebDNA SpeedTest Update (2006) Changing price for a SLU based on options (size, etc.) (1997) SSL PROBLEM (1999) First postarg not taking in $Commands (1997) Tech support (2000) [Webcat 2]Next (1997) upgrade? (1997) ShoppingCart removal (2002)