Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites
This WebDNA talk-list message is from 2010
It keeps the original formatting.
Nice, Olin. Got me thinking, and I extended the concept thusly, checking for several bad formvariables that may compromise your site's security:

[formvariables name=search][redirect /][/formvariables]
[formvariables name=!][redirect /][/formvariables]
[formvariables name=text][redirect /][/formvariables]
[formvariables name=math][redirect /][/formvariables]
[formvariables name=encrypt][redirect /][/formvariables]
[formvariables name=decrypt][redirect /][/formvariables]

Brian Fries
BrainScan Software

On Jun 15, 2010, at 1:50 AM, Olin Lagon wrote:

> If you are not using commands in the URL (ex:
> http://yourserver.com/xx.tpl?command=Search&db=SomeDatabase.db&eqNAMEdata=Grant),
> you can fix this easily by putting the following into your Pre-Parse
> Script:
>
> [showif [search]![raw][search][/raw]]
> [redirect /]
> [/showif]
>
> If the variable search is defined at all, the request is rerouted to the
> page of your choice, in this case your homepage.
>
> -----Original Message-----
> From: Donovan Brooke [mailto:dbrooke@euca.us]
> Sent: Monday, June 14, 2010 1:56 PM
> To: talk@webdna.us
> Subject: Re: [WebDNA] Putting '&search' into URL killing all search contexts
> on my sites
>
> Stuart Tremain wrote:
>> I can't replicate that on my sites served from IIS.
>>
>> Regards
>>
>> Stuart Tremain
>> IDFK Web Developments
>> AUSTRALIA
>> webdna@idfk.com.au
>
>
> http://www.idfk.com.au/ourwork.html?search=
>
> It's a bug we should not talk much about publicly.
> The scope of the compromise is definitely limited and depends on
> how one codes their site.. but, as developers, we don't want to spread
> the awareness if we can help it.
>
> I would guess that for most of you and the way you code, your sensitive
> content is safe. If you are really concerned/paranoid, I can offer to
> run some quick tests (when time permits) on a few key templates to let
> you know if I can see any concerns. I don't work for WSC anymore, but
> this was a bug I put on the list quite some time ago.
>
> I suggest this be the last public post about this for the good
> of all of us.
>
> Donovan
>
>
> --
> Donovan Brooke
> Euca Design Center
> [Practical-Ethical-Efficient]
> www.euca.us
> egg.bz
> artglass-forum.com
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list .
> To unsubscribe, E-mail to:
> archives: http://mail.webdna.us/list/talk@webdna.us
> old archives: http://dev.webdna.us/TalkListArchive/
> Bug Reporting: http://forum.webdna.us/eucabb.html?page=topics&category=288
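A model of the Pre-Parse check from Olin's and Brian's replies, added here as an example and not code from the thread. It is written in Python rather than WebDNA so that the blank-value case in the quoted URL (?search=) can be exercised; it assumes form-variable names are matched case-insensitively, which the thread does not state.

```python
"""Model of the 'redirect if a reserved form variable is present' check."""
from urllib.parse import parse_qsl, urlsplit

# The six names the thread's replies treat as dangerous when a client supplies them.
RESERVED_NAMES = frozenset({"search", "!", "text", "math", "encrypt", "decrypt"})


def reserved_variables(query: str) -> list[str]:
    """Return the reserved names present in a raw query string.

    keep_blank_values=True is the important detail: the URL quoted in the
    thread, ?search=, carries an empty value, and parse_qsl silently drops
    such pairs by default. parse_qsl also percent-decodes names, so an
    encoded spelling such as %73earch is seen as 'search'.
    """
    found = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # Assumption: case-insensitive match (the conservative choice).
        if name.lower() in RESERVED_NAMES:
            found.append(name)
    return found


def should_redirect(url: str) -> bool:
    """True when the Pre-Parse script should send this request to '/'."""
    return bool(reserved_variables(urlsplit(url).query))


def naive_should_redirect(url: str) -> bool:
    """Same check with parse_qsl defaults: misses '?search=' entirely."""
    pairs = parse_qsl(urlsplit(url).query)  # keep_blank_values defaults to False
    return any(name.lower() in RESERVED_NAMES for name, _ in pairs)


if __name__ == "__main__":
    # The URL Donovan quoted, plus constructed ones (example.test is a placeholder).
    for u in ("http://www.idfk.com.au/ourwork.html?search=",
              "http://example.test/a.tpl?%73earch=abc",
              "http://example.test/page.tpl?sku=42&qty=1"):
        print(u, "->", "redirect" if should_redirect(u) else "serve",
              "(naive:", "redirect" if naive_should_redirect(u) else "serve", ")")
```

The naive variant is kept only to show the trap: a port of this check that parses the query string with default options would let the exact URL from the thread through.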
Brian Fries