Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites

This WebDNA talk-list message is from 2010.


Nice, Olin. Got me thinking, and I extended the concept thusly, checking for several bad formvariables that may compromise your site's security:

[formvariables name=search][redirect /][/formvariables]
[formvariables name=!][redirect /][/formvariables]
[formvariables name=text][redirect /][/formvariables]
[formvariables name=math][redirect /][/formvariables]
[formvariables name=encrypt][redirect /][/formvariables]
[formvariables name=decrypt][redirect /][/formvariables]

Brian Fries
BrainScan Software

On Jun 15, 2010, at 1:50 AM, Olin Lagon wrote:

> If you are not using commands in the URL (ex:
> http://yourserver.com/xx.tpl?command=Search&db=SomeDatabase.db&eqNAMEdata=Grant),
> you can fix this easily by putting the following into your Pre-Parse
> Script:
>
> [showif [search]![raw][search][/raw]]
> [redirect /]
> [/showif]
>
> If the variable search is defined at all, the request is rerouted to the
> page of your choice, in this case your homepage.
>
> -----Original Message-----
> From: Donovan Brooke [mailto:dbrooke@euca.us]
> Sent: Monday, June 14, 2010 1:56 PM
> To: talk@webdna.us
> Subject: Re: [WebDNA] Putting '&search' into URL killing all search contexts
> on my sites
>
> Stuart Tremain wrote:
>> I can't replicate that on my sites served from IIS.
>>
>> Regards
>>
>> Stuart Tremain
>> IDFK Web Developments
>> AUSTRALIA
>> webdna@idfk.com.au
>
>
> http://www.idfk.com.au/ourwork.html?search=
>
> It's a bug we should not talk much about publicly.
> The scope of the compromise is definitely limited and depends on
> how one codes their site.. but, as developers, we don't want to spread
> the awareness if we can help it.
>
> I would guess that for most of you and the way you code, your sensitive
> content is safe. If you are really concerned/paranoid, I can offer to
> run some quick tests (when time permits) on a few key templates to let
> you know if I can see any concerns. I don't work for WSC anymore, but
> this was a bug I put on the list quite some time ago.
>
> I suggest this be the last public post about this for the good
> of all of us.
>
> Donovan
>
>
> --
> Donovan Brooke
> Euca Design Center
> [Practical-Ethical-Efficient]
> www.euca.us
> egg.bz
> artglass-forum.com
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list .
> To unsubscribe, E-mail to:
> archives: http://mail.webdna.us/list/talk@webdna.us
> old archives: http://dev.webdna.us/TalkListArchive/
> Bug Reporting: http://forum.webdna.us/eucabb.html?page=topics&category=288

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites ("Mr. Robert Minor Jr." 2010)
  2. Re: [WebDNA] Putting '&search' into URL killing all search (Alex McCombie 2010)
  3. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Govinda 2010)
  4. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  5. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  6. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Govinda 2010)
  7. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (christophe.billiottet@webdna.us 2010)
  8. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  9. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (christophe.billiottet@webdna.us 2010)
  10. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Marc Thompson 2010)
  11. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Govinda 2010)
  12. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (christophe.billiottet@webdna.us 2010)
  13. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  14. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Brian Fries 2010)
  15. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Govinda 2010)
  16. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Kenneth Grome 2010)
  17. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Govinda 2010)
  18. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  19. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  20. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  21. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites ("Mr. Robert Minor Jr." 2010)
  22. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  23. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  24. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Brian Fries 2010)
  25. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  26. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Kenneth Grome 2010)
  27. RE: [WebDNA] Putting '&search' into URL killing all search contexts on my sites ("Olin Lagon" 2010)
  28. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (christophe.billiottet@webdna.us 2010)
  29. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Stuart Tremain 2010)
  30. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Donovan Brooke 2010)
  31. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Stuart Tremain 2010)
  32. Re: [WebDNA] Putting '&search' into URL killing all search contexts (Tom Duke 2010)
  33. Re: [WebDNA] Putting '&search' into URL killing all search contexts on my sites (christophe.billiottet@webdna.us 2010)
  34. [WebDNA] Putting '&search' into URL killing all search contexts on my sites (Tom Duke 2010)
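The pre-parse check that Olin and Brian describe (redirect to the homepage whenever a request carries a form variable whose name collides with a WebDNA tag), written in Python as an added example rather than code from this thread or from WebDNA itself. The reserved-name list is the one in Brian's post; treating names case-insensitively, also inspecting the POST body, and the `preparse` function name are my assumptions.

```python
from urllib.parse import parse_qsl

# Form-variable names that Brian's Pre-Parse Script redirects on (taken from the post).
RESERVED_NAMES = frozenset({"search", "!", "text", "math", "encrypt", "decrypt"})


def reserved_formvariables(query_string, body=""):
    """Return the reserved names present in the query string or form body, in order seen.

    keep_blank_values=True matters: the URL in the thread is a bare '?search=' with an
    empty value, which parse_qsl would otherwise silently drop.
    """
    found = []
    for source in (query_string, body):
        for name, _value in parse_qsl(source, keep_blank_values=True):
            # Assumption: compare case-insensitively so 'Search=' is caught as well.
            lowered = name.strip().lower()
            if lowered in RESERVED_NAMES and lowered not in found:
                found.append(lowered)
    return found


def preparse(method, query_string, body=""):
    """Pre-parse hook: like the posted scripts, send the request to '/' when a reserved
    name is present; otherwise return None so normal template processing continues.

    Assumption: the raw form body is only inspected for POST requests and has already
    been read into a str of urlencoded form data.
    """
    hits = reserved_formvariables(query_string, body if method == "POST" else "")
    if hits:
        return {"status": "302 Found", "location": "/", "blocked": hits}
    return None


if __name__ == "__main__":
    # Constructed requests: the bare '?search=' from the thread, and a harmless one.
    print(preparse("GET", "search="))          # redirect, blocked=['search']
    print(preparse("GET", "page=3&q=glass"))   # None
```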
