[WebDNA] heads up - are your sandbox prefs broken? (If not, are you vulnerable to formvar hacks?)

This WebDNA talk-list message is from 2011. It keeps the original formatting.
Hey guys

You well remember the security hole when someone passes a GET or POST formvar named after a WebDNA wrapper tag.. well someone (or everyone) please help me confirm an issue that I am amazed that I seem to be the first one to discover, and which I am guessing is affecting more than just my 3 clients I have on one host (have not checked my other clients/hosts yet):

** Step 1.) Install (input and *save*) some version of the security patch code in your pre-parse script (if you have not already), like e.g. this one Donovan came up with (which is more compact and likely less CPU-intensive than the other one that was floating on this list before):

[formvariables name=text][redirect url=index.html][/formvariables]

[text]t_commands=|[url]![/url]|addfields|addlineitem|append|appendfile|applescript|arrayget|arrayset|authenticate|boldwords|browsername|calcfilecrc32|capitalize|cart|case|clearlineitems|closedatabase|command|commitdatabase|convertchars|convertwords|copyfile|copyfolder|countchars|countwords|createfolder|date|ddeconnect|ddesend|decrypt|delete|deletefile|deletefolder|dos|elapsedtime|else|encrypt|exclusivelock|filecompare|fileinfo|findstring|flushcache|flushdatabases|format|formvariables|founditems|freememory|function|getchars|getcookie|getmimeheader|grep|hideif|html1|html2|html3|httpmethod|if|include|input|interpret|ipaddress|issecureclient|lastautonumber|lastrandom|lineitems|listchars|listcookies|listdatabases|listfields|listfiles|listmimeheaders|listpath|listvariables|listwords|lookup|loop|lowercase|math|middle|movefile|object|orderfile|password|platform|product|protect|purchase|random|raw|redirect|referrer|removehtml|removelineitem|replace|replacefounditems|return|returnraw|scope|search|sendmail|setcookie|setheader|setlineitem|setmimeheader|shell|showif|shownext|spawn|sql|sqlconnect|sqldisconnect|sqlexecute|sqlinfo|sqlrelease|sqlresult|switch|table|tcpconnect|tcpsend|then|thisurl|time|unurl|uppercase|url|username|validcard|version|waitforfile|writefile|xmlnode|xmlnodes|xmlnodesattributes|xmlparse|xsl|xslt|[/text]

[formvariables]
[showif [t_commands]^|[url][name][/url]|]
[redirect url=index.html]
[/showif]
[/formvariables]

** Step 2.) Now try to alter one of your sandbox preferences, and save them. You can even just leave every pref. set as it is... just save them.

If you experience what I seem to be experiencing.. then you find that instead of saving, you got redirected to wherever your patch (above) said to redirect when an 'illegal' formvar was passed.

?! The internal pref-saving sandbox form submits a form var named after a WebDNA tag??

I have not tried this on my WebDNA 7 local install yet.. nor on any version 6- install that does not use a sandbox.. but so far the issue is confirmed on one machine running WebDNA version 6, and on another machine running WebDNA version 6.2 - both using sandboxes.

IIRC the host I am lately working with told me that he tried it on his master WebDNA pref-saving form and the issue arises there too.. implying the issue is not only in sandboxes.

My first thought was just to confirm the issue with you all here. Please try it!

My second thought, as a workaround, was to set up a conditional in the pre-parse script that checks [thisurl] to see if we are in the sandbox admin area or not.. before applying our patch.

My third thought is to look again if I can find the formvar in the pref-saving form which is actually causing the patch to fire a [redirect] (my first glance did not find it), and where.

Your thoughts?

-Govinda

Associated Messages, from the most recent to the oldest:

  1. [WebDNA] heads up - are your sandbox prefs broken? (If not, are you vulnerable to formvar hacks?) (Govinda 2011)
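As an added example (not code from the post, from Donovan's patch, or from WebDNA itself), the check the patch performs and the workaround Govinda proposes are modelled below in Python so they can be tried offline: a request is rejected when a GET/POST variable name equals a tag name in a pipe-delimited blocklist, and the check is skipped for a request URL under an admin prefix. The blocklist is a short subset of the tags in the message, and every path, variable name and request is constructed for the demonstration; the exempt prefix is a hypothetical value.

```python
"""Model of the pre-parse formvar check discussed in the message.

Added example, not code from the talk-list post or from WebDNA. It
re-implements the logic of the patch quoted in the message (reject a
request when a form variable name equals a tag name in a pipe-delimited
blocklist) and the proposed workaround (skip the check for the admin area
by looking at the request URL). All sample data below is constructed.
"""
from urllib.parse import quote

# Short subset of the tag names listed in the patch; a deployment would
# use the full list from the message.
BLOCKED_TAGS = [
    "text", "formvariables", "showif", "hideif", "redirect", "include",
    "interpret", "shell", "sql", "sendmail", "writefile", "deletefile",
    "username", "password", "lookup", "search", "format", "url",
]

# Same layout the patch builds with [text]t_commands=|a|b|...|[/text]:
# leading and trailing pipes, so a hit needs the whole name and never a
# substring ("formatted" must not trip "format").
TAG_LIST = "|" + "|".join(BLOCKED_TAGS) + "|"

# Workaround from the message: a path prefix under which the check is not
# applied. Hypothetical prefix chosen for this example.
EXEMPT_PREFIXES = ("/admin/sandbox/",)


def is_blocked_name(name: str) -> bool:
    """Mirror of [showif [t_commands]^|[url][name][/url]|].

    The name is percent-encoded before the lookup, as the patch does with
    [url], so a '|' inside a variable name cannot line up with the list
    delimiters. Matching is case-insensitive here (an assumption; the
    patch leaves the comparison to WebDNA).
    """
    needle = "|" + quote(name, safe="").lower() + "|"
    return needle in TAG_LIST


def check_request(path: str, form: dict) -> dict:
    """Decide what the pre-parse script would do for one request.

    Returns {"action": "pass" | "redirect", "offending": [...], "reason": str};
    'redirect' stands in for the patch's [redirect url=index.html].
    """
    if path.startswith(EXEMPT_PREFIXES):
        return {"action": "pass", "offending": [], "reason": "exempt path"}
    offending = [n for n in form if is_blocked_name(n)]
    if offending:
        return {"action": "redirect", "offending": offending,
                "reason": "form variable named after a tag"}
    return {"action": "pass", "offending": [], "reason": ""}


# Constructed sample requests (label -> (path, form variables)).
SAMPLES = {
    "ordinary": ("/shop/cart.tpl", {"sku": "A100", "qty": "2"}),
    "override attempt": ("/shop/cart.tpl", {"sku": "A100", "Username": "x"}),
    "substring, not a tag": ("/shop/cart.tpl", {"formatted": "yes"}),
    # Without the [url] step "|sql|sendmail|" would be a false positive.
    "pipe in name": ("/shop/cart.tpl", {"sql|sendmail": "1"}),
    # What the message reports: the pref-saving form itself carries a
    # tag-named variable, so only the URL exemption lets it through.
    "admin prefs, exempt": ("/admin/sandbox/prefs.tpl", {"text": "v", "save": "1"}),
    "admin prefs, not exempt": ("/other/prefs.tpl", {"text": "v", "save": "1"}),
}


def run_samples() -> dict:
    """Evaluate each sample request; returns {label: action}."""
    return {label: check_request(path, form)["action"]
            for label, (path, form) in SAMPLES.items()}


if __name__ == "__main__":
    for label, action in run_samples().items():
        print(f"{label:26s} -> {action}")
```

The URL-based exemption buys back the admin forms at the price of not checking them at all, so keep the prefix as narrow as the actual pref-saving path and rely on the admin area's own authentication behind it. The tighter fix is the third thought in the message: find the one variable the pref-saving form submits and allow only that name on that form, leaving every other tag-named variable blocked there too.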
