Associated Messages, from the most recent to the oldest:

You include this at the top of all pages:
[!]
Prevent tag hacking
--- START: to plug up the security hole of when URL hacker passes a webdna context name as a formvar ---
[/!][formvariables name=!][redirect /][/formvariables][!]
[/!][formvariables name=addfields][redirect /][/formvariables][!]
[/!][formvariables name=addlineitem][redirect /][/formvariables][!]
[/!][formvariables name=append][redirect /][/formvariables][!]
[/!][formvariables name=appendfile][redirect /][/formvariables][!]
[/!][formvariables name=applescript][redirect /][/formvariables][!]
[/!][formvariables name=arrayget][redirect /][/formvariables][!]
[/!][formvariables name=arrayset][redirect /][/formvariables][!]
[/!][formvariables name=authenticate][redirect /][/formvariables][!]
[/!][formvariables name=boldwords][redirect /][/formvariables][!]
[/!][formvariables name=browsername][redirect /][/formvariables][!]
[/!][formvariables name=calcfilecrc32][redirect /][/formvariables][!]
[/!][formvariables name=capitalize][redirect /][/formvariables][!]
[/!][formvariables name=case][redirect /][/formvariables][!]
[/!][formvariables name=clearlineitems][redirect /][/formvariables][!]
[/!][formvariables name=closedatabase][redirect /][/formvariables][!]
[/!][formvariables name=command][redirect /][/formvariables][!]
[/!][formvariables name=commitdatabase][redirect /][/formvariables][!]
[/!][formvariables name=convertchars][redirect /][/formvariables][!]
[/!][formvariables name=convertwords][redirect /][/formvariables][!]
[/!][formvariables name=copyfile][redirect /][/formvariables][!]
[/!][formvariables name=copyfolder][redirect /][/formvariables][!]
[/!][formvariables name=countchars][redirect /][/formvariables][!]
[/!][formvariables name=countwords][redirect /][/formvariables][!]
[/!][formvariables name=createfolder][redirect /][/formvariables][!]
[/!][formvariables name=date][redirect /][/formvariables][!]
[/!][formvariables name=ddeconnect][redirect /][/formvariables][!]
[/!][formvariables name=ddesend][redirect /][/formvariables][!]
[/!][formvariables name=decrypt][redirect /][/formvariables][!]
[/!][formvariables name=delete][redirect /][/formvariables][!]
[/!][formvariables name=deletefile][redirect /][/formvariables][!]
[/!][formvariables name=deletefolder][redirect /][/formvariables][!]
[/!][formvariables name=dos][redirect /][/formvariables][!]
[/!][formvariables name=elapsedtime][redirect /][/formvariables][!]
[/!][formvariables name=else][redirect /][/formvariables][!]
[/!][formvariables name=encrypt][redirect /][/formvariables][!]
[/!][formvariables name=exclusivelock][redirect /][/formvariables][!]
[/!][formvariables name=filecompare][redirect /][/formvariables][!]
[/!][formvariables name=fileinfo][redirect /][/formvariables][!]
[/!][formvariables name=findstring][redirect /][/formvariables][!]
[/!][formvariables name=flushcache][redirect /][/formvariables][!]
[/!][formvariables name=flushdatabases][redirect /][/formvariables][!]
[/!][formvariables name=format][redirect /][/formvariables][!]
[/!][formvariables name=formvariables][redirect /][/formvariables][!]
[/!][formvariables name=founditems][redirect /][/formvariables][!]
[/!][formvariables name=freememory][redirect /][/formvariables][!]
[/!][formvariables name=function][redirect /][/formvariables][!]
[/!][formvariables name=getchars][redirect /][/formvariables][!]
[/!][formvariables name=getcookie][redirect /][/formvariables][!]
[/!][formvariables name=getmimeheader][redirect /][/formvariables][!]
[/!][formvariables name=grep][redirect /][/formvariables][!]
[/!][formvariables name=hideif][redirect /][/formvariables][!]
[/!][formvariables name=html1][redirect /][/formvariables][!]
[/!][formvariables name=html2][redirect /][/formvariables][!]
[/!][formvariables name=html3][redirect /][/formvariables][!]
[/!][formvariables name=httpmethod][redirect /][/formvariables][!]
[/!][formvariables name=if][redirect /][/formvariables][!]
[/!][formvariables name=include][redirect /][/formvariables][!]
[/!][formvariables name=input][redirect /][/formvariables][!]
[/!][formvariables name=interpret][redirect /][/formvariables][!]
[/!][formvariables name=ipaddress][redirect /][/formvariables][!]
[/!][formvariables name=issecureclient][redirect /][/formvariables][!]
[/!][formvariables name=lastautonumber][redirect /][/formvariables][!] (the posted version had the typo "lastautonumner", which would never match)
[/!][formvariables name=lastrandom][redirect /][/formvariables][!]
[/!][formvariables name=lineitems][redirect /][/formvariables][!]
[/!][formvariables name=listchars][redirect /][/formvariables][!]
[/!][formvariables name=listcookies][redirect /][/formvariables][!]
[/!][formvariables name=listdatabases][redirect /][/formvariables][!]
[/!][formvariables name=listfields][redirect /][/formvariables][!]
[/!][formvariables name=listfiles][redirect /][/formvariables][!]
[/!][formvariables name=listmimeheaders][redirect /][/formvariables][!]
[/!][formvariables name=listpath][redirect /][/formvariables][!]
[/!][formvariables name=listvariables][redirect /][/formvariables][!]
[/!][formvariables name=listwords][redirect /][/formvariables][!]
[/!][formvariables name=lookup][redirect /][/formvariables][!]
[/!][formvariables name=loop][redirect /][/formvariables][!]
[/!][formvariables name=lowercase][redirect /][/formvariables][!]
[/!][formvariables name=math][redirect /][/formvariables][!]
[/!][formvariables name=middle][redirect /][/formvariables][!]
[/!][formvariables name=movefile][redirect /][/formvariables][!]
[/!][formvariables name=object][redirect /][/formvariables][!]
[/!][formvariables name=orderfile][redirect /][/formvariables][!]
[/!][formvariables name=password][redirect /][/formvariables][!]
[/!][formvariables name=platform][redirect /][/formvariables][!]
[/!][formvariables name=product][redirect /][/formvariables][!]
[/!][formvariables name=protect][redirect /][/formvariables][!]
[/!][formvariables name=purchase][redirect /][/formvariables][!]
[/!][formvariables name=random][redirect /][/formvariables][!]
[/!][formvariables name=raw][redirect /][/formvariables][!]
[/!][formvariables name=redirect][redirect /][/formvariables][!]
[/!][formvariables name=referrer][redirect /][/formvariables][!]
[/!][formvariables name=removehtml][redirect /][/formvariables][!]
[/!][formvariables name=removelineitem][redirect /][/formvariables][!]
[/!][formvariables name=replace][redirect /][/formvariables][!]
[/!][formvariables name=replacefounditems][redirect /][/formvariables][!]
[/!][formvariables name=return][redirect /][/formvariables][!]
[/!][formvariables name=returnraw][redirect /][/formvariables][!]
[/!][formvariables name=scope][redirect /][/formvariables][!]
[/!][formvariables name=search][redirect /][/formvariables][!]
[/!][formvariables name=sendmail][redirect /][/formvariables][!]
[/!][formvariables name=setcookie][redirect /][/formvariables][!]
[/!][formvariables name=setheader][redirect /][/formvariables][!]
[/!][formvariables name=setlineitem][redirect /][/formvariables][!]
[/!][formvariables name=setmimeheader][redirect /][/formvariables][!]
[/!][formvariables name=shell][redirect /][/formvariables][!]
[/!][formvariables name=showif][redirect /][/formvariables][!]
[/!][formvariables name=shownext][redirect /][/formvariables][!]
[/!][formvariables name=spawn][redirect /][/formvariables][!]
[/!][formvariables name=sql][redirect /][/formvariables][!]
[/!][formvariables name=sqlconnect][redirect /][/formvariables][!]
[/!][formvariables name=sqldisconnect][redirect /][/formvariables][!]
[/!][formvariables name=sqlexecute][redirect /][/formvariables][!]
[/!][formvariables name=sqlinfo][redirect /][/formvariables][!]
[/!][formvariables name=sqlrelease][redirect /][/formvariables][!]
[/!][formvariables name=sqlresult][redirect /][/formvariables][!]
[/!][formvariables name=switch][redirect /][/formvariables][!]
[/!][formvariables name=table][redirect /][/formvariables][!]
[/!][formvariables name=tcpconnect][redirect /][/formvariables][!]
[/!][formvariables name=tcpsend][redirect /][/formvariables][!]
[/!][formvariables name=text][redirect /][/formvariables][!]
[/!][formvariables name=then][redirect /][/formvariables][!]
[/!][formvariables name=thisurl][redirect /][/formvariables][!]
[/!][formvariables name=time][redirect /][/formvariables][!]
[/!][formvariables name=unurl][redirect /][/formvariables][!]
[/!][formvariables name=uppercase][redirect /][/formvariables][!]
[/!][formvariables name=url][redirect /][/formvariables][!]
[/!][formvariables name=username][redirect /][/formvariables][!]
[/!][formvariables name=validcard][redirect /][/formvariables][!]
[/!][formvariables name=version][redirect /][/formvariables][!]
[/!][formvariables name=waitforfile][redirect /][/formvariables][!]
[/!][formvariables name=writefile][redirect /][/formvariables][!]
[/!][formvariables name=xmlnode][redirect /][/formvariables][!]
[/!][formvariables name=xmlnodes][redirect /][/formvariables][!]
[/!][formvariables name=xmlnodesattributes][redirect /][/formvariables][!]
[/!][formvariables name=xmlparse][redirect /][/formvariables][!]
[/!][formvariables name=xsl][redirect /][/formvariables][!]
[/!][formvariables name=xslt][redirect /][/formvariables][!]
--- END: to plug up the security hole of when URL hacker passes a webdna context name as a formvar ---
[/!]
Daniel Meola
301-486-0901
On Wed, Dec 12, 2012 at 2:44 PM, Terry Wilson <terry@terryfic.com> wrote:

This exploit was discovered a few years back, but I thought it was fixed, or a fix was announced or something. I forget.

Terry
Hi,
I am running V6.2 on CentOS 5.8 and have found instances where WebDNA code displays on a page if certain WebDNA tags are in the URL.
I thought it was something I was doing but this appears to happen on the www.webdna.us site as well.
http://www.webdna.us/page.dna?text=
takes you to a page that shows only webdna code
http://www.webdna.us/page.dna?numero=56&text=
adds a line of text above the navigation row in the red background (need to mouse over to see it - text is same color as red background)
I first experienced this with != and fixed it by putting a RewriteRule in an .htaccess file in the site's root folder
Today I tried a few other tags and found others. I haven't checked all the tags, just a handful.
text=
math=
format=
Anyone else experience this, have a fix or suggestion?
Thanks,
Steve
---------------------------------------------------------
This message is sent to you because you are subscribed to
the mailing list <talk@webdna.us>.
To unsubscribe, E-mail to: <talk-leave@webdna.us>
archives: http://mail.webdna.us/list/talk@webdna.us
Bug Reporting: support@webdna.us
Terry Wilson | terry@terryfic.com | http://terryfic.com
http://WhosComing.com - a simplified, affordable online reservation system
iStockPhoto portfolio - http://www.istockphoto.com/Terryfic3D?refnum=Terryfic3D
--------------------------------------------------------------------------
Attitude is the only difference between ordeal and adventure.
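Added example, not code from this thread or from the WebDNA project. The posted denylist handles the problem inside the template; Steve's report mentions an .htaccess RewriteRule without showing one. The Python below keeps a single list of context names and uses it three ways: to build the probe URLs from the report (page.dna?text=), to flag a response body that still contains unrendered WebDNA tags, and to generate the mod_rewrite rules that reject a request whose query string carries a parameter named after a context. The CONTEXTS list is a short subset of the names in the posted denylist, the response bodies are constructed rather than captured from webdna.us, and the function names are mine.

```python
"""Added example for the WebDNA "context name as form variable" issue.

Not code from the talk-list thread or from the WebDNA project. Assumptions:
  * CONTEXTS is a subset of the names in the posted denylist,
  * the sample response bodies are constructed, not captured,
  * an affected page echoes raw [tag]...[/tag] markup instead of HTML.
"""
import re
from typing import Iterable, List

# Subset of the WebDNA context names from the denylist posted in the thread.
# For real use, extend it with the full list from that post.
CONTEXTS = ["!", "text", "math", "format", "include", "shell", "sql", "writefile"]


def probe_urls(base_url: str, names: Iterable[str] = CONTEXTS) -> List[str]:
    """One request URL per context name, as in the report
    (http://www.webdna.us/page.dna?text=)."""
    return [f"{base_url}?{name}=" for name in names]


def leaked_contexts(body: str, names: Iterable[str] = CONTEXTS) -> List[str]:
    """Names that appear as raw WebDNA tags in a response body.

    A correctly rendered page contains no "[text]", "[math 56+1]" or "[/!]";
    finding them means the template was echoed instead of interpreted.
    """
    found = set()
    for name in names:
        # "[name]", "[name ...]" or "[/name]"; matched case-insensitively.
        tag = r"\[/?" + re.escape(name) + r"(?=[\s\]])"
        if re.search(tag, body, flags=re.IGNORECASE):
            found.add(name)
    return sorted(found)


def _cond_pattern(names: Iterable[str]) -> str:
    """Regex for RewriteCond: a parameter *named* after a context, with or
    without a value. mod_rewrite sees QUERY_STRING undecoded, so "!" is
    listed as both "!" and "%21"."""
    alternatives: List[str] = []
    for name in names:
        if name == "!":
            alternatives += ["!", "%21"]
        else:
            alternatives.append(name)  # letters and digits only: nothing to escape
    return "(?:^|&)(?:" + "|".join(alternatives) + ")(?:=|&|$)"


def query_is_blocked(query_string: str, names: Iterable[str] = CONTEXTS) -> bool:
    """Apply the same pattern in Python so the rule can be checked before it
    goes into .htaccess (this pattern uses no PCRE-only syntax)."""
    return re.search(_cond_pattern(names), query_string, flags=re.IGNORECASE) is not None


def htaccess_rules(names: Iterable[str] = CONTEXTS) -> str:
    """mod_rewrite rules rejecting such requests with 403 ([F]) rather than
    the redirect used in the posted WebDNA version, so blocked requests are
    visible in the access log."""
    return "\n".join([
        "RewriteEngine On",
        f"RewriteCond %{{QUERY_STRING}} {_cond_pattern(names)} [NC]",
        "RewriteRule ^ - [F]",
    ])


# Constructed sample responses (not captured from any real server).
LEAKED_BODY = (
    "<html><body>\n"
    "[!] nav [/!]\n"
    "[text]title=Welcome[/text]\n"
    "[math]56+1[/math]\n"
    "</body></html>\n"
)
CLEAN_BODY = "<html><body><h1>Welcome</h1><p>57</p></body></html>\n"


if __name__ == "__main__":
    for url in probe_urls("http://www.webdna.us/page.dna"):
        print("probe:", url)
    print("leaked:", leaked_contexts(LEAKED_BODY))
    print("clean :", leaked_contexts(CLEAN_BODY))
    print(htaccess_rules())
```

Both the posted WebDNA block and these rules are denylists: a name that is not in the list passes straight through, so run the probe URLs against the server after deploying and treat any non-empty result from leaked_contexts as a gap in the list for that WebDNA version. The pattern anchors on the start of the query string or on "&", so a value such as q=text= is not blocked, only a parameter whose name is the context.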