Re: [WebDNA] WebDNA code displaying on page

This WebDNA talk-list message is from 2012.
The webdna.us site is vulnerable. http://webdna.us/page.dna?search=-hacked-

FWIW, I have this in my pre-parse script:

[formvariables name=search][redirect /][/formvariables]
[formvariables name=!][redirect /][/formvariables]
[formvariables name=text][redirect /][/formvariables]
[formvariables name=math][redirect /][/formvariables]
[formvariables name=encrypt][redirect /][/formvariables]
[formvariables name=decrypt][redirect /][/formvariables]
[formvariables name=authenticate][redirect /][/formvariables]
[formvariables name=protect][redirect /][/formvariables]
[formvariables name=tcpconnect][redirect /][/formvariables]

It doesn't cover all WebDNA keywords, but catches the primary ones that concern me from a security standpoint. I don't like to add more code than necessary, since it increases the processing time needed for every page load, but you can extend the default list if desired, and can add other keyword tests on specific pages if needed.

- Brian

On Dec 12, 2012, at 11:55 AM, Steve Raslevich wrote:

> Hi Chris,
>
> So is there a fix for 6.2? I am guessing then that the webdna.us site is also still running 6.2?
>
> christophe.billiottet@webdna.us wrote:
>> Exact, that was fixed in WebDNA.fcgi a few years ago
>>
>> - chris
>>
>> On Dec 12, 2012, at 17:44, Terry Wilson wrote:
>>
>>> This exploit was discovered a few years back, but I thought it was
>>> fixed, or a fix was announced or something. I forget.
>>>
>>> Terry
>>>
>>>> Hi,
>>>>
>>>> I am running V6.2 on CentOS 5.8 and have found instances where
>>>> WebDNA code displays on a page if certain WebDNA tags are in the URL.
>>>>
>>>> I thought it was something I was doing but this appears to happen on
>>>> the www.webdna.us site as well.
>>>>
>>>> http://www.webdna.us/page.dna?text=
>>>> takes you to a page that shows only webdna code
>>>>
>>>> http://www.webdna.us/page.dna?numero=56&text=
>>>> adds a line of text above the navigation row in the red background
>>>> (need to mouse over to see it - text is the same color as the red background)
>>>>
>>>> I first experienced this with != and fixed it by putting a
>>>> RewriteRule in an .htaccess file in the site's root folder.
>>>>
>>>> Today I tried a few other tags and found others. I haven't checked
>>>> all the tags, just a handful.
>>>>
>>>> text=
>>>> math=
>>>> format=
>>>>
>>>> Anyone else experience this, have a fix or suggestion?
>>>>
>>>> Thanks,
>>>> Steve
>>>>
>>>> ---------------------------------------------------------
>>>> This message is sent to you because you are subscribed to
>>>> the mailing list.
>>>> To unsubscribe, E-mail to:
>>>> archives: http://mail.webdna.us/list/talk@webdna.us
>>>> Bug Reporting: support@webdna.us
>>>
>>> --
>>> Terry Wilson | terry@terryfic.com | http://terryfic.com
>>> http://WhosComing.com - a simplified, affordable online reservation system
>>> iStockPhoto portfolio - http://www.istockphoto.com/Terryfic3D?refnum=Terryfic3D
>>> --------------------------------------------------------------------------
>>> Attitude is the only difference between ordeal and adventure.

    
Brian Fries
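The mitigation discussed in this thread is a deny-list on request parameter names: Brian's pre-parse [formvariables name=...][redirect /] blocks redirect any request that carries a parameter named like one of the listed WebDNA keywords, and Steve's earlier RewriteRule did the same at the Apache layer for "!=". The following is an added example, not Brian's script and not WebDNA project code: a plain Python model of the same name-only check, plus a pass over access-log lines so the same list can be used to find requests that carried those parameter names. BLOCKED_PARAM_NAMES holds only the names mentioned in the thread; the sample log lines, client addresses and function names are constructed for this example, and the case-insensitive comparison is an assumption made to keep the check conservative.

```python
"""Name-only request-parameter deny-list, modelled on the thread's pre-parse check.

Added example (constructed), not from the WebDNA list or the WebDNA project.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names the thread identifies as troublesome in a URL. The
# pre-parse script matches on the name alone, so this list is all that
# is needed; it is a starting point, not a full catalogue of keywords.
BLOCKED_PARAM_NAMES = frozenset({
    "search", "!", "text", "math", "format",
    "encrypt", "decrypt", "authenticate", "protect", "tcpconnect",
})


def blocked_param_names(url_or_query: str) -> list[str]:
    """Return the parameter names in a URL or bare query string that are on the list.

    keep_blank_values=True is essential: the reported URLs use empty values
    such as ``?text=`` and ``?!=``, which parse_qsl would otherwise drop.
    """
    query = urlsplit(url_or_query).query if "?" in url_or_query else url_or_query
    names = [name for name, _value in parse_qsl(query, keep_blank_values=True)]
    # Assumption: compare case-insensitively so the check does not depend
    # on how the requester cases the parameter name.
    return [n for n in names if n.lower() in BLOCKED_PARAM_NAMES]


def should_redirect(url_or_query: str) -> bool:
    """Mirror of the pre-parse decision: redirect when any blocked name is present."""
    return bool(blocked_param_names(url_or_query))


# Constructed combined-format access-log lines (addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2012:11:55:01 -0500] "GET /page.dna?numero=56 HTTP/1.1" 200 4821
203.0.113.5 - - [12/Dec/2012:11:55:04 -0500] "GET /page.dna?text= HTTP/1.1" 200 912
198.51.100.7 - - [12/Dec/2012:11:56:10 -0500] "GET /page.dna?numero=56&text= HTTP/1.1" 200 4850
198.51.100.7 - - [12/Dec/2012:11:56:12 -0500] "GET /page.dna?search=-hacked- HTTP/1.1" 302 0
203.0.113.9 - - [12/Dec/2012:11:57:00 -0500] "GET /page.dna?!= HTTP/1.1" 200 900
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, request_target, blocked_names) for each line that hits the list."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        names = blocked_param_names(match.group(1))
        if names:
            hits.append((line.split(" ", 1)[0], match.group(1), names))
    return hits


if __name__ == "__main__":
    for ip, target, names in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target} -> blocked parameter name(s): {', '.join(names)}")
```

The check deliberately ignores parameter values, as the pre-parse script does: the thread's reports show that the bare presence of a parameter named like a keyword (including an empty `text=`) is enough to trigger the behaviour, so filtering on values would miss exactly those cases. The 302 in the constructed log is what a request looks like once the redirect is in place; a 200 with a small response size on the same URL is the pattern worth reviewing in older logs.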
