Here is a version Donovan posted I think in Sept. 2011.

----------------------------------------------------------------------
[formvariables name=text][redirect url=index.html][/formvariables]
[text]t_commands=|[url]![/url]|addfields|addlineitem|append|appendfile|applescript|arrayget|arrayset|authenticate|boldwords|browsername|calcfilecrc32|capitalize|cart|case|clearlineitems|closedatabase|command|commitdatabase|convertchars|convertwords|copyfile|copyfolder|countchars|countwords|createfolder|date|ddeconnect|ddesend|decrypt|delete|deletefile|deletefolder|dos|elapsedtime|else|encrypt|exclusivelock|filecompare|fileinfo|findstring|flushcache|flushdatabases|format|format|formvariables|founditems|freememory|function|getchars|getcookie|getmimeheader|grep|hideif|html1|html2|html3|httpmethod|if|include|input|interpret|ipaddress|issecureclient|lastautonumner|lastrandom|lineitems|listchars|listcookies|listdatabases|listfields|listfiles|listmimeheaders|listpath|listvariables|listwords|lookup|lookup|loop|lowercase|math|middle|movefile|object|orderfile|password|platform|product|protect|purchase|random|raw|redirect|referrer|removehtml|removelineitem|replace|replacefounditems|return|returnraw|scope|search|sendmail|setcookie|setheader|setlineitem|setmimeheader|shell|showif|shownext|spawn|sql|sql|sqlconnect|sqldisconnect|sqlexecute|sqlinfo|sqlrelease|sqlresult|switch|table|tcpconnect|tcpsend|then|thisurl|time|unurl|uppercase|url|username|validcard|version|waitforfile|writefile|xmlnode|xmlnodes|xmlnodesattributes|xmlparse|xsl|xslt|[/text]
[formvariables]
[showif [t_commands]^|[url][name][/url]|][redirect url=index.html][/showif]
[/formvariables]
----------------------------------------------------------------------

The version you posted that started this thread looked fine, too, at first glance.

-G

---------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list <talk@webdna.us>.
To unsubscribe, E-mail to: <talk-leave@webdna.us>
archives: http://mail.webdna.us/list/talk@webdna.us
Bug Reporting: support@webdna.us
---------------------------------------------------------

On 2013-09-11, at 9:34 PM, Steve Graham <skgrahamjr@gmail.com> wrote:

> Many of us placed other code to prevent this hole in the webdna pre-parse script.

Can you send it to me or post here?

On Wed, Sep 11, 2013 at 6:57 PM, John Butler <govinda.webdnatalk@gmail.com> wrote:

yes, it seems the coder was preventing the very thing I mentioned in my last post on this thread.

-G

On 2013-09-11, at 7:54 PM, Steve Graham <skgrahamjr@gmail.com> wrote:

This is noHack.db:
contextName
!
addfields
addlineitem
append
appendfile
applescript
arrayget
arrayset
authenticate
boldwords
browsername
calcfilecrc32
capitalize
case
clearlineitems
closedatabase
command
commitdatabase
convertchars
convertwords
copyfile
copyfolder
countchars
countwords
createfolder
date
ddeconnect
ddesend
decrypt
delete
deletefile
deletefolder
dos
elapsedtime
else
encrypt
exclusivelock
filecompare
fileinfo
findstring
flushcache
flushdatabases
format
format
formvariables
founditems
freememory
function
getchars
getcookie
getmimeheader
grep
hideif
html1
html2
html3
httpmethod
if
include
input
interpret
ipaddress
issecureclient
lastautonumner
lastrandom
lineitems
listchars
listcookies
listdatabases
listfields
listfiles
listmimeheaders
listpath
listvariables
listwords
lookup
lookup
loop
lowercase
math
middle
movefile
object
orderfile
password
platform
product
protect
purchase
random
raw
redirect
referrer
removehtml
removelineitem
replace
replacefounditems
return
returnraw
scope
search
sendmail
setcookie
setheader
setlineitem
setmimeheader
shell
showif
shownext
spawn
sql
sql
sqlconnect
sqldisconnect
sqlexecute
sqlinfo
sqlrelease
sqlresult
switch
table
tcpconnect
tcpsend
text
then
thisurl
time
unurl
uppercase
url
username
validcard
version
version
waitforfile
writefile
xmlnode
xmlnodes
xmlnodesattributes
xmlparse
xsl
xslt

On Wed, Sep 11, 2013 at 6:42 PM, Donovan Brooke <dbrooke@webdna.us> wrote:

Steve,
It appears the original coder was trying to stop anyone from trying a context in the URL... however, I'm not sure why that would be desired. We don't know the contents of "noHack.db" so we can't tell you exactly what the coder was trying to protect the site from.

Donovan

--- Original message ---
Subject: [WebDNA] Stop hacking
From: Steve Graham <skgrahamjr@gmail.com>
To: <talk@webdna.us>
Date: Wednesday, 11/09/2013 3:53 PM

I found this code in a webdna site I am fixing. Someone please say if this is necessary or recommended to stop hackers in v7.x or v6.2.1:
[formvariables]
  [!] eqcontextNamedatarq: exact match on the contextName field, with the value required [/!]
  [search db=noHack.db&eqcontextNamedatarq=[url][name][/url]]
    [founditems]
      [redirect /]
    [/founditems]
  [/search]
[/formvariables]
[!] include this file at the top of every page to block hacking when a context name appears as a formvariable name [/!]
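The check both snippets in this thread implement (walk every form variable and bounce the request when the variable's name is itself a WebDNA context name) is easy to get subtly wrong, so here it is modelled in Python as an added example. This is not code from the thread or from WebDNA itself: the name list is copied from the t_commands string in Donovan's version (duplicate entries dropped, the spelling "lastautonumner" kept as posted), while the function names, the case-folding and the sample query strings are this example's own assumptions. Beside the delimited match the thread uses, it also shows what a plain substring match would do to a harmless variable such as "user".

```python
"""Python model of the WebDNA 'noHack' pre-parse check discussed in this thread.

Added example, not code from the thread or from WebDNA: it reproduces the logic
of the two WebDNA snippets (walk every form variable, reject the request when
the variable NAME is itself a WebDNA context/tag name) so the behaviour can be
exercised outside WebDNA. T_COMMANDS is copied from the t_commands string in
Donovan's version. The function names, the case-folding and the sample query
strings are assumptions made for this example.
"""
from urllib.parse import parse_qsl

# Pipe-delimited, the way the WebDNA [text]t_commands=...[/text] holds it.
# The leading/trailing pipes matter: the showif tests for "|name|", which is
# an exact match on the name rather than a substring match.
T_COMMANDS = (
    "|!|addfields|addlineitem|append|appendfile|applescript|arrayget|arrayset|"
    "authenticate|boldwords|browsername|calcfilecrc32|capitalize|cart|case|"
    "clearlineitems|closedatabase|command|commitdatabase|convertchars|"
    "convertwords|copyfile|copyfolder|countchars|countwords|createfolder|date|"
    "ddeconnect|ddesend|decrypt|delete|deletefile|deletefolder|dos|elapsedtime|"
    "else|encrypt|exclusivelock|filecompare|fileinfo|findstring|flushcache|"
    "flushdatabases|format|formvariables|founditems|freememory|function|"
    "getchars|getcookie|getmimeheader|grep|hideif|html1|html2|html3|httpmethod|"
    "if|include|input|interpret|ipaddress|issecureclient|lastautonumner|"
    "lastrandom|lineitems|listchars|listcookies|listdatabases|listfields|"
    "listfiles|listmimeheaders|listpath|listvariables|listwords|lookup|loop|"
    "lowercase|math|middle|movefile|object|orderfile|password|platform|product|"
    "protect|purchase|random|raw|redirect|referrer|removehtml|removelineitem|"
    "replace|replacefounditems|return|returnraw|scope|search|sendmail|"
    "setcookie|setheader|setlineitem|setmimeheader|shell|showif|shownext|spawn|"
    "sql|sqlconnect|sqldisconnect|sqlexecute|sqlinfo|sqlrelease|sqlresult|"
    "switch|table|tcpconnect|tcpsend|then|thisurl|time|unurl|uppercase|url|"
    "username|validcard|version|waitforfile|writefile|xmlnode|xmlnodes|"
    "xmlnodesattributes|xmlparse|xsl|xslt|"
)

# Donovan's version tests for a variable literally named 'text' in a separate
# [formvariables name=text] loop, because [text] is the context the snippet
# itself uses to hold the list. Fold it into the same set here.
BLOCKED_NAMES = frozenset(n for n in T_COMMANDS.split("|") if n) | {"text"}


def form_variable_names(query):
    """Names of the form variables in a URL-encoded query string or POST body.

    parse_qsl percent-decodes the names ('she%6Cl' -> 'shell') and, with
    keep_blank_values, also keeps '?shell=' and a bare '?shell' that carry
    no value, which is exactly the shape a probe for a context name takes.
    """
    return [name for name, _value in parse_qsl(query, keep_blank_values=True)]


def is_blocked(query):
    """True when any form-variable name is a WebDNA context name.

    Exact match (the |name| delimiters) and case-insensitive. The case-folding
    is this example's choice; the thread's snippets compare the name as received.
    """
    return any(name.casefold() in BLOCKED_NAMES for name in form_variable_names(query))


def first_blocked_name(query):
    """The name that tripped the list, worth logging before the redirect; None if clean."""
    for name in form_variable_names(query):
        if name.casefold() in BLOCKED_NAMES:
            return name
    return None


def naive_substring_check(query):
    """The same idea without delimiters: a plain substring test against the list.

    Kept only to show why the pipes matter: 'user' is a substring of 'username',
    so a perfectly normal variable named 'user' would be rejected.
    """
    return any(name in T_COMMANDS for name in form_variable_names(query))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for q in ("user=alice&page=2", "shell=ls", "Include=../x", "she%6Cl=", "ddes=1"):
        print(f"{q!r:22} blocked={is_blocked(q)!s:5} naive={naive_substring_check(q)}")
```

Run as a script it classifies the five constructed requests; the `she%6Cl=` case shows the comparison happens on the decoded name, and `first_blocked_name` returns the value to log before redirecting. Whether a form variable that happens to be named after a context is actually dangerous on a given site is the question Donovan raises in the thread; the check only reports that a request tripped the list.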