Re: [WebDNA] Stop hacking

This WebDNA talk-list message is from 2013.


It keeps the original formatting.
Just off the top of my head .......

What if you just disallowed all commands in the prefs?

Or update the WebDNA version to the one that fixed the problem .....


Regards

Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au




On 12/09/2013, at 11:46 AM, John Butler <govinda.webdnatalk@gmail.com> wrote:

Here is a version Donovan posted I think in Sept. 2011.

--------------------------------------------------------------------------------

[formvariables name=text][redirect url=index.html][/formvariables]
[text]t_commands=|[url]![/url]|addfields|addlineitem|append|appendfile|applescript|arrayget|arrayset|authenticate|boldwords|browsername|calcfilecrc32|capitalize|cart|case|clearlineitems|closedatabase|command|commitdatabase|convertchars|convertwords|copyfile|copyfolder|countchars|countwords|createfolder|date|ddeconnect|ddesend|decrypt|delete|deletefile|deletefolder|dos|elapsedtime|else|encrypt|exclusivelock|filecompare|fileinfo|findstring|flushcache|flushdatabases|format|format|formvariables|founditems|freememory|function|getchars|getcookie|getmimeheader|grep|hideif|html1|html2|html3|httpmethod|if|include|input|interpret|ipaddress|issecureclient|lastautonumner|lastrandom|lineitems|listchars|listcookies|listdatabases|listfields|listfiles|listmimeheaders|listpath|listvariables|listwords|lookup|lookup|loop|lowercase|math|middle|movefile|object|orderfile|password|platform|product|protect|purchase|random|raw|redirect|referrer|removehtml|removelineitem|replace|replacefounditems|return|returnraw|scope|search|sendmail|setcookie|setheader|setlineitem|setmimeheader|shell|showif|shownext|spawn|sql|sql|sqlconnect|sqldisconnect|sqlexecute|sqlinfo|sqlrelease|sqlresult|switch|table|tcpconnect|tcpsend|then|thisurl|time|unurl|uppercase|url|username|validcard|version|waitforfile|writefile|xmlnode|xmlnodes|xmlnodesattributes|xmlparse|xsl|xslt|[/text]
[formvariables]
[showif [t_commands]^|[url][name][/url]|]
[redirect url=index.html]
[/showif]
[/formvariables]


--------------------------------------------------------------------------------

The version you posted that started this thread looked fine, too, at first glance.

-G




On 2013-09-11, at 9:34 PM, Steve Graham <skgrahamjr@gmail.com> wrote:

> Many of us placed other code to prevent this hole in the webdna pre-parse script.

Can you send it to me or post here?






On Wed, Sep 11, 2013 at 6:57 PM, John Butler <govinda.webdnatalk@gmail.com> wrote:
yes, it seems the coder was preventing the very thing I mentioned in my last post on this thread.

-G


On 2013-09-11, at 7:54 PM, Steve Graham <skgrahamjr@gmail.com> wrote:

This is noHack.db:

contextName
!
addfields
addlineitem
append
appendfile
applescript
arrayget
arrayset
authenticate
boldwords
browsername
calcfilecrc32
capitalize
case
clearlineitems
closedatabase
command
commitdatabase
convertchars
convertwords
copyfile
copyfolder
countchars
countwords
createfolder
date
ddeconnect
ddesend
decrypt
delete
deletefile
deletefolder
dos
elapsedtime
else
encrypt
exclusivelock
filecompare
fileinfo
findstring
flushcache
flushdatabases
format
format
formvariables
founditems
freememory
function
getchars
getcookie
getmimeheader
grep
hideif
html1
html2
html3
httpmethod
if
include
input
interpret
ipaddress
issecureclient
lastautonumner
lastrandom
lineitems
listchars
listcookies
listdatabases
listfields
listfiles
listmimeheaders
listpath
listvariables
listwords
lookup
lookup
loop
lowercase
math
middle
movefile
object
orderfile
password
platform
product
protect
purchase
random
raw
redirect
referrer
removehtml
removelineitem
replace
replacefounditems
return
returnraw
scope
search
sendmail
setcookie
setheader
setlineitem
setmimeheader
shell
showif
shownext
spawn
sql
sql
sqlconnect
sqldisconnect
sqlexecute
sqlinfo
sqlrelease
sqlresult
switch
table
tcpconnect
tcpsend
text
then
thisurl
time
unurl
uppercase
url
username
validcard
version
version
waitforfile
writefile
xmlnode
xmlnodes
xmlnodesattributes
xmlparse
xsl
xslt


On Wed, Sep 11, 2013 at 6:42 PM, Donovan Brooke <dbrooke@webdna.us> wrote:
Steve,
It appears the original coder was trying to stop anyone from trying a context in the URL... however, I'm not sure why that would be desired. We don't know the contents of "noHack.db" so we can't tell you exactly what the coder was trying to protect the site from.

Donovan

--- Original message ---
Subject: [WebDNA] Stop hacking
From: Steve Graham <skgrahamjr@gmail.com>
To: <talk@webdna.us>
Date: Wednesday, 11/09/2013 3:53 PM

I found this code in a webdna site I am fixing. Someone please say if this is necessary or recommended to stop hackers in v7.x or v6.2.1:

[formvariables]
[search db=noHack.db&eqcontextNamedatarq=[url][name][/url]]
[founditems]
[redirect /]
[/founditems]
[/search]
[/formvariables]

[!] include this file at the top of every page to block hacking when a context name appears as a formvariable name [/!]
--------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list <talk@webdna.us>. To unsubscribe, E-mail to: <talk-leave@webdna.us> archives: http://mail.webdna.us/list/talk@webdna.us Bug Reporting: support@webdna.us

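Both snippets in this thread walk the submitted form variables and redirect as soon as a variable name matches a WebDNA context name. Below is an added example, not code from the thread or from WebDNA: the same check written as a Python pre-parse filter, with the name list taken from the noHack.db listing and the t_commands list above. The function names forbidden_names and should_redirect, the case-insensitive comparison, the extra spelling lastautonumber (the posted lists say lastautonumner, which looks like a typo) and the sample query strings are all assumptions of this example, not facts from the thread.

```python
"""Pre-parse filter equivalent to the WebDNA snippets in the thread.

Added example, not code from the thread or from WebDNA. It checks every
submitted form-variable name against the list of WebDNA context names and
reports the offending names, so a front controller can redirect before the
page is parsed, which is what the posted [redirect] does.
"""
from urllib.parse import parse_qsl

# Context names copied from the two lists in the thread (duplicates dropped).
# Assumption: "lastautonumner" in the posted lists is a typo for
# "lastautonumber"; both spellings are kept here.
CONTEXT_NAMES = frozenset("""
! addfields addlineitem append appendfile applescript arrayget arrayset
authenticate boldwords browsername calcfilecrc32 capitalize cart case
clearlineitems closedatabase command commitdatabase convertchars convertwords
copyfile copyfolder countchars countwords createfolder date ddeconnect ddesend
decrypt delete deletefile deletefolder dos elapsedtime else encrypt
exclusivelock filecompare fileinfo findstring flushcache flushdatabases format
formvariables founditems freememory function getchars getcookie getmimeheader
grep hideif html1 html2 html3 httpmethod if include input interpret ipaddress
issecureclient lastautonumner lastautonumber lastrandom lineitems listchars
listcookies listdatabases listfields listfiles listmimeheaders listpath
listvariables listwords lookup loop lowercase math middle movefile object
orderfile password platform product protect purchase random raw redirect
referrer removehtml removelineitem replace replacefounditems return returnraw
scope search sendmail setcookie setheader setlineitem setmimeheader shell
showif shownext spawn sql sqlconnect sqldisconnect sqlexecute sqlinfo
sqlrelease sqlresult switch table tcpconnect tcpsend text then thisurl time
unurl uppercase url username validcard version waitforfile writefile xmlnode
xmlnodes xmlnodesattributes xmlparse xsl xslt
""".split())


def forbidden_names(query_string: str) -> list[str]:
    """Return the form-variable names in query_string that are WebDNA context names.

    parse_qsl percent-decodes each name once, so "%73hell" is seen as "shell",
    the same form the server would work with, and keep_blank_values keeps
    variables sent with no value, which is how a probe would typically look.
    Assumption: names are compared case-insensitively; the thread does not say
    how WebDNA matches them.
    """
    hits = []
    for name, _value in parse_qsl(query_string, keep_blank_values=True):
        if name.lower() in CONTEXT_NAMES:
            hits.append(name)
    return hits


def should_redirect(query_string: str) -> bool:
    """The decision the WebDNA snippets make with [redirect]: any hit means redirect."""
    return bool(forbidden_names(query_string))


if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    for qs in ("item=42&qty=2", "shell=&x=1", "SHELL=ls", "%73hell=", "text=hello"):
        print(f"{qs!r:20} -> {forbidden_names(qs)}")
```

As the reply above says, a denylist of this kind only knows the names it was given; upgrading to a WebDNA version in which the problem was fixed is the durable remedy, and a filter like this one is at most a stopgap in front of it.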

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Stop hacking (Donovan Brooke 2013)
  2. Re: [WebDNA] Stop hacking (Dan Strong 2013)
  3. Re: [WebDNA] Stop hacking (John Butler 2013)
  4. Re: [WebDNA] Stop hacking (WebDNA 2013)
  5. Re: [WebDNA] Stop hacking (John Butler 2013)
  6. Re: [WebDNA] Stop hacking (Steve Graham 2013)
  7. Re: [WebDNA] Stop hacking (John Butler 2013)
  8. Re: [WebDNA] Stop hacking (John Butler 2013)
  9. Re: [WebDNA] Stop hacking (Steve Graham 2013)
  10. Re: [WebDNA] Stop hacking (Donovan Brooke 2013)
  11. [WebDNA] Stop hacking (Steve Graham 2013)