Re: Major Security Hole

This WebDNA talk-list message is from

1998

It keeps the original formatting. numero = 18825
interpreted = N
texte = Dan,Yours appear to be encrypted.Paul>Oh crap! I get someting similar I can see all of my groups and user>names but the passwords appear as a string of weird characters. Now I>don't know if the characters can be interpreted or if it is just garbage.>I would prefer that nothing gets returned.>>I get the user group text string returned if I request:>>http://www.server.com/webcatalog/users.db::$data>>I also get the text string returned if I only request:>>http://www.server.com/webcatalog/users.db:>>>Here is the complete string that gets returned:>user pass groups ADMIN �m&%22#022#!#027#h ADMIN UPDATEDONE>Z�c�MNv#027#�TE��Ih DAN TRYON -�e�%2C �#004#��Tw��{ ADMIN,RSKILLS,CESD>GEOFF FULLER>*QK�V#031#�#026#��u�#%00�� RSKILLS,CESD CARL HADSELL ]��%22D7�pFx 2̻M>RSKILLS,CESD>>>I run a mac - webstar 2.1 and netcloak>I do NOT allow all webcatalog commands!>>>dan t.>>>>>>>>>>I thought that the $ was the problem too at first. But then it worked>>with just a single :>>>>It worked on .db files which allowed ANYONE to find and look at our>>users.db file. OUCH!>>>>I tried to do the same thing on the Pacific-Coast server and that of>>several others that I know run WebCat or Typhoon, including some of our>>other servers here. It only was valid in the one instance on this machine>>that we were still running Webstar 2.0 on along with Netcloak. I upgraded>>WebStar to 2.1 and deleted Netcloak.>>>>Problem solved. But I sure was in a panic when I could type>>http://secure.ims1.com/webcatalog/users.db::$data and get a complete list>>of users, passwords and groups!>>>>Anyone who is still using WebStar 2.0, Netcloak and WebCatalog 2.0 on a>>Macintosh should be made aware that their setup may not be secure. People>>can get your admin passwords and then track down any credit card numbers>>from online stores. I am not sure if this is a problem with WebStar or>>Netcloak, but I am sure that the problem is real and it does not exist with>>NetCloak removed and Webstar updated to 2.1 or greater.>>>>Thanks, Paul>>>>>>>>>> _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_>> _/_/_/Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_>> _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_>> _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_>> _/_/_/ Real Estate - _\_\_\_\_>> _/_/_/Websites - Children _/ _\_\_\_>>_/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_>>>>>> _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_ _/_/_/Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_ _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_ _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_ _/_/_/ Real Estate - _\_\_\_\_ _/_/_/Websites - Children _/ _\_\_\__/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Associated Messages, from the most recent to the oldest:

Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998)
Re: Major Security Hole (Kenneth Grome 1998)
Re: Major Security Hole (Peter Ostry 1998)
Re: Major Security Hole (Paul Uttermohlen 1998)
Re: Major Security Hole (solution with Welcome) (Peter Ostry 1998)
Re: Major Security Hole (Charles Kefauver 1998)
Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998)
Re: Major Security Hole (PCS Technical Support 1998)
Re: Major Security Hole (Peter Ostry 1998)
Re: Major Security Hole (Dan Tryon 1998)
Re: Major Security Hole (Jim Turney 1998)
Re: Major Security Hole (Peter Ostry 1998)
Re: Major Security Hole (Paul Uttermohlen 1998)
Re: Major Security Hole (Bob Minor 1998)
Re: Major Security Hole (Dan Tryon 1998)
Re: Major Security Hole (Brian Willson 1998)
Re: Major Security Hole (Britt T. 1998)
Re: Major Security Hole (Paul Uttermohlen 1998)
Re: Major Security Hole (Dave MacLeay 1998)
Re: Major Security Hole (Bob Minor 1998)
Re: Major Security Hole (Peter Ostry 1998)
Re: Major Security Hole (PCS Technical Support 1998)
Major Security Hole (Paul Uttermohlen 1998)
Re: Major Security Hole IIS NT (Bob Minor 1998)
Re: Major Security Hole IIS NT (greg 1998)
Re: Major Security Hole IIS NT (Kenneth Grome 1998)
Re: Major Security Hole IIS NT (Kenneth Grome 1998)
RE: Major Security Hole IIS NT (PCS Technical Support 1998)
RE: Major Security Hole IIS NT (Olin 1998)
Re: Major Security Hole IIS NT (Bob Minor 1998)
Re: Major Security Hole IIS NT (PCS Technical Support 1998)
Re: Major Security Hole IIS NT (Bob Minor 1998)
Re: Major Security Hole IIS NT (Peter Ostry 1998)
Re: Major Security Hole IIS NT (Bob Minor 1998)
Re: Major Security Hole IIS NT (Bob Minor 1998)
Major Security Hole IIS NT (Bob Minor 1998)
Re: Major Security Hole IIS NT (Raymond Hatch 1998)
Re: Major Security Hole IIS NT (Raymond Hatch 1998)
Re: Major Security Hole IIS NT (Chuck Wall 1998)
Re: Major Security Hole IIS NT (Raymond Hatch 1998)
Re: Major Security Hole IIS NT (Raymond Hatch 1998)
Re: Major Security Hole IIS NT (Raymond Hatch 1998)
Re: Major Security Hole IIS NT (Raymond Hatch 1998)

Dan,Yours appear to be encrypted.Paul>Oh crap! I get someting similar I can see all of my groups and user>names but the passwords appear as a string of weird characters. Now I>don't know if the characters can be interpreted or if it is just garbage.>I would prefer that nothing gets returned.>>I get the user group text string returned if I request:>>http://www.server.com/webcatalog/users.db::$data>>I also get the text string returned if I only request:>>http://www.server.com/webcatalog/users.db:>>>Here is the complete string that gets returned:>user pass groups ADMIN �m&%22#022#!#027#h ADMIN UPDATEDONE>Z�c�MNv#027#�TE��Ih DAN TRYON -�e�%2C �#004#��Tw��{ ADMIN,RSKILLS,CESD>GEOFF FULLER>*QK�V#031#�#026#��u�#%00�� RSKILLS,CESD CARL HADSELL ]��%22D7�pFx 2̻M>RSKILLS,CESD>>>I run a mac - webstar 2.1 and netcloak>I do NOT allow all webcatalog commands!>>>dan t.>>>>>>>>>>I thought that the $ was the problem too at first. But then it worked>>with just a single :>>>>It worked on .db files which allowed ANYONE to find and look at our>>users.db file. OUCH!>>>>I tried to do the same thing on the Pacific-Coast server and that of>>several others that I know run WebCat or Typhoon, including some of our>>other servers here. It only was valid in the one instance on this machine>>that we were still running Webstar 2.0 on along with Netcloak. I upgraded>>WebStar to 2.1 and deleted Netcloak.>>>>Problem solved. But I sure was in a panic when I could type>>http://secure.ims1.com/webcatalog/users.db::$data and get a complete list>>of users, passwords and groups!>>>>Anyone who is still using WebStar 2.0, Netcloak and WebCatalog 2.0 on a>>Macintosh should be made aware that their setup may not be secure. People>>can get your admin passwords and then track down any credit card numbers>>from online stores. I am not sure if this is a problem with WebStar or>>Netcloak, but I am sure that the problem is real and it does not exist with>>NetCloak removed and Webstar updated to 2.1 or greater.>>>>Thanks, Paul>>>>>>>>>> _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_>> _/_/_/Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_>> _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_>> _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_>> _/_/_/ Real Estate - _\_\_\_\_>> _/_/_/Websites - Children _/ _\_\_\_>>_/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_>>>>>> _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_ _/_/_/Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_ _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_ _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_ _/_/_/ Real Estate - _\_\_\_\_ _/_/_/Websites - Children _/ _\_\_\__/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Paul Uttermohlen

DOWNLOAD WEBDNA NOW!

Re: Major Security Hole

1998

Top Articles:

Related Readings: