Re: [WebDNA] WebDNA code displaying on page

This WebDNA talk-list message is from

2012


It keeps the original formatting.
numero = 110005
interpreted = N
texte = The webdna.us site is vulnerable. http://webdna.us/page.dna?search=3D-hacked- FWIW, I have this in my pre-parse script: [formvariables name=3Dsearch][redirect /][/formvariables][formvariables = name=3D!][redirect /][/formvariables][formvariables name=3Dtext][redirect = /][/formvariables][formvariables name=3Dmath][redirect = /][/formvariables][formvariables name=3Dencrypt][redirect = /][/formvariables][formvariables name=3Ddecrypt][redirect = /][/formvariables][formvariables name=3Dauthenticate][redirect = /][/formvariables][formvariables name=3Dprotect][redirect = /][/formvariables][formvariables name=3Dtcpconnect][redirect = /][/formvariables] It doesn't cover all WebDNA keywords, but catches the primary ones that = concern me from a security standpoint. I don't like to add more code = than necessary, since it increases the processing time needed for every = page load, but you can extend the default list if desired, and can add = other keywords tests on specific pages if needed. - Brian On Dec 12, 2012, at 11:55 AM, Steve Raslevich = wrote: > Hi Chris, >=20 > So is there a fix for 6.2? I am guessing then that the webdna.us site = is also still running 6.2? >=20 > christophe.billiottet@webdna.us wrote: >> Exact, that was fixed in WebDNA.fcgi few years ago >>=20 >> - chris >>=20 >>=20 >> On Dec 12, 2012, at 17:44, Terry Wilson wrote: >>=20 >> =20 >>> This exploit was discovered a few years back, but I thought it was >>> fixed, or a fix was announced or something. I forget. >>>=20 >>> Terry >>>=20 >>>=20 >>> =20 >>>> Hi, >>>>=20 >>>> I am running V6.2 on CentOS 5.8 and have found instances where >>>> WebDNA code displays on a page if certain WebDNA tags are in the = URL. >>>>=20 >>>> I thought it was something I was doing but this appears to happen = on >>>> the www.webdna.us site as well. >>>>=20 >>>> http://www.webdna.us/page.dna?text=3D >>>> takes you to a page that shows only webdna code >>>>=20 >>>> http://www.webdna.us/page.dna?numero=3D56&text=3D >>>> adds a line of text above the navigation row in the red background >>>> (need to mouse over to see it - text is same color as red = background) >>>>=20 >>>>=20 >>>> I first experienced this with !=3D and fixed it by putting a >>>> RewriteRule in an .htaccess file in the site's root folder >>>>=20 >>>> Today I tried a few other tags and found others. I haven't checked >>>> all the tags just a handful. >>>>=20 >>>> text=3D >>>> math=3D >>>> format=3D >>>>=20 >>>> Anyone else experience this, have a fix or suggestion? >>>>=20 >>>> Thanks, >>>> Steve >>>>=20 >>>>=20 >>>> --------------------------------------------------------- >>>> This message is sent to you because you are subscribed to >>>> the mailing list. >>>> To unsubscribe, E-mail to: >>>> archives: http://mail.webdna.us/list/talk@webdna.us >>>> Bug Reporting: support@webdna.us >>>> =20 >>>=20 >>> --=20 >>> Terry Wilson | terry@terryfic.com | http://terryfic.com >>> http://WhosComing.com - a simplified, affordable online reservation = system >>> iStockPhoto portfolio - = http://www.istockphoto.com/Terryfic3D?refnum=3DTerryfic3D >>> = --------------------------------------------------------------------------= >>> Attitude is the only difference between ordeal and adventure. >>> --------------------------------------------------------- >>> This message is sent to you because you are subscribed to >>> the mailing list. >>> To unsubscribe, E-mail to: >>> archives: http://mail.webdna.us/list/talk@webdna.us >>> Bug Reporting: support@webdna.us >>> =20 >> --------------------------------------------------------- >> This message is sent to you because you are subscribed to >> the mailing list. >> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/talk@webdna.us >> Bug Reporting: support@webdna.us >> =20 > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > Bug Reporting: support@webdna.us Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] WebDNA code displaying on page (WebDNA Solutions 2012)
  2. Re: [WebDNA] WebDNA code displaying on page (Tom Duke 2012)
  3. Re: [WebDNA] WebDNA code displaying on page (Donovan Brooke 2012)
  4. Re: [WebDNA] WebDNA code displaying on page (Donovan Brooke 2012)
  5. Re: [WebDNA] WebDNA code displaying on page (Govinda 2012)
  6. Re: [WebDNA] WebDNA code displaying on page (Michael Davis 2012)
  7. Re: [WebDNA] WebDNA code displaying on page (Steve Raslevich 2012)
  8. Re: [WebDNA] WebDNA code displaying on page (Michael Davis 2012)
  9. Re: [WebDNA] WebDNA code displaying on page (Steve Raslevich 2012)
  10. Re: [WebDNA] WebDNA code displaying on page (Daniel Meola 2012)
  11. Re: [WebDNA] WebDNA code displaying on page (Brian Fries 2012)
  12. Re: [WebDNA] WebDNA code displaying on page (Steve Raslevich 2012)
  13. Re: [WebDNA] WebDNA code displaying on page (Steve Raslevich 2012)
  14. Re: [WebDNA] WebDNA code displaying on page (WebDNA Solutions 2012)
  15. Re: [WebDNA] WebDNA code displaying on page (Daniel Meola 2012)
  16. Re: [WebDNA] WebDNA code displaying on page (christophe.billiottet@webdna.us 2012)
The webdna.us site is vulnerable. http://webdna.us/page.dna?search=3D-hacked- FWIW, I have this in my pre-parse script: [formvariables name=3Dsearch][redirect /][/formvariables][formvariables = name=3D!][redirect /][/formvariables][formvariables name=3Dtext][redirect = /][/formvariables][formvariables name=3Dmath][redirect = /][/formvariables][formvariables name=3Dencrypt][redirect = /][/formvariables][formvariables name=3Ddecrypt][redirect = /][/formvariables][formvariables name=3Dauthenticate][redirect = /][/formvariables][formvariables name=3Dprotect][redirect = /][/formvariables][formvariables name=3Dtcpconnect][redirect = /][/formvariables] It doesn't cover all WebDNA keywords, but catches the primary ones that = concern me from a security standpoint. I don't like to add more code = than necessary, since it increases the processing time needed for every = page load, but you can extend the default list if desired, and can add = other keywords tests on specific pages if needed. - Brian On Dec 12, 2012, at 11:55 AM, Steve Raslevich = wrote: > Hi Chris, >=20 > So is there a fix for 6.2? I am guessing then that the webdna.us site = is also still running 6.2? >=20 > christophe.billiottet@webdna.us wrote: >> Exact, that was fixed in WebDNA.fcgi few years ago >>=20 >> - chris >>=20 >>=20 >> On Dec 12, 2012, at 17:44, Terry Wilson wrote: >>=20 >> =20 >>> This exploit was discovered a few years back, but I thought it was >>> fixed, or a fix was announced or something. I forget. >>>=20 >>> Terry >>>=20 >>>=20 >>> =20 >>>> Hi, >>>>=20 >>>> I am running V6.2 on CentOS 5.8 and have found instances where >>>> WebDNA code displays on a page if certain WebDNA tags are in the = URL. >>>>=20 >>>> I thought it was something I was doing but this appears to happen = on >>>> the www.webdna.us site as well. >>>>=20 >>>> http://www.webdna.us/page.dna?text=3D >>>> takes you to a page that shows only webdna code >>>>=20 >>>> http://www.webdna.us/page.dna?numero=3D56&text=3D >>>> adds a line of text above the navigation row in the red background >>>> (need to mouse over to see it - text is same color as red = background) >>>>=20 >>>>=20 >>>> I first experienced this with !=3D and fixed it by putting a >>>> RewriteRule in an .htaccess file in the site's root folder >>>>=20 >>>> Today I tried a few other tags and found others. I haven't checked >>>> all the tags just a handful. >>>>=20 >>>> text=3D >>>> math=3D >>>> format=3D >>>>=20 >>>> Anyone else experience this, have a fix or suggestion? >>>>=20 >>>> Thanks, >>>> Steve >>>>=20 >>>>=20 >>>> --------------------------------------------------------- >>>> This message is sent to you because you are subscribed to >>>> the mailing list. >>>> To unsubscribe, E-mail to: >>>> archives: http://mail.webdna.us/list/talk@webdna.us >>>> Bug Reporting: support@webdna.us >>>> =20 >>>=20 >>> --=20 >>> Terry Wilson | terry@terryfic.com | http://terryfic.com >>> http://WhosComing.com - a simplified, affordable online reservation = system >>> iStockPhoto portfolio - = http://www.istockphoto.com/Terryfic3D?refnum=3DTerryfic3D >>> = --------------------------------------------------------------------------= >>> Attitude is the only difference between ordeal and adventure. >>> --------------------------------------------------------- >>> This message is sent to you because you are subscribed to >>> the mailing list. >>> To unsubscribe, E-mail to: >>> archives: http://mail.webdna.us/list/talk@webdna.us >>> Bug Reporting: support@webdna.us >>> =20 >> --------------------------------------------------------- >> This message is sent to you because you are subscribed to >> the mailing list. >> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/talk@webdna.us >> Bug Reporting: support@webdna.us >> =20 > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > Bug Reporting: support@webdna.us Brian Fries

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

URL for Discussion Archive (1997) Bug? (1997) The Form authentication trick (2000) Shipping based in distance and weight (1999) $flushdatabases question ... (1998) How many Databases can I open? (2003) Question about links (1999) question: back button prevention (1997) PIXO Support (1997) WebCatalog and Bar Code Scanners (1999) SQL Madness (2005) Online reference (1997) Duplicate Hell (1999) [WebDNA] How much does it cost now? (2008) Re:Emailer tracking (1997) Comments in db? (1997) List Name Change (2002) multi-paragraph fields (1997) Nested tags count question (1997) auto adding SKUs w/DB helper (1998)