Re: Major Security Hole

This WebDNA talk-list message is from 1998.


How do you have your database extension preference set up in WebCatalog's preferences? I am using WebCat on WebStar and WebTen and I simply cannot access these files with any combination of your files.

Bob Minor
Cybermill Communications

-----Original Message-----
From: Dan Tryon
To: WebDNA-Talk@smithmicro.com
Date: Monday, July 13, 1998 4:49 PM
Subject: Re: Major Security Hole

Oh crap! I get something similar. I can see all of my groups and user names, but the passwords appear as a string of weird characters. Now I don't know if the characters can be interpreted or if it is just garbage. I would prefer that nothing gets returned.

I get the user group text string returned if I request:
http://www.server.com/webcatalog/users.db::$data

I also get the text string returned if I only request:
http://www.server.com/webcatalog/users.db:

Here is the complete string that gets returned:

user pass groups ADMIN m&%22#022#!#027#h ADMIN UPDATEDONE ZcMNv#027#TEIh DAN TRYON -e%2C #004#Tw{ ADMIN,RSKILLS,CESD GEOFF FULLER *QKV#031##026#u#%00 RSKILLS,CESD CARL HADSELL ]%22D7pFx 2̻M RSKILLS,CESD

I run a Mac - WebStar 2.1 and NetCloak. I do NOT allow all WebCatalog commands!

dan t.

> I thought that the $ was the problem too at first. But then it worked
> with just a single :
>
> It worked on .db files which allowed ANYONE to find and look at our
> users.db file. OUCH!
>
> I tried to do the same thing on the Pacific-Coast server and that of
> several others that I know run WebCat or Typhoon, including some of our
> other servers here. It only was valid in the one instance on this machine
> that we were still running WebStar 2.0 on along with NetCloak. I upgraded
> WebStar to 2.1 and deleted NetCloak.
>
> Problem solved. But I sure was in a panic when I could type
> http://secure.ims1.com/webcatalog/users.db::$data and get a complete list
> of users, passwords and groups!
>
> Anyone who is still using WebStar 2.0, NetCloak and WebCatalog 2.0 on a
> Macintosh should be made aware that their setup may not be secure. People
> can get your admin passwords and then track down any credit card numbers
> from online stores. I am not sure if this is a problem with WebStar or
> NetCloak, but I am sure that the problem is real and it does not exist with
> NetCloak removed and WebStar updated to 2.1 or greater.
>
> Thanks, Paul
>
> _/_/_/_/_/_/_/_/_/_/_/_/|\_\_\_\_\_\_\_\_\_\_\_\_
> _/_/_/ Paul Uttermohlen, Internet Marketspace, Inc. \_\_\_\_
> _/_/_/ mailto:paul@ims1.com - Website Development \_\_\_\_
> _/_/_/ Business - _\_\_\_\_\_\_\_\_\_\_
> _/_/_/ Real Estate - _\_\_\_\_
> _/_/_/ Websites - Children _/ _\_\_\_
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/ | \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Associated Messages, from the most recent to the oldest:

    
  1. Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998)
  2. Re: Major Security Hole (Kenneth Grome 1998)
  3. Re: Major Security Hole (Peter Ostry 1998)
  4. Re: Major Security Hole (Paul Uttermohlen 1998)
  5. Re: Major Security Hole (solution with Welcome) (Peter Ostry 1998)
  6. Re: Major Security Hole (Charles Kefauver 1998)
  7. Re: Major Security Hole (solution with Welcome) (Andreas Pardeike 1998)
  8. Re: Major Security Hole (PCS Technical Support 1998)
  9. Re: Major Security Hole (Peter Ostry 1998)
  10. Re: Major Security Hole (Dan Tryon 1998)
  11. Re: Major Security Hole (Jim Turney 1998)
  12. Re: Major Security Hole (Peter Ostry 1998)
  13. Re: Major Security Hole (Paul Uttermohlen 1998)
  14. Re: Major Security Hole (Bob Minor 1998)
  15. Re: Major Security Hole (Dan Tryon 1998)
  16. Re: Major Security Hole (Brian Willson 1998)
  17. Re: Major Security Hole (Britt T. 1998)
  18. Re: Major Security Hole (Paul Uttermohlen 1998)
  19. Re: Major Security Hole (Dave MacLeay 1998)
  20. Re: Major Security Hole (Bob Minor 1998)
  21. Re: Major Security Hole (Peter Ostry 1998)
  22. Re: Major Security Hole (PCS Technical Support 1998)
  23. Major Security Hole (Paul Uttermohlen 1998)
  24. Re: Major Security Hole IIS NT (Bob Minor 1998)
  25. Re: Major Security Hole IIS NT (greg 1998)
  26. Re: Major Security Hole IIS NT (Kenneth Grome 1998)
  27. Re: Major Security Hole IIS NT (Kenneth Grome 1998)
  28. RE: Major Security Hole IIS NT (PCS Technical Support 1998)
  29. RE: Major Security Hole IIS NT (Olin 1998)
  30. Re: Major Security Hole IIS NT (Bob Minor 1998)
  31. Re: Major Security Hole IIS NT (PCS Technical Support 1998)
  32. Re: Major Security Hole IIS NT (Bob Minor 1998)
  33. Re: Major Security Hole IIS NT (Peter Ostry 1998)
  34. Re: Major Security Hole IIS NT (Bob Minor 1998)
  35. Re: Major Security Hole IIS NT (Bob Minor 1998)
  36. Major Security Hole IIS NT (Bob Minor 1998)
  37. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  38. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  39. Re: Major Security Hole IIS NT (Chuck Wall 1998)
  40. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  41. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  42. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
  43. Re: Major Security Hole IIS NT (Raymond Hatch 1998)
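As an added illustration of the defender's side of the report above (this is not code from the original thread, from Bob, Dan or Paul, or from the WebDNA project), the following Python scanner walks constructed access-log lines and flags requests that read a WebCatalog database file directly or with a colon suffix, the two URL shapes the thread describes (`users.db::$data` and a bare trailing `:`). The log lines, client addresses and timestamps are constructed for the example, and the assumption that database files carry the `.db` extension is mine; `DB_EXTENSIONS` should be aligned with the server's own database extension preference that Bob asks about.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. None of them come
# from the original message; the flagged paths only mirror the URL shapes the
# thread reports (a '::$data' suffix, a bare trailing ':', and the same
# request with the colon and dollar sign percent-encoded).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Jul/1998:16:49:01 -0400] "GET /webcatalog/users.db::$data HTTP/1.0" 200 412
192.0.2.10 - - [13/Jul/1998:16:49:07 -0400] "GET /webcatalog/users.db: HTTP/1.0" 200 412
192.0.2.11 - - [13/Jul/1998:16:50:22 -0400] "GET /webcatalog/users.db%3A%3A%24data HTTP/1.0" 200 412
192.0.2.12 - - [13/Jul/1998:16:51:03 -0400] "GET /store/index.tpl?search=1 HTTP/1.0" 200 2048
192.0.2.13 - - [13/Jul/1998:16:52:45 -0400] "GET /images/logo.gif HTTP/1.0" 200 1024
192.0.2.14 - - [13/Jul/1998:16:53:10 -0400] "GET /webcatalog/users.db HTTP/1.0" 403 118
"""

# client, timestamp, method, request path, status, response size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Assumed database extension(s); the thread only mentions .db. Adjust this to
# match the "database extension" preference configured in WebCatalog.
DB_EXTENSIONS = (".db",)

def classify_path(raw_path):
    """Return a reason string when the request path looks like a direct read of
    a WebCatalog database file, otherwise None.

    The path is percent-decoded before matching so that %3A (':') and %24 ('$')
    cannot hide the pattern, and the rule keys on the bare extension plus any
    colon suffix rather than on '$data' alone, because the thread notes that a
    single ':' was enough."""
    path = unquote(raw_path.split("?", 1)[0])
    base, sep, suffix = path.partition(":")
    filename = base.rsplit("/", 1)[-1].lower()
    if not filename.endswith(DB_EXTENSIONS):
        return None
    if sep:
        return "db file with colon suffix '%s'" % (sep + suffix)
    return "direct request for db file"

def scan_log(text):
    """Parse CLF lines and return (client, path, status, reason) for each hit.
    A 200 on a flagged path means the file contents were served; a 403 shows
    the request was attempted but refused."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, _ts, _method, raw_path, status, _size = m.groups()
        reason = classify_path(raw_path)
        if reason:
            findings.append((client, raw_path, int(status), reason))
    return findings

if __name__ == "__main__":
    for client, path, status, reason in scan_log(SAMPLE_LOG):
        print("%s %s -> %d (%s)" % (client, path, status, reason))
```

Run over real server logs, the status column separates successful reads (200) from refused ones (403), which is what tells an administrator whether the setup Paul describes actually leaked data or was only probed.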
