Re: Denying access by IP address
This WebDNA talk-list message is from 2000
> Don't want to burst your bubble, but there is a security problem with
> your solution. You should use some other method to block IP addresses such
> as any built in to your web server. The problem is, and this has been
> brought to the attention of SM already, session values such as ipaddress and
> referrer that *should not* be editable, can be overridden by adding
> formvariables with the same name. Try this on for size...
>
> http://www.yourserver.com/protectedfile.tpl?ipaddress=206.251.067.003&referrer=http://gonzo.ofthedayclub.com/
>
> Someone in your unwanted class C could override the [ipaddress] value and
> get in.

This is true, although there's also a workaround that can at least detect this condition, and even expose possible 'hacking' attempts. You can use [FormVariables] to detect when someone is trying to override [ipaddress], and even redirect them to another page *without* sending the fake [ipaddress]:

(untested)

[HideIf [FormVariables name=ipaddress&exact=t][value][/FormVariables]=]
You're trying to hack in!
[redirect http://someURL]
[/HideIf]

When the redirect happens, it is done without an overridden [ipaddress], so on that template you can actually get the real ipaddress from the browser. You could even redirect back to the same template silently, but without the overridden ipaddress.

Technical Support
**********************************
Smith Micro, Internet Solutions Div | eCommerce (WebCatalog)
16855 West Bernardo Drive, #380 | -------------------------
San Diego, CA 92127 | Software & Site Development
WebCatalog Support: (858) 675-0632 | http://www.smithmicro.com
Fax: (858) 675-0372
**********************************
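The two checks discussed in this thread, done server-side in plain Python as an added example that is not part of the original post or of WebDNA itself: the client address is taken from the connection, any attempt to pass a reserved name such as ipaddress or referrer as a form variable is flagged and the request is redirected to the same URL with those variables stripped, and only then is the real address compared against the blocked /24. The reserved names, the blocked range and the sample URLs are assumptions.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Names the server derives itself; a client must never be allowed to supply them.
RESERVED = {"ipaddress", "referrer"}

# Constructed example of an "unwanted class C": a single /24 to deny (assumption).
BLOCKED = [ip_network("203.0.113.0/24")]


def override_attempts(url):
    """Return the reserved names a client tried to pass as form variables."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in qs if name.lower() in RESERVED)


def strip_reserved(url):
    """Rebuild the URL without client-supplied reserved names, so the
    redirect target sees the real connection address, not a forged one."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, vs in qs.items() if k.lower() not in RESERVED for v in vs]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def decide(remote_addr, url):
    """Decide what to do with one request.

    remote_addr must come from the TCP connection (the web server's
    REMOTE_ADDR), never from form data. Returns (action, target, attempts).
    """
    attempts = override_attempts(url)
    if attempts:
        # Tampering detected: worth logging, then redirect to the cleaned URL.
        return ("redirect", strip_reserved(url), attempts)
    client = ip_address(remote_addr)
    if any(client in net for net in BLOCKED):
        return ("deny", None, [])
    return ("allow", None, [])


if __name__ == "__main__":
    # Constructed requests: a forged ipaddress from inside the blocked range,
    # a clean request from the blocked range, and a clean request from elsewhere.
    for addr, url in [
        ("203.0.113.7", "http://www.yourserver.com/protectedfile.tpl?ipaddress=198.51.100.9"),
        ("203.0.113.7", "http://www.yourserver.com/protectedfile.tpl"),
        ("198.51.100.9", "http://www.yourserver.com/protectedfile.tpl?page=2"),
    ]:
        print(addr, url, "->", decide(addr, url))
```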