Re: WebCatalog 4.0 has been released!

This WebDNA talk-list message is from 2000.


numero = 32825
Again, don't forget you can *easily* use the new pref to make text vars INsecure AND plug the security hole with something that SM offered on this list months ago. Here's a version of it-

[formvariables][showif [URL][name][/URL]^NameOfYourVarHere][authenticate Futile Hacker][/showif][/formvariables]

Or if you prefer-

[formvariables][showif [URL][name][/URL]^NameOfYourVarHere][redirect some.tpl?message=[url]no dice pal[/url]][/showif][/formvariables]

EXPLANATION FOR NEWBIES: Say you have a var whose value you set with [text]. Say that value is important as it toggles secret access etc. So then you do not want a user to be able to override its value simply by putting it in the URL (i.e. - www.some.tpl?SecretVar=LetMeIn, which *would override* this in some.tpl: [text]SecretVar=DoNotLetHimIn[/text]) - (IF using webcat 3). In Webcat 3 all [text] vars could be overridden this way. Many users LIKE that feature and took advantage of it to override text vars when appropriate. But when you do NOT want the text var to be overrideable you have to protect yourself like with the fix above.

With Webcat 4, if you do not make the effort of tweaking the so far undocumented pref (setting it to 1 as Jay just mentioned) then your [text] vars *cannot* be overridden, even if you sometimes would like them to be. If you want them to be overrideable, then you have to change the pref setting to 1. And then (I assume) you can still make some particular [text] var NOT overrideable (secure) if you set its context param to &secure=T (this is what Bob Minor is asking about to be sure).

SM made the default behaviour of Webcat 4 to keep the text vars secure so that newbies don't shoot themselves in the foot, but gave the pref so that advanced users could still use insecure text vars at their own convenience and conscious 'hassle'.

-John

> > How big of security problem is this if I turn OFF the new default setting?
> >
> > Thanks, Paul
>
> That's a good question. I also believe that the cure is worse than the disease here.
>
> There are a slew of things that someone would have to do, and know, in order to take advantage of this and even if they did the value would be completely dependent upon what form they were trying to circumvent and what its purpose was.
>
> I personally intend to change that preference immediately upon installing 4.x and most likely leaving it that way.

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://search.smithmicro.com/

Associated Messages, from the most recent to the oldest:

    
  1. Re: WebCatalog 4.0 has been released! (Jay Van Vark 2000)
  2. Re: WebCatalog 4.0 has been released! (Chris Brandt 2000)
  3. Re: WebCatalog 4.0 has been released! (Jay Van Vark 2000)
  4. Re: WebCatalog 4.0 has been released! (Mark Derrick 2000)
  5. Re: WebCatalog 4.0 has been released! (Peter Ostry 2000)
  6. Re: WebCatalog 4.0 has been released! (Alex McCombie 2000)
  7. Re: WebCatalog 4.0 has been released! (Joseph D'Andrea 2000)
  8. Re: WebCatalog 4.0 has been released! (John Peacock 2000)
  9. Re: WebCatalog 4.0 has been released! (Joseph D'Andrea 2000)
  10. Re: WebCatalog 4.0 has been released! (John Butler 2000)
  11. Re: WebCatalog 4.0 has been released! (Alex McCombie 2000)
  12. Re: WebCatalog 4.0 has been released! (John Peacock 2000)
  13. Re: WebCatalog 4.0 has been released! (Jay Van Vark 2000)
  14. Re: WebCatalog 4.0 has been released! (Jay Van Vark 2000)
  15. Re: WebCatalog 4.0 has been released! (Mark Derrick 2000)
  16. Re: WebCatalog 4.0 has been released! (Paul Uttermohlen 2000)
  17. Re: WebCatalog 4.0 has been released! (Jay Van Vark 2000)
  18. Re: WebCatalog 4.0 has been released! (Mark Derrick 2000)
  19. Re: WebCatalog 4.0 has been released! (Jay Van Vark 2000)
  20. Re: WebCatalog 4.0 has been released! (Jay Van Vark 2000)
  21. Re: WebCatalog 4.0 has been released! (Mike Heininger 2000)
  22. Re: WebCatalog 4.0 has been released! (Peter Ostry 2000)
  23. Re: WebCatalog 4.0 has been released! (Jesse Proudman 2000)
  24. WebCatalog 4.0 has been released! (Jay Van Vark 2000)
  25. WebCatalog 4.0 has been released! (Jay Van Vark 2000)
John Butler
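The message above describes three situations: WebCatalog 3, where a value in the URL overrides a [text] variable of the same name; the WebCatalog 4 default, where the template's value wins; and the [formvariables][showif ...] guard from the list, which refuses the request when a submitted variable carries a reserved name. The Python below is an added example modelling those semantics; it is not part of the post and not WebDNA's own code, and the function names, the preference flag and the example some.tpl with its SecretVar are assumptions. The guard uses an exact name match rather than the original snippet's ^ comparison.

```python
# Added example (not from the post or from WebDNA): a small Python model of the
# behaviour the message describes. Function and parameter names are assumptions.
from urllib.parse import parse_qs, urlsplit


class AccessDenied(Exception):
    """Raised when a request carries a name reserved for a template variable."""


def parse_form_variables(url: str) -> dict:
    """Collect the query-string parameters of a request, the rough equivalent
    of iterating [formvariables] in a template."""
    query = urlsplit(url).query
    return {name: values[0] for name, values in parse_qs(query).items()}


def resolve(template_vars: dict, form_vars: dict, *,
            insecure_text_vars: bool,
            secure_names: frozenset = frozenset()) -> dict:
    """Return the variables a template would see after the request is merged in.

    template_vars       values the template sets with [text]
    form_vars           values the visitor supplied in the URL or form
    insecure_text_vars  the preference discussed in the thread: True mirrors
                        WebCatalog 3 (form vars override text vars), False
                        mirrors the WebCatalog 4 default (text vars win)
    secure_names        vars marked &secure=T, which the post assumes stay
                        protected even when the preference is switched on
    """
    effective = dict(form_vars)
    for name, value in template_vars.items():
        visitor_wins = (insecure_text_vars
                        and name not in secure_names
                        and name in form_vars)
        if not visitor_wins:
            effective[name] = value   # template's own value takes precedence
    return effective


def guard(form_vars: dict, protected: frozenset) -> None:
    """The list's workaround for WebCatalog 3: refuse the whole request when
    any submitted variable uses a protected name, before the template runs
    (what [authenticate ...] or [redirect ...] does in the original snippet)."""
    clash = protected & frozenset(form_vars)
    if clash:
        raise AccessDenied(f"reserved variable(s) in request: {sorted(clash)}")


def handle(url: str, *, insecure_text_vars: bool, use_guard: bool) -> str:
    """Serve a constructed some.tpl whose SecretVar toggles access and report
    which value ended up in effect."""
    template_vars = {"SecretVar": "DoNotLetHimIn"}   # [text]SecretVar=DoNotLetHimIn[/text]
    protected = frozenset(template_vars)
    form_vars = parse_form_variables(url)
    if use_guard:
        guard(form_vars, protected)
    effective = resolve(template_vars, form_vars,
                        insecure_text_vars=insecure_text_vars)
    return effective["SecretVar"]


if __name__ == "__main__":
    # Constructed request that tries to override the template's value.
    attempt = "http://example.test/some.tpl?SecretVar=LetMeIn"
    print("WebCat 3 behaviour   :", handle(attempt, insecure_text_vars=True, use_guard=False))
    print("WebCat 4 default     :", handle(attempt, insecure_text_vars=False, use_guard=False))
    try:
        handle(attempt, insecure_text_vars=True, use_guard=True)
    except AccessDenied as exc:
        print("WebCat 3 + list guard:", exc)
```

Running the block shows the three outcomes side by side: with the insecure preference and no guard the visitor's value is in effect, with the WebCatalog 4 default the template's value stays, and with the guard the request never reaches the template at all.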
