Re: [OT] "Hacker Safe"
This WebDNA talk-list message is from 2007
Donovan,

I have been using ScanAlert on many of my customer websites for more than a year now. The first time they identified this Cross Scripting Error they gave me a different hack example than the one they are using now. I'll be damned if I can remember what the example was, but it caused my entire WebDNA page to be returned as text. I was a bit stunned because I had never seen such a hack, and I was wondering how I could have been a programmer for so long and not known how easily it could be done.

However, some time in the past year they started using the 123 example instead. Maybe it was not such a good idea to show specifically how a website could actually be hacked.

Anyway, in order to pass their testing I found that I just can't [url] all incoming variables. They eventually will find a way past it. So I had to add the following to the prefs.inc that I process at the very top of every page in the site:

    [hideif [thisurl]^/admin/]
      [showif [countchars][cart][/countchars]>18]
        [redirect /index.html]
      [/showif]
      [formvariables]
        [showif [url][name][value][/url]^script]
          [redirect /index.html]
        [/showif]
        [showif [url][name][value][/url]^iframe]
          [redirect /index.html]
        [/showif]
        [text][url][name][/url]=[input][value][/input][/text]
      [/formvariables]
    [/hideif]

I've had this code running on all my HackerSafe websites for some time and so far it seems bullet proof. But if you guys have a better way of handling the issue, let me know.

Matthew A Perosi
Psi Prime, Inc.
http://www.psiprime.com
323 Union Blvd.
Totowa, NJ 07512
P: 973.413.8210
F: 973.413.8217

Donovan Brooke wrote:
> Stuart Tremain wrote:
>> Hi Donovan
>>
>> I use Hacker Safe for some of my clients.
>>
>> The biggest problem that I had (not really big) was if someone put a
>> script into a textarea and the script was then processed. To solve
>> the problem, make sure all textarea entries are URL'd so that they
>> won't return "<" or ">"; this then stops any script from processing.
>
> Stuart, yes, I know how to fix it, but what danger is there
> really? .. that's what I am trying to determine.
>
> Donovan

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list. To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to: Web Archive of this list is at: http://webdna.smithmicro.com/
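To make the two approaches discussed in this thread concrete, here is an added example (not code from the post, from WebDNA, or from ScanAlert) that re-expresses the prefs.inc screening logic above in Python next to the output-encoding approach Stuart suggests, and runs both over constructed sample inputs. The function names and sample submissions are hypothetical, and reading `^` as "contains" with a case-insensitive match, and assuming the web server has percent-decoded the query string before the check runs, are assumptions rather than facts established by the post.

```python
import html
from urllib.parse import unquote_plus

# Constructed sample submissions (hypothetical; not ScanAlert's test cases).
SAMPLE_FORMS = {
    "benign":  {"q": "123"},
    "script":  {"q": "<script>alert(1)</script>"},
    "iframe":  {"comment": "<IFRAME src=x></IFRAME>"},
    "onerror": {"comment": '<img src=x onerror="alert(1)">'},
    "encoded": {"q": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
}

BLOCKED_SUBSTRINGS = ("script", "iframe")
MAX_CART_LEN = 18   # the post's [countchars][cart][/countchars]>18 threshold


def screen_request(form, cart="", path="/"):
    """Python rendering of the post's prefs.inc check (assumed semantics).

    Returns (allowed, cleaned_form). 'allowed' is False wherever the post
    would [redirect /index.html]: a cart value longer than 18 characters, or
    any form value containing 'script' or 'iframe'. Assumptions: the match is
    case-insensitive, and the server has already percent-decoded each value.
    """
    if path.startswith("/admin/"):        # the [hideif [thisurl]^/admin/] wrapper
        return True, dict(form)
    if len(cart) > MAX_CART_LEN:
        return False, {}
    cleaned = {}
    for name, value in form.items():
        decoded = unquote_plus(value)
        lowered = decoded.lower()
        if any(bad in lowered for bad in BLOCKED_SUBSTRINGS):
            return False, {}
        cleaned[name] = decoded
    return True, cleaned


def encode_for_html(value):
    """Output encoding, the approach Stuart describes: <, >, &, and quotes are
    turned into entities so the browser displays the text instead of parsing it."""
    return html.escape(unquote_plus(value), quote=True)


def compare(forms=SAMPLE_FORMS):
    """Run each sample through both approaches.

    For every sample: does the substring blacklist let it through, and does the
    entity-encoded output still contain a raw '<' that a browser could treat
    as the start of a tag?"""
    report = {}
    for label, form in forms.items():
        allowed, _ = screen_request(form)
        encoded = {k: encode_for_html(v) for k, v in form.items()}
        report[label] = {
            "passes_blacklist": allowed,
            "raw_tag_after_encoding": any("<" in v for v in encoded.values()),
        }
    return report


if __name__ == "__main__":
    for label, row in compare().items():
        print(f"{label:8s} passes_blacklist={row['passes_blacklist']!s:5s} "
              f"raw_tag_after_encoding={row['raw_tag_after_encoding']}")
```

Running it shows where each approach draws its line: the substring check rejects anything that contains the words script or iframe, including the percent-encoded sample once it has been decoded, but lets through markup that uses neither word, whereas entity-encoding at output time leaves no raw "<" in the page regardless of which tag the input carried.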