Fred, we weren't given any background info on the app.  The implications
would be different if you're logging in to your web-based email acct than it
would be if you're logging in to your eTrade trading account, of course.

All good points, Fred.  Anything is possible.  (Sidenote, if I had the
persistence to go through the process you described, I'd get in anyway --
with or without the usernames.)   ;-)

Courtney E. Payne, Developer
Fig Leaf Software
"We've got you covered"
[EMAIL PROTECTED]
www.figleaf.com 


-----Original Message-----
From: Fred T. Sanders [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 8:43 AM
To: [EMAIL PROTECTED]
Subject: Re: OT: Java Script Question


Courtney,

I hope you're not suggesting they run a query of usernames and passwords, or
even just the user names for that matter.  They would be viewable in source.
You might say "well it's just usernames, big deal".  Okay, I've now got a list
of user names I know are on the system, I fire up my Shadow HackNCrack
program, give it my nifty new list of usernames and point it to one of the
many dictionary files I have for passwords and use the http crack module
and brute force the website.  NOT only do I have a high degree of certainty
that I'll eventually get in, I'm now generating 10s of 1000s of hits on the
server, draining resources from use by others, gaining the added benefit of
hacking your site AND performing a very mild DOS attack as an after effect,
thereby slowing down the rest of the site for others, even if only by a
small degree.

Disclaimer:  I uhh don't have any of the above mentioned dictionary files
and would never dream of doing the above mentioned techniques to anything
but my own boxes.  The names of the software mentioned above were not changed; he
lives in a foreign country and could probably use the business, although I'm
not going to give a link to their site, even though the software is only $25
American for the "Shadow Advanced Network Tools", the "Shadow Advanced Local
Tools" and the "Shadow HackandCrack" software suite.  I also won't mention
their Shadow Security Scanner either, which just went up to $100.


The point is security is ALWAYS an issue, because as much as we'd all like
to believe otherwise, there really is no such thing as security, no matter how
much we'd like to believe there is, but that's not an excuse to make it easy
for them.

Fred
----- Original Message -----
From: "Courtney Payne" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 08, 2000 8:05 AM
Subject: RE: OT: Java Script Question


> DD,
>
> Just as a side note, you'll *have* to go back to the server (i.e. your
> action page) to query and check login names unless, on your form page, you
> query your database beforehand and (using WDDX) make it available to your JS
> so that you can do the check right there on the client, without having to
> hit the server first.  For what you're trying to do, though, the code
> provided will solve your issue just fine (would be placed on your action
> page).
>
> Courtney E. Payne, Developer
> Fig Leaf Software
> "We've got you covered"
> [EMAIL PROTECTED]
> www.figleaf.com
>
>
> -----Original Message-----
> From: Peter Theobald [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 07, 2000 11:07 PM
> To: [EMAIL PROTECTED]; House Of Fusion
> Subject: Re: OT: Java Script Question
>
>
>
>        <script>
>         <!--
>         alert("Username taken, please try another")
>         history.back(1)
>         // -->
>         </script>
>
> At 01:25 PM 9/7/00 -0700, Double Down wrote:
> >I would like to flash a java script alert box saying that a login name is
> >already in use. This will happen on the submit and it will go to the
> >action page to check the db. My question is can I have the alert box pop
> >up on the form page so the person does not have to go back and re-enter
> >all of their information. How do I do this?
> >
> >
> >
> >TIA
> >DDINC
> >
> >
>
> >---------------------------------------------------------------------------
> >Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> >To Unsubscribe visit
> >http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
> >send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
>
>
> ---------------------------------------------------------------------------
> Peter Theobald, Chief Technology Officer
> LiquidStreaming http://www.liquidstreaming.com
> [EMAIL PROTECTED]
> Phone 1.212.545.1232 Fax 1.212.679.8032
>
>
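Fred's scenario above (a harvested username list fed to a dictionary attack, producing tens of thousands of failed logins) has a recognisable footprint on the server side. The following is an added example, not code from anyone in this thread: a small detector run over constructed login-log lines that flags a client IP which accumulates many failures spread across several distinct usernames inside a short window, the pattern that distinguishes a list-driven attack from one user mistyping a password. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread): timestamp, client IP, username, HTTP status.
# 203.0.113.7 walks a username list with one guess each; 198.51.100.9 is a normal user.
SAMPLE_LOG = """\
2000-09-08T08:43:01 203.0.113.7 alice 401
2000-09-08T08:43:02 203.0.113.7 bob 401
2000-09-08T08:43:02 203.0.113.7 carol 401
2000-09-08T08:43:03 203.0.113.7 dave 401
2000-09-08T08:43:03 203.0.113.7 erin 401
2000-09-08T08:43:04 203.0.113.7 frank 401
2000-09-08T08:43:10 198.51.100.9 alice 401
2000-09-08T08:43:25 198.51.100.9 alice 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")  # assumed log layout


def parse(log_text):
    """Yield (timestamp, ip, user, status) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, status = m.groups()
            yield datetime.fromisoformat(ts), ip, user, int(status)


def find_spraying_sources(log_text, window=timedelta(seconds=60),
                          max_failures=5, min_users=3):
    """Return {ip: sorted distinct usernames} for every IP that produced more than
    max_failures failed logins (HTTP 401) against at least min_users distinct
    usernames within a single sliding window of the given length."""
    failures = defaultdict(list)
    for ts, ip, user, status in parse(log_text):
        if status == 401:
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if end - start + 1 > max_failures and len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged
```

The flagged map is what a rate limiter or lockout rule would key on; the distinct-username threshold keeps a single forgetful user from being treated as an attacker.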
