Witango-Talk: Network outages @ witango.com Friday 24th Sept AEST

2004-09-22 Thread Phil Wade
Hi,
On Friday 24th Sept (in Australia), between 10am and 5pm AEST (Thursday 5pm
and 12am PST) we will be doing some network maintenance and upgrades.

During this upgrade window there will be times where our web, witango-talk
and email will be unavailable.  This is part of the upgrade.  These services
will return and be accessible shortly thereafter.

If you do have an emergency (an unforeseen combination of circumstances or
the resulting state that calls for immediate action) we will still be able
to be contacted on that antiquated technology called the telephone.


Phone:  +61 2 9460 0500
Fax  :  +61 2 9460 0502


Do not panic or be alarmed we are only upgrading our network infrastructure.
A few hours without witango-talk will do you good.  ;)


Regards

Phil


TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf


Re: Witango-Talk: Security question

2004-09-22 Thread Sri Amudhanar
Ooops!
Just noticed a bug in my test value syntax. Make that %'; (percent + single-quote
+ semicolon) since % is the SQL wildcard for column values in most databases
(except Access). Similarly choose the line terminator applicable for your
database SQL syntax (# in some cases), and/or programming language (semicolon,
etc.).
Sri

Sri Amudhanar wrote:

Since you provide your own SQL in a DirectDBMS action, you are responsible
for its quality, so like Gauthier suggests, use stored procedures/parameterized
queries.
Sri Amudhanar
Maxys Corporation
Authorized Witango Reseller
Authorized Pervasive, Cisco, HP, Thawte Reseller.

Roland Dumas wrote:

I’m slow here. Does this mean that if there is a SQL query in a DirectDBMS
Action that it’s protected by this bind dust? Or just New Record and Update
Actions?

On 9/22/04 11:34 AM, "Sri Amudhanar" <[EMAIL PROTECTED]> wrote:

One of the lesser talked about features of Witango/Tango server architecture
is the advantage of "actions", especially the database actions. According to
what I have gleaned over the years (since I don't work for Pervasive or
Witango, and I don't have access to the Server source code), the database
action appears to "PREPARE" SQL and then "BIND" values to it on the fly,
before actually executing the statement. This way quotes and other SQL-breaking
characters in the field values are prevented from breaking the query. If you
attempt to assemble your own SQL query for use in Witango/Tango, PHP (which has
no equivalent of a database action), or a Java application etc., SQL hacking is
a serious problem that will need to be addressed. Witango/Tango <@BIND **> tags
provide a great service here.

For one answer to the question, create a TAF that is used for login (i.e.
searching on userid AND password) and enter the values for userid and password
as *'; (star + single-quote + semicolon). If your query breaks the program
logic, you have a problem. If it doesn't, your system is inoculated against
this kind of SQL injection attack, at least.

As they say, have fun!
Sri Amudhanar
Maxys Corporation

[EMAIL PROTECTED] wrote:

Hello,

this issue is known as "SQL injection" problem, search on google for more
information.

You should use stored proc (if available) or parameterized queries, and also
rely on argument checking (B) to avoid completely this security issue.

Hope this helps.

Gauthier

- Original Message -
From: "Roland Dumas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 2004 5:52 PM
Subject: Re: Witango-Talk: Security question

I want the SHORT answer, something like:

A.) If you use witango, a browser-submitted piece of coding can't affect the
database, witango, or a visitor who searches and gets the record with the
code.
B.) Holy s**t!: You're an idiot of you doing have a layer in front of a
submit that searches and kills anything that looks like this.
C.) It is theoretically possible to submit harmful code that might do
this.

If someone put some SQL in a text field, for instance, what might happen to
it down the line?

On a prior project, there was a unix head who thought he could break a
witango app by submitting all kinds of junk. He tried and tried and failed.
He put in SQL, unix commands, and all kinds of noise, but all it did was
store it and show it back to him when he queried.  Is that my answer?

I don't need the general theoretical case of a theoretical app, but witango
as the app server and mysql as the dbms.

On 9/22/04 8:39 AM, "William M.Conlon" <[EMAIL PROTECTED]> wrote:

Must reading:

http://www.owasp.org/documentation/topten.html

Welcome to the OWASP Top Ten Project

The OWASP Top Ten provides a minimum standard for web application
security. The OWASP Top Ten represents a broad consensus about what the
most critical web application security flaws are. Project members
include a variety of security experts from around the world who have
shared their expertise to produce this list. There are currently
versions in English, French, Japanese, and Korean. A Spanish version is
in the works. We urge all companies to adopt the standard within their
organization and start the process of ensuring that their web
applications do not contain these flaws. Adopting the OWASP Top Ten is
perhaps the most effective first step towards changing the software
development culture within your organization into one that produces
secure code.
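
The PREPARE/BIND behaviour Sri describes above, and his *'; and %'; login probe, as an added example that is not from the list or from Witango: a hand-assembled login query of the DirectDBMS kind next to the same query with bound ? placeholders (the form the Search Action debug log shows further down in this digest), run against both probe values. sqlite3 stands in for MySQL/Oterro, the User row is constructed, and the UPassword column is an assumption (UEmail and UPWHint are borrowed from the Search Action thread).

```python
"""Added example, not from the Witango-Talk thread: Sri's login probe run
against a hand-assembled query and against a PREPARE/BIND-style query."""
import sqlite3

# The two probe values suggested in the thread: star or percent + single quote + semicolon.
PROBE_VALUES = ["*';", "%';"]


def make_db():
    """Constructed in-memory stand-in for the login table (sqlite3, not MySQL/Oterro).
    UPassword is an assumed column name; UEmail/UPWHint come from the Search Action post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (UEmail TEXT, UPassword TEXT, UPWHint TEXT)")
    conn.execute("INSERT INTO User VALUES ('fog', 'secret', 'pet name')")  # constructed row
    return conn


def concat_sql(userid, password):
    """The hand-assembled (DirectDBMS-style) way: splice submitted values into the SQL text."""
    return ("SELECT UPWHint FROM User WHERE UEmail='" + userid
            + "' AND UPassword='" + password + "'")


def login_concat(conn, userid, password):
    """Run the spliced query. A quote or ';' in the input changes the statement itself,
    so the probe ends the statement early and leaves a dangling second statement."""
    try:
        rows = conn.execute(concat_sql(userid, password)).fetchall()
        return ("ok", rows)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Python < 3.11 raises sqlite3.Warning for trailing SQL, newer versions ProgrammingError
        return ("error", type(exc).__name__)


def login_bound(conn, userid, password):
    """The database-action way: PREPARE with '?' placeholders, then BIND the values.
    The driver never re-parses the values as SQL, so the probe is an ordinary string
    that simply matches no row."""
    sql = "SELECT UPWHint FROM User WHERE UEmail=? AND UPassword=?"
    return ("ok", conn.execute(sql, (userid, password)).fetchall())


def run_probe(conn):
    """Sri's test: feed each probe as both userid and password and record whether the
    program logic breaks. Returns {probe: {"concat": status, "bound": status}}."""
    return {
        v: {"concat": login_concat(conn, v, v)[0], "bound": login_bound(conn, v, v)[0]}
        for v in PROBE_VALUES
    }


if __name__ == "__main__":
    db = make_db()
    for probe, outcome in run_probe(db).items():
        print(f"{probe!r}: hand-assembled -> {outcome['concat']}, bound -> {outcome['bound']}")
    print("legitimate login via bound query:", login_bound(db, "fog", "secret"))
```

The hand-assembled form fails Sri's test (the probe breaks the statement), while the bound form returns an empty result set and the legitimate credentials still match.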

Re: Witango-Talk: Security question

2004-09-22 Thread Sri Amudhanar
Since you provide your own SQL in a DirectDBMS action, you are responsible
for its quality, so like Gauthier suggests, use stored procedures/parameterized
queries.
Sri Amudhanar
Maxys Corporation
Authorized Witango Reseller
Authorized Pervasive, Cisco, HP, Thawte Reseller.

Roland Dumas wrote:

I’m slow here. Does this mean that if there is a SQL query in a DirectDBMS
Action that it’s protected by this bind dust? Or just New Record and Update
Actions?

On 9/22/04 11:34 AM, "Sri Amudhanar" <[EMAIL PROTECTED]> wrote:

One of the lesser talked about features of Witango/Tango server architecture
is the advantage of "actions", especially the database actions. According to
what I have gleaned over the years (since I don't work for Pervasive or
Witango, and I don't have access to the Server source code), the database
action appears to "PREPARE" SQL and then "BIND" values to it on the fly,
before actually executing the statement. This way quotes and other SQL-breaking
characters in the field values are prevented from breaking the query. If you
attempt to assemble your own SQL query for use in Witango/Tango, PHP (which has
no equivalent of a database action), or a Java application etc., SQL hacking is
a serious problem that will need to be addressed. Witango/Tango <@BIND **> tags
provide a great service here.

For one answer to the question, create a TAF that is used for login (i.e.
searching on userid AND password) and enter the values for userid and password
as *'; (star + single-quote + semicolon). If your query breaks the program
logic, you have a problem. If it doesn't, your system is inoculated against
this kind of SQL injection attack, at least.

As they say, have fun!
Sri Amudhanar
Maxys Corporation

[EMAIL PROTECTED] wrote:

Hello,

this issue is known as "SQL injection" problem, search on google for more
information.

You should use stored proc (if available) or parameterized queries, and also
rely on argument checking (B) to avoid completely this security issue.

Hope this helps.

Gauthier

- Original Message -
From: "Roland Dumas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 2004 5:52 PM
Subject: Re: Witango-Talk: Security question

I want the SHORT answer, something like:

A.) If you use witango, a browser-submitted piece of coding can't affect the
database, witango, or a visitor who searches and gets the record with the
code.
B.) Holy s**t!: You're an idiot of you doing have a layer in front of a
submit that searches and kills anything that looks like this.
C.) It is theoretically possible to submit harmful code that might do
this.

If someone put some SQL in a text field, for instance, what might happen to
it down the line?

On a prior project, there was a unix head who thought he could break a
witango app by submitting all kinds of junk. He tried and tried and failed.
He put in SQL, unix commands, and all kinds of noise, but all it did was
store it and show it back to him when he queried.  Is that my answer?

I don't need the general theoretical case of a theoretical app, but witango
as the app server and mysql as the dbms.

On 9/22/04 8:39 AM, "William M.Conlon" <[EMAIL PROTECTED]> wrote:

Must reading:

http://www.owasp.org/documentation/topten.html

Welcome to the OWASP Top Ten Project

The OWASP Top Ten provides a minimum standard for web application
security. The OWASP Top Ten represents a broad consensus about what the
most critical web application security flaws are. Project members
include a variety of security experts from around the world who have
shared their expertise to produce this list. There are currently
versions in English, French, Japanese, and Korean. A Spanish version is
in the works. We urge all companies to adopt the standard within their
organization and start the process of ensuring that their web
applications do not contain these flaws. Adopting the OWASP Top Ten is
perhaps the most effective first step towards changing the software
development culture within your organization into one that produces
secure code.

On Tuesday, September 21, 2004, at 11:43 PM, Ben Johansen wrote:

Hi Roland,

This is very unlikely; it is more likely that they would try to add sql
statements in the input field.

First off, the data type constraints of the database field would probably
either prevent the saving of the offensive code or will most likely
truncate it.

Even if there is supposedly evil script saved in the data, when pulled from
the database it is not being viewed in a manner that will execute it.

Plus, most firewalls and antivirus servers and clients will block
Witango-Talk: applications.ini and APPPATH

2004-09-22 Thread William M . Conlon
I'm confused about how the path is set for application execution.  I 
assume an 'application' is a collection of witango executables 
contained within a directory marked by <@APPPATH>.  But I seem to have 
trouble getting anything other than the first stanza in 
applications.ini to be recognized.

Am I reading this wrong?  My testing seems to indicate that Witango 
extracts the path relative to the web root directory, and determines 
the application from this sub-path, rather than the full-path.

I would like to have two witango applications defined in 
applications.ini, presumably set up as

[Applications]
app1=
app2=
[app1]
PATH=/path/to/app1
DEFAULTERRORFILE=/path/to/app1/error1.html
[app2]
PATH=/path/to/app2
DEFAULTERRORFILE=/path/to/app2/error2.html
Then my web sites would be configured as virtual hosts.  Below shows 
three domains, two using app1, and one using app2.  Is this possible?


ServerName app1.mydomain.com
DocumentRoot /path/to/app1


ServerName app1.yourdomain.com
DocumentRoot /path/to/app1


ServerName app2.mydomain.com
DocumentRoot /path/to/app2


So to test this out, I have a little taf that just displays:
Applicationswitch: @@system$applicationswitch
Appname: <@APPNAME>
AppPath: <@APPPATH>
APPFILEPATH: <@APPFILEPATH>
@@application$dedfaulterrorfile
When I execute this, I get back:
Applicationswitch: on
Appname: Default
AppPath: /
APPFILEPATH: /
It looks like ,
But some questions.
1.  How does witango extract the path to determine it's executing app1 
or app2.  <


Re: Witango-Talk: startupurl problem

2004-09-22 Thread Roland Dumas

Most odd. I have a startup.taf that initializes domain variable and it's
pretty reliable. Never told to come back later.

On 9/22/04 3:03 PM, "Bill Conlon" <[EMAIL PROTECTED]> wrote:

> I want to initialize domain variables at server startup, but my
> startup.taf fails with the following:
> 
> 22/09/2004  14:49:38  66.219.95.114
> [EMAIL PROTECTED]  1102691248  1   0
> [Error] -1070 The server is starting up and can not process regular
> requests.
> 22/09/2004  14:49:38  66.219.95.114
> [EMAIL PROTECTED]  1102691248  1   0
> [Error] -1070 The server is starting up and can not process regular
> requests.
> 



Re: Witango-Talk: Security question

2004-09-22 Thread Roland Dumas
I’m slow here. Does this mean that if there is a SQL query in a DirectDBMS Action that it’s protected by this bind dust? Or just New Record and Update Actions?


On 9/22/04 11:34 AM, "Sri Amudhanar" <[EMAIL PROTECTED]> wrote:

One of the lesser talked about features of Witango/Tango server architecture
is the advantage of "actions", especially the database actions. According to
what I have gleaned over the years (since I don't work for Pervasive or
Witango, and I don't have access to the Server source code), the database
action appears to "PREPARE" SQL and then "BIND" values to it on the fly,
before actually executing the statement. This way quotes and other SQL-breaking
characters in the field values are prevented from breaking the query. If you
attempt to assemble your own SQL query for use in Witango/Tango, PHP (which has
no equivalent of a database action), or a Java application etc., SQL hacking is
a serious problem that will need to be addressed. Witango/Tango <@BIND **> tags
provide a great service here.

For one answer to the question, create a TAF that is used for login (i.e.
searching on userid AND password) and enter the values for userid and password
as *'; (star + single-quote + semicolon). If your query breaks the program
logic, you have a problem. If it doesn't, your system is inoculated against
this kind of SQL injection attack, at least.

As they say, have fun!
Sri Amudhanar
Maxys Corporation

[EMAIL PROTECTED] wrote:

Hello,

this issue is known as "SQL injection" problem, search on google for more
information.

You should use stored proc (if available) or parameterized queries, and also
rely on argument checking (B) to avoid completely this security issue.

Hope this helps.

Gauthier

- Original Message -
From: "Roland Dumas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 2004 5:52 PM
Subject: Re: Witango-Talk: Security question

I want the SHORT answer, something like:

A.) If you use witango, a browser-submitted piece of coding can't affect the
database, witango, or a visitor who searches and gets the record with the
code.
B.) Holy s**t!: You're an idiot of you doing have a layer in front of a
submit that searches and kills anything that looks like this.
C.) It is theoretically possible to submit harmful code that might do
this.

If someone put some SQL in a text field, for instance, what might happen to
it down the line?

On a prior project, there was a unix head who thought he could break a
witango app by submitting all kinds of junk. He tried and tried and failed.
He put in SQL, unix commands, and all kinds of noise, but all it did was
store it and show it back to him when he queried.  Is that my answer?

I don't need the general theoretical case of a theoretical app, but witango
as the app server and mysql as the dbms.

On 9/22/04 8:39 AM, "William M.Conlon" <[EMAIL PROTECTED]> wrote:

Must reading:

http://www.owasp.org/documentation/topten.html

Welcome to the OWASP Top Ten Project

The OWASP Top Ten provides a minimum standard for web application
security. The OWASP Top Ten represents a broad consensus about what the
most critical web application security flaws are. Project members
include a variety of security experts from around the world who have
shared their expertise to produce this list. There are currently
versions in English, French, Japanese, and Korean. A Spanish version is
in the works. We urge all companies to adopt the standard within their
organization and start the process of ensuring that their web
applications do not contain these flaws. Adopting the OWASP Top Ten is
perhaps the most effective first step towards changing the software
development culture within your organization into one that produces
secure code.

On Tuesday, September 21, 2004, at 11:43 PM, Ben Johansen wrote:

Hi Roland,

This is very unlikely; it is more likely that they would try to add sql
statements in the input field.

First off, the data type constraints of the database field would probably
either prevent the saving of the offensive code or will most likely
truncate it.

Even if there is supposedly evil script saved in the data, when pulled from
the database it is not being viewed in a manner that will execute it.

Plus, most firewalls and antivirus servers and clients will block in the
unlikely event that the script is intact.

I have had this attempt happen to me, but the hacker didn't realize that the
form didn't save to the database but was just emailed to me. I have viewed
the code in Outlook without any issues.

Ben Johansen

-Original Message-
From: Roland Dumas [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 21, 2004 8:15 PM
To: [EMAIL PROTECTED]
Subject: Witango-Talk: Security question

Have a client who is asking questions about security. Specifically, if there
is a field that is

RE: Witango-Talk: Search Action

2004-09-22 Thread David Shelley
Hi Steve,

You have a copy of my Tango Debugging Tools don't you? If so, connect to
your datasource, copy your select statement from the debug code and
paste it in the SQL Command window. Then tweak it manually until you get
the syntax just right. Maybe the column UDisabled is not a text
datatype, so you wouldn't want the value quoted.

ie
SELECT U1.UPWHint,U1.UEmail FROM User U1 WHERE (U1.UEmail='fog'
AND U1.UDisabled=1)

Dave

-Original Message-
From: Fogelson, Steve [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 22, 2004 5:38 PM
To: Witango User Group (E-mail)
Subject: Witango-Talk: Search Action

I am testing Witango 5.5.003 with Oterro 3.0

I am using a simple Search Action and I have a couple questions about
the
following debug:

1) Why does Witango change the SQL and use '?' for the variable values
and
then show them in BoundVals?

2) Any ideas about the syntax error?

[Query] [382] SELECT U1.UPWHint,U1.UEmail FROM User U1 WHERE
(U1.UEmail=?
AND U1.UDisabled=?) 
[BoundVals] [382] [v1='fog'; v2='1'] 
[Error] [396] 2367 [RBTI][Oterro ODBC Driver][Sports]-ERROR- Syntax
error
(2367) 42000

Thanks

Steve Fogelson
Internet Commerce Solutions



Witango-Talk: startupurl problem

2004-09-22 Thread Bill Conlon
I want to initialize domain variables at server startup, but my 
startup.taf fails with the following:

22/09/2004  14:49:38  66.219.95.114
[EMAIL PROTECTED]  1102691248  1   0
[Error] -1070 The server is starting up and can not process regular
requests.
22/09/2004  14:49:38  66.219.95.114
[EMAIL PROTECTED]  1102691248  1   0
[Error] -1070 The server is starting up and can not process regular
requests.

Yet if I execute it from a browser, after the server starts:
22/09/2004  15:00:18  66.219.95.118
[EMAIL PROTECTED]  1123670960  1   44
[Application File]  START   /startup.taf  WitangoServer
22/09/2004  15:00:18  66.219.95.114
[EMAIL PROTECTED]  1134160816  2   39
[Application File]  START   /init.taf   WitangoServer
22/09/2004  15:00:18  66.219.95.114
[EMAIL PROTECTED]  1134160816  2   44
[Application File]  END     /init.taf
22/09/2004  15:00:18  66.219.95.118
[EMAIL PROTECTED]  1123670960  1   104
[User Message] startup.taf: Initialized domain variables for
ccmhtest3.tothept.com
22/09/2004  15:00:18  66.219.95.114
[EMAIL PROTECTED]  1113181104  2   41
[Application File]  START   /init.taf   WitangoServer
22/09/2004  15:00:18  66.219.95.114
[EMAIL PROTECTED]  1113181104  2   44
[Application File]  END     /init.taf
22/09/2004  15:00:18  66.219.95.118
[EMAIL PROTECTED]  1123670960  1   152
[User Message] startup.taf: Initialized domain variables for
sox3.tothept.com
22/09/2004  15:00:18  66.219.95.118
[EMAIL PROTECTED]  1123670960  1   153
[Application File]  END     /startup.taf

So why does the server execute the startupurl before it's ready to 
accept requests?  How does one delay the execution of startupurl until 
the server is running?


Witango-Talk: Search Action

2004-09-22 Thread Fogelson, Steve
I am testing Witango 5.5.003 with Oterro 3.0

I am using a simple Search Action and I have a couple questions about the
following debug:

1) Why does Witango change the SQL and use '?' for the variable values and
then show them in BoundVals?

2) Any ideas about the syntax error?

[Query] [382] SELECT U1.UPWHint,U1.UEmail FROM User U1 WHERE (U1.UEmail=?
AND U1.UDisabled=?) 
[BoundVals] [382] [v1='fog'; v2='1'] 
[Error] [396] 2367 [RBTI][Oterro ODBC Driver][Sports]-ERROR- Syntax error
(2367) 42000

Thanks

Steve Fogelson
Internet Commerce Solutions


Witango-Talk: undefined variables

2004-09-22 Thread Bill Conlon
I note there is a metatag <@DEFINE> that creates an empty variable of the
specified type in the specified scope.

How does one identify undefined variables?  The debugger, unfortunately 
will not catch this.  Will the 5.5 syntax checker catch it (doubtful, 
since it can't know the full execution context of an application)?  Can 
the server be configured to throw an error?

The typical problem is a mis-spelled variable name, but this can also 
occur if a dependency hasn't been satisfied, or if user variables have 
timed out.

Any thoughts?
thx


RE: Witango-Talk: Mail Error

2004-09-22 Thread Steve Campbell
Hello Everyone

I have a simple taf that takes some information and sends a thank you thru
email right back to the user.  No big deal and matter of fact, the taf isn't
even in use yet, I am still testing it. 

Last night before I closed up shop, I tested it and it was working fine,
today I started to get this error.  Now, I have never seen this particular
error, so I was hoping someone here might have some advice.

Thanks 
Steve


Error message below


An unexpected error occurred while
Sending the mail message.
451 mail server temporarily rejected
Message (#4.3.0)

Main Error  -327



Re: Witango-Talk: Security question

2004-09-22 Thread webdude
Sorry, but you forgot the "
it should read...   :-)
Should read:
 B.) Holy s*"*t!: You're an idiot if you don't have a layer in front of a
 new record or update that searches and kills anything that looks like
 this.

I flunked proofreading
This option:
On 9/22/04 8:52 AM, "Roland Dumas" <[EMAIL PROTECTED]> wrote:
 B.) Holy s**t!: You're an idiot of you doing have a layer in front of a
 submit that searches and kills anything that looks like this.
Should read:
 B.) Holy s**t!: You're an idiot if you don't have a layer in front of a
 new record or update that searches and kills anything that looks like
 > this.



Re: Witango-Talk: Security question

2004-09-22 Thread Sri Amudhanar
One of the lesser talked about features of Witango/Tango server architecture
is the advantage of "actions", especially the database actions. According to
what I have gleaned over the years (since I don't work for Pervasive or
Witango, and I don't have access to the Server source code), the database
action appears to "PREPARE" SQL and then "BIND" values to it on the fly,
before actually executing the statement. This way quotes and other SQL-breaking
characters in the field values are prevented from breaking the query. If you
attempt to assemble your own SQL query for use in Witango/Tango, PHP (which has
no equivalent of a database action), or a Java application etc., SQL hacking is
a serious problem that will need to be addressed. Witango/Tango <@BIND **> tags
provide a great service here.

For one answer to the question, create a TAF that is used for login (i.e.
searching on userid AND password) and enter the values for userid and password
as *'; (star + single-quote + semicolon). If your query breaks the program
logic, you have a problem. If it doesn't, your system is inoculated against
this kind of SQL injection attack, at least.

As they say, have fun!
Sri Amudhanar
Maxys Corporation

[EMAIL PROTECTED] wrote:

Hello,

this issue is known as "SQL injection" problem, search on google for more
information.

You should use stored proc (if available) or parameterized queries, and also
rely on argument checking (B) to avoid completely this security issue.

Hope this helps.

Gauthier

- Original Message -
From: "Roland Dumas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 2004 5:52 PM
Subject: Re: Witango-Talk: Security question

I want the SHORT answer, something like:

A.) If you use witango, a browser-submitted piece of coding can't affect the
database, witango, or a visitor who searches and gets the record with the
code.
B.) Holy s**t!: You're an idiot of you doing have a layer in front of a
submit that searches and kills anything that looks like this.
C.) It is theoretically possible to submit harmful code that might do
this.

If someone put some SQL in a text field, for instance, what might happen to
it down the line?

On a prior project, there was a unix head who thought he could break a
witango app by submitting all kinds of junk. He tried and tried and failed.
He put in SQL, unix commands, and all kinds of noise, but all it did was
store it and show it back to him when he queried.  Is that my answer?

I don't need the general theoretical case of a theoretical app, but witango
as the app server and mysql as the dbms.

On 9/22/04 8:39 AM, "William M.Conlon" <[EMAIL PROTECTED]> wrote:

Must reading:

http://www.owasp.org/documentation/topten.html

Welcome to the OWASP Top Ten Project

The OWASP Top Ten provides a minimum standard for web application
security. The OWASP Top Ten represents a broad consensus about what the
most critical web application security flaws are. Project members
include a variety of security experts from around the world who have
shared their expertise to produce this list. There are currently
versions in English, French, Japanese, and Korean. A Spanish version is
in the works. We urge all companies to adopt the standard within their
organization and start the process of ensuring that their web
applications do not contain these flaws. Adopting the OWASP Top Ten is
perhaps the most effective first step towards changing the software
development culture within your organization into one that produces
secure code.

On Tuesday, September 21, 2004, at 11:43 PM, Ben Johansen wrote:

Hi Roland,

This is very unlikely; it is more likely that they would try to add sql
statements in the input field.

First off, the data type constraints of the database field would probably
either prevent the saving of the offensive code or will most likely
truncate it.

Even if there is supposedly evil script saved in the data, when pulled from
the database it is not being viewed in a manner that will execute it.

Plus, most firewalls and antivirus servers and clients will block in the
unlikely event that the script is intact.

I have had this attempt happen to me, but the hacker didn't realize that the
form didn't save to the database but was just emailed to me. I have viewed
the code in Outlook without any issues.

Ben Johansen

-Original Message-
From: Roland Dumas [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 21, 2004 8:15 PM
To: [EMAIL PROTECTED]
Subject: Witango-Talk: Security question

Have a client who is asking questions about security. Specifically, if there
is a field that is entered via web form and then placed in a database, is
there the possibility that evil scripts can be submitted that will do evil
things either to the database or to a user reading the content of that
column?


Re: Witango-Talk: Security question

2004-09-22 Thread gauthier-s
Hello,

this issue is known as "SQL injection" problem, search on google for more
information.

You should use stored proc (if available) or parameterized queries, and also
rely on argument checking (B) to avoid completely this security issue.

Hope this helps.

Gauthier

- Original Message -
From: "Roland Dumas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 2004 5:52 PM
Subject: Re: Witango-Talk: Security question


>
> I want the SHORT answer, something like:
>
> A.) If you use witango, a browser-submitted piece of coding can't affect the
> database, witango, or a visitor who searches and gets the record with the
> code.
> B.) Holy s**t!: You're an idiot of you doing have a layer in front of a
> submit that searches and kills anything that looks like this.
> C.) It is theoretically possible to submit harmful code that might do
> this.
>
> If someone put some SQL in a text field, for instance, what might happen to
> it down the line?
>
> On a prior project, there was a unix head who thought he could break a
> witango app by submitting all kinds of junk. He tried and tried and failed.
> He put in SQL, unix commands, and all kinds of noise, but all it did was
> store it and show it back to him when he queried.  Is that my answer?
>
> I don't need the general theoretical case of a theoretical app, but witango
> as the app server and mysql as the dbms.
>
>
>
> On 9/22/04 8:39 AM, "William M.Conlon" <[EMAIL PROTECTED]> wrote:
>
> > Must reading:
> >
> > http://www.owasp.org/documentation/topten.html
> >
> >   Welcome to the OWASP Top Ten Project
> >
> > The OWASP Top Ten provides a minimum standard for web application
> > security. The OWASP Top Ten represents a broad consensus about what the
> > most critical web application security flaws are. Project members
> > include a variety of security experts from around the world who have
> > shared their expertise to produce this list. There are currently
> > versions in English, French, Japanese, and Korean. A Spanish version is
> > in the works. We urge all companies to adopt the standard within their
> > organization and start the process of ensuring that their web
> > applications do not contain these flaws. Adopting the OWASP Top Ten is
> > perhaps the most effective first step towards changing the software
> > development culture within your organization into one that produces
> > secure code.
> >
> >
> > On Tuesday, September 21, 2004, at 11:43  PM, Ben Johansen wrote:
> >
> >> Hi Roland,
> >>
> >> This is very unlikely; it is more likely that they would try to add sql
> >> statements in the input field.
> >>
> >> First off, the data type constraints of the database field would probably
> >> either prevent the saving of the offensive code and will most likely
> >> truncate it.
> >>
> >> Even if there is supposedly evil script saved in the data, when pulled from
> >> the database it is not being viewed in a manner that will execute it.
> >>
> >> Plus, most firewalls and antivirus servers and clients will block in the
> >> unlikely event that the script is intact.
> >>
> >> I have had this attempt happen to me, but the hacker didn't realize that the
> >> form didn't save to the database but was just emailed to me. I have viewed
> >> the code in Outlook without any issues.
> >>
> >> Ben Johansen
> >>
> >> -Original Message-
> >> From: Roland Dumas [mailto:[EMAIL PROTECTED]
> >> Sent: Tuesday, September 21, 2004 8:15 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: Witango-Talk: Security question
> >>
> >> Have a client who is asking questions about security. Specifically, if there
> >> is a field that is entered via web form and then placed in a database, is
> >> there the possibility that evil scripts can be submitted that will do evil
> >> things either to the database or to a user reading the content of that
> >> column?
> >>



Re: Witango-Talk: Security question

2004-09-22 Thread Roland Dumas
I flunked proofreading

This option:
On 9/22/04 8:52 AM, "Roland Dumas" <[EMAIL PROTECTED]> wrote:

> B.) Holy s**t!: You're an idiot of you doing have a layer in front of a
> submit that searches and kills anything that looks like this.

Should read:
> B.) Holy s**t!: You're an idiot if you don't have a layer in front of a
> new record or update that searches and kills anything that looks like
> this.



Re: Witango-Talk: Security question

2004-09-22 Thread Roland Dumas

I want the SHORT answer, something like:

A.) If you use witango, a browser-submitted piece of coding can't affect the
database, witango, or a visitor who searches and gets the record with the
code.
B.) Holy s**t!: You're an idiot of you doing have a layer in front of a
submit that searches and kills anything that looks like this.
C.) It is theoretically possible to submit harmful code that might do
this.

If someone put some SQL in a text field, for instance, what might happen to
it down the line?

On a prior project, there was a unix head who thought he could break a
witango app by submitting all kinds of junk. He tried and tried and failed.
He put in SQL, unix commands, and all kinds of noise, but all it did was
store it and show it back to him when he queried.  Is that my answer?

I don't need the general theoretical case of a theoretical app, but witango
as the app server and mysql as the dbms.



On 9/22/04 8:39 AM, "William M.Conlon" <[EMAIL PROTECTED]> wrote:

> Must reading:
> 
> http://www.owasp.org/documentation/topten.html
> 
>   Welcome to the OWASP Top Ten Project
> 
> The OWASP Top Ten provides a minimum standard for web application
> security. The OWASP Top Ten represents a broad consensus about what the
> most critical web application security flaws are. Project members
> include a variety of security experts from around the world who have
> shared their expertise to produce this list. There are currently
> versions in English, French, Japanese, and Korean. A Spanish version is
> in the works. We urge all companies to adopt the standard within their
> organization and start the process of ensuring that their web
> applications do not contain these flaws. Adopting the OWASP Top Ten is
> perhaps the most effective first step towards changing the software
> development culture within your organization into one that produces
> secure code.
> 
> 
> On Tuesday, September 21, 2004, at 11:43  PM, Ben Johansen wrote:
> 
>> Hi Roland,
>> 
>> This is very unlikely; it is more likely that they would try to add sql
>> statements in the input field.
>> 
>> First off, the data type constraints of the database field would probably
>> either prevent the saving of the offensive code and will most likely
>> truncate it.
>> 
>> Even if there is supposedly evil script saved in the data, when pulled from
>> the database it is not being viewed in a manner that will execute it.
>> 
>> Plus, most firewalls and antivirus servers and clients will block in the
>> unlikely event that the script is intact.
>> 
>> I have had this attempt happen to me, but the hacker didn't realize that the
>> form didn't save to the database but was just emailed to me. I have viewed
>> the code in Outlook without any issues.
>> 
>> Ben Johansen
>> 
>> -Original Message-
>> From: Roland Dumas [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, September 21, 2004 8:15 PM
>> To: [EMAIL PROTECTED]
>> Subject: Witango-Talk: Security question
>> 
>> Have a client who is asking questions about security. Specifically, if there
>> is a field that is entered via web form and then placed in a database, is
>> there the possibility that evil scripts can be submitted that will do evil
>> things either to the database or to a user reading the content of that
>> column?
>> 



Re: Witango-Talk: Security question

2004-09-22 Thread William M . Conlon
Must reading:

http://www.owasp.org/documentation/topten.html

  Welcome to the OWASP Top Ten Project

The OWASP Top Ten provides a minimum standard for web application
security. The OWASP Top Ten represents a broad consensus about what the
most critical web application security flaws are. Project members
include a variety of security experts from around the world who have
shared their expertise to produce this list. There are currently
versions in English, French, Japanese, and Korean. A Spanish version is
in the works. We urge all companies to adopt the standard within their
organization and start the process of ensuring that their web
applications do not contain these flaws. Adopting the OWASP Top Ten is
perhaps the most effective first step towards changing the software
development culture within your organization into one that produces
secure code.

On Tuesday, September 21, 2004, at 11:43  PM, Ben Johansen wrote:

> Hi Roland,
>
> This is very unlikely; it is more likely that they would try to add sql
> statements in the input field.
>
> First off, the data type constraints of the database field would probably
> either prevent the saving of the offensive code and will most likely
> truncate it.
>
> Even if there is supposedly evil script saved in the data, when pulled from
> the database it is not being viewed in a manner that will execute it.
>
> Plus, most firewalls and antivirus servers and clients will block in the
> unlikely event that the script is intact.
>
> I have had this attempt happen to me, but the hacker didn't realize that the
> form didn't save to the database but was just emailed to me. I have viewed
> the code in Outlook without any issues.
>
> Ben Johansen
>
> -Original Message-
> From: Roland Dumas [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 21, 2004 8:15 PM
> To: [EMAIL PROTECTED]
> Subject: Witango-Talk: Security question
>
> Have a client who is asking questions about security. Specifically, if there
> is a field that is entered via web form and then placed in a database, is
> there the possibility that evil scripts can be submitted that will do evil
> things either to the database or to a user reading the content of that
> column?

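Roland asks what happens to SQL typed into a text field, and Ben's "it just stored it and showed it back" test is the one most people run. The example below is added here and is not code from the thread, from Witango or from any poster; it assumes an in-memory SQLite table standing in for the thread's MySQL, with constructed inputs (the `%';` probe Sri mentions and a comment carrying a script tag), and shows the two things that test misses: concatenated SQL lets the probe reach the SQL parser as syntax while a parameterized query stores it as plain text, and output escaping is what stops a stored script tag from running in a reader's browser.

```python
import html
import sqlite3

# Constructed sample inputs (not captured traffic): the "%';" probe from
# the thread and a comment that carries a script tag.
SQL_PROBE = "%';"
SCRIPT_COMMENT = "nice site <script>alert(1)</script>"


def open_db():
    """In-memory SQLite stands in for MySQL here (assumption for the example)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return con


def insert_concatenated(con, body):
    """The risky pattern: user text pasted straight into the SQL string.
    Returns True if the INSERT ran, False if the database rejected it,
    i.e. the quote and semicolon were parsed as SQL syntax, not as data."""
    sql = "INSERT INTO comments (body) VALUES ('" + body + "')"
    try:
        con.execute(sql)
        return True
    except sqlite3.Error:
        return False


def insert_parameterized(con, body):
    """The fix Sri recommends: a parameterized query. The text travels as a
    bound value, so quotes and semicolons are stored literally. Returns the
    stored row so the caller can confirm it arrived unchanged."""
    con.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    row = con.execute("SELECT body FROM comments WHERE body = ?", (body,)).fetchone()
    return row[0]


def render(con):
    """Output side: escape before the text reaches a browser, so a stored
    <script> is displayed as text rather than executed. This is the case
    'it showed it back to him' does not prove safe: the database stored it
    faithfully, and the question is what the reader's browser does with it."""
    rows = con.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "".join("<li>%s</li>" % html.escape(body) for (body,) in rows)
```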