Da_Stimulator
DEV Team Forum Moderator
USA
3373 Posts
Posted - 16 November 2001 : 00:43:11

grrrrr what's with the readonly thing?? when did that start??
---- -Eric (da_stimulator) Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code Need a Mod? Check out the Mod Resource

Davio
Development Team Member
Jamaica
12217 Posts
Posted - 16 November 2001 : 01:12:37

LoL, it was always that way Stim. It never changed. You just never used it, that's why.
- David

dayve
Forum Moderator
USA
5820 Posts
Posted - 16 November 2001 : 01:59:25

man you're killing me here, no email still
you got me wondering what the 'hole' is...
why don't ya just visit my forum and pm me there? although you'd have to create an account .. hmmmm oh good grief!
____________ dayve http://www.nineinchnailz.com/forum
Edited by - dayve on 16 November 2001 02:01:00

Da_Stimulator
DEV Team Forum Moderator
USA
3373 Posts
Posted - 16 November 2001 : 02:03:55

just sent ya an email :)
---- -Eric (da_stimulator) Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code Need a Mod? Check out the Mod Resource

dayve
Forum Moderator
USA
5820 Posts
Posted - 16 November 2001 : 11:44:18

thanks, got it this time :) well, you were correct and I will add the changes as noted. any other suggestions to streamlining or making this a more secure tool to use?
____________ dayve http://www.nineinchnailz.com/forum

dayve
Forum Moderator
USA
5820 Posts
Posted - 16 November 2001 : 11:55:21

quote:
You could filter out those directory inputs...

    if Left(request.querystring("page"), 3) = "../" then
        'show error message
    elseif Left(request.querystring("page"), 1) = "/" then
        'show error message
    else
        'code here
    end if

---- -Eric (da_stimulator) Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code Need a Mod? Check out the Mod Resource
well, this seems to have fixed it but you need to add this too:

    if Left(request.querystring("page"), 3) = "../" then
        'show error message
        response.write "sorry, I don't want to share this file"
    elseif Left(request.querystring("page"), 1) = "/" then
        'show error message
        response.write "sorry, I don't want to share this file"
    elseif Left(request.querystring("page"), 2) = "./" then
        'show error message
        response.write "sorry, I don't want to share this file"
    else
        'code here
    end if

____________ dayve http://www.nineinchnailz.com/forum
Edited by - dayve on 16 November 2001 11:56:41

Azaniah
Senior Member
United Kingdom
1004 Posts
Posted - 16 November 2001 : 12:07:07

This is a really great feature ya know
*Secretly loves Dayve's site but not knowing much about NIN never posts [:S]*
Cheers Az
------- Eagles fly!, but weasels don't get sucked into jet engines.

Davio
Development Team Member
Jamaica
12217 Posts
Posted - 17 November 2001 : 00:28:35

I'm finished working on this "View Source Code" for my forum but I'm wondering if there is any other file I should restrict other than the config.asp file from people to view it.
Even if they do view config.asp anyway, they still can't reach my database since it is outside of the web.
But just wanted to ask, just to make sure I don't overlook anything.
- David

dayve
Forum Moderator
USA
5820 Posts
Posted - 17 November 2001 : 01:30:31

quote:
I'm finished working on this "View Source Code" for my forum but I'm wondering if there is any other file I should restrict other than the config.asp file from people to view it.
Even if they do view config.asp anyway, they still can't reach my database since it is outside of the web.
But just wanted to ask, just to make sure I don't overlook anything.
- David
yeah, I've been thinking of other files to secure from viewing but quite frankly, I don't really see any major problems with allowing the source to be viewed. my database can not be downloaded either but just for safe measures I hid config.asp. if you are like me you have old copies of config.asp or other files in your directory that this will work with as well, so I deleted all my config.old, config.bak, etc...
____________ dayve http://www.nineinchnailz.com/forum

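Pulling together the two defensive points in this thread (the "../", "/" and "./" prefix filter on the page parameter, and hiding config.asp plus any stray config.old / config.bak copies), here is an added example in Python, not code from this thread or from the Snitz project, of how a defender would write that check: resolve the requested page against the forum directory and require the result to stay inside it, then serve only .asp files and refuse anything named config. The forum root path and the in-memory file list are constructed sample values.

```python
import html
import posixpath

# Constructed stand-in for the forum directory and a few files in it (sample data,
# not real paths or source from the thread).
FORUM_ROOT = "/inetpub/wwwroot/forum"
SAMPLE_FILES = {
    "default.asp": '<% Response.Write "hello" %>',
    "config.asp": '<% strConnString = "secret" %>',
    "config.bak": '<% strConnString = "old secret" %>',
    "inc_func_common.asp": "<% Function Foo() %>",
}

# Never serve config.asp, nor any leftover copy of it (config.old, config.bak, ...);
# the thread's advice is to delete those copies, this check is the safety net.
DENIED_STEMS = {"config"}
ALLOWED_EXTENSIONS = {".asp"}


def resolve_page(page, root=FORUM_ROOT):
    """Return the confined absolute path for ?page=..., or None if it is refused.

    Rather than testing string prefixes ("../", "/", "./"), the request is joined
    onto the forum root, normalised, and required to stay under that root.
    """
    candidate = page.replace("\\", "/")          # IIS also accepts backslashes
    # A leading "/" would replace root in join(), so always treat page as relative.
    full = posixpath.normpath(posixpath.join(root, candidate.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None                               # resolved outside the forum tree
    stem, ext = posixpath.splitext(posixpath.basename(full))
    if ext.lower() not in ALLOWED_EXTENSIONS or stem.lower() in DENIED_STEMS:
        return None                               # not .asp, or config.asp / config.*
    return full


def view_source(page, files=SAMPLE_FILES, root=FORUM_ROOT):
    """Mimic the mod's response: (status, body) for a ?page= request."""
    full = resolve_page(page, root)
    if full is None:
        return 403, "sorry, I don't want to share this file"
    rel = full[len(root) + 1:]
    if rel not in files:
        return 404, "no such file"
    # Equivalent of Server.HTMLEncode: the source is displayed, never rendered.
    return 200, "<pre>" + html.escape(files[rel]) + "</pre>"
```

Because the path is canonicalised before the check, the separate "./" rule from the thread is no longer needed; a request that normalises to a file inside the forum directory is allowed, one that does not is refused regardless of how it was spelled.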
dayve
Forum Moderator
USA
5820 Posts
Posted - 17 November 2001 : 01:35:02

quote:
I'm finished working on this "View Source Code" for my forum but I'm wondering if there is any other file I should restrict other than the config.asp file from people to view it.
Even if they do view config.asp anyway, they still can't reach my database since it is outside of the web.
But just wanted to ask, just to make sure I don't overlook anything.
- David
check your email
____________ dayve http://www.nineinchnailz.com/forum

Davio
Development Team Member
Jamaica
12217 Posts
Posted - 17 November 2001 : 01:47:12

LoL. Dayve, don't you got anything else better to do with your time?
I named the file source.asp and a link to each page source is on each link on my forum files. You can even look at the source.asp code by entering it in the page variable in the link.
It actually saves me some time, instead of going into my editor to find out what's wrong with the code in a file or if someone wants a mod that I installed they can just look at the source and see how I did it.
Aah. Simplicity at its best. Now I just need someone to find a way to do bad with it something to ruin my day. (I'm kidding)
- David

Rob Poretti
Junior Member
Canada
435 Posts
Posted - 21 November 2001 : 09:37:28

Since everyone is concerned about security (and they ought to be!), and they want to use this facility for themselves, I have a couple of simple solutions...
1) Don't name the file display_source.asp (unless you want everyone to know this). For example, call it something like:
Display_my_password_Page.asp
...where my_password is a bunch of characters that you'll remember.
2) If you are using a Windows based server (NT/2000/XP) to host your site, use this instead:

    <%
    If Request.ServerVariables("LOGON_USER") = "" Then
        ' no authenticated user yet: make the browser prompt for credentials
        Response.Status = "401 Access Denied"
    Else
        asp = Request.QueryString("page")
        set fso = createobject("scripting.filesystemobject")
        set act = fso.opentextfile(server.MapPath(asp))
        read_asp = act.readall
        act.close
        response.write "<pre>" & server.htmlencode(read_asp) & "</pre>"
    End If
    %>

The first time you go to this page, it will ask you to login. You must use your username and password to enter. You only have to do this once per session, so it's not too much of an inconvenience.
Hope this helps,
Rob Poretti Sascom Marketing Group ~ Toronto Cube-Tec Forums vox.905.825.5373 fax.905.825.5960
Edited by - Rob Poretti on 21 November 2001 09:41:12

Rob Poretti
Junior Member
Canada
435 Posts
Posted - 21 November 2001 : 09:38:54

Oh... by the way... thanks for a VERY useful MOD!!!
Rob Poretti Sascom Marketing Group ~ Toronto Cube-Tec Forums vox.905.825.5373 fax.905.825.5960
Edited by - Rob Poretti on 21 November 2001 09:41:42

dayve
Forum Moderator
USA
5820 Posts
Posted - 21 November 2001 : 10:55:03

quote:
Oh... by the way... thanks for a VERY useful MOD!!!
Rob Poretti Sascom Marketing Group ~ Toronto Cube-Tec Forums vox.905.825.5373 fax.905.825.5960
Edited by - Rob Poretti on 21 November 2001 09:41:42
thanks for the info Rob and it is valuable information, but my intention for this mod was that somebody could in fact freely view my source code, with the exception of some pages that would give a hacker a clue as to where to start trying to get at my databases. I get a lot of requests for my source code and I use it for referencing tweaks and mods that I have done since I am not so good at packaging them up.
do you have any additional security awareness that should be brought to our attention? thanks.
____________ dayve http://www.nineinchnailz.com/forum

Rob Poretti
Junior Member
Canada
435 Posts
Posted - 21 November 2001 : 18:27:50

No probs... and I'm sure there are others like yourself that would use that tool in just that way. I was just worried about others that may not be quite in the know... even if you're not a programmer, solution 1 is a piece of cake for anyone to do.
And I know what you're talking about packaging mods!! Yikes! In some cases, packing the mods and doing the documentation takes longer than the mod itself!
I can't think of other security issues as I write this but some ideas come to mind about automatically showing a link depending if someone is logged in, or if they are a moderator or administrator using mLevel... hmmm...
Cheers!
Rob Poretti Sascom Marketing Group ~ Toronto Cube-Tec Forums vox.905.825.5373 fax.905.825.5960
