snaayk
Senior Member
USA
1061 Posts
Posted - 16 May 2002 : 15:03:08
With all this hacker news going on lately, it really makes you think of what vulnerabilities you have.
Perhaps worse than that is, how many vulnerabilities have I made?
I had no idea that any page could be exploited like members.asp; but worse yet, how many times have I left that same hole open in a MOD, or in one of the 4 different MODs I have in motion that are just waiting for 3.4 to come out so that I can complete them? How about the massive project I have going on at work (lucky that's on an intranet and I don't have to worry about hackers quite the same)?
I always wondered what all those =trim, chkstring, (string, "SQLstring") things were all about. Now I wonder: are these functions exclusive to Snitz? Are these functions found in inc_functions.asp? Should I be using them when I make a MOD or install a MOD that doesn't have them? Or are these functions resident to ASP, and can be used anywhere within ASP pages?
Either way, it would be nice if someone here with some knowledge could perhaps shed a little light on this subject for those of us not quite as familiar with the specs of the language.
I know that either HUW or Richard (I think) mentioned a while back that inc_functions was being broken up and that a readme was being constructed for all the different functions found in these files. Is this true, and is it on target for release with 3.4?
Hopefully, with some help we can stop the holes before they are found, and this can only be done with the power of knowledge. This is especially true in a community where a lot of the MOD developers are learning as they go (like myself). And although the MODs work as intended, they may be leaving exploitable holes heretofore unknown.
blackinwhite
Average Member
Turkey
657 Posts
Posted - 16 May 2002 : 15:40:53
Actually most of the functions, including chkstring(bla bla), are in inc_functions.asp.
It is a real treasure, and I am newly discovering what I can do with Snitz. (You know, it's a huge compilation of different coders who help Snitz grow.)
quote:
I know that either HUW or Richard (I think) mentioned a while back that inc_functions was being broken up and that a readme was being constructed for all the different functions found in these files. Is this true, and is it on target for release with 3.4?
I didn't know that. Is there any such readme file for the functions?
@tomic
Senior Member
USA
1790 Posts
blackinwhite
Average Member
Turkey
657 Posts
Posted - 16 May 2002 : 15:59:21
quote:
Check out this post about SQL Injection attacks.
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=26930
I highly recommend reading everything you can on the subject. These functions are not at all unique to Snitz. These functions are necessary to many, if not all, web applications using a database.
@tomic
http://www.skepticfriends.org
Wow, thanks for the topic link @tomic, it's really great.
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 16 May 2002 : 16:46:51
quote: I know that either HUW or Richard (I think) mentioned a while back that inc_functions was being broken up and that a read me was being constructed for all the different function found in these files. Is this true and is it on target for release with 3.4?
The functions are being broken up, but there is no readme file for what each function does. We are only doing a readme file on how to set up your forum.
Want to know when the next version comes out, as soon as possible? Join our Mailing Lists!
MFHOWLAND
Starting Member
6 Posts
Posted - 22 May 2002 : 16:11:12
Security is always an ongoing process. I started learning about security about a year ago with a company that got hit with a worm. The main site page was replaced with one of those lame "You are now owned by NTO".
The holes that you see in Snitz are not uncommon. It is good to see people helping to get rid of these and make the forum better. There are different attacks that work on different SQL DB systems; for instance, you can do DROP statements against a SQL database easily, but it is harder with MS Access or even Oracle.
Some types of attacks are SQL Injection attacks, where you can run database commands because someone leaves a single quote open or doesn't validate a numeric string, etc. About 100% of these errors could be fixed if people would code ASP using the ADODB.Command object. It allows you to set up parameter fields, assign them types (Integer, String, etc.) and then you do not have to worry about all of the parsing issues.
One big problem a forum like Snitz has is anyone can see the source code and thus figure out where the holes are. A nice feature of Snitz (I think) is you can rename your tables? If I can see the code but not guess the name of your table, it makes it harder to hack your system.
Another form of attack that has nothing to do with this forum in particular is OS attacks. The attack that got my old system was done through IIS with a very popular attack that lets you run commands on the IIS server. I was able to shut those kinds of holes down by applying patches.
One thing you should do is keep vigilant with your log files (if you can). On an IIS server you can check and see what commands/pages people are calling and look for anything out of the ordinary; for instance, is someone using the word UNION in a URL when I have no pages called union? Or is CMD.EXE being called?
Anyway, just keep reading and soon you will be an expert.
Thanks, Marshall
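The log check Marshall describes, written out as an added example (Python, not code from this thread or from Snitz). It reads IIS W3C-format lines, URL-decodes each request up to three times so that double-encoded paths such as the `%255c` traversal used by the old IIS command-execution worms are not missed, and flags UNION in a query string, a single quote in a query string, and cmd.exe in a request path. The log lines, IP addresses, table name and field layout are constructed for the example; note that `/forum/union.asp` in the sample is not flagged, because the rule looks at the query string rather than the page name, which is the distinction Marshall draws.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format; not a real log.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-22 16:11:12 10.0.0.5 GET /forum/topic.asp TOPIC_ID=26930 200
2002-05-22 16:11:20 10.0.0.9 GET /forum/members.asp id=1'+UNION+SELECT+M_PASSWORD+FROM+FORUM_MEMBERS-- 500
2002-05-22 16:11:25 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2002-05-22 16:11:30 10.0.0.7 GET /forum/union.asp - 200
2002-05-22 16:11:35 10.0.0.9 GET /forum/topic.asp TOPIC_ID=1%20uNiOn%20all%20select%201 500
"""

RULES = [
    # (rule name, which decoded field to inspect, pattern)
    ("sql-union", "query", re.compile(r"\bunion\b", re.IGNORECASE)),
    ("quote-in-query", "query", re.compile(r"'")),
    ("cmd-exec", "stem", re.compile(r"cmd\.exe", re.IGNORECASE)),
]


def decode(text, rounds=3):
    """Undo percent-encoding repeatedly, so double-encoded input such as
    %255c (-> %5c -> backslash) cannot hide from the patterns."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def parse_line(line):
    """Return a dict for a data line, or None for comment, blank or short lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split(" ")
    if len(fields) < 7:
        return None
    date, time, ip, method, stem, query, status = fields[:7]
    return {
        "ip": ip, "method": method, "status": status,
        "stem": decode(stem),
        "query": decode("" if query == "-" else query),
    }


def scan_iis_log(lines):
    """Apply every rule to every request; return the entries that hit."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = [name for name, field, pattern in RULES if pattern.search(entry[field])]
        if hits:
            findings.append({"ip": entry["ip"], "stem": entry["stem"], "hits": hits})
    return findings


def hits_per_ip(findings):
    """Count findings by client address so repeat offenders stand out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ip"], f["stem"], ",".join(f["hits"]))
    print(hits_per_ip(found))
```

Run it against a real log with `scan_iis_log(open(path).read().splitlines())`. The quote rule will fire on legitimate names such as O'Brien, so treat it as a prompt to look, not as proof of an attack; the UNION and cmd.exe rules are far less noisy.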
redbrad0
Advanced Member
USA
3725 Posts
Posted - 22 May 2002 : 18:09:48
I hate to say this, but I am glad that all of this is coming out in the open. It is really making people aware of the risks of not doing good coding. One thing I have learned is, no matter what you get returned via a form, querystring, or database, to check to make sure the correct value is being passed through. Without this, it can cause all these problems. If your site uses Snitz to help run the entire site, then you need to use the same functions throughout the entire site, or write your own. Just because the forum is safe doesn't mean that the rest of your site is, and it can still cause trouble on the forum through other parts of your site.
Brad Web Hosting with SQL Server @ $24.95 per month
blackinwhite
Average Member
Turkey
657 Posts
Posted - 22 May 2002 : 18:11:16
quote:
Security is always an ongoing process. I started learning about security about a year ago with a company that got hit with a worm. The main site page was replaced with one of those lame "You are now owned by NTO".
The holes that you see in Snitz are not uncommon. It is good to see people helping to get rid of these and make the forum better. There are different attacks that work on different SQL DB systems; for instance, you can do DROP statements against a SQL database easily, but it is harder with MS Access or even Oracle.
Some types of attacks are SQL Injection attacks, where you can run database commands because someone leaves a single quote open or doesn't validate a numeric string, etc. About 100% of these errors could be fixed if people would code ASP using the ADODB.Command object. It allows you to set up parameter fields, assign them types (Integer, String, etc.) and then you do not have to worry about all of the parsing issues.
One big problem a forum like Snitz has is anyone can see the source code and thus figure out where the holes are. A nice feature of Snitz (I think) is you can rename your tables? If I can see the code but not guess the name of your table, it makes it harder to hack your system.
Another form of attack that has nothing to do with this forum in particular is OS attacks. The attack that got my old system was done through IIS with a very popular attack that lets you run commands on the IIS server. I was able to shut those kinds of holes down by applying patches.
One thing you should do is keep vigilant with your log files (if you can). On an IIS server you can check and see what commands/pages people are calling and look for anything out of the ordinary; for instance, is someone using the word UNION in a URL when I have no pages called union? Or is CMD.EXE being called?
Anyway, just keep reading and soon you will be an expert.
Thanks, Marshall
Thanks for sharing your experiences.
What an unsafe world we live in!
redbrad0
Advanced Member
USA
3725 Posts
Posted - 22 May 2002 : 18:55:27
quote:
Thanks for sharing your experiences.
What an unsafe world we live in!
Yeah, imagine that. Let's take, for example: I send you some code I'm working on (aka my gallery) so you can work on something on it, then you just disappear. You are probably trying to release the code as one you wrote also. You can't trust anyone with anything!!!!
Brad Web Hosting with SQL Server @ $24.95 per month
blackinwhite
Average Member
Turkey
657 Posts
Posted - 23 May 2002 : 02:29:47
quote:
quote:
Thanks for sharing your experiences.
What an unsafe world we live in!
Yeah, imagine that. Let's take, for example: I send you some code I'm working on (aka my gallery) so you can work on something on it, then you just disappear. You are probably trying to release the code as one you wrote also. You can't trust anyone with anything!!!!
Brad Web Hosting with SQL Server @ $24.95 per month
Yes, I just finished coding it, just looking for a suitable name. But you realized before it was too late.
Just calm down, man. If I need some code, I'll code it myself. I'm just too busy to deal with it nowadays; I'll send the CSS-integrated files back to you in a couple of days.
redbrad0
Advanced Member
USA
3725 Posts
snaayk
Senior Member
USA
1061 Posts
Posted - 26 May 2002 : 13:01:53
I want to make sure...
If I use a Select Case to set the variable from a Request.Form/QueryString, I shouldn't have to chkString it, right? After all, if it doesn't match a case then nothing will be set. I just want to make sure. I have no need to be injected :)
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 26 May 2002 : 21:29:05
That's correct, snaayk.
www.daoc-halo.com
sijpie
Starting Member
United Kingdom
3 Posts
Posted - 29 August 2002 : 11:44:22
Snaayk's original question really never got answered.
I'll try to rephrase it here:
If I am requesting a text string which will form part of an SQL query, which chkString() case should I use to weed out potentially damaging code?
Is it important to run trim() first, i.e. trim(chkString())?
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 29 August 2002 : 12:00:52
For a text string: chkstring(Request.QueryString("EXAMPLE"),"SQLString")
You can use trim as well, though in most cases it should not be necessary.
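An added worked example (Python with sqlite3, not code from this thread or from Snitz) tying together the three defences the thread discusses: Richard's "SQLString" case, snaayk's Select Case whitelist, and Marshall's ADODB.Command parameters. `sql_string` stands in for the SQLString case by doubling single quotes; that this is the core of what the Snitz function does is an assumption, and the real chkString does more and differs between versions. sqlite3's `?` placeholders stand in for ADODB.Command parameters, and `sort_column` for a Select Case. The table and column names, the member rows and the `x' OR '1'='1` payload are constructed for the example. The caveat it exists to show: quote-doubling only protects a value that sits inside single quotes, so numeric values and ORDER BY columns need integer conversion or a whitelist instead, and a legitimate apostrophe (O'Brien) must still work after escaping.

```python
import sqlite3


def sql_string(value):
    """SQLString-style escape: double every single quote. Only valid for a
    value placed inside '...'; useless for numbers or identifiers, where a
    quote is not the delimiter the attacker needs to break out of."""
    return str(value).replace("'", "''")


def safe_int(value, default=0):
    """Numeric inputs are not quoted, so escaping cannot protect them;
    convert, and fall back to a default for anything that is not a whole number."""
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return default


SORT_COLUMNS = {"name": "M_NAME", "id": "MEMBER_ID"}  # assumed column names


def sort_column(requested):
    """Select Case style whitelist: the request only chooses which fixed
    literal is used, so the untrusted text itself never reaches the SQL."""
    return SORT_COLUMNS.get(str(requested).lower(), "MEMBER_ID")


def make_db():
    """In-memory stand-in for the forum database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FORUM_MEMBERS (MEMBER_ID INTEGER PRIMARY KEY, "
                 "M_NAME TEXT, M_PASSWORD TEXT)")
    conn.executemany("INSERT INTO FORUM_MEMBERS VALUES (?, ?, ?)",
                     [(1, "admin", "hash1"), (2, "O'Brien", "hash2"), (3, "guest", "hash3")])
    return conn


def find_member_concat(conn, name):
    """The vulnerable pattern: the raw request value is concatenated into the SQL."""
    sql = "SELECT MEMBER_ID, M_NAME FROM FORUM_MEMBERS WHERE M_NAME = '" + str(name) + "'"
    return [row[1] for row in conn.execute(sql)]


def find_member_escaped(conn, name):
    """Same query, with the value passed through the SQLString escape first."""
    sql = "SELECT MEMBER_ID, M_NAME FROM FORUM_MEMBERS WHERE M_NAME = '" + sql_string(name) + "'"
    return [row[1] for row in conn.execute(sql)]


def find_member_param(conn, name):
    """Parameterised form: the driver sends the value separately from the SQL
    text, so no quoting rules apply at all (the ADODB.Command approach)."""
    sql = "SELECT MEMBER_ID, M_NAME FROM FORUM_MEMBERS WHERE M_NAME = ?"
    return [row[1] for row in conn.execute(sql, (str(name),))]


def list_members(conn, sort_by, page_size):
    """ORDER BY and LIMIT positions cannot be quoted, so they use the
    whitelist and integer conversion; the %-formatting is safe only because
    both inputs are already reduced to trusted values."""
    sql = "SELECT M_NAME FROM FORUM_MEMBERS ORDER BY %s LIMIT %d" % (
        sort_column(sort_by), safe_int(page_size, 10))
    return [row[0] for row in conn.execute(sql)]


def concat_raises(conn, name):
    """True when the concatenated query is syntactically broken by the input."""
    try:
        find_member_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"
    print(find_member_concat(db, attack))      # every member: the injection worked
    print(find_member_escaped(db, attack))     # []
    print(find_member_param(db, attack))       # []
    print(concat_raises(db, "O'Brien"))        # True: a real name breaks the raw query
    print(find_member_escaped(db, "O'Brien"))  # ["O'Brien"]
    print(list_members(db, "name' --", "5 UNION SELECT 1"))  # whitelist and int fallback
```

Note that sqlite3's `execute` refuses stacked statements, so the demo uses an OR tautology rather than the `DROP` Marshall mentions; on SQL Server the same concatenation would accept `'; DROP TABLE ...--` as well. The escaped and parameterised versions behave identically for the payload, and both still find O'Brien, which the raw concatenation cannot even query.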