Snitz Forums 2000
 (v3.4.03) BUG+FIX: moderate.asp

Deleted
deleted

4116 Posts

Posted - 09 October 2002 : 00:27:06
On lines 505-506:

scriptname = request.servervariables("script_name")
Response.Write	"          <form name=""PageNum" & fnum & """ action=""search.asp?" & chkString(Request.QueryString,"SQLString") & """ method=""post"">" & vbNewLine

The action should be "moderate.asp?..."

Also, in all DropDownPaging, "scriptname" is queried unnecessarily. Actually I think it was meant to be:


... action="" & scriptname &  "?"


This is corrected in v4b04 by defining global variables in config.asp and parsing it once, preventing multiple request object calls/parses.

Stop the WAR!

Edited by - Davio on 11 February 2003 00:17:22

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 11 February 2003 : 00:16:15
Confirmed this is a bug.

But for your second bug, since the subroutine is used in each file it is needed in, I would prefer if the name of the file is hardcoded into the sub instead of getting the name of the file from the server variables.

If the sub was in one file and included in all the other files that needed it, then scriptname would be used.

Support Snitz Forums

Deleted
deleted

4116 Posts

Posted - 12 February 2003 : 02:18:16
This has already been fixed in v4b04a01...

The scriptname retrieval in dropdownpaging in moderate.asp has been queried unnecessarily because it was not used in that function.

The changes in config.asp are:

Dim strScriptName, strTempArr, strScriptFileName, strPathInfo
strScriptName = Request.ServerVariables("script_name")
strTempArr = Split(strScriptName, "/")
strScriptFileName = lcase(strTempArr(Ubound(strTempArr)))
strPathInfo = Request.ServerVariables("Path_Info")

I'll keep them because these are used in many places causing multiple Request.ServerVariables and string manipulations.

I could not understand if the Request.ServerVariables("script_name") and Request.ServerVariables("Path_Info") have any differences although I searched a lot, thus I included both. Any information regarding this will be very appreciated.

Stop the WAR!

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 12 February 2003 : 07:41:06
I haven't found any differences in them either. But I think scriptname is the common one to use.
Are you also checking the code that is being retrieved from those variables? I don't trust any data that can be manipulated by the user.

I also searched the alpha 1 version and I don't see where the code you have in config.asp is being used anywhere in the forum. Are you going to implement it in the next alpha release?

Support Snitz Forums

Deleted
deleted

4116 Posts

Posted - 12 February 2003 : 08:37:44
Occurrences on current code:
7 strScriptName
18 strScriptFileName
1 strPathInfo

I'll replace strPathInfo in pop_datepicker.asp with strScriptName. The strScriptName calculation is done in v3.4.x at least once in title calculation so there will not be any performance loss.

quote:

Are you also checking the code that is being retrieved from those variables? I don't trust any data that can be manipulated by the user.


How can a user manipulate a request.servervariables result? I also never saw a code that checks them...

Stop the WAR!

GauravBhabu
Advanced Member

4288 Posts

Posted - 12 February 2003 : 08:46:49
There must be some way. There had been posts in the past about Norton AntiVirus and Zone Alarm causing HTTP_REFERER to return empty or a string of random characters as referer.

VodkaFish
Average Member

USA
654 Posts

Posted - 12 February 2003 : 17:04:30
quote:
Originally posted by GauravBhabu

There must be some way. There had been posts in the past about Norton AntiVirus and Zone Alarm causing HTTP_REFERER to return empty or a string of random characters as referer

This is what's doing it. I have users who make posts and always get kicked back out to the front of the forums after. They all have a Norton security program installed.

v ø d k â f ï § h

GauravBhabu
Advanced Member

4288 Posts

Posted - 12 February 2003 : 18:02:59
VodkaFish, I posted a solution for that, though for register.asp but it can be used in other files also. Look here

Deleted
deleted

4116 Posts

Posted - 12 February 2003 : 21:00:00
The HTTP_REFERER variable is a lot different than SCRIPT_NAME. The second is not a part of a protocol that connects the server with the client.

Stop the WAR!

davemaxwell
Access 2000 Support Moderator

USA
3020 Posts

Posted - 13 February 2003 : 07:42:00
HTTP_REFERER also tells you where you came from (which is why the Norton Firewall blocks it) and the SCRIPT_NAME tells you where you are.

Dave Maxwell
Barbershop Harmony Freak

GauravBhabu
Advanced Member

4288 Posts

Posted - 13 February 2003 : 08:13:52
Both are part of Server Variables Collection. If HTTP_REFERER can be manipulated then I think other items in the collection can also be manipulated to return wrong or empty values.

Deleted
deleted

4116 Posts

Posted - 13 February 2003 : 10:02:53
quote:
Originally posted by GauravBhabu

Both are part of Server Variables Collection. If HTTP_REFERER can be manipulated then I think other items in the collection can also be manipulated to return wrong or empty values.


To my understanding, request.servervariables provides an access point for ASP programmer to different kinds of information. HTTP header contents is one of these and they are between server and client.

The point of tampering of the HTTP_REFERER is not at the server side, but at the client. It is much more like the User Agent information. The firewall just analyses all packets from/to the computer and checks the headers and changes them if needed. All of these HTTP_* type request.servervariables are subject to modification at any point between the browser and the server. This is where Echelon & Carnivore reside.


=========CLIENT=======                   =========SERVER==========
Browser ===> firewall ===> Internet ====> Server | ASP
            X         ?


On the other hand, the "script_name" is server side only, client has nothing to do with this. Except malicious code running on the server, that part cannot be tampered so easily.

Here is a quick reference for HTTP headers: http://www.cs.tut.fi/~jkorpela/http.html

Stop the WAR!

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 13 February 2003 : 10:09:20
Bozden, what I meant was, the script_name is the name of the page in users' browsers. The user can enter anything in their browser and then submit it. That same url they submit in their browser is stored in the various server variables and then used in the files. If not checked properly, they could execute even javascript code, just by entering it in their browser.

Support Snitz Forums
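
The distinction argued over in the posts above, as an added sketch that is not Snitz code and not part of any post: a Python model of where SCRIPT_NAME, the query string and the HTTP_* variables come from, and of encoding them before they are written into a form's action attribute. The script list, host name and request are constructed, and the case-insensitive lookup is a modelling assumption.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed: the scripts that exist on this hypothetical server.
KNOWN_SCRIPTS = {"/forum/moderate.asp", "/forum/search.asp"}

# Constructed request; Referer and query string are whatever the client sent.
SAMPLE_REQUEST = (
    'GET /Forum/Moderate.asp?whichpage=2"><i>x HTTP/1.1\r\n'
    "Host: forum.example\r\n"
    "Referer: not-a-real-page\r\n"
    "\r\n"
)

def server_variables(raw_request):
    """Model how a server fills CGI-style variables; None stands for a 404."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    method, rest = head[0].split(" ", 1)
    target, _version = rest.rsplit(" ", 1)
    url = urlsplit(target)
    # Model assumption: case-insensitive lookup, path reported as requested.
    if url.path.lower() not in KNOWN_SCRIPTS:
        return None
    env = {
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": url.path,     # constrained to a script that exists
        "QUERY_STRING": url.query,   # free-form client input
    }
    for line in head[1:]:
        name, _, value = line.partition(":")
        # Request headers are copied into HTTP_* variables without checks.
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env

def paging_form_action(env):
    """Value for action="..." from a normalised file name and encoded query."""
    script_file = env["SCRIPT_NAME"].lower().rsplit("/", 1)[-1]
    return escape(script_file + "?" + env["QUERY_STRING"], quote=True)
```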

Deleted
deleted

4116 Posts

Posted - 13 February 2003 : 11:41:10
OK, you must be knowing something I don't know. What do you suggest?

Stop the WAR!

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 07 March 2003 : 21:33:10
Bozden, never mind my concerns about the SCRIPT_NAME variable. Checking the code I realized we don't have checks for SCRIPT_NAME. I thought we did.

My concern had also stemmed from a bug report last month I think, when a user post used a special formatted url, that took advantage of the SCRIPT_NAME being used in the code. I don't think it was anything to worry about.

Fixed the first bug mentioned in your post in 3.4.04

Support Snitz Forums

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 08 March 2003 : 18:02:17
Bozden, what I was referring to: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=40821

Support Snitz Forums
Snitz Forums 2000 © 2000-2021 Snitz™ Communications
Powered By: Snitz Forums 2000 Version 3.4.07