1. Security Issues?
- Posted by "C. K. Lester" <cklester at yahoo.com> Nov 26, 2002
- 446 views
What security issues are there in using Eu WebServer, if any?

Somebody see if this works for them: http://208.188.27.10/members (use any userid and password). This may not be up for much longer...

How do I redirect to another page?

How do I prevent the userid and password from showing up in the URL text box after the user clicks "OK"?
2. Re: Security Issues?
- Posted by Euman <euman at bellsouth.net> Nov 26, 2002
- 409 views
Hey CK,

If you're running the server then you could re-write these in Euphoria:

    #!/usr/local/bin/perl
    use CGI;
    $query = new CGI;
    if ($query->param('url') ne '') {
        # redirect user to value of "url"
        print $query->redirect($query->param('url'));
    } else {
        # no URL was provided so redirect back to referrer
        print $query->redirect($query->referer());
    }

or, written in VB:

    <%@ LANGUAGE="VBScript" %>
    <%
    If (Request("url") <> "") Then
        ' redirect user to value of "url"
        Response.Redirect Request("url")
    Else
        ' no URL was provided so redirect back to referrer
        Response.Redirect Request.ServerVariables("HTTP_REFERER")
    End If
    %>

You can write them in Euphoria in about 2 minutes!

Euman

----- Original Message -----
From: "C. K. Lester" <cklester at yahoo.com>
To: "EUforum" <EUforum at topica.com>
Sent: Tuesday, November 26, 2002 1:32 PM
Subject: RE: Security Issues?

: > Somebody see if this works for them: http://208.188.27.10/members (use any
: > userid and password). This may not be up for much longer...
:
: It's not up anymore, but I'll be testing every once in a while.
:
: I still need to know:
:
: how do I redirect to another page?
:
: For instance, I've gotten the user's ID and password, and now I want to
: send them to the next page. Or I guess I should just form the HTML with
: the appropriate content and each link has a parameter indicating a valid
: user is clicking around... ??? Anybody with some helpful hints and tips,
: please speak up.
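The scripts in the post above send the browser to whatever the "url" parameter contains, and fall back to the client-supplied Referer header. As an added example (not code from the thread, and written in Python rather than Euphoria), here is the same redirect handler restricted to paths on the site itself; `DEFAULT_TARGET`, `safe_redirect_target` and `redirect_headers` are hypothetical names, and the fixed landing page replaces the Referer fallback.

```python
from urllib.parse import urlsplit

DEFAULT_TARGET = "/members"  # assumption: a fixed landing page on this site


def safe_redirect_target(url, default=DEFAULT_TARGET):
    """Return url only if it is a path on this site; otherwise return default."""
    if not url:
        return default
    # Control characters could split the Location header; some browsers
    # treat a backslash like a slash, turning "/\host" into "//host".
    if "\\" in url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return default
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority such as "//["
        return default
    # A scheme ("http:", "javascript:") or a host ("//other.example") means
    # the browser would leave this site.
    if parts.scheme or parts.netloc:
        return default
    # Accept only absolute paths on this server.
    if not url.startswith("/") or url.startswith("//"):
        return default
    return url


def redirect_headers(params):
    """Build the CGI redirect response; params is the parsed query string."""
    target = safe_redirect_target(params.get("url", ""))
    return "Status: 302 Found\nLocation: %s\n\n" % target


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for sample in ["/members/home?tab=1", "https://other.example/login",
                   "//other.example/x", "/ok\r\nSet-Cookie: a=b", ""]:
        print(repr(sample), "->", safe_redirect_target(sample))
```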
3. Re: Security Issues?
- Posted by Robert Craig <rds at RapidEuphoria.com> Nov 26, 2002
- 408 views
C.K. Lester writes:
> For instance, I've gotten the user's ID and password, and now I want to
> send them to the next page. Or I guess I should just form the HTML with
> the appropriate content and each link has a parameter indicating a valid
> user is clicking around... ??? Anybody with some helpful hints and tips,
> please speak up.

This is where "cookies" can be helpful. You output a cookie in the header of the HTML, then the user's Web browser will remember that cookie for you, and you'll be able to access it via an environment variable on any future page that the user visits (by default, until he closes his Web browser). e.g.

    printf(1, "Set-Cookie:myname=%s\n", {name})

A cookie is just a name-value pair.

It's easier than trying to attach his name or id to every link that you provide him.

Search the web for "cgi cookies".

People can potentially fake the value of a cookie, so for security you might want to assign a special code number rather than using his name to identify him.

Also, some people are paranoid about accepting cookies, so they have their browser reject them.

Regards,
Rob Craig
Rapid Deployment Software
http://www.RapidEuphoria.com
4. Re: Security Issues?
- Posted by Kat <kat at kogeijin.com> Nov 26, 2002
- 419 views
On 26 Nov 2002, at 14:31, Robert Craig wrote:

> Also, some people are paranoid about accepting
> cookies, so they have their browser reject them.

Especially us paranoid kats who read security warnings (even from microsoft themselves) about how cookies can contain executable code, and get executed.

Kat
5. Re: Security Issues?
- Posted by "C. K. Lester" <cklester at yahoo.com> Nov 26, 2002
- 450 views
kat, how would you track a user on a web site? or do you care? :)
6. Re: Security Issues?
- Posted by Euman <euman at bellsouth.net> Nov 26, 2002
- 476 views
I reject Cookies because it's a way for sites to monitor where you go and where you've been.

Grab a copy of "ad-aware", run it on your machine and I'll bet you have at least one site that has either stuck code in your registry or sent cookies that they can track your movements with.

Euman
7. Re: Security Issues?
- Posted by "C. K. Lester" <cklester at yahoo.com> Nov 26, 2002
- 402 views
Hey, thanks Rob!

> This is where "cookies" can be helpful.

That's where I was headed before your email came to me!

> You output a cookie in the header of the HTML,
> then the user's Web browser will remember
> that cookie for you, and you'll be able to access it
> via an environment variable on any future page
> that the user visits (by default, until he closes his Web browser).
> e.g.
>     printf(1, "Set-Cookie:myname=%s\n", {name})

I put that in the header of the HTML page?

What environment variable do I look for? How do I retrieve it?
8. Re: Security Issues?
- Posted by "C. K. Lester" <cklester at yahoo.com> Nov 26, 2002
- 431 views
Do you ever go to sites that need to keep track of you on their web site? For instance, password protected pages?
9. Re: Security Issues?
- Posted by "C. K. Lester" <cklester at yahoo.com> Nov 26, 2002
- 412 views
> I don't know the program you are using. I have to use apache on the nix shell,
> and it won't accept the nick!password at domain.com form of an url. I can't
> even get it to return the index.html or the default.html, and I can't reach
> orkim, his email bounces.

Kat, I'm using EU WebServer by Peter Blue, running on a Win2K box. Works great!!!
10. Re: Security Issues?
- Posted by Euman <euman at bellsouth.net> Nov 26, 2002
- 407 views
One link CK,

http://www.sidesport.com/hijack/

There are thousands like it that continually update how to access anything.

Why do you think MS has a Security update every day?

Euman
11. Re: Security Issues?
- Posted by Robert Craig <rds at RapidEuphoria.com> Nov 26, 2002
- 413 views
C.K. Lester writes:
> I put that in the header of the HTML page?

Just before the actual HTML...

    puts(1, "Set-Cookie:myuserid=CKLESTER\n")
    puts(1, "Content-type: text/html\n\n") -- two \n's
    puts(1, "<html><head><title>Welcome to C.K.'s Site</title></head>\n")
    -- puts(1, ...) etc...

> What environment variable do I look for? How do I retrieve it?

    object cookie
    cookie = getenv("HTTP_COOKIE")

Note to the Paranoid:
No cookies are used on RapidEuphoria.com

Regards,
Rob Craig
Rapid Deployment Software
http://www.RapidEuphoria.com
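Rob Craig's earlier advice to assign "a special code number rather than using his name", combined with the Set-Cookie header and HTTP_COOKIE variable shown in the post above, as an added example (not code from the thread, and in Python rather than Euphoria). The cookie name `session`, the `SESSIONS` table and the function names are hypothetical; the table is held in memory only to keep the example self-contained.

```python
import os
import secrets
from http.cookies import CookieError, SimpleCookie

# token -> user id. A CGI program starts fresh on every request, so a real
# deployment keeps this table in a file or database, not in memory.
SESSIONS = {}


def login_headers(userid):
    """After the password check succeeds, open a session and return headers."""
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    SESSIONS[token] = userid
    # The cookie carries only the token, never the user id or password.
    return ("Set-Cookie: session=%s; Path=/; HttpOnly\n"
            "Content-type: text/html\n\n" % token)  # blank line ends headers


def current_user(environ=os.environ):
    """Map the browser's HTTP_COOKIE value back to a user id, or None."""
    jar = SimpleCookie()
    try:
        jar.load(environ.get("HTTP_COOKIE", ""))
    except CookieError:
        return None
    morsel = jar.get("session")
    if morsel is None:
        return None
    # A forged or guessed value is simply not in the table.
    return SESSIONS.get(morsel.value)


if __name__ == "__main__":
    # Constructed requests: one with the issued token, one with a cookie the
    # client made up by itself.
    headers = login_headers("CKLESTER")
    token = headers.split("session=")[1].split(";")[0]
    print(current_user({"HTTP_COOKIE": "session=" + token}))
    print(current_user({"HTTP_COOKIE": "myuserid=CKLESTER"}))
```

When the site is served over HTTPS, add the `Secure` attribute to the cookie so the token is never sent in clear text.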
12. Re: Security Issues?
- Posted by Euman <euman at bellsouth.net> Nov 26, 2002
- 414 views
: Note to the Paranoid:
: No cookies are used on RapidEuphoria.com
:
: Regards,
: Rob Craig
: Rapid Deployment Software
: http://www.RapidEuphoria.com

NOT PARANOID ROB!
Just Cautious..................!

and uh, btw, the ads that display atop RDS site do TRY to submit random cookies.

Euman
13. Re: Security Issues?
- Posted by Kat <kat at kogeijin.com> Nov 27, 2002
- 408 views
On 26 Nov 2002, at 13:52, C. K. Lester wrote:

> kat, how would you track a user on a web site? or do you care? :)

Dynamic webpage generation. They enter a name or whatever, Submit, and the returned page has the ident built into the urls that point to my pages. If they bookmark the page, or "favorites" it, the url is saved complete with the data they entered. I'd use this only for user persistence on sequential pages.

Generally, I don't care. Cookies get killed and faked here before IE ever sees them.

Kat
14. Re: Security Issues?
- Posted by Kat <kat at kogeijin.com> Nov 27, 2002
- 467 views
On 26 Nov 2002, at 14:02, C. K. Lester wrote:

> > I don't know the program you are using. I have to use apache on the nix shell,
> > and it won't accept the nick!password at domain.com form of an url. I can't
> > even get it to return the index.html or the default.html, and I can't reach
> > orkim, his email bounces.
>
> Kat, I'm using EU WebServer by Peter Blue, running on a Win2K box. Works
> great!!!

That's nice. All I can get for commercial shells is *nix.

Kat
15. Re: Security Issues?
- Posted by Kat <kat at kogeijin.com> Nov 27, 2002
- 440 views
On 26 Nov 2002, at 15:38, Euman wrote:

> : Note to the Paranoid:
> : No cookies are used on RapidEuphoria.com
> :
> : Regards,
> : Rob Craig
> : Rapid Deployment Software
> : http://www.RapidEuphoria.com
>
> NOT PARANOID ROB!
> Just Cautious..................!
>
> and uh, btw, the ads that display atop RDS site do TRY to submit random
> cookies.

What ads?

Kat
16. Re: Security Issues?
- Posted by Euler German <efgerman at myrealbox.com> Nov 27, 2002
- 402 views
On 26 Nov 2002, at 13:52, Euman wrote:

> I reject Cookies because it's a way for sites to monitor where you go and
> where you've been.
>
> grab a copy of "ad-aware" run it on your machine and I'll bet you have
> at least one site that has either stuck code in your registry or sent
> cookies that they can track your movements with.
>
> Euman

May I suggest Spybot S&D <http://security.kolla.de/> to you? I found out that Ad-aware people haven't updated spyware signatures since a long time ago (Sep.24).

Kind regards,
-- Euler
17. Re: Security Issues?
- Posted by Robert Craig <rds at RapidEuphoria.com> Nov 29, 2002
- 425 views
C.K. Lester writes:
> Rob Craig writes:
> > cookie = getenv("HTTP_COOKIE")
>
> Doesn't the cookie exist on the user's PC? If that's the case,
> how can the getenv() function return something from a file
> on the user's PC, if, indeed, that is what it does...?

The cookie information is stored on the user's PC by his browser. Whenever he visits your page, his browser will send the cookie information to your server, and your server will make the info available to you in an environment variable.

Some cookies are temporary, and disappear when the browser is closed, but you can also create longer lasting cookies on the user's machine, so, for example, he doesn't have to log in every time.

Regards,
Rob Craig
Rapid Deployment Software
http://www.RapidEuphoria.com