1. Security Issues?

What security issues are there in using Eu WebServer, if any?

Somebody see if this works for them: http://208.188.27.10/members (use any
userid and password). This may not be up for much longer...

How do I redirect to another page?
How do I prevent the userid and password from showing up in the URL text box
after the user clicks "OK"?


2. Re: Security Issues?

Hey CK,

If you're running the server, then you could rewrite these in Euphoria:

#!/usr/local/bin/perl

use CGI;
$query = new CGI;

if ($query->param('url') ne '') {
 # redirect user to value of "url"
 print $query->redirect($query->param('url'));
} else {
 # no URL was provided so redirect back to referrer
 print $query->redirect($query->referer());
}

or, written in VB

<%@ LANGUAGE="VBScript" %>

<%
If (Request("url") <> "") Then
 ' redirect user to value of "url"
 Response.Redirect Request("url")
Else
 ' no URL was provided so redirect back to referrer
 Response.Redirect Request.ServerVariables("HTTP_REFERER")
End If
%>

You can write them in Euphoria in about 2 minutes!

Euman


----- Original Message ----- 
From: "C. K. Lester" <cklester at yahoo.com>
To: "EUforum" <EUforum at topica.com>
Sent: Tuesday, November 26, 2002 1:32 PM
Subject: RE: Security Issues?


: 
: 
: > Somebody see if this works for them: http://208.188.27.10/members (use 
: > any
: > userid and password). This may not be up for much longer...
: 
: It's not up anymore, but I'll be testing every once in a while.
: 
: I still need to know:
: 
:     how do i redirect to another page?
: 
: For instance, I've gotten the user's ID and password, and now I want to 
: send them to the next page. Or I guess I should just form the HTML with 
: the appropriate content and each link has a parameter indicating a valid 
: user is clicking around... ??? Anybody with some helpful hints and tips, 
: please speak up.
: 
: 
: 
: 
:
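
Both redirect scripts in the post above send the browser wherever the `url` parameter or the Referer header says, and both values are supplied by the client. The following is an added example, not code from the thread, written in Python rather than Euphoria; it checks the target before building the `Location` header. `SITE_HOST`, `DEFAULT_TARGET` and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.example.test"   # assumption: the host this CGI script serves
DEFAULT_TARGET = "/"             # assumption: safe landing page on that host


def safe_target(candidate, site_host=SITE_HOST):
    """Return candidate if it keeps the browser on this site, else None."""
    if not candidate:
        return None
    # CR/LF and other control characters would let the value inject extra
    # response headers; some browsers treat a backslash like "/".
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c == "\\" for c in candidate):
        return None
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept absolute paths only. A leading "//"
        # is scheme-relative and would name another host.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return None
    # Absolute URL: http(s) only, and the host (ignoring any userinfo
    # placed before "@") must be our own.
    if parts.scheme in ("http", "https") and parts.hostname == site_host:
        return candidate
    return None


def redirect_response(url_param, referer, site_host=SITE_HOST):
    """CGI redirect with the same fallback order as the scripts above:
    the url parameter, then the referrer, then a fixed default."""
    target = (safe_target(url_param, site_host)
              or safe_target(referer, site_host)
              or DEFAULT_TARGET)
    return "Status: 302 Found\r\nLocation: %s\r\n\r\n" % target
```
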


3. Re: Security Issues?

C.K. Lester writes:
> For instance, I've gotten the user's ID and password, and now I want to 
> send them to the next page. Or I guess I should just form the HTML with 
> the appropriate content and each link has a parameter indicating a valid 
> user is clicking around... ??? Anybody with some helpful hints and tips, 
> please speak up.

This is where "cookies" can be helpful.
You output a cookie in the header of the HTML,
then the user's Web browser will remember
that cookie for you, and you'll be able to access it
via an environment variable on any future page
that the user visits (by default, until he closes his Web browser). 
e.g.
printf(1, "Set-Cookie:myname=%s\n", {name})

A cookie is just a name-value pair.

It's easier than trying to attach his name or id
to every link that you provide him.

Search the web for "cgi cookies".

People can potentially fake the value of
a cookie, so for security you might want to assign a
special code number rather than using his name
to identify him.

Also, some people are paranoid about accepting
cookies, so they have their browser reject them.

Regards,
   Rob Craig
   Rapid Deployment Software
   http://www.RapidEuphoria.com


4. Re: Security Issues?

On 26 Nov 2002, at 14:31, Robert Craig wrote:

> Also, some people are paranoid about accepting
> cookies, so they have their browser reject them.

Especially us paranoid kats who read security warnings (even from Microsoft 
themselves) about how cookies can contain executable code, and get 
executed.

Kat


5. Re: Security Issues?

Kat, how would you track a user on a web site? Or do you care? :)

----- Original Message -----
From: "Kat" <kat at kogeijin.com>
To: "EUforum" <EUforum at topica.com>
Subject: Re: Security Issues?


>
> On 26 Nov 2002, at 14:31, Robert Craig wrote:
>
> > Also, some people are paranoid about accepting
> > cookies, so they have their browser reject them.
>
> Especially us paranoid kats who read security warnings (even from Microsoft
> themselves) about how cookies can contain executable code, and get
> executed.
>
> Kat
>
>
>


6. Re: Security Issues?

I reject cookies because it's a way for sites to monitor where you go
and where you've been.

Grab a copy of "ad-aware", run it on your machine, and I'll bet you have
at least one site that has either stuck code in your registry or sent cookies
that they can track your movements with.

Euman



7. Re: Security Issues?

Hey, thanks Rob!

> This is where "cookies" can be helpful.

That's where I was headed before your email came to me!

> You output a cookie in the header of the HTML,
> then the user's Web browser will remember
> that cookie for you, and you'll be able to access it
> via an environment variable on any future page
> that the user visits (by default, until he closes his Web browser).
> e.g.
> printf(1, "Set-Cookie:myname=%s\n", {name})

I put that in the header of the HTML page?

What environment variable do I look for? How do I retrieve it?


8. Re: Security Issues?

Do you ever go to sites that need to keep track of you on their web site?
For instance, password protected pages?

----- Original Message -----
From: "Euman" <euman at bellsouth.net>
To: "EUforum" <EUforum at topica.com>
Subject: Re: Security Issues?


>
> I reject cookies because it's a way for sites to monitor where you go
> and where you've been.
>
> Grab a copy of "ad-aware", run it on your machine, and I'll bet you have
> at least one site that has either stuck code in your registry or sent cookies
> that they can track your movements with.
>
> Euman


9. Re: Security Issues?

> I don't know the program you are using. I have to use apache on the nix shell,
> and it won't accept the nick!password at domain.com form of an url. I can't
> even get it to return the index.html or the default.html, and i can't reach
> orkim, his email bounces.

Kat, I'm using EU WebServer by Peter Blue, running on a Win2K box. Works
great!!!


10. Re: Security Issues?

One link CK,

http://www.sidesport.com/hijack/

There are thousands like it that continually update how to access anything.
Why do you think MS has a security update every day?

Euman

----- Original Message -----
From: "C. K. Lester" <cklester at yahoo.com>
To: "EUforum" <EUforum at topica.com>
Sent: Tuesday, November 26, 2002 3:01 PM
Subject: Re: Security Issues?


:
: Do you ever go to sites that need to keep track of you on their web site?
: For instance, password protected pages?


11. Re: Security Issues?

C.K. Lester writes:
> I put that in the header of the HTML page?

Just before the actual HTML...

puts(1, "Set-Cookie:myuserid=CKLESTER\n")
puts(1, "Content-type: text/html\n\n")   -- two \n's
puts(1, "<html><head><title>Welcome to C.K.'s Site</title></head>\n")
puts(1, ... etc...)

> What environment variable do I look for? How do I retrieve it?

object cookie

cookie = getenv("HTTP_COOKIE")

Note to the Paranoid: 
    No cookies are used on RapidEuphoria.com
    
Regards,
   Rob Craig
   Rapid Deployment Software
   http://www.RapidEuphoria.com


12. Re: Security Issues?

:  Note to the Paranoid:
:     No cookies are used on RapidEuphoria.com
:
: Regards,
:    Rob Craig
:    Rapid Deployment Software
:    http://www.RapidEuphoria.com

NOT PARANOID ROB!
Just Cautious..................!

And uh, btw, the ads that display atop the RDS site do TRY to submit random
cookies.

Euman


13. Re: Security Issues?

On 26 Nov 2002, at 13:52, C. K. Lester wrote:

> 
> kat, how would you track a user on a web site? or do you care? :)

Dynamic webpage generation. They enter a name or whatever, Submit, and 
the returned page has the ident built into the urls that point to my pages. If 
they bookmark the page, or "favorites" it, the url is saved complete with the 
data they entered. I'd use this only for user persistence on sequential 
pages. Generally, i don't care. Cookies get killed and faked here before IE 
ever sees them.

Kat

> 
> ----- Original Message -----
> From: "Kat" <kat at kogeijin.com>
> To: "EUforum" <EUforum at topica.com>
> Sent: Tuesday, November 26, 2002 1:45 PM
> Subject: Re: Security Issues?
> 
> 
> > On 26 Nov 2002, at 14:31, Robert Craig wrote:
> >
> > > Also, some people are paranoid about accepting
> > > cookies, so they have their browser reject them.
> >
> > Especially us paranoid kats who read security warnings (even from Microsoft
> > themselves) about how cookies can contain executable code, and get
> > executed.
> >
> > Kat
> >
> >
> 
> 
>


14. Re: Security Issues?

On 26 Nov 2002, at 14:02, C. K. Lester wrote:

> 
> > I don't know the program you are using. I have to use apache on the nix shell,
> > and it won't accept the nick!password at domain.com form of an url. I can't
> > even get it to return the index.html or the default.html, and i can't reach
> > orkim, his email bounces.
> 
> Kat, I'm using EU WebServer by Peter Blue, running on a Win2K box. Works
> great!!!

That's nice. All i can get for commercial shells is *nix.

Kat


15. Re: Security Issues?

On 26 Nov 2002, at 15:38, Euman wrote:

> 
> :  Note to the Paranoid:
> :     No cookies are used on RapidEuphoria.com
> :
> : Regards,
> :    Rob Craig
> :    Rapid Deployment Software
> :    http://www.RapidEuphoria.com
> 
> NOT PARANOID ROB!
> Just Cautious..................!
> 
> And uh, btw, the ads that display atop the RDS site do TRY to submit random
> cookies.

What ads?

Kat


16. Re: Security Issues?

On 26 Nov 2002, at 13:52, Euman wrote:

> 
> I reject cookies because it's a way for sites to monitor where you go and
> where you've been.
> 
> Grab a copy of "ad-aware", run it on your machine, and I'll bet you have
> at least one site that has either stuck code in your registry or sent
> cookies that they can track your movements with.
> 
> Euman
> 
May I suggest Spybot S&D <http://security.kolla.de/> to you? I found 
out that the Ad-aware people haven't updated spyware signatures since a long 
time ago (Sep. 24).

Kind regards,

-- Euler


17. Re: Security Issues?

C.K. Lester writes:
> Rob Craig writes:
> > cookie = getenv("HTTP_COOKIE")
>
> Doesn't the cookie exist on the user's PC? If that's the case, 
> how can the getenv() function return something from a file 
> on the user's PC, if, indeed, that is what it does...?

The cookie information is stored on the user's PC by his browser.
Whenever he visits your page, his browser will send the cookie
information to your server, and your server will make the info
available to you in an environment variable.

Some cookies are temporary, and disappear when
the browser is closed, but you can also create
longer lasting cookies on the user's machine,
so, for example, he doesn't have to log in every time.

Regards,
   Rob Craig
   Rapid Deployment Software
   http://www.RapidEuphoria.com
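
Rob Craig's replies in this thread describe emitting `Set-Cookie` before the `Content-type` line, reading the cookie back from `HTTP_COOKIE`, assigning a "special code number" instead of the user's name because cookie values can be faked, and choosing between temporary and longer-lasting cookies. The following added example (Python rather than Euphoria, not code from the thread) puts those pieces together. The cookie name `sid`, the in-memory `SESSIONS` table and the function names are assumptions made for the illustration.

```python
import secrets
from http.cookies import SimpleCookie, CookieError

# Assumption: in-memory table. A CGI program starts fresh on every request,
# so a real site would keep this mapping in a file or database.
SESSIONS = {}


def start_session(userid, persistent_seconds=None):
    """Create an unguessable session id; return (sid, Set-Cookie line)."""
    sid = secrets.token_urlsafe(32)      # the "special code number"
    SESSIONS[sid] = userid               # the name stays on the server
    # HttpOnly keeps page scripts from reading the cookie; add "Secure"
    # as well when the site is served over HTTPS.
    attrs = ["sid=" + sid, "Path=/", "HttpOnly", "SameSite=Lax"]
    if persistent_seconds is not None:   # omitted: gone when browser closes
        attrs.append("Max-Age=%d" % persistent_seconds)
    return sid, "Set-Cookie: " + "; ".join(attrs)


def current_user(http_cookie):
    """Map the HTTP_COOKIE environment value to a userid, or None."""
    jar = SimpleCookie()
    try:
        jar.load(http_cookie or "")
    except CookieError:
        return None
    morsel = jar.get("sid")
    if morsel is None:
        return None
    # A faked value is just a key that is not in the table.
    return SESSIONS.get(morsel.value)


def login_response(userid):
    """Headers first, blank line, then the HTML, as in the Euphoria snippet."""
    _, cookie_line = start_session(userid)
    return cookie_line + "\nContent-type: text/html\n\n<html>...</html>\n"
```
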
