Akopia Services

Re: [mv] Userdb password security/ Security ?



******    message to minivend-users from Ryan Hertz <rhertz@gyb.baits.com>     ******

At 01:03 PM 1/24/2000 , you wrote:
>******    message to minivend-users from Hans-Joachim Leidinger 
><jojo@buchonline.net>     ******

Well, a solution would be to check the REFERER environment variable.  If 
the referer to any access of your userdb is not from a page on your site 
then disallow the action.  Seems simple enough to me.  This keeps people 
from typing anything directly into the location bar.  An SSI (Apache) 
example looks like this:

<!-- mod_include regex form ("/.../"), so every page under http://yoursite.com/ passes, not only the site root -->
<!--#if expr="\"$HTTP_REFERER\" != /^http:\/\/yoursite\.com\//" -->
Sorry, you're not supposed to do that.
<BLOCKQUOTE>
         Access to <STRONG><!--#echo var="REQUEST_URI" --></STRONG> failed.
</BLOCKQUOTE>
<!--#else -->

Ok here.

<!--#endif -->

Something like that; the first if isn't exactly right, as it would have to 
wildcard-match all of your pages...

Anyways...  I'm personally not using the login/userdb functionality.



>"B.J. Bezemer" wrote:
> >
> > ******    message to minivend-users from "B.J. Bezemer" <bas.bezemer@wxs.nl>     ******
> >
> > Hi All,
> >
> > It has been very quiet after Gideon's question on this topic and I can't
> > imagine that Joachim and I are the only ones who shivered for a moment.
> > Of course there are tricks or workarounds to fix this problem. You could
> > rename the database from userdb to the name of a loved one in reverse
> > order, with some numbers in it, but that is not a structural solution. The
> > password field is not the only information that I don't want to be made
> > public. I don't want anyone to snoop into my database where I keep all my
> > information on orders (addresses of my customers, how much they ordered etc.).
> >
>[BIG DEL]
>
>Some time after my check, I have thought about this and I think...
>
>Without any MV tags like [value name] etc. in any results page, nobody
>is able to see any user information. Anyone can see the number of blank
>lines. Ok! This is no problem for me. We can prevent this with an if
>condition in MV. But is there any way to grab the information? I can
>not believe it, because I can not see any way to transfer any data to
>any server via the CGI method and without a POST method.
>
>It seems to me we are frightened and we have hoped like a lot of chickens.
>I am very sure, if this is a real security hole, we all get emergency
>help from Mike Heins.
>
>At this moment, I can sleep in my bed very well now! Isn't it so?
>
>Regards,
>
>         Joachim
>
>--
>-------------Hans-Joachim Leidinger---------------------


Ryan Hertz                                              tel  800-645-BAIT
Webmaster                                               fax  520-645-2588
Advertising Director                            http://www.insideline.net
Gary Yamamoto Custom Baits, Inc.            http://www.yamamoto.baits.com

-
To unsubscribe from the list, DO NOT REPLY to this message.  Instead, send
email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
Archive of past messages: http://www.minivend.com/minivend/minivend-list
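The Referer check Ryan proposes, rewritten as a small Python function (an added example, not code from the thread or from MiniVend; the host names are placeholders). It parses the URL instead of comparing strings, so every page on the site passes while look-alike host names and an absent header do not. Because the browser supplies the Referer header and may omit it, this only stops casual typing into the location bar; protection of userdb data still has to come from server-side access control.

```python
from urllib.parse import urlsplit

# Hosts this shop treats as its own (constructed placeholders; use your real names).
ALLOWED_HOSTS = {"yoursite.com", "www.yoursite.com"}


def naive_exact_check(referer):
    """The SSI test from the message as a plain string comparison.

    Only the bare site root matches, so requests from any real page are refused.
    """
    return referer == "http://yoursite.com"


def naive_prefix_check(referer):
    """The obvious 'wildcard' fix. It also accepts look-alike hosts such as
    yoursite.com.example, because only the leading characters are compared."""
    return referer.startswith("http://yoursite.com")


def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS):
    """Return True if the Referer names a page on one of allowed_hosts.

    - parses the URL, so any path on the site qualifies;
    - compares the whole host name, so yoursite.com.example is rejected;
    - rejects a missing or empty header: Referer is optional and set by the
      client, so this is a speed bump, not an authorization check.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased, port and userinfo stripped
    return host in allowed_hosts


if __name__ == "__main__":
    for ref in ("http://yoursite.com/cgi-bin/mv/userdb",
                "http://yoursite.com.example/probe", "", None):
        print(repr(ref), referer_allowed(ref))
```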