Gossamer Forum

Another Security Issue

So if you're in my DBManSQL database and you're viewing a record, you can simply copy the URL and send it to someone, and they can then put it in their browser and go right to the record and bypass the login... this is scary. Is anyone else aware of this, or more importantly, how to prevent this?
Default users are not allowed and default permissions are set to 0,0,0,0,0 just in case. What's going on?

Re: Another Security Issue In reply to
The problem most likely is due to the user session. You need to make sure that you set a shorter auth logging session in the .cfg file OR hack the auth.pl file to log off users within a certain time period.

Regards,

Eliot Lee

Re: Another Security Issue In reply to
In Reply To:
The problem most likely is due to the user session. You need to make sure that you set a shorter auth logging session in the .cfg file OR hack the auth.pl file to log off users within a certain time period.
This is SUCH a WRONG answer, I hope no one believes it. This MySQLMan is so filled with security breaches, it is not funny...I am so surprised (but not really after the acknowledged glaring security hole in DBMan)

Get a clue Anthro

easy does it
Re: Another Security Issue In reply to
WELL, EXCUSE ME! Mad

Re: Another Security Issue In reply to
Bearwithme,
Calm down. You don't need to worry about this. The only way someone can get your URL (that you are referring to) is IF you modify your script somehow to contain hyperlinks to someone else's domain AND you click on the link. Then they *could* look into their referrer logs, and get the URL. However, by the time they get it, the session will have already timed out.



Re: Another Security Issue In reply to
This is not even a real problem. It exists with the regular DBMan as well. As Katana Man said, unless your sessions are set for ridiculously long, by the time someone got the URL (unless they were advised by phone to check their email immediately!), the session would probably have expired.

In any case, the referrer mod will take care of this situation!! If I remember correctly, the HTTP_REFERRER variable from your server will be blank if the person just cuts and pastes the URL into the browser. You could always just test for that in sub main, and refer such requests to html_unauth !!

Would be an easy fix, if my HTTP_REFERRER theory is correct !!

Re: Another Security Issue In reply to
In Reply To:
Calm down. You don't need to worry about this. The only way someone can get your URL (that you are referring to) is IF you modify your script somehow to contain hyperlinks to someone else's domain AND you click on the link. Then they *could* look into their referrer logs, and get the URL. However, by the time they get it, the session will have already timed out.
My mistake, and I stand corrected.

easy does it
Re: Another Security Issue In reply to
This is a bigger issue if people include images from other sites in their DBMan-generated pages, e.g. a banner advert or 'valid HTML 4.0' image or something like that.

Personally I don't think you can be too paranoid about security stuff and I'd be happier if, in addition to the URL random number, there was a cookie associated with the session or the URL was only valid from the IP address that logged on.

Best thing to do though is to run it (or at least the admin interface) through SSL :-)

Chris

--
http://webarchitects.co.uk/
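
What the cookie suggestion above looks like when combined with the idle timeout raised earlier in the thread, as an added Perl example that is not part of the original posts and is not DBMan code. The sub names, the in-memory `%SESSIONS` store and the 15-minute limit are assumptions made for illustration.

```perl
# Added illustration, not DBMan code: a session is honoured only when the URL
# token AND a cookie-held secret match, and it has not sat idle too long.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $IDLE_LIMIT = 15 * 60;    # assumed idle timeout, in seconds
my %SESSIONS;                # hypothetical in-memory store: uid => record

# Hypothetical helper: 32 hex characters from the OS random source.
sub random_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $buf;
    read($fh, $buf, 16) == 16 or die "short read from urandom";
    return unpack 'H*', $buf;
}

# Constant-time comparison, so the check does not leak a matching prefix.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# At login: the uid goes into URLs; the secret goes only into a cookie
# (sent with Secure and HttpOnly). The server keeps just a hash of it.
sub login {
    my ($user, $now) = @_;
    my ($uid, $secret) = (random_token(), random_token());
    $SESSIONS{$uid} = { user => $user, seen => $now, secret_hash => sha256_hex($secret) };
    return ($uid, $secret);
}

# On every request: a URL pasted into another browser arrives without the cookie.
sub check_session {
    my ($uid, $cookie, $now) = @_;
    my $s = $SESSIONS{ $uid // '' } or return 'unauth: unknown session';
    if ($now - $s->{seen} > $IDLE_LIMIT) { delete $SESSIONS{$uid}; return 'unauth: expired' }
    return 'unauth: cookie missing or wrong'
        unless defined $cookie && same_string(sha256_hex($cookie), $s->{secret_hash});
    $s->{seen} = $now;
    return "ok: $s->{user}";
}

my $t = time;
my ($uid, $secret) = login('alice', $t);                 # constructed sample user
print check_session($uid, $secret, $t + 60), "\n";       # owner's browser
print check_session($uid, undef,   $t + 90), "\n";       # copied URL, no cookie
print check_session($uid, $secret, $t + 3600), "\n";     # idle past the limit
```

Because the secret never appears in a URL, it does not end up in another site's referrer logs or in a link forwarded by e-mail; the cookie still needs SSL, as the post says, to stay off the wire in clear text.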
Re: Another Security Issue In reply to
In Reply To:
This MySQLMan is so filled with security breaches, it is not funny...I am so surprised (but not really after the acknowledged glaring security hole in DBMan)
What do you mean by this? I'm not aware of a security hole in MySQLMan? Also, I'd hardly call the security hole in DBMan "glaring". It would take a fairly competent person to exploit it, and even more to notice it (you really need to understand subtleties in Perl to see it).

Please back up such sweeping generalizations.

Cheers,

Alex

--
Gossamer Threads Inc.
Re: Another Security Issue In reply to
In Reply To:
or the URL was only valid from the IP address that logged on.
Unfortunately this would break for a lot of people, as the IP of a lot of people behind firewalls changes, and a lot share the same IP.

Cookies are a good alternative, but as mentioned in the Discussion group a lot of people hate them. =)

Cheers,

Alex

--
Gossamer Threads Inc.
Re: Another Security Issue In reply to
In Reply To:
What do you mean by this? I'm not aware of a security hole in MySQLMan? Also, I'd hardly call the security hole in DBMan "glaring". It would take a fairly competent person to exploit it, and even more to notice it (you really need to understand subtleties in Perl to see it).

Please back up such sweeping generalizations.
Excuse me?...if you'd look just 2 posts above yours, you'd see that I acknowledged and accepted responsibility for my mistake - and this was over 2 months ago...sheesh!



easy does it