NetTalk Central


Messages - GordonF

31
Web Server - Ask For Help / Re: Security analysis vulnerability reported
« on: October 05, 2021, 06:19:02 AM »
Hi Bruce,

Thank you for the clear explanation and help in resolving the issue, I'll make the change you suggest.

Gordon

32
Web Server - Ask For Help / Re: NetWebYear or other scheduler
« on: October 05, 2021, 06:14:20 AM »
Hi Bruce,

Just a couple of quick questions if I may, I've successfully loaded data from 2 tables, blocked out time and actual appointments and I can colour them as required. However I do have 2 issues:

1. The would-be background blocked out entries sit over part of an appointment entry if it starts later than but not before the end of an actual appointment, the later starting appointment sits on top which is obviously desirable normally but not if it's intended to be a background only. I've attached an image.

2. I can't make insert work when clicking on a blocked out entry, I get a record not found error in the insert/update form as it can't find an appointment because there isn't one, but it's trying to update because I clicked on an entry in PlannerQueue.Data albeit from the blocked out table.

Is there any way of making the blocked out entries truly inactive so they are display only and allow inserts into the main appointment table if I click on a time in a blocked out region?

I'm so close to this being perfect for my needs.

Gordon

33
Web Server - Ask For Help / Re: NetWebYear or other scheduler
« on: October 01, 2021, 05:28:42 AM »
Thank you Bruce that is really kind of you, I will try to attend Wednesday, in the meantime I'll play around with the ideas you suggest.

Gordon

34
Web Server - Ask For Help / NetWebYear or other scheduler
« on: October 01, 2021, 03:18:42 AM »
Hi,

I've tried using NetWebYear to create a basic appointment book and in truth it provides all I must have apart from a couple of features:

1. The ability to change the background colour of specific time slots for a given date to make non working times such as lunch obvious, I know I could put an appointment in but it's not ideal.

2. Ideally select a colour for individual events.

Are either of these possible?

Failing that I've looked at FullCalendar but that will be a steep learning curve for me as I've not used a jQuery plugin before and I don't know if it's even possible.

I know I ask a lot of questions but I do appreciate the help I receive.

Gordon

35
Web Server - Ask For Help / Re: Security analysis vulnerability reported
« on: September 30, 2021, 06:27:45 AM »
Thanks, I wish I could but I take care of my grandchildren for several hours on a Thursday afternoon so it is almost impossible.

36
Web Server - Ask For Help / Re: Security analysis vulnerability reported
« on: September 30, 2021, 05:55:28 AM »
Hi Vinnie,

Thank you for the reply, I do have Change Session ID on log In/Out ticked and also delete session on logout. However, I'm unsure whether this helps with session fixation attacks, please forgive my ignorance.

Gordon

37
Web Server - Ask For Help / Security analysis vulnerability reported
« on: September 30, 2021, 03:12:58 AM »
Hi,

One of our customers has run a security analysis on their system and has reported that there is a significant vulnerability with regard to our NetTalk WebServer application. The analysis was performed by Barclays Bank for their ongoing PCI DSS Compliance of card payment machines on the LAN. It appears to me in my limited knowledge that the Session ID is what they are highlighting, but beyond that I'm lost.

Does anyone have any suggestions, comments or advice about what we can do about this or what we can reply with? I would be most grateful if anyone has anything to share.

I have pasted part of their email below:


"

THREAT:
The scanner found a Web application on the target that uses cookies. The application seems to use cookies (likely, session IDs) in an insecure way. Specifically, the scanner created a web session with the target using a session ID specified by the scanner itself. The target application simply started a new session with this specified session ID. This issue is generally called "session-fixation" and is vulnerable to session-hijacking attacks.

One scenario where this could be used to hijack an unsuspecting user's Web session is as follows. Assuming an online store, www.examplestore.com, has this security issue. If an attacker uses social engineering techniques to make a target user click on a link (in an email or on a malicious Web site) like http://www.examplestore.com/?PHPSESSID=12345, where PHPSESSID is the cookie used for identifying the session, the store will start a new session for the unsuspecting user with the session ID 12345. Then, since the attacker knows the session ID already, the attacker can simply hijack the session moments after the user has visited the store.

IMPACT:
By exploiting this vulnerability, an attacker could use the hijacked session for information gathering, invasion of privacy, property theft, or credit-card theft.
For more information about the way session-fixation attacks can be performed and the possible consequences of such attacks, read this paper.

SOLUTION:
This is a common issue web-developers come across, and many application-specific solutions exist.
The PHP package itself provides a "php.ini" based global configuration option called "session.use_only_cookies" (introduced in PHP Version 4.3.0). This is disabled by default for backward compatibility. When enabled, this allows PHP session IDs to be set only via HTTP cookies. This makes GET/POST based hijack attacks possible only when there is significant activity by an unsuspecting user.
For more information, read the Sessions and Security description provided on PHP's Web site.

For solutions in other web packages, check the relevant documentation.

RESULT:
GET /?SESSIONID=0123456789abcdef0123456789abcdef HTTP/1.0
Host: 77-44-120-131.xdsl.murphx.net
HTTP/1.1 200 OK
Date: Thu, 16 Sep 2021 15:53:57 GMT
Expires: Wed, 16 Sep 2020 15:53:57 GMT
Content-Length: 2577
Content-Type: text/html
Cache-Control: no-store, no-cache, must-revalidate, private,post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: SESSIONID=0123456789abcdef0123456789abcdef; path=/; secure; HttpOnly; SameSite=Strict
Connection: close
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
<!DOCTYPE html><html class=" nt-html no-js">
<head>
<title>EDGE Anywhere</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="initial-scale=1">
<link href="/themes/base/theme.css?c=12.17" rel="stylesheet" />
<link href="/redactor/redactor.min.css?c=12.17" rel="stylesheet" />
<script src="/scripts/all.js?c=12.17" type="text/javascript"></script>
<script src="/redactor/redactor.min.js?c=12.17" type="text/javascript"></script>
</head>
<body class=" PageBody">
<div id="body_div" class=" PageBodyDiv">
...... rest of page

"

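The behaviour in the RESULT section above (the server sets a cookie carrying the session ID the client supplied) and two standard defences against it, as an added example that is not part of the original post and is not NetTalk code. It is a generic in-memory model in Python; `SessionStore`, `adopted` and `survives_login` are hypothetical names, and only `SCANNER_ID` is taken from the report.

```python
import secrets


class SessionStore:
    """Minimal in-memory session table (constructed for illustration)."""

    def __init__(self, strict):
        self.strict = strict      # False reproduces what the scanner reported
        self.sessions = {}        # session id -> session data

    def _new_id(self):
        return secrets.token_hex(16)   # 128 bits from the OS CSPRNG

    def resolve(self, presented_id):
        """Return the session id the server would send in Set-Cookie."""
        if presented_id in self.sessions:
            return presented_id        # an id this server issued earlier
        if presented_id and not self.strict:
            sid = presented_id         # permissive: adopt the caller's value
        else:
            sid = self._new_id()       # strict: unknown ids are discarded
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate and move the session data to a fresh id."""
        data = self.sessions.pop(sid)  # the pre-login id stops being valid
        data["user"] = user
        new_sid = self._new_id()
        self.sessions[new_sid] = data
        return new_sid


SCANNER_ID = "0123456789abcdef0123456789abcdef"  # from the RESULT section


def adopted(store, presented_id):
    """True if the server echoed back an id it did not generate itself."""
    return store.resolve(presented_id) == presented_id


def survives_login(store, presented_id):
    """True if the id known before login still maps to a session after it."""
    sid = store.resolve(presented_id)
    store.login(sid, "alice")          # constructed user name
    return sid in store.sessions
```

In this model the strict store never echoes an ID it did not generate, and changing the ID at login means a value known before authentication no longer maps to the authenticated session even in the permissive store.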
38
Web Server - Ask For Help / Div Grid on a form
« on: September 28, 2021, 04:16:25 AM »
Am I correct in thinking Div Grid is intended to allow 2 dimensional field placement rather than 1 dimensional, in other words like Flex Grid?

If so is there an example that presents a form in 2 dimensions with correct vertical alignment, with perhaps 3 or 4 columns? I have tried and all I seem to get are 2 columns that don't respond correctly on resize. I fully anticipate that I am not using the feature correctly, however the only options I can find are for HTML Method (I set it to Div Grid) and the individual field start/span for row and column, I've also tried various span and last on row/line settings. Oddly I don't really see any difference between Div FlexBox and Div Grid mode, could it relate to me using 'base' as my theme and the CSS it contains?

I would really like to have a form with several fields on a row for several rows all vertically aligned into columns (perhaps 3), I know this may sound like a browse but that isn't what I require, it is just a section of a larger form. Table mode will let me do this but it is non responsive to browse width.

As ever any help would be greatly appreciated.

Gordon

39
Web Server - Ask For Help / Time entry format problem
« on: September 27, 2021, 04:24:54 AM »
I have an issue where seemingly similar time entry fields on a form are formatted hh:mm or sometimes hh:mm:ss even though I've selected hh:mm from the picture dropdown, on examining the generated code it produces:

packet.append(p_web.CreateInput('time','TRPH:TRIContactTime',p_web.GetSessionValue('TRPH:TRIContactTime'),loc:fieldclass,loc:readonly,clip(loc:extra) & ' ' & clip(loc:autocomplete),'@T06B',loc:javascript,p_web.PicLength('@t01'),'Triage Contact Time','TRPH:TRIContactTime',,'imb',,,,'UpdateTriage')  & p_web.CRLF) !a

As you can see it has a picture of @T06B, I checked NetWeb.tpw and the @T06B is hardcoded into the template as below

%gPacket.append(p_web.CreateInput('time','%FormField',p_web.Get%ValueScope(%DataField),loc:fieldclass,loc:readonly,clip(loc:extra) & ' ' & clip(loc:autocomplete),'@T06B',loc:javascript,%mltemp,%FormFieldTooltip,'%FormId',%FormFieldPlaceHolder,%datado,%vNumLow,%vNumHigh,%vNumStep,'%procedure')  & p_web.CRLF) !a

Should it not be using %FormFieldPictureTime as in the template code below? I changed the template and the fields now work as expected.

%gPacket.append(p_web.CreateInput('time','%FormField',p_web.Get%ValueScope(%DataField),loc:fieldclass,loc:readonly,clip(loc:extra) & ' ' & clip(loc:autocomplete),'%FormFieldPictureTime',loc:javascript,%mltemp,%FormFieldTooltip,'%FormId',%FormFieldPlaceHolder,%datado,%vNumLow,%vNumHigh,%vNumStep,'%procedure')  & p_web.CRLF) !a

Am I missing something and so shouldn't change the template?

NT12.17 I'll be moving to 12.26 in the next couple of days.

Gordon


40
Web Server - Ask For Help / Re: The Tree field type on a form?
« on: September 23, 2021, 11:52:51 PM »
Thanks Jane

41
Web Server - Ask For Help / The Tree field type on a form?
« on: September 23, 2021, 01:06:14 AM »
I'm intrigued by the Tree field type available on a form, am I correct in assuming this will allow a tree style browse structure to be built into a form?

If so is there an example that uses it or some documentation? If my assumption is incorrect, is any form of tree control available in WebServer?

Gordon

42
Web Server - Ask For Help / Re: Global setting of DatePicker Options
« on: September 16, 2021, 05:46:49 AM »
Hi Alberto, when I include the option

',showCurrentAtPos: 1'&|

The previous button no longer works, have you seen the same thing? If I remove it then all is well and position 1 appears to be the default behaviour.

Gordon

43
Web Server - Ask For Help / Re: SQL browse problem
« on: September 15, 2021, 11:51:58 PM »
Thanks Jane I'll try that and report back.

44
Web Server - Ask For Help / Re: Global setting of DatePicker Options
« on: September 15, 2021, 11:45:41 PM »
Thank you to both of you for your help I'm very grateful.

Gordon

45
Web Server - Ask For Help / Re: Global setting of DatePicker Options
« on: September 15, 2021, 12:24:24 AM »
Hi Michelis,

Thank you for your reply, forgive my ignorance but what procedure is the processlink embed actually in and what does the code look like to set the datepicker global options?

Any help would be appreciated.

Regards
Gordon
