NetTalk Central

Author Topic: Is this an attack to be worried about?  (Read 4973 times)

osquiabro

Re: Is this an attack to be worried about?
« Reply #15 on: October 15, 2020, 04:41:29 AM »
>>The biggest issue with uploading files is that they can be downloaded (although files downloaded from the uploads folder are treated differently.) So you don't want your server to become a generic "file storage" place. For this reason many developers set their uploads folder to be _outside_ the web folder, into say a special temp folder. Then the sys-admin can move files from here when they are deemed to be ok.  Obviously this approach depends a lot on the site, and what you are doing with your uploads.

I have a validation before uploading any file that only accepts certain file types, and the validation works. I don't know how these files are coming in, because this server is totally outside (DMZ) of the WAN and LAN. No user has access to that server, only through the NT application; this server is only for the NT application. (https://track.magictransport.com/)

>>The other interesting item from the pic is that the file has 0 length.

But the 0 length is possibly fake; it is possible with a hex editor.

>>message log? you mean Windows log? WebServer log? SQL log? I'm not sure which log you are referring to here.

I mean the CapeSoft MessageBox, so a message box was fired.

>>Of course if you use the prop:sql statement, then you need to be sanitizing that statement. SQL Injection is a thing and if you use prop:sql then that becomes your responsibility. If you use the file-driver functions (as all the NetTalk code does) then you are safe from SQL injection (*)

Not prop:sql; I have a view in the DCT and call it from there.

>>If you use the file-driver functions (as all the NetTalk code does) then you are safe from SQL injection (*)

What do you mean by that? Could you elaborate on it more?

>>(*) Safe in the sense that I've never been able to construct a Driver statement that creates a SQL Injection hazard. So it might be possible, but I don't know how...

I have a confession: in the past I hacked your web forums and changed your username and password several times via URL, but you found a solution to the problem, and then I started using NT. Sorry ;) ;) ;)
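The thread turns on two checks for uploads: the type validation osquiabro describes, and the zero-length file from the screenshot. An extension-only check is easy to defeat by renaming, so a server-side validator should also look at the content and reject empty files. The following is an added example written for this page, not NetTalk or CapeSoft code; the allowlist, the quarantine directory layout and the sample files are constructed assumptions. It also stores accepted files under a random name outside the web root, as Bruce's quoted reply suggests.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Allowlist (assumed for this example): extension -> magic-byte prefixes the
# content must start with. Checking content as well as the name is what stops a
# renamed file (e.g. an .exe uploaded as picture.jpg) from passing.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (ok, reason). Rejects unknown extensions, empty files and
    content whose magic bytes do not match the claimed extension."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED:
        return False, "extension %r not allowed" % ext
    if len(data) == 0:
        # A zero-length upload carries nothing to inspect; treat it as hostile.
        return False, "empty file"
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match %s" % ext
    return True, "ok"


def store_upload(filename: str, data: bytes, quarantine_dir: Path) -> Path:
    """Write an accepted upload under a random name inside quarantine_dir,
    which is assumed to sit outside the web root. The client's filename is
    never reused, so path traversal in the name is irrelevant here."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    ext = Path(filename).suffix.lower()
    target = quarantine_dir / (secrets.token_hex(16) + ext)
    # O_EXCL: fail rather than overwrite if the random name already exists.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


# Constructed sample uploads for the demonstration.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "empty.png": b"",                                 # the 0-length case
    "renamed.jpg": b"MZ\x90\x00" + b"\x00" * 32,      # PE header, image name
    "script.php": b"<?php echo 1; ?>",
    "doc.pdf": b"%PDF-1.4\n%constructed",
}


def check_samples() -> dict:
    """Run the validator over every sample; True means accepted."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print("%-12s -> %s" % (name, "accept" if ok else "reject"))
    with tempfile.TemporaryDirectory() as d:
        print("stored as", store_upload("photo.png", SAMPLES["photo.png"], Path(d)))
```

The magic-byte table is deliberately short; in production it would be generated from the formats the application actually needs, and anything not in it is refused rather than guessed at.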
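Bruce's quoted remark draws the line between a raw statement you build yourself (prop:sql), which you must sanitize, and driver calls that bind values for you. The difference is easiest to see side by side. The following is an added example for this page, not Clarion or NetTalk code; it uses an in-memory SQLite table with constructed rows, and the login functions and the injection payload are assumptions chosen to illustrate the point.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two users with plaintext passwords, purely for
    the demonstration (a real system stores password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users(username, password) VALUES (?, ?)",
        [("bruce", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_concat(conn, username: str, password: str) -> bool:
    """Vulnerable: the statement is assembled from user input, the same hazard
    as handing a hand-built string to prop:sql without sanitizing it."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_escaped(conn, username: str, password: str) -> bool:
    """Still string-built, but with single quotes doubled first. This is the
    minimum 'sanitizing' Bruce refers to; it is fragile and driver-specific."""
    u = username.replace("'", "''")
    p = password.replace("'", "''")
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (u, p))
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username: str, password: str) -> bool:
    """Safe: values are bound as parameters and never parsed as SQL, which is
    what a file-driver call does on your behalf."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run a valid login and a classic tautology payload through all three."""
    conn = make_db()
    payload = "' OR '1'='1"   # turns ... AND password = '' OR '1'='1' into always-true
    return {
        "valid_concat": login_concat(conn, "bruce", "s3cret"),
        "valid_escaped": login_escaped(conn, "bruce", "s3cret"),
        "valid_param": login_param(conn, "bruce", "s3cret"),
        "inject_concat": login_concat(conn, "nobody", payload),
        "inject_escaped": login_escaped(conn, "nobody", payload),
        "inject_param": login_param(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-15s %s" % (k, "logged in" if v else "denied"))
```

The concatenated version logs in "nobody" with no valid password; the escaped and parameterized versions deny it. Quote-doubling happens to close this hole, but it must be repeated at every call site and redone if the backend's quoting rules differ, which is why binding parameters (or letting the driver build the statement) is the check a reviewer looks for.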