NetTalk Central

Show Posts



Messages - vsorensen

1
Web Server - Ask For Help / Certificate / key in-memory
« on: October 08, 2018, 07:35:57 AM »
Is there a way to load the certificate / key from memory (or from an encrypted database record) rather than from a file on the hard drive?

2
Thank you - Sorry for the delay in responding, I was ill last week.

I had 10.33 installed, but the audit was done on my product by a third party for one of my French clients without my input, and they used an older version for that because that's the one they had in production.  I tried to weed out the items that newer versions had fixes for.  (Change Session ID is on.)

I've downloaded 10.35 - thank you for the modification of the minimum cookie length.  I'll watch for the Session Renegotiation option, and see if I can get better examples from the client on the cross site scripting issue, and insist on them using the current version in any future audits.  It's a huge waste of time to be looking for problems that aren't there anymore. :(

3
Web Server - Ask For Help / Security Audit - Configuring to Avoid Exploits
« on: September 09, 2018, 01:07:29 PM »
I recently received the results of a security audit on my application, and there were several weaknesses that I couldn't figure out how to plug.  Are there settings I could change for any of the following situations?

(1) When authenticating a user, the application does not assign a new session identifier, but reuses the existing session identifier created before the authentication step. The attack consists in causing a legitimate user to authenticate with a session identifier known to the attacker, and then usurp the session once authenticated using this same identifier. The attacker must create or retrieve a valid session ID and have the victim's browser use it. Depending on the case, this can be done by transmitting the identifier as a URL argument, in a hidden form field or through cookies. *** I see that there is generated code saying "s_web._SitesQueue.Defaults.ChangeSessionOnLogInOut = 1", wouldn't that have prevented this? ***

(2) HTTP header injection in the server response. HTTP header injection is possible when user input is returned in a response header without being properly escaped. If a carriage return is transcribed as-is from the request into a response header, an attacker could modify the contents of the following headers, or even write a completely different server response. Any Cross-Site Scripting (XSS) attack can usually be reproduced by a header injection, forcing the execution of arbitrary JavaScript. This type of vulnerability can also be used to poison the cache of a proxy serving as an intermediary for users to access the application. Finally, this type of vulnerability can make it possible to pass certain restrictions on authentication flows (CSP / CORS) and on the origin of accepted scripts.

(3) Attack by Cross Site Scripting (XSS by Reflection). Parameter values sent by the client browser to the web application are not sufficiently controlled, which could allow an attacker to inject HTML or JavaScript into it.  Indeed, the interpretable characters, such as <,>, /, ', ", etc. are not encoded before they are integrated with the response to the client. This vulnerability could be exploited by an attacker to conduct a Cross-Site Scripting (XSS) attack, in order to execute code in the context of the victim's web browser. This type of attack is usually used to access session cookies, allowing the attacker to impersonate the victim on the application.

(4) Denial of service by SSL / TLS renegotiation. The TLS / SSL service allows renegotiation of sessions initiated by the client. Session renegotiation is an operation that requires a larger amount of computation on the server side than on the client side, depending on the algorithm used. An attacker could exploit this by requesting a large number of renegotiations of concurrent SSL / TLS sessions in order to trigger a denial of service, bypassing, for example, the mitigations limiting the number of TCP sessions opened per IP (only one TCP session is needed for this attack).  *** Is there a way to limit the number of attempts? ***

(5) Value of session cookies predictable or insufficiently random. Cookies are files stored by the web browser of a website's visitor which serve (among other things) to identify a user over time, so that he need not re-enter his username and password on each page. However, when the cookie values are predictable or insufficiently random, an attacker can potentially impersonate a user by recreating the cookie on their own machine. The auditors noted the possibility of limiting the complexity of the session token returned by the application at the time of authentication. In addition to the acceptance of session cookies presented in TEC.WEB.018, the session token seems to conform to the size and composition of the one provided by the user:
Indeed, if the client provides, at the moment of authentication, a cookie of 2 uppercase letters, the returned cookie will also consist of 2 capital letters. We recommend modifying the application providing the session cookies so that their value follows a random distribution.  *** I have the session ID length set to 30, is this not the same thing? ***

Issues with possible solutions:
(1) Problem: BEAST Vulnerability (TLSv1.0 with CBC), Vulnerability LUCKY13 (CBC with TLS). LUCKY13 is a timing attack against TLS implementations using the weaknesses of CBC mode (block ciphering). The attack allows the decryption of TLS traffic. Details of the attack can be found at https://eprint.iacr.org/2015/1129.pdf. BEAST is an attack against the TLSv1.0 protocol using weaknesses in CBC mode (block ciphering). The attack decrypts the SSL / TLS traffic. Full details of the attack can be found in the paper "Here Come The XOR Ninjas" by Thai Duong and Juliano Rizzo, available at: https://bug665814.bmoattachments.org/attachment.cgi?id=540839  ... Solution:  In ThisWebServer.Open, set SELF.SSLMethod = NET:SSLMethodTLS_PCI
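As an added illustration (not NetTalk's code and not part of the audit or this post), here is a minimal Python sketch of the two session behaviours behind findings (1) and (5): rotating the session ID when the user authenticates, which is what ChangeSessionOnLogInOut = 1 is meant to do, and issuing IDs from a CSPRNG at a fixed length of 30 no matter what cookie the client presented. The SessionStore class and its method names are assumptions made for this example.

```python
import secrets
import string
from typing import Dict, Optional

# Constructed for this example: matches the post's "session ID length set to 30".
SESSION_ID_LENGTH = 30
_ALPHABET = string.ascii_letters + string.digits


def new_session_id(length: int = SESSION_ID_LENGTH) -> str:
    """Fixed-length token from a CSPRNG, independent of anything the client sent.

    A client presenting a two-letter cookie still gets a 30-character random value
    (the behaviour finding 5 asks for), so the ID cannot echo the client's pattern.
    """
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


class SessionStore:
    """Minimal in-memory stand-in for a web server's session table (constructed)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def start(self, presented_sid: Optional[str] = None) -> str:
        """Resume a known session, otherwise issue a fresh ID.

        An unknown presented ID is never adopted; adopting it is what lets an
        attacker plant a session ID of their choosing (the setup for finding 1).
        """
        if presented_sid is not None and presented_sid in self._sessions:
            return presented_sid
        sid = new_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Authenticate and rotate the ID, as ChangeSessionOnLogInOut = 1 is meant to.

        The pre-login ID is removed from the table, so an ID known before the
        victim authenticated no longer maps to the authenticated session.
        """
        state = self._sessions.pop(presented_sid, None) or {"user": None}
        state["user"] = user
        new_sid = new_session_id()
        self._sessions[new_sid] = state
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        session = self._sessions.get(sid)
        return session["user"] if session else None
```

The check a defender can run against a real server is the same: log in with a planted pre-authentication cookie and confirm the post-login cookie is different, full length, and that the planted value no longer resolves to the logged-in session.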
4
When I try to compile, I get the following error, repeated once for each occurrence of %Guid in NETTALK.TPL.
(NETTALK.TPL) Error: Symbol %Guid has no instance File=C:\C10\accessory\template\win\NETTALK.TPL, Line=6446 Column=3

If I replace %Guid with %MyGuid, the errors go away.


5

(as provided by the client)

Since it's no longer reproducible, I guess this goes back into the "mystery to solve another time" pile.

6
I'm not sure I understand the question.  There's plenty of code that opens other windows, and none that opens a window that is declared within the NetTalk DLL.  Before narrowing it down to NetMain, I had wrapped every OPEN(Window) within the application with a check of the STATUS, and sent that out to the client having the issue, and the debug code was never triggered.

This client has reported that after installing several Microsoft Updates he no longer has the issue.

7
Web Server - Ask For Help / NetMainWindow - Window is already open / GPF
« on: February 21, 2014, 10:37:45 AM »
I still get reports of this on certain systems.  Is there any way to precede the OPEN(NetMainWindow) with IF STATUS(NetMainWindow)=Window:OK THEN RETURN END or otherwise prevent this "race condition" from causing a GPF?

8
Ok, I will try the new build when it's available - thanks!

Vince

9
I've generated a simple application and found that if I use an immediate locator on a browse, clicking the View button on one of the found records initially results in a "Record Not Found (-2)" error because the primary key ID value hasn't been saved.  If I wait a few moments and then click the button, the correct record comes up and there's no error.  In the log I notice that the difference on the server side is that a "rowclicked" event occurs before the call to the form in the second case.

I tried to replicate this using the Web71.app (changing settings as attached) and found a different problem.  There's no error, but clicking the View button does not bring up the form until the second click. 

It appears that the row is not selected when one first clicks on the View button for that row, which is what the end user expects.  How do I resolve this?

------------------------------------------------
Steps to reproduce:
(1) Modify web71.app as in the attached screens and run the app, open site in IE 10
(2) Browse Customers
(3) Locate (Contains) Name:  POST
(4) Click on the "View" button for the only record that meets the criteria.  Nothing happens.
(5) Click on it again.  Form comes up.
(6) Clear search, locate google, click on "Change" button for the only row showing, nothing happens.
(7) Click on it a second time, form comes up.


10
Web Server - Ask For Help / Characters missing upon Save
« on: August 16, 2012, 01:47:14 PM »
This is very odd, but in the last couple of NetTalk releases, my form fields are reverting back to previous values when certain characters are included.

Example:

Original Value:  Test
New Value:  Test11
After Save:  Test11

Original Value:  Test11
New Value:  Test()
After Save:  Test11

Similar things happen with exclamation marks, ampersands, etc.

Does anyone have any idea what is up?

11
Web Server - Ask For Help / Re: NetTalk 6.03 - Missing files in Web folder?
« on: November 24, 2011, 01:21:14 PM »
Thanks... still have some errors, but making progress...

12
Web Server - Ask For Help / NetTalk 6.03 - Missing files in Web folder?
« on: November 24, 2011, 09:25:36 AM »
When I install from scratch, ALL.JS is no longer in the Scripts subfolder, and I get "Error in site JavaScript" when bringing up the base page in my app.

Is this because files are missing from the distribution package, or an indication that I have more things to change when migrating to NT6?

13
Web Server - Ask For Help / Re: Incorrect values - "&amp;" becomes "&"
« on: December 10, 2010, 02:39:10 PM »
Yes, and no.

That fixes it, except I do still want the immediate validation.

I'm still trying to nail down exactly where the string is touched...

14
Web Server - Ask For Help / Incorrect values - "&amp;" becomes "&"
« on: November 04, 2010, 05:42:18 AM »
If the user enters HTML into a field, it is parsed when it shouldn't be...

Entered:


Tab off of field and it changes to:


Any ideas what may cause this?

15
Web Server - Ask For Help / Re: Compatibility / Possible fixes
« on: May 05, 2010, 06:03:57 PM »
I was using Microsoft Expression and validating my generated pages...

From http://www.w3.org/TR/REC-html40/struct/objects.html#h-13.2:  "Start tag: required, End tag: forbidden"

Elsewhere, I've read that "<img /> is a singleton tag" and "In HTML the <img> tag has no end tag. In XHTML the <img> tag must be properly closed."  

All very confusing.

I'm still trying to figure out why the Drop Down menu is fine in IE 8, but the menu items (the drop down part with <li><a>, not the menu bar) display incorrectly in IE 6.
