NetTalk Central



Topics - vsorensen

1
Web Server - Ask For Help / Certificate / key in-memory
« on: October 08, 2018, 07:35:57 AM »
Is there a way to load the certificate / key from memory (or from an encrypted database record) rather than from a file on the hard drive?

2
Web Server - Ask For Help / Security Audit - Configuring to Avoid Exploits
« on: September 09, 2018, 01:07:29 PM »
I recently received the results of a security audit on my application, and there were several weaknesses that I couldn't figure out how to plug.  Are there settings I could change for any of the following situations?

(1) When authenticating a user, the application does not assign a new session identifier, but reuses the existing session identifier created before the authentication step. The attack consists in causing a legitimate user to authenticate with a session identifier known to the attacker, and then usurp the session once authenticated using this same identifier. The attacker must create or retrieve a valid session ID and have the victim's browser use it. Depending on the case, this can be done by transmitting the identifier as a URL argument, in a hidden form field or through cookies. *** I see that there is generated code saying "s_web._SitesQueue.Defaults.ChangeSessionOnLogInOut = 1", wouldn't that have prevented this? ***

(2) HTTP header injection in the server response. An HTTP header injection is possible when user input is returned without being properly escaped in a response header. If a carriage return is retranscribed as is from the request to a response header, an attacker could modify the contents of the following headers, or even write a completely different server response. Any Cross-Site Scripting (XSS) attack can usually be reproduced by a header injection, forcing the execution of arbitrary JavaScript. This type of vulnerability can also be used to poison the cache of a proxy serving as an intermediary for users to access the application. Finally, this type of vulnerability can make it possible to bypass certain restrictions on authentication flows (CSP / CORS) and the origin of accepted scripts.

(3) Attack by Cross Site Scripting (XSS by Reflection). Parameter values sent by the client browser to the web application are not sufficiently controlled, which could allow an attacker to inject HTML or JavaScript into it.  Indeed, the interpretable characters, such as <,>, /, ', ", etc. are not encoded before they are integrated with the response to the client. This vulnerability could be exploited by an attacker to conduct a Cross-Site Scripting (XSS) attack, in order to execute code in the context of the victim's web browser. This type of attack is usually used to access session cookies, allowing the attacker to impersonate the victim on the application.

(4) Denial of service by SSL / TLS renegotiation. The TLS / SSL service allows renegotiation of sessions initiated by the client. Session renegotiation is an operation that requires a larger amount of computation on the server side than on the client side, depending on the algorithm used. An attacker could exploit this phenomenon by requesting a large number of renegotiations of concurrent SSL / TLS sessions in order to trigger a denial of service, bypassing, for example, the mitigations limiting the number of TCP sessions opened per IP (only one TCP session is needed for this attack).  *** Is there a way to limit the number of attempts? ***

(5) Value of session cookies predictable or insufficiently random. Cookies are files stored by the web browser of the visitor to a website and which serve (among other things) to identify a user over time, to save him from having to re-enter his username and password on each page. However, when the cookie values are predictable or insufficiently random, an attacker can potentially impersonate a user by recreating the cookie on their own machine. The auditors noted the possibility of limiting the complexity of the session token returned by the application at the time of authentication. In addition to the acceptance of session cookies presented in TEC.WEB.018, the session token seems to conform to the size and composition of the one provided by the user:
Indeed, if the client provides, at the moment of authentication, a cookie of 2 uppercase letters, the returned cookie will also consist of 2 capital letters. Recommend modifying the application providing the session cookies so that the value of the latter follows a random distribution.  *** I have the session ID length set to 30, is this not the same thing? ***

Issues with possible solutions:
(1) Problem: BEAST Vulnerability (TLSv1.0 with CBC), Vulnerability LUCKY13 (CBC with TLS). LUCKY13 is a timing attack against TLS implementations using the weaknesses of the CBC mode (block ciphering). The attack allows the decryption of TLS traffic. Details of the attack can be found at https://eprint.iacr.org/2015/1129.pdf. BEAST is an attack against the TLSv1.0 protocol using weaknesses in the CBC mode (block ciphering). The attack decrypts the SSL / TLS traffic. Full details of the attack can be found in the paper "Here Come The XOR Ninjas" by Thai Duong and Juliano Rizzo, available at: https://bug665814.bmoattachments.org/attachment.cgi?id=540839  ... Solution:  In ThisWebServer.Open, set SELF.SSLMethod = NET:SSLMethodTLS_PCI
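The server-side behaviours that findings (1), (2), (3) and (5) in this post ask for, shown as an added stand-alone Python illustration rather than NetTalk's own code: the session store, the function names and the 30-character session id are assumptions, and the sample values are constructed.

```python
import html
import re
import secrets

# Constructed example: a minimal in-memory session store that behaves the way
# the audit findings above require. Names and the 30-character id are assumed.
SESSION_ID_LENGTH = 30
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{%d}$" % SESSION_ID_LENGTH)


def new_session_id():
    """Finding (5): the id comes from the OS CSPRNG, never from client input."""
    return secrets.token_urlsafe(SESSION_ID_LENGTH)[:SESSION_ID_LENGTH]


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> per-session data

    def get_or_create(self, client_cookie):
        """Only a well-formed id the server itself issued is honoured; anything
        else (a 2-letter cookie, an unknown id) gets a fresh server-chosen id."""
        if client_cookie in self.sessions and SESSION_ID_RE.match(client_cookie):
            return client_cookie
        sid = new_session_id()
        self.sessions[sid] = {}
        return sid

    def login(self, sid, user):
        """Finding (1): authentication retires the pre-login id and issues a new
        one, so an id planted before login is useless afterwards."""
        data = self.sessions.pop(sid, {})
        data["user"] = user
        new_sid = new_session_id()
        self.sessions[new_sid] = data
        return new_sid


def contains_header_injection(value):
    """Finding (2): CR or LF in a value bound for a response header. Reject the
    request rather than stripping silently; a rejection is easier to log."""
    return "\r" in value or "\n" in value


def reflect(value):
    """Finding (3): encode &, <, >, ", ' and / before echoing a parameter into HTML."""
    return html.escape(value, quote=True).replace("/", "&#x2F;")
```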
3
When I try to compile, I get the following error, repeated once for each occurrence of %Guid in NETTALK.TPL.
(NETTALK.TPL) Error: Symbol %Guid has no instance File=C:\C10\accessory\template\win\NETTALK.TPL, Line=6446 Column=3

If I replace %Guid with %MyGuid, the errors go away.


4
Web Server - Ask For Help / NetMainWindow - Window is already open / GPF
« on: February 21, 2014, 10:37:45 AM »
I still get reports of this on certain systems.  Is there any way to precede the OPEN(NetMainWindow) with IF STATUS(NetMainWindow)=Window:OK THEN RETURN END or otherwise prevent this "race condition" from causing a GPF?

5
I've generated a simple application and found that if I use an immediate locator on a browse, clicking the View button on one of the found records initially results in a "Record Not Found (-2)" error because the primary key ID value hasn't been saved.  If I wait a few moments and then click the button, the correct record comes up and there's no error.  In the log I notice that the difference on the server side is that a "rowclicked" event occurs before the call to the form in the second case.

I tried to replicate this using the Web71.app (changing settings as attached) and found a different problem.  There's no error, but clicking the View button does not bring up the form until the second click. 

It appears that the row is not selected when one first clicks on the View button for that row, which is what the end user expects.  How do I resolve this?

------------------------------------------------
Steps to reproduce:
(1) Modify web71.app as in the attached screens and run the app, open site in IE 10
(2) Browse Customers
(3) Locate (Contains) Name:  POST
(4) Click on the "View" button for the only record that meets the criteria.  Nothing happens.
(5) Click on it again.  Form comes up.
(6) Clear search, locate google, click on "Change" button for the only row showing, nothing happens.
(7) Click on it a second time, form comes up.

[attachment deleted by admin]

6
Web Server - Ask For Help / Characters missing upon Save
« on: August 16, 2012, 01:47:14 PM »
This is very odd, but in the last couple of NetTalk releases, my form fields are reverting back to previous values when certain characters are included.

Example:

Original Value:  Test
New Value:  Test11
After Save:  Test11

Original Value:  Test11
New Value:  Test()
After Save:  Test11

Similar things happen with exclamation marks, ampersands, etc.

Does anyone have any idea what is up?

7
Web Server - Ask For Help / NetTalk 6.03 - Missing files in Web folder?
« on: November 24, 2011, 09:25:36 AM »
When I install from scratch, ALL.JS is no longer in the Scripts subfolder, and I get "Error in site JavaScript" when bringing up the base page in my app.

Is this because files are missing from the distribution package, or an indication that I have more things to change when migrating to NT6?

8
Web Server - Ask For Help / Incorrect values - "&amp;" becomes "&"
« on: November 04, 2010, 05:42:18 AM »
If the user enters HTML into a field, it is parsed when it shouldn't be...

Entered:


Tab off of field and it changes to:


Any ideas what may cause this?

9
Web Server - Ask For Help / Compatibility / Possible fixes
« on: May 04, 2010, 10:10:57 AM »
I'm running a sample page through an IE6 compatibility checker, and I'm thinking the following changes should be made:

1.  In NetWeb.CLW
Old:    packet = '<div id="_busy" class="bdiv"><img src="/images/_busy.gif"></img></div>'
New:  packet = '<div id="_busy" class="bdiv"><img src="/images/_busy.gif" /></div>'

2.  In "After Browse, before buttons," the Save Button set is between the </td> and the </tr>.  It should be inside the <td></td>.
Old:           packet = clip(packet) & '</div><13,10></td><13,10>'
            If p_web.site.UseSaveButtonSet

New:           packet = clip(packet) & '</div><13,10></td><13,10>'
            If p_web.site.UseSaveButtonSet
                 packet = clip(packet) & '<td><13,10>'
(existing code)
                 packet = clip(packet) & '</td><13,10>'

10
I already submitted this, but perhaps a spam filter got it.

Took a while to track down why my browse buttons weren't working in NT5.00pr7, but I finally found the cause:

In NetWeb.clw...
 
loc:onclick = sub(loc:onclick,1,iq) & '__Referer__=''+escape(location.href)+''&' & sub(loc:onclick,iq+1,size(loc:onclick))

should read
 
loc:onclick = sub(loc:onclick,1,iq) & '__Referer__=''+escape(location.href)+''&amp;' & sub(loc:onclick,iq+1,size(loc:onclick))

Vince
 

11
Web Server - Ask For Help / Best approach for history log / audit trail
« on: November 11, 2009, 10:01:24 AM »
I would like to be able to write out a log that details if a record was deleted, or if a value in a particular field was changed.  It needs to include the original or deleted value.  I thought it would be fairly straightforward, but after trying a few alternatives I have yet to get it working reliably.

(I've tried putting code in both "pre" and "post" change embed points, and saving the initial value to a session variable, but there were quirks such as the saved session value getting changed when the form was called in the update stage).

What is the best way to provide an audit trail that includes the "original" values after a change or deletion?

Is there an example I've missed?

12
I appear to be stuck on this one. 

I have a browse, page-loaded.  I click on Last or Next or Search.  In Firefox it works as it should.  In IE, the "busy" icon appears, and the page never loads.  If I press F5, the page (as it should look after a button press) loads.

I've gone as far as writing the page out to disk when it is served, so I can see that the browse section is being sent, but the only difference between the failed send and the F5 send is inclusion of the <SCRIPT> that declares the browse control, and the value of RequestAjax.

I've played with this for days, and days, and days, and I have gotten nowhere.

What am I missing?

13
In NetWeb.TPW:
          packet = clip(packet) & '<td'&clip(loc:MultiRowStyle)&clip(loc:SelectColumnClass)&'><!--here-->'&p_web.CreateInput('radio','%vx',clip(loc:field),,loc:checked,,,'onclick="MailboxesBrowseControl.value='''&p_web._jsok(loc:field,Net:Parameter)&'''"')&'</td>'&CRLF
          if loc:FirstRowId = ''
            loc:FirstRow = '<td'&clip(loc:MultiRowStyle)&clip(loc:SelectColumnClass)&'><!--here-->'&p_web.CreateInput('radio','%vx',clip(loc:field),,'checked',,,'onclick="MailboxesBrowseControl.value='''&p_web._jsok(loc:field,Net:Parameter)&'''"')&'</td>'
            loc:FirstRowID = loc:field
          end

14
Web Server - Ask For Help / 4.35/C7/DLL - "unresolved for export"
« on: June 29, 2009, 05:25:54 PM »
I couldn't get my DLL application to compile, so I tried the example and had the same problem:

_CREATEHEADER@F12NETWEBSERVER29NETWEBSERVERHEADERDETAILSTYPE Is unresolved for export - C:\Users\Public\Documents\SoftVelocity\Clarion7\Accessory\Capesoft\NetTalk\Web Server\MultiDLL (20)\AllFiles.exp:1465,3

W3HEADER@F18NETWEBSERVERWORKER Is unresolved for export - C:\Users\Public\Documents\SoftVelocity\Clarion7\Accessory\Capesoft\NetTalk\Web Server\MultiDLL (20)\AllFiles.exp:1609,3

_CREATESORTHEADER@F18NETWEBSERVERWORKERllsbsbOsbl Is unresolved for export - C:\Users\Public\Documents\SoftVelocity\Clarion7\Accessory\Capesoft\NetTalk\Web Server\MultiDLL (20)\AllFiles.exp:1626,3

15
A user reported that the wrong record will come up when clicking View (or change) on the first record on a browse after he's viewed or changed any other record.

In other words, open a browse, select the third record (I use the radio button style of browse), click View, click Close, press "First", select the first record, click View, and you'll see the third record instead of the first one.

In initial tests here, it appeared to be a problem with the Javascript (see below), but restoring to an older version showed the same behaviour without the Javascript error.  I'll include the error anyway....

Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Timestamp: Tue, 23 Jun 2009 19:03:29 UTC

Message: Invalid argument.
Line: 136
Char: 7
Code: 0
URI: https://www.passwordsmax.com:444/scripts/all.js

I've also seen the error:

Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Timestamp: Tue, 23 Jun 2009 18:42:20 UTC

Message: 'pgPasswordsBrowseControl' is undefined
Line: 331
Char: 1
Code: 0
URI: https://www.passwordsmax.com:444/pgRedirectOnLogin

'pgPasswordsBrowseControl'  is the name of the procedure.
