
Severe security lack ???

6/8/2005 2:03:26 PM
ASPRunnerPro General questions
Pfeiffer author

Hello,
I'm very astonished that in Version 3.2 everything is visible in Explorer like..
....masterkey=4448&action=delete&TargetPageNumber=1&Suchtext=&winword_id=10&Menusprung_url=+&mdelete=1&mdelete1=402329&mdelete1=402327&mdelete1=402326&mdelete1=402325&mdelete1=402324&mdelete1=402323&mdelete1=402322&mdelete1=402321&mdelete1=402320&mdelete1=402319&mdelete1=402318&mdelete1=402317&mdelete1=402316&mdelete1=402330]http://localhost/ATN-Entwicklung/finanz_li...mdelete1=402330
Now every user has the possibility to create an expression which will do something in the program I don't want him to do and I can't control what he is doing.
In my opinion now everything is open to manipulate the application.
Is there a possibility to change this behavior? I cannot use this version because of this problem.
Uwe Pfeiffer

Pfeiffer author 6/8/2005

In addition, here is a comment from another user about the GET method in Internet Explorer ...
Although this example is functional, it does bring up data security concerns. The end user could easily query ....any month, market, or product by ....replacing the values in the parameter string. The easiest way to prevent this would be to open the ASP page in a full screen browser without the address bar visible. However, a clever user could still obtain the URL by looking through browser history and viewing the popup info while hovering over the history link.
You use the GET method too if you edit a record.

So the user only has to change the url and he will be able to edit every record he wants although the record is not displayed in the list view ???

Sergey Kornilov admin 6/10/2005

Hi,
I'm aware of this security issue and added an additional protection on all ASP pages.

User won't be able to manipulate the application using browser address line.
To illustrate how it works I have modified generated list.asp page to print SQL statement for "delete" before and after:

        ' print the SQL before the ownership restriction is added ("<br>" is an HTML line break)
        response.write strSQL & "<br>"

        ' append the per-user WHERE clause returned by SecuritySQL("Delete")
        strSQL = AddWhere(strSQL, SecuritySQL("Delete"))

        ' print the SQL after the restriction
        response.write strSQL & "<br>"


Here is the output:

delete from [Cars] where [ID]=1

delete from [Cars] where [ID]=1 and ([OwnerID]=3)

delete from [Cars] where [ID]=7

delete from [Cars] where [ID]=7 and ([OwnerID]=3)
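The pattern shown in the output above (the record IDs come from the query string, and the server appends an ownership clause the client cannot remove) can be checked end to end in a small self-contained script. The following is an added illustration written for this thread, not ASPRunnerPro's own code: the Cars table with ID and OwnerID columns is taken from the SQL above, while the helper names add_where, security_sql, parse_delete_ids and delete_requested, and the sample rows, are assumptions. It uses an in-memory SQLite database so it runs offline.

```python
"""Server-side ownership restriction on a delete whose record IDs arrive in
the query string (the mdelete1=... parameters from the thread).

Added example, not the product's code. Table layout is from the thread's SQL;
helper names and sample rows are assumptions."""

import sqlite3
from urllib.parse import parse_qs

# Constructed sample data: cars 1 and 7 belong to owner 3, car 2 to owner 4.
SAMPLE_ROWS = [(1, 3), (2, 4), (7, 3)]


def open_db() -> sqlite3.Connection:
    """Create the Cars table in memory and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Cars (ID INTEGER PRIMARY KEY, OwnerID INTEGER NOT NULL)")
    conn.executemany("INSERT INTO Cars VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def add_where(sql: str, clause: str) -> str:
    """Mirror the AddWhere step from the thread: append the clause with AND
    when the statement already has a WHERE, otherwise start one."""
    if not clause:
        return sql
    if " where " in sql.lower():
        return f"{sql} and ({clause})"
    return f"{sql} where ({clause})"


def security_sql(action: str) -> str:
    """Per-user restriction for the given action (assumed helper). The thread's
    SecuritySQL("Delete") produced "[OwnerID]=3"; here the owner value is bound
    as a parameter instead of being interpolated into the string."""
    return "OwnerID = ?"


def parse_delete_ids(query_string: str) -> list[int]:
    """Read only the mdelete1 values and reject anything that is not an integer,
    so the query string can never smuggle extra SQL into the statement."""
    ids = []
    for value in parse_qs(query_string).get("mdelete1", []):
        if not value.isdigit():
            raise ValueError(f"bad record id: {value!r}")
        ids.append(int(value))
    return ids


def delete_requested(conn: sqlite3.Connection, query_string: str, current_owner_id: int) -> int:
    """Delete the requested IDs, restricted to rows owned by the logged-in user.
    Returns the number of rows actually removed; tampered IDs that belong to
    someone else simply match nothing."""
    ids = parse_delete_ids(query_string)
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))
    sql = add_where(f"delete from Cars where ID in ({placeholders})", security_sql("Delete"))
    cur = conn.execute(sql, [*ids, current_owner_id])
    conn.commit()
    return cur.rowcount


def remaining_ids(conn: sqlite3.Connection) -> list[int]:
    """IDs still present, for checking what a request did."""
    return [row[0] for row in conn.execute("SELECT ID FROM Cars ORDER BY ID")]


if __name__ == "__main__":
    db = open_db()
    # Owner 3 asks to delete car 1 (own) and car 2 (owner 4's) by editing the URL.
    print(delete_requested(db, "action=delete&mdelete1=1&mdelete1=2", 3))  # 1
    print(remaining_ids(db))  # [2, 7]
```

The point of the check is that the restriction is appended on the server from the session's identity, never taken from the request: a user who rewrites the address line to name another owner's record gets a statement that matches zero rows, which is exactly what the "and ([OwnerID]=3)" suffix in the output above achieves. Logging the rowcount against the number of IDs requested is a cheap way to spot such tampering attempts.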