Web Wiz - Green Windows Web Hosting
Web Wiz Homepage Search Web Wiz

  New Posts New Posts RSS Feed - Security Hole
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

Security Hole
 Post Reply Post Reply
Author
  Topic Search Topic Search  Topic Options Topic Options
pig killer View Drop Down
Newbie
Newbie


Joined: 27 July 2003
Status: Offline
Points: 3 		Post Options Post Options   Thanks (0) Thanks(0)   Quote pig killer Quote  Post ReplyReply Direct Link To This Post Topic: Security Hole
    Posted: 27 July 2003 at 11:16am

Hi! I want to Purchase license of your forum. Can I  expect, that if in web wiz forum were found security holes, you would operatively eliminate it? (for example, http://forums.webwiz.net/forum_posts.asp?TID=2271

 – is still work).

 

 
Back to Top
pig killer View Drop Down
Newbie
Newbie


Joined: 27 July 2003
Status: Offline
Points: 3 		Post Options Post Options   Thanks (0) Thanks(0)   Quote pig killer Quote  Post ReplyReply Direct Link To This Post Posted: 27 July 2003 at 12:40pm

Hi again!

new bug:

When I post replay message with mode=quote, forum does not check permission on forum == i can post and read message in any forum!
Back to Top
pig killer View Drop Down
Newbie
Newbie


Joined: 27 July 2003
Status: Offline
Points: 3 		Post Options Post Options   Thanks (0) Thanks(0)   Quote pig killer Quote  Post ReplyReply Direct Link To This Post Posted: 27 July 2003 at 10:12pm

Hi.

Solution for security hole in post_message_form.asp:

1. ..................
If strMode = "quote" Then
'#####################   Changes: check permission to topic
'Query the database
rsCommon.Open strSQL, adoCon
   If NOT rsCommon.EOF Then    
'##################### ...
        'Get the number this thread is after
        intTotalNumOfThreads = Request.QueryString("NOP")
       
        'Get the return thread page
        intRecordPositionPageNum = Request.QueryString("TPN")

        'Get the message from the database
       
        'Initialise the sql query to get the thread details to be quoted
        strSQL = "SELECT " & strDbTable & "Author.Author_ID, " & strDbTable & "Author.Username, " & strDbTable & "Thread.Message "
        strSQL = strSQL & "FROM " & strDbTable & "Thread INNER JOIN " & strDbTable & "Author ON " & strDbTable & "Thread.Author_ID = " & strDbTable & "Author.Author_ID "
        strSQL = strSQL & "WHERE " & strDbTable & "Thread.Thread_ID = " & CLng(Request.QueryString("PID"))
'######################### Changes - close database connection

'Reset server object
rsCommon.Close
.........
END IF

 
Back to Top
 Post Reply Post Reply

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 12.08
Copyright ©2001-2026 Web Wiz Ltd.

Become a Fan on Facebook Follow us on X Connect with us on LinkedIn Web Wiz Blogs
About Web Wiz | Contact Web Wiz | Terms & Conditions | Cookies | Privacy Notice

Web Wiz is the trading name of Web Wiz Ltd. Company registration No. 05977755. Registered in England and Wales.
Registered office: Web Wiz Ltd, Unit 18, The Glenmore Centre, Fancy Road, Poole, Dorset, BH12 4FB, UK.

Prices exclude VAT at 20% unless otherwise stated. VAT No. GB988999105 - $, € prices shown as a guideline only.

Copyright ©2001-2026 Web Wiz Ltd. All rights reserved.