tripp2loo
Newbie
Joined: 19 February 2007
Location: United States
Status: Offline
Points: 7
Posted: 20 February 2007 at 3:36am
It was me asking this, and yeah, you are right, I don't know crap about internet security.
Looks like I figured it out; it needs to be there. The only thing is, the DB folder is not browsable, but the global.asa file points right to it.
Leathal
Newbie
Joined: 21 February 2007
Status: Offline
Points: 5
Posted: 23 February 2007 at 6:32pm
Very useful information here, but I would like to add that a good firewall with HTTP filtering should also be considered when using any kind of web-based forum application.
The Access DB thing... If you must use Access, Borg is right about moving the database elsewhere, but I would suggest, if you have access to MS SQL, using that instead. I am not sure if this forum will support 2005, as I know MS was giving away a version of it and still may to their MSDN clients, which btw costs $400 USD a year and gives you access to pretty much all of Microsoft's products for testing purposes, as they call it, but without containing any time bombs.
Leathal
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 24 February 2007 at 2:08pm
Web Wiz Forums works under MySQL and the SQL Server 2005 Express version; both of these are excellent database servers and both are free. The free version of SQL Server 2005 (SQL Server 2005 Express) is free for anyone to download from the Microsoft SQL Server web site, so you don't need to be an MSDN subscriber to download it. MySQL is also free and is just as good as SQL Server when running Web Wiz Forums. Both MySQL 4.1 and MySQL 5+ are supported. Either of these two database systems is much better than Access, not only for security but also for performance.
RAVALON
Groupie
Joined: 31 December 2003
Location: Italy
Status: Offline
Points: 132
Posted: 20 March 2007 at 1:41pm
Hello all,
I'm one of the first users who developed a personal port for MySQL (do you remember, Borg?).
I'm running a 7.x version... I know I have to update to the latest official version, but I need more time first to update without losing data...
In the meantime I have a problem.
Yesterday my provider contacted me, saying about 10,000 emails were sent from my forum without my authorization.
Do you know something about this problem?
Is there some exploit that enables someone to send email from the forum?
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 20 March 2007 at 3:17pm
It would be very difficult for this type of thing to come from the forum, as any email sent requires the user to be logged in.
Version 7.96 onwards has extra protection built in to prevent this type of spamming, which has only really become bad during the last few months.
More likely, though, you have a "contact us" type form on your site and you are not sanitising the subject line, which means that a remote hacker can make the email component send 1000's of carbon copies through the form to other people.
Edited by -boRg- - 20 March 2007 at 3:36pm
RAVALON
Groupie
Joined: 31 December 2003
Location: Italy
Status: Offline
Points: 132
Posted: 20 March 2007 at 6:40pm
Thank you for your answer, Borg.
For me too it is difficult to believe the problem came from the forum, but that is what the provider said... maybe they saw the subject of my forum in these 10,000 emails.
One other question... because of my bad English, I have not understood this:
*****
More likely though you have a contact us type form on your site and you are not sanitising the subject line which means that a remote hacker can make the email component send 1000's of Carbon Copies through the form to other people.
*****
Could you explain it to me in other words, please? I'm Italian and I don't understand... sorry.
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 20 March 2007 at 7:29pm
If you have a "contact us" enquiry form on your site, it can be used by spammers to send spam if left unchecked.
How spammers are now doing it: if you use CDOSYS or some other component, the spammer can change the subject so that it contains new-line characters with email addresses; this can be used to trick CDOSYS into sending 1000's of emails.
For example, a remote spammer could send the following subject to an email enquiry form:
my spam subject; email1@email.com; email2@email.com; email3@email.com; etc. etc.
By sending this subject along with the enquiry area filled in with a spam email, the CDOSYS component can be tricked into sending that form enquiry to 1000's of email addresses using the Blind Carbon Copy (BCC) method.
Web Wiz Forums is quite well protected against this type of spam, as not only are the subjects of emails created by the software and not the user, but the fields passed to the email component are filtered to prevent any malicious code from getting through.
You may want to ask your web host to forward one of these emails to you with all the headers. If you send this to Web Wiz support we can have a look through it for you to tell you exactly how the spammer is using your site to send spam.
Edited by -boRg- - 20 March 2007 at 7:33pm
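Bruce's two replies above (20 March, 3:17pm and 7:29pm) describe one weakness: an enquiry form that copies the visitor's subject field straight into a mail header, so line breaks or a list of addresses in that field become extra recipients. The following is an added example written for this thread, not code from the original posts or from Web Wiz Forums, showing the defensive side in Python rather than the Classic ASP/CDOSYS the thread discusses; the same rules carry over directly (reject CR/LF in any header field, never take To/Cc/Bcc from the form, keep free text in the body). The recipient address webmaster@example.com, the function names and the sample subjects are assumptions constructed for the example, modelled on the subject line quoted above.

```python
from __future__ import annotations

import re
from email.message import EmailMessage

# Fixed destination for the enquiry form (assumed placeholder address).
# User input must never reach To/Cc/Bcc; only the body and a checked
# Reply-To come from the form.
FORM_RECIPIENT = "webmaster@example.com"
MAX_SUBJECT_LEN = 120

# Deliberately simple address pattern, used only to count addresses in a subject.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# CR, LF and NUL are what turn a single header into several headers.
CTRL_RE = re.compile(r"[\r\n\x00]")
# Header names a spammer would try to smuggle onto a new line.
HEADER_RE = re.compile(r"(?im)^\s*(to|cc|bcc|from|content-type)\s*:")

# Constructed sample inputs, modelled on the subject line quoted in the thread.
SAMPLE_SUBJECTS = {
    "legit": "Question about your forum",
    "semicolon_list": "my spam subject; email1@email.com; email2@email.com; email3@email.com",
    "crlf_bcc": "my spam subject\r\nBcc: email1@email.com, email2@email.com",
}


def injection_indicators(subject: str) -> list[str]:
    """Return the reasons a submitted subject looks like a header-injection attempt.

    An empty list means the subject passed every check.
    """
    reasons = []
    if CTRL_RE.search(subject):
        reasons.append("line break or NUL in subject")
    addresses = EMAIL_RE.findall(subject)
    if addresses:
        reasons.append(f"{len(addresses)} email address(es) embedded in subject")
    if HEADER_RE.search(subject):
        reasons.append("mail header name injected into subject")
    if len(subject) > MAX_SUBJECT_LEN:
        reasons.append("subject exceeds length limit")
    return reasons


def sanitize_subject(subject: str) -> str:
    """Collapse line breaks and other control characters so the value stays one header line."""
    cleaned = CTRL_RE.sub(" ", subject)
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    return cleaned[:MAX_SUBJECT_LEN]


def prepare_enquiry_mail(sender_name: str, reply_to: str, subject: str, body: str) -> EmailMessage:
    """Build the outgoing enquiry, rejecting submissions that try to add recipients.

    Raises ValueError listing the indicators found; the caller should log them
    and show the visitor a generic error.
    """
    reasons = injection_indicators(subject)
    if not EMAIL_RE.fullmatch(reply_to.strip()):
        reasons.append("reply-to is not a single address")
    if reasons:
        raise ValueError("; ".join(reasons))

    msg = EmailMessage()
    msg["To"] = FORM_RECIPIENT          # never taken from the form
    msg["From"] = FORM_RECIPIENT        # send as the site, not as the visitor
    msg["Reply-To"] = reply_to.strip()
    msg["Subject"] = "[Enquiry] " + sanitize_subject(subject)
    # Free-text fields go into the body, where line breaks are harmless.
    msg.set_content(f"From: {sanitize_subject(sender_name)}\n\n{body}")
    return msg


def screen_samples() -> dict[str, list[str]]:
    """Run the indicator check over the constructed samples."""
    return {name: injection_indicators(s) for name, s in SAMPLE_SUBJECTS.items()}


if __name__ == "__main__":
    for name, reasons in screen_samples().items():
        verdict = "ok" if not reasons else "REJECT: " + "; ".join(reasons)
        print(f"{name:15s} -> {verdict}")
```

The important design choice is that the recipient list is a constant, so even if a check were missed the form could not add addresses; the indicator checks exist so that attempts are logged and rejected rather than silently cleaned, which is also what you want to see in the web server log when a host reports outbound spam.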
RAVALON
Groupie
Joined: 31 December 2003
Location: Italy
Status: Offline
Points: 132
Posted: 20 March 2007 at 7:39pm
Thanks again, Borg... effectively I use the CDOSYS object to send email...
I'm using the 7.91 version, so I have to think it is not protected from this type of spam... right?
I'm in contact with the server provider's developers... I'll ask if they could send me one of these emails, and after that I'll post it here...
Until then, is there some quick code upgrade that I could insert to protect against this type of spam?