
Is it possible to Request.QueryString("page") ?

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=25859
Printed Date: 03 April 2026 at 11:03am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Is it possible to Request.QueryString("page") ?
Posted By: SkIpErMan
Subject: Is it possible to Request.QueryString("page") ?
Date Posted: 18 June 2008 at 3:20pm

Hi!

I have integrated Web Wiz Forums into my site and am doing some tests to see if it fits my needs, and it looks fine!

However, I would like to use Server.Execute on the default.asp page in a table. To do so I need to call all links into Request.QueryString("page") so they show up in the same table, like this:
 
              'IF Request.QueryString("page") = "" THEN
               'Server.Execute("default.asp")
               
               'ELSEIF Request.QueryString("page") = "home" OR Request.QueryString("page") = "forumindex" OR Request.QueryString("page") = "staffandmanagement" OR Request.QueryString("page") = "teamnews" THEN
               'Server.Execute("ssi/"& Request.QueryString("page") &".asp")
               
              'ELSE
               'Server.Execute(""& Request.QueryString("page") &".asp")
              'END IF
 
My question is: has Web Wiz Forums already implemented code where I can make this change, or do I have to change all links on every page?

I think I saw something in one of your pages, but can't find it again!

Is there any other way to integrate Web Wiz Forums as I have done without changing all links or using Request.QueryString("page")? I have tested an iframe but have read somewhere that it could be used to inject other sites. And with an iframe I have to use a scroller, and I don't like that!

However, to change the code I need a license, so I would like to know if there are other options first!

This is how all tables are set up with Web Wiz Forums and I like it :)
 
 
Best regards
 
/SkIpErMan
 
 
 



Replies:
Posted By: WebWiz-Bruce
Date Posted: 19 June 2008 at 12:18pm
I'm not really sure what you are trying to do, but I can see the code you are using is completely insecure. Using a querystring in a Server.Execute without first parsing the data is an open invitation to any hacker.

-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: SkIpErMan
Date Posted: 19 June 2008 at 6:00pm

I am just a beginner and use very simple school code, so there should not be any opening for a hacker in my code as far as I know. Else I have to take my teacher by the ear LOL

If I cannot use Server.Execute on the Web Wiz Forums default.asp, because the code is not parsed, what options do I have to keep my tables and the forum like the screenshot shows?

Or should I just give it up and start building and finish my own forum again?
 
/SkIpErMan


Posted By: Scotty32
Date Posted: 19 June 2008 at 6:16pm
Just enter your site layout into the forum's includes/header.asp and includes/footer.asp files.

If you already have a header and footer file for your site, just enter the link to them, e.g.:

<!--#include file="../../includes/header.asp"-->


-------------
S2H.co.uk - WebWiz Mods and Skins: http://www.s2h.co.uk/wwf/

For support on my mods + skins, please use my forum: http://www.s2h.co.uk/forum/


Posted By: WebWiz-Bruce
Date Posted: 20 June 2008 at 8:40am
Originally posted by SkIpErMan:

I am just a beginner and use very simple school code, so there should not be any opening for a hacker in my code as far as I know. Else I have to take my teacher by the ear LOL

If I cannot use Server.Execute on the Web Wiz Forums default.asp, because the code is not parsed, what options do I have to keep my tables and the forum like the screenshot shows?

Or should I just give it up and start building and finish my own forum again?
 
/SkIpErMan


If a teacher is giving this code you should pull them up, it's completely open to a hacker.

Server.Execute(""& Request.QueryString("page") &".asp")

Using a querystring in Server.Execute without parsing the data means that anyone can easily change the querystring in the URL and call any ASP file on the server they like within the page.

This is very dangerous. You should place the querystring data into a variable, then check its contents are permitted and remove any malicious code before using it within Server.Execute.

For example:-

mysite.com/forum/default.asp?Page=../../badfile

This could be sent within the URL to call an ASP file called badfile.asp which isn't even in the forum directory!!

This is just an example, but a clever hacker can use this type of thing to do all sorts of damage, and you wouldn't believe the lengths some hackers go to.




Posted By: SkIpErMan
Date Posted: 20 June 2008 at 12:59pm

Thanks!

I did not know this. I am glad you told me about my security hole. I'll go fix it!

But I'm still interested in Web Wiz Forums :)
 
Thanks again!
 
Michael / aKa SkIpErMan
 


Posted By: WebWiz-Bruce
Date Posted: 20 June 2008 at 1:34pm
As a rule of thumb any data passed from user data from forms etc. or in a querystring should always be parsed and checked for malicious code as they can be used for XSS (Cross site scripting), SQL Injections, DoS attacks, etc.



Posted By: SkIpErMan
Date Posted: 24 June 2008 at 8:20pm

It's not possible to directly call any of my pages because they have code that checks before they execute. But it would not be secure to do the same execute with Web Wiz Forums.

I'll finish my own forum. I have at least main and subforums!
 
Thanks for your help!
 
/SkIpErMan
 
 

 


Posted By: WebWiz-Bruce
Date Posted: 25 June 2008 at 8:45am
The code will work with Web Wiz Forums.

However, the point I am trying to make is that no matter where you use the code you have posted, it is insecure.

Even if you use the code outside of Web Wiz Forums it is still insecure.

If you are going to do any type of coding you need to first learn about creating secure code, or you will find your own forum will be hacked in no time.

You need to have a look at things like SQL Injection and Cross Site Scripting (XSS).

The code you presently have, no matter where you have it on your site, is wide open to XSS hacking.




Posted By: SkIpErMan
Date Posted: 25 June 2008 at 4:01pm
There was a lot to read. I could not find anything related to my code. However, I did find a bite injection in NET. Anyway, I do have code that checks all forms and inputs from users, and also afterwards but before any of my pages execute in the code above!
 
I made a test with a free version of Acunetix!
 
Acunetix Threat Level 0
No vulnerabilities have been discovered by the scanner
 
Target http://localhost:80/
Server banner Microsoft-IIS/5.1
Operating system Windows
Web server IIS 5.1
Technologies ASP,JRun
Scan progress
Start time 25/6/2008, 16:29:52
Finish time 25/6/2008, 16:41:21
Scan time 11 minutes
Scan iteration 1
Scanning mode Quick
Scanning stage Finished
Current module Finished 
Testing on Finished 
Current test Finished
Running tasks 0 ( 0 sub tasks )
Total number of requests 2504
Average response time (ms) 2355,96
 
 
You marked a bit of my code in red, so I guess that is the part of the code that is insecure. But I don't know why, or how to secure it more than I have done already!
 
/SkIpErMan


Posted By: WebWiz-Bruce
Date Posted: 25 June 2008 at 5:13pm
This is how I would do it to be more secure, although this is just quick and more can be done:-



'Read the querystring into a variable
strPage = Request.QueryString("page")

'Simple start, but should strip out a malicious user's attempt to change the path to run a file outside of the forum directory
strPage = Replace(strPage, "/", "")
strPage = Replace(strPage, "\", "")
strPage = Replace(strPage, ".", "")


IF strPage = "" THEN
    Server.Execute("default.asp")

ELSEIF strPage = "home" OR strPage = "forumindex" OR strPage = "staffandmanagement" OR strPage = "teamnews" THEN
    Server.Execute("ssi/" & strPage & ".asp")

ELSE
    'Any other value is executed as <value>.asp from the current directory
    Server.Execute("" & strPage & ".asp")
END IF




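
Added example (not part of the original thread, and not Web Wiz Forums code): the replies above say the querystring's contents should be checked as permitted before they reach Server.Execute. One way to do that is an allowlist that maps each accepted page key to a fixed path, so the request value never becomes part of the path. The helper name ResolvePage and the 404 response are assumptions; the keys and paths are the page names used in this thread.

```vbscript
'Added example: allowlist lookup instead of building the path from user input.
'ResolvePage is a hypothetical helper; keys and paths follow the thread's names.
Function ResolvePage(ByVal strKey)
    Dim dictPages
    Set dictPages = Server.CreateObject("Scripting.Dictionary")
    dictPages.CompareMode = vbTextCompare   'must be set before adding keys

    'Every script that may be executed is listed here with its relative path.
    dictPages.Add "home", "ssi/home.asp"
    dictPages.Add "forumindex", "ssi/forumindex.asp"
    dictPages.Add "staffandmanagement", "ssi/staffandmanagement.asp"
    dictPages.Add "teamnews", "ssi/teamnews.asp"

    If strKey = "" Then
        ResolvePage = "default.asp"          'no page requested
    ElseIf dictPages.Exists(strKey) Then
        ResolvePage = dictPages(strKey)      'fixed value, not the user's string
    Else
        ResolvePage = ""                     'unknown key: nothing to execute
    End If
End Function

Dim strTarget
strTarget = ResolvePage(Trim(Request.QueryString("page")))

If strTarget = "" Then
    'Covers ../ sequences, repeated page= parameters and any script name
    'that was never meant to be reachable through this page.
    Response.Status = "404 Not Found"
Else
    Server.Execute strTarget
End If
```

Pages that the ELSE branch in the thread's code would have served from the current directory have to be added to the dictionary explicitly, one entry per page.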


Posted By: SkIpErMan
Date Posted: 28 June 2008 at 1:12am
Thanks for your reply!
 
I have worked hard on my site for 9-10 months. I'm still learning and don't know everything. It's just school code, examples, my own ideas, friends and a teacher. I have some learning skills from Pascal that help me to think in terms like if, else and some mathematics.

I have checked the Web Wiz Forums code to see how it's built. It is professionally coded, looks nice and is clean. It's very different from my school coding and hard for me to follow because I don't understand everything. But it's good to see how pros write code, it gives a lot!

I have some sessions, cup admins, clan leaders and trustees, and have written special code for this. Also, the gaming cup has lots of code that is special. I'm still learning how to encrypt and solve some problems.

I am still interested in Web Wiz Forums, but as usual, everyone just wants to log in once. I do know your API. I have to learn your system first to see how I could rebuild my system. And the database, I have some important login issues that I need for the cups!

I really need to fix these issues (login, database, session, admin) so they fit together and the site can go online.

I have found a good site about SHA-1 and salt, with low learning skill, so I'm testing and rebuilding my site. I don't know what code I am looking for. I have to check and learn before I have questions!

So I'm building and rebuilding with Web Wiz Forums in mind!
 
Best regards
 
/ SkIpErMan
 
 
 
 


