[FX.php List] Security Concerns with FileMaker Website

Gjermund Gusland Thorsen ggt667 at gmail.com
Wed Jan 24 08:53:37 MST 2007 

Ehh, how are the bots able to but the correct key in the session?!?

Does bots come with brute force techniques these days Mr Knight?!?

ggt667

On 1/24/07, Stephen  Knight <stephen at fmwebschool.com> wrote:
> Hi,
>
> Sessions are actually far from being faultproof - if you do not have a login
> but do require a session to proceed then the bot can easily carry your
> session through. For example the use of cURL is very popular in recent bots
> and curl includes a one line option to turn on a "cookie jar" which will
> collect and pass along any session cookies that you assigned to it on one
> page to the next. It might stop some older less intellegent bots but these
> days it is very easy to pass along cookies - and I would not be surprised if
> within a year or two we will start seeing full blown JS enabled bots which
> will parse the JS on the current pages in order to extract obfuscated data.
>
>
>
> In Kindness
> Stephen K Knight
> http://www.fmwebschool.com
> 800.353.7950 / 386.453.5843
> FMWebschool, we bring the web to life
> FX.PHP PHP XML MySQL CDML ASP
>
> -----Original Message-----
> From: fx.php_list-bounces at mail.iviking.org
> [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund Gusland
> Thorsen
> Sent: Wednesday, January 24, 2007 10:29 AM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] Security Concerns with FileMaker Website
>
> I assume you do something like this:
>
> <?
> session_start();
> include_once( $_SERVER['DOCUMENT_ROOT'] . "/projectkey.php" ); if( $key1 !=
> $key2 ) {
>         header( "Location: /index.php?status=log_on" );
>         exit;
> }
>
> ggt667
>
> On 1/24/07, Jonathan Schwartz <jonathan at eschwartz.com> wrote:
> >
> >
> > I have also noticed the bots because I am logging every arrival to my
> > fx.php pages for development and customer support resaons.
> >
> >
> > In my solutions, I am using sessions. Without a current session, the
> > page never gets past the session check on line 3.  The "user" is
> > redirected to the start page to either log in or to start the process
> (whatever it is).
> >
> >
> > So, the bot might hit the page, but never sees data.
> >
> >
> > Works for me, but YMMV.
> >
> >
> > Hope that helps.
> >
> >
> > Jonathan
> >
> >
> >
> >
> >
> >
> >
> > Hello everyone,
> > In the past hour, I've done some analysis of various logs and emails,
> > and I've come to a chilling realization that I've never had before
> > about bots harvesting information from websites -- I knew it happened,
> > but I never knew the scope of the problem until tonight -- and this is a
> low traffic website!
> >
> >
> > So, I have a website which contains a public listing of email
> > addresses and websites from a FileMaker database.  I want to stop
> > unknown bots from crawling the site.  All of the data comes out of
> > FileMaker, nicely formatted as links for the end user's clicking
> > convenience.  I have a solution to fix email addresses from being
> > harvested, but I was wondering if anyone knows of a way to prevent
> > website addresses from being harvested, but still clickable as a
> hyperlink.
> >
> >
> > I thought maybe a PHP redirect link, like redirect.php?id=16 where
> > redirect puts a user at the website listed in record 16, but once the
> > PHP is all said and done, we're still at the linked website, so that
> > doesn't really prevent anything from being harvested.
> >
> >
> > Is there a way to maybe detect is a link was actually clicked by a
> > person, and not just passed through by an automated bot?  PHP is
> > preferable for such a solution -- JavaScript is too easy to turn off.
> > Or, is there a way to specify that only bots from places like Google,
> > Live, and Yahoo are allowed to crawl the site?
> >
> >
> > Hopefully my predicament is clear.  I need to solve this ASAP...
> >
> >
> > --Ed
> > ---------------------
> > http://www.edwardford.net
> >
> >
> >
> >
> >
> >  _______________________________________________
> >  FX.php_List mailing list
> >  FX.php_List at mail.iviking.org
> >  http://www.iviking.org/mailman/listinfo/fx.php_list
> >
> >
> >
> >  --
> >
> >
> >
> > Jonathan Schwartz
> > FileMaker 8 Certified  Developer
> > Associate Member, FileMaker Solutions Alliance Schwartz & Company
> > jonathan at eschwartz.com http://www.eschwartz.com http://www.exit445.com
> > 415-381-1852
> >
> >
> > _______________________________________________
> > FX.php_List mailing list
> > FX.php_List at mail.iviking.org
> > http://www.iviking.org/mailman/listinfo/fx.php_list
> >
> >
> >
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>

More information about the FX.php_List mailing list