[FX.php List] Security Concerns with FileMaker Website

Stephen Knight stephen at fmwebschool.com
Wed Jan 24 09:12:19 MST 2007


Hi Gjermund,

You actually did not explain your full technique regarding the keys and
simply suggested that sessions would work. Would you care to explain where
the user gets the correct key from? If they have to enter the key based on
their previous knowledge of the system then it becomes a login system (a good
way to protect private data against bots, no doubt there), but otherwise you
suggested that a key is put into the session by PHP on one page and examined
on the next, and I do not see how that would affect a cookie-passing bot.


In Kindness
Stephen K Knight
http://www.fmwebschool.com
800.353.7950 / 386.453.5843
FMWebschool, we bring the web to life 
FX.PHP PHP XML MySQL CDML ASP

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund Gusland
Thorsen
Sent: Wednesday, January 24, 2007 10:54 AM
To: FX.php Discussion List
Subject: Re: [FX.php List] Security Concerns with FileMaker Website

Ehh, how are the bots able to put the correct key in the session?!?

Do bots come with brute-force techniques these days, Mr Knight?!?

ggt667

On 1/24/07, Stephen  Knight <stephen at fmwebschool.com> wrote:
> Hi,
>
> Sessions are actually far from being foolproof - if you do not have a
> login but do require a session to proceed then the bot can easily
> carry your session through. For example the use of cURL is very
> popular in recent bots and curl includes a one line option to turn on
> a "cookie jar" which will collect and pass along any session cookies
> that you assigned to it on one page to the next. It might stop some
> older less intelligent bots but these days it is very easy to pass
> along cookies - and I would not be surprised if within a year or two
> we will start seeing full-blown JS enabled bots which will parse the JS on
> the current pages in order to extract obfuscated data.
>
> In Kindness
> Stephen K Knight
> http://www.fmwebschool.com
> 800.353.7950 / 386.453.5843
> FMWebschool, we bring the web to life
> FX.PHP PHP XML MySQL CDML ASP
>
> -----Original Message-----
> From: fx.php_list-bounces at mail.iviking.org
> [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund 
> Gusland Thorsen
> Sent: Wednesday, January 24, 2007 10:29 AM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] Security Concerns with FileMaker Website
>
> I assume you do something like this:
>
> <?php
> session_start();
> // projectkey.php is expected to set $key1 (stored key) and $key2 (supplied key)
> include_once( $_SERVER['DOCUMENT_ROOT'] . "/projectkey.php" );
> if( $key1 != $key2 ) {
>         header( "Location: /index.php?status=log_on" );
>         exit;
> }
>
> ggt667
>
> On 1/24/07, Jonathan Schwartz <jonathan at eschwartz.com> wrote:
> >
> >
> > I have also noticed the bots because I am logging every arrival to
> > my fx.php pages for development and customer support reasons.
> >
> > In my solutions, I am using sessions. Without a current session, the
> > page never gets past the session check on line 3.  The "user" is
> > redirected to the start page to either log in or to start the
> > process (whatever it is).
> >
> >
> > So, the bot might hit the page, but never sees data.
> >
> >
> > Works for me, but YMMV.
> >
> >
> > Hope that helps.
> >
> >
> > Jonathan
> >
> > Hello everyone,
> > In the past hour, I've done some analysis of various logs and
> > emails, and I've come to a chilling realization that I've never had
> > before about bots harvesting information from websites -- I knew it
> > happened, but I never knew the scope of the problem until tonight --
> > and this is a low traffic website!
> >
> >
> > So, I have a website which contains a public listing of email
> > addresses and websites from a FileMaker database.  I want to stop
> > unknown bots from crawling the site.  All of the data comes out of
> > FileMaker, nicely formatted as links for the end user's clicking
> > convenience.  I have a solution to fix email addresses from being
> > harvested, but I was wondering if anyone knows of a way to prevent
> > website addresses from being harvested, but still clickable as a
> > hyperlink.
> >
> >
> > I thought maybe a PHP redirect link, like redirect.php?id=16 where 
> > redirect puts a user at the website listed in record 16, but once 
> > the PHP is all said and done, we're still at the linked website, so 
> > that doesn't really prevent anything from being harvested.
> >
> >
> > Is there a way to maybe detect if a link was actually clicked by a
> > person, and not just passed through by an automated bot?  PHP is
> > preferable for such a solution -- JavaScript is too easy to turn off.
> > Or, is there a way to specify that only bots from places like 
> > Google, Live, and Yahoo are allowed to crawl the site?
> >
> >
> > Hopefully my predicament is clear.  I need to solve this ASAP...
> >
> >
> > --Ed
> > ---------------------
> > http://www.edwardford.net
> >
> >  _______________________________________________
> >  FX.php_List mailing list
> >  FX.php_List at mail.iviking.org
> >  http://www.iviking.org/mailman/listinfo/fx.php_list
> >
> > --
> >
> > Jonathan Schwartz
> > FileMaker 8 Certified Developer
> > Associate Member, FileMaker Solutions Alliance
> > Schwartz & Company
> > jonathan at eschwartz.com
> > http://www.eschwartz.com
> > http://www.exit445.com
> > 415-381-1852
> >
> >
> >
>
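An added example, not code from any of the posts above, that puts the thread's two points side by side in one PHP file: a gate that only checks that a session exists (which a client carrying the PHPSESSID cookie, such as the curl cookie jar Stephen describes, passes on every request after its first visit), next to a gate bound to a completed login that such a client does not pass; and Ed's redirect.php?id=N link, resolved only for a logged-in session and only from a server-side table, so the listing page itself never carries the target URL. The file names (gate.php, login.php, redirect.php), the $links table standing in for FileMaker records, and the 30-minute session lifetime are assumptions; hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example (not from the list posts). Assumed layout: this file is the
// gate included at the top of every FX.php page and also serves redirect.php;
// login.php (hypothetical) calls markAuthenticated() after checking credentials.
declare(strict_types=1);

session_start();

// Gate variant A: "a session exists". Any client that fetched index.php once
// and stores the PHPSESSID cookie passes this test on every later request.
function hasSessionOnly(): bool
{
    return isset($_SESSION['started']);
}

// Gate variant B: the session carries a marker that is only written after the
// credentials were checked. Replaying the session cookie alone never sets it.
function isAuthenticated(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['auth_time'])
        && is_int($_SESSION['user_id'])
        && (time() - $_SESSION['auth_time']) < 1800; // assumed 30-minute lifetime
}

// Called from login.php once the credentials were verified against FileMaker
// (the verification itself is outside this example).
function markAuthenticated(int $userId): void
{
    session_regenerate_id(true); // fresh id: the pre-login cookie stops working
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

// Constant-time comparison of a shared project key, in the spirit of the
// quoted "$key1 != $key2" check; hash_equals() avoids a timing side channel.
function keysMatch(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// redirect.php: map a record id to its URL, but only for a logged-in session
// and only through the server-side table. The id is validated as a positive
// integer, so nothing from the query string reaches the Location header as-is.
function resolveRedirect(array $query, array $links): ?string
{
    if (!isAuthenticated()) {
        return null;
    }
    $id = filter_var(
        $query['id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null;
    }
    return $links[$id] ?? null;
}

// Constructed stand-in for the FileMaker listing; the real solution would
// look the record up through FX.php.
$links = [
    16 => 'https://www.example.org/',
    17 => 'https://www.example.net/',
];

$target = resolveRedirect($_GET, $links);
if ($target === null) {
    // Unknown id, or no completed login: back to the start page, as in the
    // quoted snippet. A cookie-carrying bot that never logged in ends up here.
    header('Location: /index.php?status=log_on');
    exit;
}
header('Location: ' . $target, true, 302);
exit;
```

The contrast is the point: hasSessionOnly() is what a plain "require a session to proceed" check amounts to, and a client that stores cookies satisfies it for free, while isAuthenticated() depends on state that only a credential check writes. Regenerating the session id at login also means a session id a bot collected before the login is not the one the authenticated session uses.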
