Archive of UserLand's first discussion group, started October 5, 1998.

Getting back lost functionality in htmlInterfaces.root

Author: André Radke
Posted: 4/22/1999; 9:52:46 AM
Topic: Security Alert: htmlInterfaces.root

Lost functionality after closing security hole

On April 22, 1999, we identified a security hole in htmlInterfaces.root, a guest database that ships as sample code with Frontier 6. After closing this security hole on your machine, you will be left without the ability to view enclosures of discussion group messages thru the regular discussion group web interface.

This document describes how to get back the lost functionality without compromising security. (It does not describe how to close the security hole as such; see the above link for information about that topic.)

Download and install new enclosure viewer

First, you need to download a new script for viewing enclosures of discussion group messages. A table containing this script and some relevant #attributes is attached to this message. You can view that table or download it as a fat page by following the respective links in the header section of this message.

When opening the downloaded fat page from within Frontier, you will be asked for an address where the imported object will then be stored. Assuming the standard htmlInterfaces.root is running on your machine and it is open, enter "discussionGroup.enclosures" (without double quotes) into the dialog box.

Once you have imported the object, make sure you save htmlInterfaces.root, e.g. by bringing its window to the front and choosing Save Database from Frontier's File menu.

Modify config.mainResponder.urls.discussEnclosureViewer

Next, open the config.mainResponder.urls table and look for the entry named discussEnclosureViewer. Its value should be something like the following:

In that string, replace "raw/messages/" with "enclosures/view$", for example:$

Make sure you save config.root after you have made this change.

Download mainResponder.root update

Finally, you need to install an update to mainResponder.discuss.readMessage. You can obtain this update by bringing the mainResponder.root window to the front and choosing the Update mainResponder.root... command from Frontier's Main menu.

You can verify that the update was downloaded and installed successfully by opening the mainResponder.discuss.readMessage script. If there is an entry dated April 22, 1999 under the Changes heading, you have the correct version.

Testing the fix

You can test the fix by bringing up a discussion group message in your browser which has an enclosure. Click the View link in the header section of that message. You should be taken to a URL of the following form:$111

General information about posting enclosures to discussion group messages is available from the Editing In Frontier page.

Fixing other discussion groups

If you are running a discussion group on your server which is based on the discussionGroup table in htmlInterfaces.root, you can fix it as well by copying the discussionGroup.enclosures table into your discussion group website table.

If the discussion group website has its own #urls table, you need to modify its discussEnclosureViewer field as described above for the config.mainResponder.urls table.

