Q: My website homepage is sometimes crashing... ( No Answer,   3 Comments )
Question  
Subject: My website homepage is sometimes crashing...
Category: Computers
Asked by: cornchip-ga
List Price: $5.00
Posted: 09 Sep 2005 13:48 PDT
Expires: 03 Oct 2005 13:45 PDT
Question ID: 566174
Users are sometimes reporting that when they try to navigate to the
homepage of my website they are getting a runtime error. The error is
the generic .NET message (Server Error in '/' Application... etc...)

The website is http://www.unitville.com/

The users are not giving me any more information, but more than one
person has reported it. I cannot reproduce this problem, nor can
anybody that I have asked.

Can you post a comment if you are successful or unsuccessful when
navigating to the page.

The winner is the person who sees the error and can tell me the steps
to reproduce it.
Answer  
There is no answer at this time.

Comments  
Subject: Re: My website homepage is sometimes crashing...
From: feldersoft-ga on 09 Sep 2005 14:24 PDT
 
Works for me running Firefox under Linux. ;-)

Under VMware when I run IE the site loads fine.  I did find a problem
when I clicked on the "Create a printable Newsletter" link.  Doing
that causes a notification by the IE popup blocker and then the page
immediately refreshes to the main page, giving me no chance to allow or
display the popup.  Same thing happens with the answerboard.

No .NET crashes.

Subject: Re: My website homepage is sometimes crashing...
From: feldersoft-ga on 09 Sep 2005 14:38 PDT
 
Oh one other thing.  I registered for an account and uploaded a random
file for my picture.  I changed a .exe to .jpg and it uploaded fine. 
You may want to restrict picture uploading to paying users, as it may
be a considerable security risk to allow anyone to upload stuff and
then subsequently pull it down.

For example, I could create a bogus account, upload warez/music/xxx
pictures, and then post a URL somewhere with a link to the content.

The file I uploaded was ymesuite.jpg (renamed from ymesuite.exe), which
is the Yahoo Music Engine (random file pulled from my VMware desktop).
I verified that I could pull it down by going here:

http://www.unitville.com/photos//ymesuite.jpg

Oh whoops... as I was composing this I did trigger the error.  When
updating my profile I used <table> (i.e. an HTML tag) in my nickname. 
You really really need to make sure you sanitize the data people put
in those boxes.  I notice most of your validation is client side. 
This is very dangerous as a malicious user may be able to circumvent that
and stick total garbage in your membership database.

Subject: Re: My website homepage is sometimes crashing...
From: feldersoft-ga on 09 Sep 2005 15:01 PDT
 
OK, one last thing.  Changing my name to &amp; shows an ampersand
instead of &amp; for my name when I go to create a newsletter.  This
means you're not sanitizing the information when you push it back out of
the database.  It might actually be possible for me to steal other
members' private info by exploiting this property.  Imagine if I could
get some arbitrary HTML (say form elements) into some of these fields
and then trick other members into filling out those elements while
assuming the data will go to you and it instead goes to me.

When you write an application like this you have to make assumptions
that the user is going to do whatever is in their power to mess up
your app.
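
The server-side checks the comments above call for, as an added example that is not part of the original thread and not the site's own code. It is written in Python rather than the site's .NET stack; the function names, size limit, nickname policy and sample byte strings are assumptions made for illustration.

```python
import html
import re
import secrets

# Leading bytes (file signatures) of the image types accepted for profile photos.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed size limit
NICKNAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,32}")  # assumed nickname policy

# Constructed sample inputs: a Windows executable starts with "MZ", a JPEG with FF D8 FF.
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 53


def stored_photo_name(client_filename, data):
    """Return a server-chosen file name for an upload, or raise ValueError."""
    # client_filename is deliberately ignored: the type comes from the content.
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("upload too large")
    for signature, extension in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return secrets.token_hex(16) + extension
    raise ValueError("content is not a supported image type")


def validate_nickname(raw):
    """Server-side allow-list check; runs whatever the browser did or did not check."""
    nickname = raw.strip()
    if not NICKNAME_RE.fullmatch(nickname):
        raise ValueError("nickname contains characters that are not allowed")
    return nickname


def render_nickname(stored_value):
    """Encode on output so stored text is displayed as text, not parsed as markup."""
    return '<span class="nickname">' + html.escape(stored_value, quote=True) + "</span>"


if __name__ == "__main__":
    for name, data in (("ymesuite.jpg", RENAMED_EXE), ("me.jpg", JPEG_SAMPLE)):
        try:
            print(name, "->", stored_photo_name(name, data))
        except ValueError as err:
            print(name, "rejected:", err)
```

A signature check only inspects the first bytes of the file; decoding and re-encoding the image on the server is a stronger check on what ends up being served.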
