HUGE security problem in A5 web security :shocked:


    #31
    Re: HUGE security problem in A5 web security

    I hope this does not come off as an insult but why stop there?
    Give your programmers your admin login for your database...lol

    The single most common security issue WORLDWIDE is - known keys, or passwords...

    Hardly an Alpha issue.
    NWCOPRO: Nuisance Wildlife Control Software My Application: http://www.nwcopro.com "Without forgetting, we would have no memory at all...now what was I saying?"



      #32
      Re: HUGE security problem in A5 web security

      Originally posted by Davidk View Post
      I'm not sure I understand the point of this thread. If there's an issue with security then letting Alpha know about it quietly should have been the only course... not blabbing it here. It was irresponsible to do so and only hurts the Alpha community.
      It does not harm anybody when talking about passwords, not even Alpha. It is a common subject in forums. Here is a good article on how it should be done.

      Imagine a conversation between a developer and a customer:

      - We use this function to encrypt passwords, believe me, very secure function.
      - Sounds good!
      - AND we use this function to decrypt passwords, very fast function.



        #33
        Re: HUGE security problem in A5 web security

        Exactly!
        I encrypt all of your info to the database...I want to serve it back to you - uhoh, guess we need to decrypt it...shocking!
        NWCOPRO: Nuisance Wildlife Control Software My Application: http://www.nwcopro.com "Without forgetting, we would have no memory at all...now what was I saying?"



          #34
          Re: HUGE security problem in A5 web security

          Originally posted by Davidk View Post
          I'm not sure I understand the point of this thread. If there's an issue with security then letting Alpha know about it quietly should have been the only course... not blabbing it here. It was irresponsible to do so and only hurts the Alpha community.
          I brought this up and I can definitely see your point; maybe it was not a good thing to do. At the same time I would have liked anyone else to tell me if they had found out, but I realise now that I might not share this view with all of you.

          Anyway, I have had a lot of very good discussions with Alpha during the last day and I think there will be an update sooner than you think. After the update I will not be concerned about the security anymore but I will let alpha announce the details.

          I also have to say that their reaction to this has been very professional and probably better than I deserve ;) .



            #35
            Re: HUGE security problem in A5 web security

            I agree with Peter, Kevin and Robert: each security issue automatically gets a high priority with the Alpha team; it's the principle "clear the desk, we have to fix it if indeed it's a bug". It's one of the basic goals of Alpha Software to keep our apps hooked to the internet as safe as possible, simply because we run apps from real estate to highly confidential medical records regulations etc. It's the strength of the community to come forward with such issues, so I praise Robert for that; in other words, if the impact is so high the A5 team will deliver a hotfix ASAP [if confirmed]. Yes, I agree hackers will do anything to get inside your business data at any time, not just starting today but yesterday.
            Peter is correct, he raises the question/answer for V11, but what about V10? The reason I ask: I know that until today these apps are running in production with a large number of users, and it's impossible to upgrade these types of apps on the fly from dbf to SQL. I am not even sure there is a risk, as I have knowledge about what precautions have been taken [don't ask, I can't share]. This guy is very alert on security for his apps, but again there are limits, so there are holes in the bucket.
            What you could do, for example with MySQL or MariaDB: split the case, move your web security tables to a sandbox model, first verify the user in the sandbox, then use a dynamic connection string applying for that user, reference the userid/name by a GUID, and link/reference the schema by DB/schema outside of the apps.
            Take extra safeguards; even if A5 will prevent SQL injection through component security [have you checked this?], it's up to you to tighten security to the limit, not A5 Corporation: "easy habits are at risk".

            My advice: use a database firewall.
            Ask yourself this: my connection is "host"--port--3306, user "root" --> password "QWERTREWQ"; result: "GRANT ALL TO" user root, remote connection allowed = "*", i.e. "%" (any host). Happy hackers!



              #36
              Re: HUGE security problem in A5 web security

              The next pre-release of Alpha Anywhere (after today) will include a new optional password encryption process. This new process creates a longer fixed length encrypted string for the password. This cannot be decrypted with any known key.

              This process has been in testing for some time, and some of the code has been in Alpha Anywhere since build 2614_4409 (Dec 18, 2014). Any passwords created using the new method will be recognized in that build and any newer build. If you use the new method, you will not be able to easily roll back to a build prior to 2614.

              The pre-release notes will include information about the option as well as information on a utility to update any currently encrypted passwords to the new method. This is not required, but is available for any developer wanting to use the new method. The utility can also roll back new passwords to the current method if necessary.



                #37
                Re: HUGE security problem in A5 web security

                Originally posted by JerryBrightbill View Post
                The next pre-release of Alpha Anywhere (after today) will include a new optional password encryption process. This new process creates a longer fixed length encrypted string for the password. This cannot be decrypted with any known key.

                This process has been in testing for some time, and some of the code has been in Alpha Anywhere since build 2614_4409 (Dec 18, 2014). Any passwords created using the new method will be recognized in that build and any newer build. If you use the new method, you will not be able to easily roll back to a build prior to 2614.

                The pre-release notes will include information about the option as well as information on a utility to update any currently encrypted passwords to the new method. This is not required, but is available for any developer wanting to use the new method. The utility can also roll back new passwords to the current method if necessary.
                will this be available for version 11?
                thanks for reading

                gandhi

                version 11 3381 - 4096
                mysql backend
                http://www.alphawebprogramming.blogspot.com
                1 914 924 5171



                  #38
                  Re: HUGE security problem in A5 web security

                  Originally posted by GGandhi View Post
                  will this be available for version 11?
                  Read Peter's post: V11 and before is not supported, so that's a clear answer. I would be surprised if the A5 team created a fix/patch.



                    #39
                    Re: HUGE security problem in A5 web security

                    Originally posted by bea2701 View Post
                    Read Peter post V11 and before is not supported , so that's clear answer, i would be surprised if A5 team created fix/patch
                    Eric,
                    the question is not directed to you; I quoted his post hoping he will address that. If that is the answer from him, well and good.
                    Last edited by GGandhi; 02-19-2015, 12:16 PM. Reason: spelling error in "from"
                    thanks for reading

                    gandhi

                    version 11 3381 - 4096
                    mysql backend
                    http://www.alphawebprogramming.blogspot.com
                    1 914 924 5171



                      #40
                      Re: HUGE security problem in A5 web security

                      Correct, it is not Peter's answer but what the A5 team will do. If V11 is still available "in the shop", or rather supported, I hope most of all that the fix will be available to users of V11. Let me guess....



                        #41
                        Re: HUGE security problem in A5 web security

                        This will only be available in Alpha Anywhere starting with the next pre-release.



                          #42
                          Re: HUGE security problem in A5 web security

                          I started to try to package up a couple of files for those needing better security but stopped on my better judgment. We use Alpha's security but don't use their built-in login dialog. Instead, we use an old dialog (it's just a username and password field so presentation isn't all that important, but you could probably do it in a Dialog2 component also). We also create and change usernames and passwords with dialogs but there are videos about how to do that already available.

                          The difference in our method is that we don't use Alpha's encryption, and for our encryption we don't ever decrypt (and couldn't if we wanted to). We have a function that takes the entered password as a parameter and encrypts it with a super-long key, but the password is also passed into Alpha's md5() function to create an md5 hash of the password entered by the user. This is one-way, i.e. there is no way to go from the hashed value to the original value (you can see at http://en.wikipedia.org/wiki/MD5 that per computer theory they can theoretically be deciphered, but there's nothing like a decrypt function you could use; I also just found Alpha's hmac_hash() function introduced in v11 that might work even better).

                          So when the password is created, it's run through this function and the function output is stored in the table. When the password is entered by the user, it's run through this function and the output is compared to the value in the table. If they match, security success and we redirect to the next page; if not, there's a validation error in the dialog and the security settings wouldn't allow the user to access other pages.

                          We've been using this for a while without issue. We do have our security in SQL but it should be possible in dbf as well. This is running in v11 but should be possible as far back as Alpha's security has had the same basic functionality (at least back to v8 or v9). It's not a turn-key Alpha's-got-video-instructions-to-copy process, but it's do-able for those concerned about their security. Hope that helps.



                            #43
                            Re: HUGE security problem in A5 web security

                            ****
                            Last edited by bea2701; 02-20-2015, 10:51 AM.



                              #44
                              Re: HUGE security problem in A5 web security

                              If you salt the hash, though, stored passwords are "not found" on the site you shared.



                                #45
                                Re: HUGE security problem in A5 web security

                                The procedure described in post #42 is just as it should be done. The problem is just using a hash algorithm that is not a secure hash standard anymore. Salting an insecure hash does not make it secure. Developers should use only standard, accepted algorithms that are known to be secure and accepted in the developer community, and not write their own. Can an Xbasic developer use those secure algorithms?

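The flow described in post #42 (hash when the password is created, hash again at login, compare the two stored values), the salting point raised in post #44 and the call in post #45 for a standard algorithm rather than a home-grown one, put together as one added example. This is Python, not Xbasic, and it is not code from this thread or from Alpha Software; the dict standing in for the web security table, the record format and the iteration count are assumptions. It also shows the kind of migration post #36 describes: a legacy unsalted MD5 row is verified once and then re-stored with the new method on the user's next successful login, so nothing ever has to be decrypted.

```python
"""Added example (not from the thread or Alpha Software): one-way password
storage for a web security table, in Python instead of Xbasic.

Shows the flow from post #42 (hash on create, hash on login, compare), why
an unsalted fast hash like MD5 is weak (posts #44/#45), and how legacy rows
can be migrated to a salted, standard KDF on next login (the upgrade
described in post #36). Standard library only. The dict standing in for
the security table, the record format and the iteration count are
assumptions, not Alpha's schema or settings.
"""
import hashlib
import hmac
import secrets

# Assumption: raise this until one login costs roughly 100 ms on your server.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
RECORD_PREFIX = "pbkdf2_sha256$"


def md5_hash(password: str) -> str:
    """The weak method discussed in the thread: fast and unsalted, so two
    users with the same password get the same stored value and one
    precomputed table cracks both at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_password_record(password: str) -> str:
    """Recommended method: per-user random salt + PBKDF2-HMAC-SHA256.
    Returns a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'
    so the iteration count can be raised later without breaking old rows."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, PBKDF2_ITERATIONS)
    return f"{RECORD_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time; malformed records never verify."""
    try:
        alg, iters, salt_hex, hash_hex = record.split("$")
        salt, iterations = bytes.fromhex(salt_hex), int(iters)
    except ValueError:
        return False
    if alg + "$" != RECORD_PREFIX or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations)
    return hmac.compare_digest(dk.hex(), hash_hex)


def login(users: dict, username: str, password: str) -> bool:
    """Login check over a table mapping username -> stored value.
    New rows hold a PBKDF2 record; legacy rows hold a bare 32-hex MD5.
    A legacy row that verifies is rewritten with the new method, so the
    table migrates itself without any decryption step."""
    stored = users.get(username)
    if stored is None:
        # Spend the same work for unknown users so response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            b"\0" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    if stored.startswith(RECORD_PREFIX):
        return verify_record(password, stored)
    if hmac.compare_digest(md5_hash(password), stored):
        users[username] = make_password_record(password)  # upgrade in place
        return True
    return False


def demo() -> dict:
    """Constructed sample table: two legacy MD5 rows sharing a password."""
    users = {"alice": md5_hash("Summer2015"), "bob": md5_hash("Summer2015")}
    result = {"identical_legacy": users["alice"] == users["bob"]}  # True
    result["alice_ok"] = login(users, "alice", "Summer2015")        # True
    result["bob_ok"] = login(users, "bob", "Summer2015")            # True
    result["upgraded_distinct"] = users["alice"] != users["bob"]    # True
    result["migrated"] = users["alice"].startswith(RECORD_PREFIX)   # True
    result["wrong_pw"] = login(users, "alice", "Winter2015")        # False
    result["unknown_user"] = login(users, "carol", "Summer2015")    # False
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the stored value is never an input to anything but a comparison: the login code recomputes from what the user typed and checks equality, so a copy of the table gives an attacker only per-row guessing work, at the cost set by the iteration count, instead of one key that unlocks every password. Any other standard password KDF (bcrypt, scrypt, Argon2) fits the same record-and-verify shape; PBKDF2 is used here only because it ships in the standard library.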
