RE: Simple anon Feedback form. Email not InfoPath.
Hey Folks,

Just wanted to chime in and say I've had great success using Guest Account Enabler, which you can grab at the following link: http://blogs.devhorizon.com/reza/?p=551

It did the trick for me on two or three separate public facing sites that needed workflows kicked off from an anonymous form submission. In both situations I used the provided HTTP Handler method.

Regards,
Mark Rhodes

-Original Message-
From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Paul Noone
Sent: Monday, 26 October 2009 7:08 AM
To: ozMOSS
Subject: RE: Simple anon Feedback form. Email not InfoPath.

Yes, Nintex Workflow 2007 fills all the gaps and more. Latest point release also fixed the issue with system accounts not being able to initiate workflows. Great product and worth every cent.

Regards,
Paul
Online Developer, ICT
CEO Sydney

-Original Message-
From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Chris Denniss
Sent: Friday, 23 October 2009 4:38 PM
To: ozMOSS
Subject: RE: Simple anon Feedback form. Email not InfoPath.

Thanks Paul

Planning on looking into the anonymous membership provider more, if other solutions are not viable. Looks like kicking off an email from a form in SP OOTB is not as straightforward as hoped.

Thanks for the other info as well, more on the Nintex. Would this be just the workflow 2007 product? I need to look into this further...

Cheers

Paul Noone paul.no...@ceosyd.catholic.edu.au 16/10/2009 2:42 pm

Have you enabled anonymous access for the web application? If so, do you have the ViewFormPagesLockDown (http://technet.microsoft.com/en-us/library/cc263468.aspx) feature enabled? If you used a Publishing Portal site template it will be on by default. This often catches people out. This should be sufficient to display a list's edit form view and accept submissions.

If you're wanting to apply a workflow to the list then you're going to hit another obstacle, which is that a workflow can't be invoked by an anonymous user (http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1220669SiteID=1). Unless you're using Nintex that is. :)

If you're not then your best bet is to create an anonymous membership provider (http://technet.microsoft.com/en-us/library/cc263363.aspx). Be sure to then add the group and user to the site. It's not sufficient to just give them permission to the list.

Regards,
Paul
Online Developer, ICT
CEO Sydney

-Original Message-
From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Chris Denniss
Sent: Friday, 16 October 2009 2:14 PM
To: ozMOSS
Subject: Simple anon Feedback form. Email not InfoPath.

Hi All

I'm after a few pointers to enable a simple anon browser based feedback form in a SharePoint publishing site. No InfoPath here, we are on the standard CAL.

Sure I've come across a way to do this in SPD but can't track it down atm. Have a nice custom list form but this does not work with Anon users.

Can anyone point me in the right direction to create simple emailable .aspx feedback form(s) in either SPD or SP, even VS2k8. Keep it simple, new to MS SP and friends. a tut link even.

Thanks
Chris
MOSS 2007 Search Engine Vulnerability
Hi Guys

I was asked to provide information that MOSS 2007 search engine is free from SQL Injection Vulnerability. We tried to search information on google about this but couldn't really find any resources (formal/papers) to back us up to claim that it's safe from SQL injection.

It's pain in the backside these network people I tell you (no offense to network guys :D, especially Nathan hehehe)

Regards
Christian
RE: MOSS 2007 Search Engine Vulnerability
Hey Christian,

I've never heard or seen anything to suggest either way, but I'd be surprised if MS wasn't on top of this, it's a common security threat. Would be very interested to know if it was injectable.

You could try your own testing? Punch in something like '--drop dbo.tblname'? Not sure of the SP schema, I'm sure MS would slap my wrist if I knew it off-hand as it's not good practise :)

C

-Original Message-
From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of chris_py_...@manulife.com
Sent: Monday, 26 October 2009 12:25 PM
To: ozMOSS
Cc: ozMOSS; ozmoss-boun...@ozmoss.com
Subject: MOSS 2007 Search Engine Vulnerability

Hi Guys

I was asked to provide information that MOSS 2007 search engine is free from SQL Injection Vulnerability. We tried to search information on google about this but couldn't really find any resources (formal/papers) to back us up to claim that it's safe from SQL injection.

It's pain in the backside these network people I tell you (no offense to network guys :D, especially Nathan hehehe)

Regards
Christian
RE: MOSS 2007 Search Engine Vulnerability
I have two sets of business cards - one set specifically to deal with network admins and security Nazis :-) The latter has my certs on it.

If you want to deal with the security nazi, then send them to securityfocus.com and search the database there. It contains a huge database of vulnerabilities across vendor and product. If anything has been found, it will be here.

http://www.securityfocus.com/vulnerabilities

Regards
Paul (CISSP and former anal retentive security nazi :-)

-Original Message-
From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of chris_py_...@manulife.com
Sent: Monday, 26 October 2009 10:35 AM
To: ozMOSS
Cc: ozMOSS; ozmoss-boun...@ozmoss.com
Subject: RE: MOSS 2007 Search Engine Vulnerability

I have tried some common sql injection method like '1=1' thing however it looks like it handles it fine, however they are not entirely satisfied with the testing as they need some sort of proofs that it is 'really' free from SQL injection threat.

We might need to change MOSS search engine to google search because of this :(, this is so downright stupid

sorry I'm just being frustrated right now :)
RE: MOSS 2007 Search Engine Vulnerability
That's great, I wasn't aware of the automated tool although I wasn't surprised someone actually wrote that :)

Paul Noone paul.no...@ceosyd.catholic.edu.au
Sent by: ozmoss-boun...@ozmoss.com
10/26/2009 10:47 AM
Please respond to ozMOSS ozm...@ozmoss.com
To: ozMOSS ozmoss@ozmoss.com
Subject: RE: MOSS 2007 Search Engine Vulnerability

If SQL injection wasn't covered through basic coding best practices then this threat would apply to every single input field within MOSS.

I would be very surprised if MS didn't have this covered but have not spent any real time testing.

There's an add-on for Firefox that can be used for testing which looks like the following. It basically provides a number of common injections to be inserted into every field (including hidden fields) on a page. You can also override the action and method.

(Embedded image moved to file: pic25230.jpg)
RE: MOSS 2007 Search Engine Vulnerability
The SP Indexing process and how it works - randomized ... http://technet.microsoft.com/en-us/magazine/2007.01.search.aspx

There are many more sources available.

-Original Message-
From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of chris_py_...@manulife.com
Sent: Monday, 26 October 2009 2:38 PM
To: ozMOSS
Cc: ozMOSS; ozmoss-boun...@ozmoss.com
Subject: RE: MOSS 2007 Search Engine Vulnerability

That's interesting Paul, that probably can save me from this situation. Where can I find info about it? To be honest I'm not quite sure how the query server and its indexes truly work

Paul Turner paul.tur...@dws.com.au
Sent by: ozmoss-boun...@ozmoss.com
10/26/2009 11:22 AM
Please respond to ozMOSS ozm...@ozmoss.com
To: ozMOSS ozmoss@ozmoss.com
Subject: RE: MOSS 2007 Search Engine Vulnerability

I don't think it CAN happen... the search (query server) uses the indexes that get populated by the indexer. There is no SQL access, it is reading the index off disk.

Regards,
Paul Turner
Senior Solutions Specialist

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Paul Noone
Sent: Monday, 26 October 2009 1:24 PM
To: ozMOSS
Subject: RE: MOSS 2007 Search Engine Vulnerability

And a little bit of testing reveals that there is definitely some checking going on.

Depending on your attempts, SharePoint returns an error I haven't seen before:

Your search cannot be completed because of a service error. Try your search again or contact your administrator for more information.

Regards,
Paul
Online Developer, ICT
CEO Sydney
Javascript - add onload to _spBodyOnLoadFunctionNames
Hi all,

There are two basic methods that I have found to run a js function (inside a Content Editor web part) and neither are working for me.

I've tried:

_spBodyOnLoadFunctionNames.push(myFunction);
function myFunction() { ... }

AND

function addLoadEvent(func) {
  var oldonload = window.onload;
  if (typeof window.onload != 'function') {
    window.onload = func;
  } else {
    window.onload = function() {
      oldonload();
      func();
    }
  }
}
addLoadEvent(nameOfSomeFunctionToRunOnPageLoad);
addLoadEvent(function() { /* more code to run on page load */ } );

Has anyone else successfully done this and can they provide a working example?
RE: Javascript - add onload to _spBodyOnLoadFunctionNames
I haven't added anything to the master. Is that the part I'm missing?? :)

I was hoping to do all this on an ad hoc basis using a Content Editor web part.

Regards,
Paul
Online Developer, ICT
CEO Sydney

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Steven Berry
Sent: Monday, 26 October 2009 3:53 PM
To: ozMOSS
Subject: RE: Javascript - add onload to _spBodyOnLoadFunctionNames

Hey Paul,

Have you tried lazy loading your javascript function, so I'm assuming the file is up in the masterpage and you're just calling from the body?

Such as: http://wonko.com/post/painless_javascript_lazy_loading_with_lazyload

Which has events fired off the first instance?

Else your functions should work:

function addLoadEvent(func) {
  var oldonload = window.onload;
  if (typeof window.onload != 'function') {
    window.onload = func;
  } else {
    window.onload = function() {
      oldonload();
      func();
    }
  }
}

I've just tested this and works ok on my WSS, loads 1st function and then runs second ok

From: Paul Noone [mailto:paul.no...@ceosyd.catholic.edu.au]
Sent: Monday, 26 October 2009 3:44 PM
To: ozMOSS
Subject: Javascript - add onload to _spBodyOnLoadFunctionNames

Hi all,

There are two basic methods that I have found to run a js function (inside a Content Editor web part) and neither are working for me.

I've tried:

_spBodyOnLoadFunctionNames.push(myFunction);
function myFunction() { ... }

AND

function addLoadEvent(func) {
  var oldonload = window.onload;
  if (typeof window.onload != 'function') {
    window.onload = func;
  } else {
    window.onload = function() {
      oldonload();
      func();
    }
  }
}
addLoadEvent(nameOfSomeFunctionToRunOnPageLoad);
addLoadEvent(function() { /* more code to run on page load */ } );

Has anyone else successfully done this and can they provide a working example?
RE: Javascript - add onload to _spBodyOnLoadFunctionNames
Hi Paul:

I have used _spBodyOnLoadFunctionNames.push quite a lot in Content Editor web part without problem. Here is one example code: http://littletalk.wordpress.com/2009/05/12/respond-to-sharepoint-survey-by-javascript/

But as I use JQuery as well, not sure if it matters.

Cheers
Ken

From: paul.no...@ceosyd.catholic.edu.au
To: ozmoss@ozmoss.com
Date: Mon, 26 Oct 2009 16:01:45 +1100
Subject: RE: Javascript - add onload to _spBodyOnLoadFunctionNames

I haven't added anything to the master. Is that the part I'm missing?? :)

I was hoping to do all this on an ad hoc basis using a Content Editor web part.

Regards,
Paul
Online Developer, ICT
CEO Sydney
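An added example, not from any poster in this thread, that runs both registration methods discussed above against a small stand-in page. The stand-in (makePage, runBodyOnLoad, scope) is hypothetical and assumes, as the array's name indicates, that entries in _spBodyOnLoadFunctionNames are looked up as function names, so a string is registered rather than a function reference; addLoadEvent takes the page as an extra argument so the code runs outside a browser.

```javascript
// Simplified stand-in for a page that dispatches onload callbacks by NAME.
// This is a model written for this example, not SharePoint's own script.
function makePage() {
  const page = {
    scope: {},                      // stands in for the browser's global object
    _spBodyOnLoadFunctionNames: [], // queue of function names (strings)
    onload: null,                   // stands in for window.onload
    log: [],
  };
  // Body onload: resolve each queued entry by name, call it if it exists,
  // then run whatever handler has been chained onto page.onload.
  page.runBodyOnLoad = function () {
    for (const entry of page._spBodyOnLoadFunctionNames) {
      const fn = typeof entry === 'string' ? page.scope[entry] : undefined;
      if (typeof fn === 'function') fn();
      else page.log.push('skipped:' + typeof entry);
    }
    if (typeof page.onload === 'function') page.onload();
  };
  return page;
}

// The addLoadEvent helper from the thread, pointed at the model page
// instead of window: keep the previous handler and call it first.
function addLoadEvent(page, func) {
  const oldonload = page.onload;
  if (typeof oldonload !== 'function') {
    page.onload = func;
  } else {
    page.onload = function () { oldonload(); func(); };
  }
}

function demo() {
  const page = makePage();
  page.scope.myFunction = () => page.log.push('myFunction');

  page._spBodyOnLoadFunctionNames.push('myFunction');          // name: runs
  page._spBodyOnLoadFunctionNames.push(page.scope.myFunction); // reference: not a name
  page._spBodyOnLoadFunctionNames.push('notDefinedYet');       // unknown name

  addLoadEvent(page, () => page.log.push('first'));
  addLoadEvent(page, () => page.log.push('second'));           // chained after 'first'

  page.runBodyOnLoad();
  return page.log;
}

console.log(demo());
```

In this model only the string entry that names a defined function is called; the function reference and the undefined name are passed over without an error, which is why a silent failure is worth checking for when a queued function never runs.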