PerlMonks
Re: The danger of hidden fields
by cLive ;-) (Prior) on Jul 23, 2002 at 04:22 UTC [id://184327]
> What I am asking is if anyone has any comments that I could make to my employer, or include in a short report so that I will be allowed to fix this potential problem, that would be much appreciated.

It would be trivial to write a script to change where the data is written to. So we change it to write to a web page. Then we check to see what gets written from the form submission. Then we change uploaded input to rewrite over the company's home page. Or, worse, overwrite a CGI script if we can and use that to create more havoc.

HTTP_REFERER is NOT a secure way to check - that can be faked using LWP::UserAgent - ideal solution really depends on the specific situation.

If you have trouble convincing your employer, simply post their URL here and I'm sure someone will demonstrate :-)

.02

cLive ;-)
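An added example of the fix the reply is arguing for (this is not cLive's code or the original poster's script). The hidden field stops carrying a path and carries only a short key that is looked up in a server-side allowlist, signed with an HMAC so an edited form is detected, and checked with a strict regex so `../` or absolute paths never get near the filesystem. HTTP_REFERER is not consulted at all, since it is supplied by the client. The upload directory, the two allowlist entries, the server secret and the sample submissions are all constructed for the example; the "unsafe" function is there only to show the pattern the thread describes next to its hardened replacement.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed directory under which the script may write; nothing outside it
# is ever a valid destination.
my $UPLOAD_DIR = '/var/www/uploads';

# Server-side allowlist. The hidden field only ever carries one of these
# short keys; the real file name lives here, out of the browser's reach.
my %DESTINATION = (
    feedback => 'feedback.txt',
    survey   => 'survey.txt',
);

# Per-deployment secret known only to the server (placeholder value).
my $SECRET = 'replace-with-a-long-random-secret';

# Called when the form is rendered: the hidden field becomes "key:hmac".
sub signed_field {
    my ($key) = @_;
    die "unknown destination key '$key'" unless exists $DESTINATION{$key};
    return "$key:" . hmac_sha256_hex($key, $SECRET);
}

# Compare two strings without leaking where they differ through timing.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# The pattern the thread describes, kept only for contrast: the hidden
# field itself is the path, so whoever edits the form picks the file.
sub unsafe_destination {
    my ($field) = @_;
    return $field;
}

# Hardened version: validate shape, require a known key, verify the HMAC,
# then build the path from the allowlist, never from the field.
# Returns ($path, undef) on success or (undef, $reason) on rejection.
sub resolve_destination {
    my ($field) = @_;
    return (undef, 'missing field') unless defined $field;

    # Exactly "key:64 hex chars"; anything else (slashes, dots, NULs) fails.
    my ($key, $mac) = $field =~ /\A([a-z]{1,16}):([0-9a-f]{64})\z/
        or return (undef, 'malformed field');
    return (undef, 'unknown key') unless exists $DESTINATION{$key};
    return (undef, 'bad signature')
        unless ct_eq($mac, hmac_sha256_hex($key, $SECRET));

    return (File::Spec->catfile($UPLOAD_DIR, $DESTINATION{$key}), undef);
}

# Constructed submissions, as a CGI script would see them in param().
my @submissions = (
    signed_field('feedback'),                      # genuine, unmodified form
    '../../htdocs/index.html',                     # hidden field edited to a path
    'survey:' . ('0' x 64),                        # known key, forged signature
    'admin:' . hmac_sha256_hex('admin', 'guess'),  # key not on the allowlist
);

for my $field (@submissions) {
    my ($path, $why) = resolve_destination($field);
    print "field   : $field\n";
    print "unsafe  : would write to ", unsafe_destination($field), "\n";
    print "hardened: ",
        (defined $path ? "write to $path" : "rejected ($why)"), "\n\n";
}
```

The regex alone already blocks the path-rewrite described above; the allowlist means even a syntactically valid key can only select a file the server chose, and the HMAC turns "someone edited the form" into a logged rejection rather than a silent write.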
In Section: Seekers of Perl Wisdom