Re: The danger of hidden fields

by cLive ;-) (Prior)
on Jul 23, 2002 at 04:22 UTC [id://184327]


in reply to The danger of hidden fields

What I am asking is if anyone has any comments that I could make to my employer, or include in a short report so that I will be allowed to fix this potential problem, that would be much appreciated.

It would be trivial to write a script to change where the data is written to. So we change it to write to a web page. Then we check to see what gets written from the form submission. Then we change the uploaded input to overwrite the company's home page. Or, worse, overwrite a CGI script if we can and use that to create more havoc.

HTTP_REFERER is NOT a secure way to check - it can be faked using LWP::UserAgent - the ideal solution really depends on the specific situation.

If you have trouble convincing your employer, simply post their URL here and I'm sure someone will demonstrate :-)

.02

cLive ;-)

--
seek(JOB,$$LA,0);
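The attack and one fix described above, as an added Perl example that is not cLive's code and not the original poster's script. The target URL, field names, secret and allow-list are assumptions made for illustration. The first half builds the forged submission (tampered hidden field plus a fake Referer) with LWP::UserAgent and HTTP::Request::Common; the second half shows a server-side check that signs hidden values with an HMAC (Digest::SHA) and treats the field as a key into a server-side allow-list rather than as a path.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use Digest::SHA qw(hmac_sha256_hex);

# --- Attacker side: what the reply above describes --------------------------
# A hidden "outfile" field plus a Referer check is no barrier: LWP::UserAgent
# lets the client set any header and any field value it likes.
my $target = 'http://www.example.com/cgi-bin/save.cgi';   # hypothetical URL
my $req = POST $target,
    [ outfile => '/var/www/html/index.html',              # tampered hidden field
      body    => 'defaced' ];
$req->header( Referer => 'http://www.example.com/form.html' );  # forged Referer
# my $res = LWP::UserAgent->new->request($req);   # uncomment to actually send

# --- Server side: stop trusting the hidden field ----------------------------
# The secret lives only on the server and never appears in the form.
my $secret = 'change-me-on-deploy';   # hypothetical; read from config in real use

# Where output may go is decided here. The hidden field only selects an
# entry by name; it never supplies a path.
my %allowed_out = (
    feedback => '/var/data/feedback.txt',
    orders   => '/var/data/orders.txt',
);

# Called when the form is emitted: sign the hidden value so the CGI can later
# tell whether the client altered it.
sub sign_hidden {
    my ($name, $value) = @_;
    return hmac_sha256_hex("$name=$value", $secret);
}

# Called when the form is submitted: accept the value only if it is in the
# allow-list and carries the signature the server issued for it.
sub accept_hidden {
    my ($name, $value, $sig) = @_;
    return 0 unless defined $value && defined $sig;
    return 0 unless exists $allowed_out{$value};
    my $expect = sign_hidden($name, $value);
    # Constant-time comparison so the check does not leak via timing.
    return 0 unless length($sig) == length($expect);
    my $diff = 0;
    $diff |= ord(substr($sig, $_, 1)) ^ ord(substr($expect, $_, 1))
        for 0 .. length($sig) - 1;
    return $diff == 0;
}

# Constructed demonstration: one genuine and one tampered submission.
my $good_sig = sign_hidden('dest', 'feedback');
print accept_hidden('dest', 'feedback',        $good_sig) ? "accepted\n" : "rejected\n";
print accept_hidden('dest', '../../index.html', $good_sig) ? "accepted\n" : "rejected\n";
print accept_hidden('dest', 'orders',          $good_sig) ? "accepted\n" : "rejected\n";
```

The HMAC only proves the server issued that name/value pair; on its own it would still let a client replay a legitimate value into a different form. The allow-list is what removes the danger the thread is about: nothing the client sends is ever used as a filename.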
