more useful options | |
PerlMonks |
Re: The danger of hidden fieldsby fokat (Deacon) |
on Jul 23, 2002 at 04:26 UTC ( [id://184328]=note: print w/replies, xml ) | Need Help?? |
Well, from your description of the problem it seems to me that your attitude is correct. It bothers me that your boss should pay more attention to security. I know very little about your actual scenario but I think there are a few main risks here (I assume that the script allows the customer data to be written to a file which is specified via a hidden field):
Now, so far you've acted ethically. No matter what people tells you do not try to expose or exploit this flaw without premission from your employer. If you succeed (and this seems easy from your description), this will allow your employer to sue you. You would not be the first to suffer through this nonsense. I say this because it is very tempting to exploit this vulnerability and play a little prank to your company as a proof of concept, but this can get you in serious trouble. If after you ponint this to your boss, they still decide not to fix it, then leave it alone. And in a personal note, look for another job :) Regards
In Section
Seekers of Perl Wisdom
|
|