OMG. I never knew this!!! How do I protect my app against such attacks?
-----Original Message-----
From: Jochem van Dieten [mailto:jochemd@;oli.tudelft.nl]
Sent: Friday, October 18, 2002 2:45 AM
To: CF-Community
Subject: Re: Hey Patrick

Phoeun Pha wrote:
> "Security
> Don't use hidden fields to pass any sensitive or important variable
> (e.g., "price" or a limitation on record set returns). While it's less
> of a problem with ColdFusion, it takes seconds to hack a page written
> in Perl or any CGI/server-side language that passes hidden form field
> variables. (Hacking 101: simply save the page source as an htm file,
> change the hidden variable to a price or limitation you like better,
> and pass your new local page to the absolute URL of the processing page."
>
> How does one pass a local page to the absolute URL of the processing page?

By substituting the location of the action page, which is usually a relative URL, with the absolute URL of the action page and pressing "Submit".

Jochem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=5
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_community
Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics.
http://www.fusionauthority.com/signup.cfm
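As an added illustration of the defence the thread is asking about (not code from any poster, and in Python rather than the ColdFusion/Perl the thread mentions; the catalog, the secret and the field names are constructed), here is the handler that trusts a hidden "price" field beside one that looks the price up server-side by product ID, plus an HMAC binding for a hidden value that genuinely has to round-trip through the form so that an edit made in a saved copy of the page is detected:

```python
import hashlib
import hmac

# Constructed server-side catalog: the authoritative prices live here,
# not in HTML that the browser can save, edit and resubmit.
CATALOG = {"sku-100": 1999, "sku-200": 4999}  # prices in cents

# Constructed secret; in a real deployment it is generated and rotated
# out of band and never sent to the client.
SERVER_SECRET = b"constructed-secret-do-not-reuse"


def vulnerable_checkout(form: dict) -> int:
    """The pattern the thread warns about: the total is computed from a
    hidden 'price' field that the client fully controls."""
    return int(form["qty"]) * int(form["price"])


def safe_checkout(form: dict) -> int:
    """Hardened: only the product ID comes from the form; the price is
    looked up server-side and any submitted 'price' is ignored."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("bad quantity")
    return qty * CATALOG[sku]


def sign_hidden(name: str, value: str) -> str:
    """For a value that really must travel through a hidden field (e.g. a
    record-set limit), bind name and value with an HMAC before emitting it."""
    mac = hmac.new(SERVER_SECRET, f"{name}={value}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_hidden(name: str, signed: str) -> str:
    """Recompute the MAC on the way back in; a changed value or a value
    moved to a different field name fails the constant-time comparison."""
    value, _, mac = signed.rpartition("|")
    expected = hmac.new(SERVER_SECRET, f"{name}={value}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError(f"hidden field {name!r} was tampered with")
    return value
```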