quite scary.
The potential for misuse by "trusted" entities is very real. For our purpose
however it is ensuring security and personal information is not available -
even to me as the core developer.
-----Original Message-----
From: Jim McAtee [mailto:[EMAIL PROTECTED]
Sent: Friday, 3 October 2003 2:22 PM
To: CF-Talk
Subject: Re: security flaw in web services
But what's this have to do with your login security flaw idea? Sure, client IP
addresses are easily forged. Using this capability to crack even a simple
login mechanism isn't nearly as easy, though. And where's the link between web
logins and spam? What exactly are you calling spam?
----- Original Message -----
From: "Michael Dinowitz" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 02, 2003 9:00 PM
Subject: Re: security flaw in web services
> I can pull up some posts sent to a closed list from a few years back where there
> was an issue with CFHTTP. Seems that you could forge what would show up in the
> CGI vars using it. That 'feature' was yanked really fast.
> There's 2 different things here. The first is the reported information and the
> second is the 'true' information. The reported information (i.e. coming from the
> external client) can never be trusted as it can be forged. The 'true'
> information is usually true except when it's not. Sometimes it's easy to forge the
> 'true' information and sometimes not.
>
>
> > But surely that's email only - not web pages?
> >
> >
> >
> > -----Original Message-----
> > From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
> > Sent: Friday, 3 October 2003 2:49 p.m.
> > To: CF-Talk
> > Subject: Re: security flaw in web services
> >
> >
> >
> > You can fake the reported IP. I had mentioned this as a possible spam thing and
> > I've actually seen it in the wild with spam from 2 different places.
> >
> > > > checking amount of attempts per IP - ip can be forged
> > >
> > > You can't fake an IP and expect TCP/IP to work.
> > >
> > > Jochem
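The distinction drawn in this thread, between "reported" information such as a client-supplied header and the "true" TCP peer address, is the whole basis of a sound per-IP attempt limiter. The following is an added example, not code from anyone on the list and not ColdFusion; it is plain Python. It assumes a single trusted reverse proxy at the constructed address 10.0.0.5, uses constructed sample addresses from the documentation ranges, and names its functions (`effective_client_ip`, `LoginLimiter`) as hypothetical helpers. It shows that a limiter keyed on the forgeable `X-Forwarded-For` header resets on every request, while one keyed on the socket peer (CGI.REMOTE_ADDR in ColdFusion terms) does not, and that the header is honoured only when the peer is our own proxy.

```python
import ipaddress
import time
from collections import defaultdict

# Assumption: the proxies we operate. Any other peer is an untrusted client,
# and whatever it reports in X-Forwarded-For is ignored.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def effective_client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address a request should be attributed to.

    peer_addr is the TCP peer, the 'true' information: it cannot be spoofed
    without breaking the TCP handshake. X-Forwarded-For is 'reported'
    information and is used only when the peer is one of our own proxies.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk from the right (the hop nearest to us) and skip our own proxies; the
    # first address not under our control is the client as the edge proxy saw it.
    # Anything the client prepended itself sits further left and is never reached.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed header: fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


class LoginLimiter:
    """Sliding-window failed-login limiter keyed on (username, effective IP)."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 600):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(list)  # key -> timestamps of failures

    def _key(self, username: str, peer_addr: str, headers: dict):
        # Keying on the username as well as the address avoids locking out a
        # whole NAT because of one bad actor behind it.
        return (username, effective_client_ip(peer_addr, headers))

    def allowed(self, username, peer_addr, headers, now=None) -> bool:
        now = time.time() if now is None else now
        key = self._key(username, peer_addr, headers)
        recent = [t for t in self._failures[key] if now - t < self.window]
        self._failures[key] = recent  # drop failures outside the window
        return len(recent) < self.max_attempts

    def record_failure(self, username, peer_addr, headers, now=None) -> None:
        now = time.time() if now is None else now
        self._failures[self._key(username, peer_addr, headers)].append(now)


def demo() -> list:
    """Four failed logins from one untrusted peer, each with a different forged
    X-Forwarded-For value. Because the limiter keys on the peer address, the
    forged header never resets the count: the fourth attempt is refused."""
    limiter = LoginLimiter(max_attempts=3, window_seconds=600)
    attacker_peer = "203.0.113.7"  # constructed sample address
    outcomes = []
    for i in range(4):
        headers = {"X-Forwarded-For": f"198.51.100.{i}"}  # constructed, forged
        outcomes.append(limiter.allowed("alice", attacker_peer, headers, now=1000 + i))
        limiter.record_failure("alice", attacker_peer, headers, now=1000 + i)
    return outcomes  # [True, True, True, False]


if __name__ == "__main__":
    print(demo())
```

The `now` parameter exists only so the window can be exercised deterministically; in production it is left at its default. Note that this still limits only what the true peer does: the thread is right that the limiter tells you nothing about an attacker who genuinely controls many addresses, which is why the key includes the username.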