At 03:10 AM 5/9/2007, Eric wrote:
> Curious question here. If I think about this, if someone takes a form 
> of ours for login, for example, and makes a local copy on their 
> machine....and they set the post action to be the live server 
> authenticate file....what is the best way to detect this and defeat it? 
> No one has ever gained access this way as of yet, but we are studying 
> possibilities, and this seems to me to be an attack vector.
> 
> Any thoughts? A check to see if the referrer was the domain 
> name/login file name? Or can that be spoofed as well then?

Offsite forms can be submitted to use your email templates as Spam blasters or 
else to send Spam to you, and such submittals can be automated so they'll do 
their dirty work without any human intervention.  I just recently had this 
problem with some creep attacking a site of mine with a robot every couple of 
hours and solved it this way:

<!--- Reject any submission whose Referer header does not point at this site --->
<CFIF CGI.HTTP_REFERER DOES NOT CONTAIN "http://mywebsite.com">

   <!--- Error message presented (mine is quite nasty) --->

   <CFABORT>

</CFIF>

I'm not sure how someone could spoof a domain name to defeat this, probably by 
screwing around with the headers but they'd have to know or be determined 
enough to figure out what they needed to do.  Certainly you're not going to 
explain to them in your error message that they didn't submit the message from 
the proper page on your site, although they will know that and can experiment 
if they want.  

Did someone say that not all browsers will send HTTP_REFERER information?  That 
could make this method less than ideal.  
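Added example, not part of the thread or either poster's code: a Python model of the CFIF check above, run against a few constructed Referer values, so you can see which submissions it stops and which it does not (a scripted client can set any Referer it likes, and a browser or proxy that sends none is blocked outright). It also shows the usual stronger alternative for "offsite copy of our form posting to the live action": a server-issued token bound to the visitor's session and embedded in the form. All function names, the SITE_SECRET value and the sample requests are assumptions made for this example.

```python
"""Referer check vs. session-bound form token (added example, not from the thread)."""
import hashlib
import hmac
import time
from urllib.parse import urlparse

OUR_ORIGIN = "http://mywebsite.com"          # the site in the posted CFIF check
SITE_SECRET = b"replace-with-a-long-random-server-side-secret"  # assumption for the demo


def referer_contains_check(referer):
    """Same logic as the posted CFIF: pass only if Referer CONTAINS our URL.
    referer=None models a browser or proxy that sends no Referer at all."""
    return referer is not None and OUR_ORIGIN in referer


def referer_origin_check(referer):
    """Stricter variant: parse the Referer and compare scheme and host exactly,
    so a lookalike host or a query string that merely contains our URL fails."""
    if not referer:
        return False
    parsed = urlparse(referer)
    return (parsed.scheme, parsed.netloc) == ("http", "mywebsite.com")


# Constructed sample submissions: (description, value of the Referer header)
SAMPLE_REFERERS = [
    ("genuine browser post from our login page", "http://mywebsite.com/login.cfm"),
    ("browser or proxy that strips Referer", None),
    ("robot that sets the header itself", "http://mywebsite.com/login.cfm"),
    ("lookalike host containing our URL as a substring", "http://mywebsite.com.evil.example/login.cfm"),
    ("our URL smuggled into a query string", "http://evil.example/?next=http://mywebsite.com"),
]


def evaluate(referers=SAMPLE_REFERERS):
    """Return {description: (contains_check_passed, origin_check_passed)}."""
    return {desc: (referer_contains_check(r), referer_origin_check(r)) for desc, r in referers}


def issue_form_token(session_id, now=None):
    """Token to place in a hidden field when rendering the form.
    It is an HMAC over the visitor's session id and a timestamp, so a copy of
    the form saved on another machine carries nothing it can reuse."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SITE_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_form_token(token, session_id, max_age=3600, now=None):
    """Verify the hidden-field token on submit: right session, not expired, valid MAC."""
    try:
        ts, mac = token.split(":", 1)
        age = (now if now is not None else time.time()) - int(ts)
    except (ValueError, AttributeError):
        return False
    if age < 0 or age > max_age:
        return False
    expected = hmac.new(SITE_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    for desc, (contains_ok, origin_ok) in evaluate().items():
        print(f"{desc:55s} contains={contains_ok!s:5s} origin={origin_ok}")
    tok = issue_form_token("sess-123")
    print("token for own session accepted:", check_form_token(tok, "sess-123"))
    print("token replayed under another session:", check_form_token(tok, "sess-999"))
```

The Referer table makes the two caveats in the thread concrete: the header is client-supplied, so a robot passes both checks simply by sending it, and a legitimate user whose browser or proxy omits it is rejected. The token check does not depend on the client telling the truth about where the form came from; it only accepts a value the server itself issued to that session, which is the property the original question is really after.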


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277572