What about an ecommerce system that hits the test ecom system when in
dev mode? If I knew your code did that, or suspected, I'd try it and
use one of the many common test CC numbers, like 4111111111111111.
Actually, I've seen that number work on sites even in 'production'
mode as well.


On Sat, May 14, 2011 at 4:51 AM, Russ Michaels <r...@michaels.me.uk> wrote:
>
> although I can't really think how spoofing the host_name would do any harm.
> In any of my apps all it does is determine whether to use live or dev
> settings, which would only cause an error if the host name was wrong.
>
> On Fri, May 13, 2011 at 10:10 PM, Jason Durham <jqdur...@gmail.com> wrote:
>
>>
>> Dave pretty much summed it up. Anybody who knows what a HOSTS file is,
>> knows how to mask the server_name. :)
>>
>> Jason Durham
>>
>>
>> On Fri, May 13, 2011 at 2:28 PM, Dave Watts <dwa...@figleaf.com> wrote:
>>
>> >
>> > > I have recently discovered a security flaw that I have reported to the
>> > > Adobe team regarding the use of the variable cgi.host_name.
>> > >
>> > > As you know, the cgi.host_name is typically the hostname of the server
>> > > or the website's domain name. I've discovered an exploit that allows a
>> > > user to basically change this variable to anything they want for the
>> > > user's current session. This exploit could be spread across sessions in
>> > > instances where a website is caching absolute links using the
>> > > cgi.host_name variable. It could also be used to take advantage of
>> > > applications that assume the cgi.host_name variable is a constant;
>> > > therefore applications that don't take precautions to sanitize this
>> > > variable before inserting it into a database could have issues.
>> >
>> > While it's a good thing you're telling people about this, I'm not sure
>> > I'd categorize it as a security flaw with CF, or even a security flaw
>> > in general.
>> >
>> > CF doesn't have anything to do with creating or validating many of the
>> > CGI variables. They're provided by the browser's HTTP request headers,
>> > or by the web server. CF just uses what it's given. Of course, those
>> > values are inherently untrustworthy and should always be sanitized.
>> >
>> > Dave Watts, CTO, Fig Leaf Software
>> > http://www.figleaf.com/
>> > http://training.figleaf.com/
>> >
>> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
>> > GSA Schedule, and provides the highest caliber vendor-authorized
>> > instruction at our training centers, online, or onsite
>> >
>> >
>>
>>
>
> 
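The thread's point, in code: the Host header (what CF exposes as cgi.host_name) is supplied by the client, so it must not be the thing that decides whether an app talks to the live or the test payment gateway, and it must not flow unvalidated into cached absolute links. The following is an added example, not code from this thread or from ColdFusion; Python stands in for the CFML app, and the hostnames, the allowlist sets, and the idea of taking the environment from a deploy-time setting (`deployment_env`) are assumptions made for the illustration.

```python
"""Handling a client-supplied Host header safely.

Added example, not code from the cf-talk thread. Demonstrates the weak
pattern the thread describes (environment chosen from the Host header)
beside a hardened version that validates the header against a server-side
allowlist and takes the environment from deployment configuration.
"""

# Constructed configuration: the hostnames this deployment actually serves.
# In a real app these would come from the server config, not be hard-coded.
CANONICAL_HOSTS = {"shop.example.com", "www.shop.example.com"}
DEV_HOSTS = {"dev.shop.example.internal"}


class UntrustedHostError(ValueError):
    """Raised when the request's Host header is not one we serve."""


def select_environment_naive(headers: dict) -> str:
    """The pattern discussed in the thread: live/dev settings keyed solely
    on the client-controlled Host header. Any client can send any value,
    so a request that looks like 'dev' can be produced at will."""
    host = headers.get("Host", "").lower()
    return "dev" if host in DEV_HOSTS else "live"


def normalize_host(raw: str) -> str:
    """Lower-case, drop an optional :port suffix and a trailing dot."""
    return raw.split(":", 1)[0].strip().lower().rstrip(".")


def validated_host(headers: dict) -> str:
    """Hardened variant: accept the Host header only if it names a host
    this deployment is configured for; otherwise refuse the request."""
    raw = headers.get("Host", "")
    host = normalize_host(raw)
    if host in CANONICAL_HOSTS or host in DEV_HOSTS:
        return host
    raise UntrustedHostError(f"unexpected Host header: {raw!r}")


def is_trusted_host(headers: dict) -> bool:
    """Boolean form of validated_host(), convenient for request filters."""
    try:
        validated_host(headers)
        return True
    except UntrustedHostError:
        return False


def select_environment(headers: dict, deployment_env: str) -> str:
    """The environment comes from server-side configuration (deployment_env,
    assumed here to be set at deploy time), never from the request. The
    Host header is still validated, and a live deployment refuses to serve
    a request that claims a dev hostname, so a mismatch is surfaced rather
    than silently switching gateways."""
    if deployment_env not in ("live", "dev"):
        raise ValueError(f"unknown deployment_env {deployment_env!r}")
    host = validated_host(headers)
    if deployment_env == "live" and host in DEV_HOSTS:
        raise UntrustedHostError(f"dev host {host!r} requested on live")
    return deployment_env


def absolute_link(path: str, headers: dict, canonical_host: str) -> str:
    """Build an absolute URL that may be cached and served to other users.
    The hostname is taken from configuration, not from the request, so a
    spoofed Host header cannot end up inside a cached link."""
    if canonical_host not in CANONICAL_HOSTS:
        raise ValueError(f"{canonical_host!r} is not a configured host")
    validated_host(headers)  # still reject requests for hosts we do not serve
    if not path.startswith("/"):
        path = "/" + path
    return f"https://{canonical_host}{path}"


if __name__ == "__main__":
    # Constructed request headers, as a client could send them.
    spoofed = {"Host": "dev.shop.example.internal"}
    genuine = {"Host": "SHOP.example.com:443"}
    print("naive:", select_environment_naive(spoofed))      # dev, chosen by the client
    print("validated:", validated_host(genuine))            # shop.example.com
    print("hardened:", select_environment(genuine, "live"))  # live
    print("link:", absolute_link("/cart", genuine, "shop.example.com"))
```

The naive function is kept only to show the behaviour the thread warns about: its result depends entirely on what the client sends. The hardened path never lets the header choose settings; it only checks that the header names a host the server is configured for, which also covers the HOSTS-file trick mentioned above, since the name a client resolves locally still has to match the allowlist when it arrives.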

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344700