On Thu, Dec 18, 2008 at 10:18 AM, shawn gorrell <chees...@yahoo.com> wrote:
> Something to understand is that "action" pages are not the only pages that
> can be exploited or part of an exploit.

Frinstance?

Suppose I have a page that lists all of my users.
http://somehost/myapp/index.cfm?event=showusers

On this page, I execute a select query and display the results.  If
someone else tricks me into loading that page on my own machine using
<img src=http://somehost/myapp/index.cfm?event=showusers>, then what
is the risk?

I definitely understand the problem of not protecting the page
http://somehost/myapp/index.cfm?event=deleteuser or
http://somehost/myapp/index.cfm?event=deleteuser&userid=1.

If I'm missing something, please let me know.

