Forgive me if this came through and no one responded, but I didn't see
my message in the list, so here goes again just in case.  I've also
added a little more info to my original scenario/question.

I was trying to respond to Shawn's statement:
>>Something to understand is that "action" pages are not the only pages that 
>>can be exploited or part of an exploit.

Can anyone give an example of a Cross Site Request Forgery exploit that
would have an impact on a non-action page?

Suppose I have a page that lists all of my users.
http://somehost/myapp/index.cfm?event=showusers

On this page, I execute a select query and display the results.  If
someone else tricks me into loading that page on my own machine using
<img src=http://somehost/myapp/index.cfm?event=showusers>, then what
is the risk?  It would be a roundabout way to do a denial of service.
But otherwise, it doesn't expose any information and doesn't cause any
damage.

I definitely understand the problem of not protecting the page
http://somehost/myapp/index.cfm?event=deleteuser or
http://somehost/myapp/index.cfm?event=deleteuser&userid=1.

If I'm missing something, please let me know.

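Following up on the distinction drawn above between showusers and deleteuser, here is an added example (not from the poster or the list) that models both events in Python rather than CFML: the forged <img> request still carries the victim's session cookie, so the deleteuser handler additionally requires POST and a per-session token that a third-party page cannot supply, while showusers stays read-only. The Session, Request and handle names and the users table are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-in for the user table behind showusers.
USERS: Dict[int, str] = {1: "alice", 2: "bob"}


@dataclass
class Session:
    """Server-side session; the token is minted once per login."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """One request to index.cfm?event=...  The session is attached by the
    browser's cookie, so a forged request from another site has it too."""
    method: str
    params: Dict[str, str]
    session: Optional[Session]


def handle(req: Request, users: Dict[int, str] = USERS) -> Tuple[int, str]:
    event = req.params.get("event")
    if event == "showusers":
        # Read-only: a forged <img> fetch can trigger it, but state is unchanged
        # and the response goes to the victim's browser, not the attacker.
        return 200, ", ".join(users[k] for k in sorted(users))
    if event == "deleteuser":
        if req.method != "POST":
            # A plain <img> or link can only issue GET.
            return 405, "deleteuser requires POST"
        if req.session is None:
            return 401, "login required"
        # Synchronizer token: the cookie rides along automatically, but the
        # token lives in the victim's page/session and is not readable cross-site.
        supplied = req.params.get("token", "")
        if not secrets.compare_digest(supplied, req.session.csrf_token):
            return 403, "missing or bad CSRF token"
        uid = int(req.params.get("userid", "0"))
        if uid not in users:
            return 404, "no such user"
        del users[uid]
        return 200, f"deleted user {uid}"
    return 404, "unknown event"
```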

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
