RE: Protect action pages

2004-02-29 Thread Dave Watts
But in CF is it not possible to write a subscript into the application file to check where a link is coming from and redirect it if it is not from the same domain? Or, would the HTTP_REFERER override it anyway? I'm most likely wrong, and I agree with the fact that unless you are writing a

Re: Protect action pages

2004-02-29 Thread Steve Nelson
This can't stop anything. Both HTTP_HOST and HTTP_REFERER are set by the browser, and can be changed by anyone writing an HTTP client: <cfhttp ...> <cfhttpparam type="header" name="Host" value="..."> <cfhttpparam type="header" name="Referer" value="..."> </cfhttp> How about a hidden flash app that uses

RE: Protect action pages

2004-02-29 Thread Dave Watts
How about a hidden flash app that uses the xmlload method to grab the http_host/http_referer from the server in a hash format that is then passed with all forms/urls? On the next pages, the hash returned by flash would be compared with a hash of the cgi.http_host/cgi.http_referer returned by

RE: Protect action pages

2004-02-29 Thread Matthew Walker
2004 3:42 p.m. To: CF-Talk Subject: RE: Protect action pages How about a hidden flash app that uses the xmlload method to grab the http_host/http_referer from the server in a hash format that is then passed with all forms/urls? On the next pages, the hash returned by flash would be compared

RE: Protect action pages

2004-02-28 Thread NANCY SKAGER
likely wrong, and I agree with the fact that unless you are writing a major porn site that is just asking to be hacked, it is not worth the time or trouble Rino From: Dave Watts [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Subject: RE: Protect action pages Date

Protect action pages

2004-02-27 Thread Stan Winchester
I want to protect action pages from unauthorized forms that are not on the same server, namely spammers. I wrote this simple script that will work in conjunction with my other form validation scripts to ensure a referrer comes from the same CGI.HTTP_HOST. <cftry> <cfscript> message = ""; errors = 0

Re: Protect action pages

2004-02-27 Thread Nick Han
Be aware that in IE when using JavaScript to forward or request a page, like window.location, you lose the cgi.http_referer on the targeted page. Nick Han [EMAIL PROTECTED] 02/27/04 12:09PM I want to protect action pages from unauthorized forms that are not on the same server, namely

RE: Protect action pages

2004-02-27 Thread Mosh Teitelbaum
-3651 Email: [EMAIL PROTECTED] WWW: http://www.evoch.com/ -Original Message- From: Stan Winchester [mailto:[EMAIL PROTECTED] Sent: Friday, February 27, 2004 3:09 PM To: CF-Talk Subject: Protect action pages I want to protect action pages from unauthorized forms that are not on the same

RE: Protect action pages

2004-02-27 Thread Dave Watts
I want to protect action pages from unauthorized forms that are not on the same server, namely spammers. I wrote this simple script that will work in conjunction with my other form validation scripts to ensure a referrer comes from the same CGI.HTTP_HOST. This can't stop anything. Both

Re: Protect action pages

2004-02-27 Thread brobborb
somewhere else. You think this will help? - Original Message - From: Stan Winchester To: CF-Talk Sent: Friday, February 27, 2004 2:09 PM Subject: Protect action pages I want to protect action pages from unauthorized forms that are not on the same server, namely spammers. I wrote this simple

RE: Protect action pages

2004-02-27 Thread Kwang Suh
nope. -Original Message- From: brobborb [mailto:[EMAIL PROTECTED] Sent: February 27, 2004 1:47 PM To: CF-Talk Subject: Re: Protect action pages I wrap my action pages in a CFSWITCH. All of the values in my cases are names of certain actions, such as update or delete or Send order

RE: Protect action pages

2004-02-27 Thread Dave Watts
I wrap my action pages in a CFSWITCH. All of the values in my cases are names of certain actions, such as update or delete or Send order. On every form sent is a hidden field named action. So, if there is no form.action variable present, then it gives them a custom error or forwards

RE: Protect action pages

2004-02-27 Thread Douglas.Knudsen
- From: brobborb [mailto:[EMAIL PROTECTED] Sent: Fri 2/27/2004 3:47 PM To: CF-Talk Cc: Subject: Re: Protect action pages I wrap my action pages in a CFSWITCH. All of the values in my cases are names of certain actions, such as update or delete or Send order. On every form

RE: Protect action pages

2004-02-27 Thread Ian Skinner
Not so much, because I can view the source of your original form, find all the hidden fields and their values and add them to my spoofed form. This is very difficult to do. Would sessions help? Not allow access to the action page if a session is not defined? Much beyond that I'm not sure

Re: Protect action pages

2004-02-27 Thread Stan Winchester
Doesn't this assume spammers/hackers know what the error checking involves, or is testing the HTTP_HOST and HTTP_REFERER just too common and spammers know to always try spoofing that one? With this wrapped in a CFTRY/CFCATCH block, even if the spammer tries to throw an error to see any underlying

Re: Protect action pages

2004-02-27 Thread brobborb
my action values will now be 336464, 4894484, and 893hg3kgj4ui4 thanks :) - Original Message - From: [EMAIL PROTECTED] To: CF-Talk Sent: Friday, February 27, 2004 3:04 PM Subject: RE: Protect action pages if I save your page to my hard drive and edit the 'hidden' action field, could I

RE: Protect action pages

2004-02-27 Thread Dave Watts
Doesn't this assume spammers/hackers know what the error checking involves, or is testing the HTTP_HOST and HTTP_REFERER just too common and spammers know to always try spoofing that one? With this wrapped in a CFTRY/CFCATCH block, even if the spammer tries to throw an error to see any

RE: Protect action pages

2004-02-27 Thread Dave Watts
Not so much, because I can view the source of your original form, find all the hidden fields and their values and add them to my spoofed form. This is very difficult to do. Yes, and in most cases it's probably not worth your trouble to try to prevent it. Would sessions help? Not allow

Re: Protect action pages

2004-02-27 Thread Stan Winchester
Thanks, that answers my question very well. I guess I'd better come up with something else then. Thanks to all who have put in their comments. I was hoping there would be an easy solution from a user point of view, but I guess not. Doesn't this assume spammers/hackers know what the error I'm

Re: Protect action pages

2004-02-27 Thread Matt Robertson
Stan Winchester wrote: I was hoping there would be an easy solution from a user point of view, but I guess not. Let's see how well this one holds up: I put this on my form display page: <cfset variables.myUUID=CreateUUID()> <cfset client.OriginalFormStamp=variables.myUUID> and this: input

RE: Protect action pages

2004-02-27 Thread Dave Watts
Let's see how well this one holds up: I put this on my form display page: <cfset variables.myUUID=CreateUUID()> <cfset client.OriginalFormStamp=variables.myUUID> and this: <input type="hidden" name="FormUID" value="#Hash(variables.FormUID)#"> Note the value in the hidden-in-plain-sight

Re: Protect action pages

2004-02-27 Thread Jim McAtee
If your application requires user authentication make sure you authenticate on every page, including form action pages. - Original Message - From: Stan Winchester [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, February 27, 2004 1:09 PM Subject: Protect action pages I want

RE: Protect action pages

2004-02-27 Thread Matt Robertson
Dave Watts wrote: What's to stop me from using CFHTTP to request the form, find out the CFID/CFTOKEN values for the Client variables, then use CFHTTP to post data to the action page along with the matching CFID/CFTOKEN? Nothing, but I'm curious to see if anything can be done. Against a multi-step

RE: Protect action pages

2004-02-27 Thread Tom Kitta
Friday, February 27, 2004 5:58 PM To: CF-Talk Subject: RE: Protect action pages Dave Watts wrote: What's to stop me from using CFHTTP to request the form, find out the CFID/CFTOKEN values for the Client variables, then use CFHTTP to post data to the action page along with the matching CFID/CFTOKEN

RE: Protect action pages

2004-02-27 Thread Nick Han
I guess all the suggestions so far are just piecemeal solutions. They're not all 100% foolproof. To make the action page 100 percent secure, it has been constructed within a security framework, perhaps driven by a database, where a query security check is run before performing the said action. One