RE: Verify form post was from my server.

2002-01-27 Thread Dave Watts
This is a very important question in my opinion... and I have been scrounging the net looking for a solution I can implement. I would certainly appreciate someone throwing a light switch so I can see the solution more clearly. As Dave clearly points out... we can NOT use the

RE: Verify form post was from my server.

2002-01-27 Thread Dave Watts
Unfortunately, this doesn't prevent anyone from intentionally posting data from wherever they want. It's trivial to build an HTTP POST request and specify whatever Referer header you like. I typically demonstrate this with a netcat or telnet client in the Fig Leaf security class,

Re: Verify form post was from my server.

2002-01-25 Thread Brian Scandale
This is a very important question in my opinion... and I have been scrounging the net looking for a solution I can implement. I would certainly appreciate someone throwing a light switch so I can see the solution more clearly. As Dave clearly points out... we can NOT use the cgi.http.referrer

Verify form post was from my server.

2002-01-24 Thread j s
Is there a way I can narrow down a hacker's ability to post a form to one of my action templates? Http-referrer is not reliable, I know. JS

RE: Verify form post was from my server.

2002-01-24 Thread Tony Gruen
<cflocation url="http://www.fbi.gov"> </cfif> Tony -Original Message- From: j s [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 24, 2002 10:19 AM To: CF-Talk Subject: Verify form post was from my server. Is there a way I can narrow down a hackers ability to post a form to one of my action

Re: Verify form post was from my server.

2002-01-24 Thread j s
Dave- I suppose you'd tell me to take your class if I ask you what you propose to do to slim the chances of this happening. JS Dave said- Unfortunately, this doesn't prevent anyone from intentionally posting data from wherever they want. It's trivial to build an HTTP POST request and specify

RE: Verify form post was from my server.

2002-01-24 Thread Dave Watts
I have used this before... it is only part of our overall security structure but you would place this at the top of your action page. If the referrer is not from your domain they are bounced out to whatever location you desire. <cfif findnocase("www.yoursite.com",cgi.http_referer) is 0