19, 2011 12:10 PM
To: cf-talk
Subject: Re: cgi.host_name Security Exploit
Agreed. Using CGI.HOST_NAME for dev/test/live switching opens you up
to all sorts of abuse.
Here's what I switch on:
createObject( 'java', 'java.net.InetAddress' ).getLocalHost().getHostName()
I have a configuration file that maps from all the known (partial)
hostname matches to different tiers.
What about an ecommerce system that hits the test ecom system when in
dev mode? If I knew your code did that, or suspected, I'd try it and
use one of the many common test CC numbers, like 4111.
Actually, I've seen that number work on sites even in 'production'
mode as well.
On Sat, M
although I can't really think how spoofing the host_name would do any harm.
In any of my apps all it does is determine whether to use live or dev
settings, which would only cause an error if the host name was wrong.
On Fri, May 13, 2011 at 10:10 PM, Jason Durham wrote:
Dave pretty much summed it up. Anybody who knows what a HOSTS file is,
knows how to mask the server_name. :)
Jason Durham
On Fri, May 13, 2011 at 2:28 PM, Dave Watts wrote:
> I have recently discovered a security flaw that I have reported to the Adobe
> team regarding the use of the variable cgi.host_name.
>
> As you know, the cgi.host_name is typically the hostname of the server or
> the website's domain name. I've discovered an exploit that allows a user to
> basica
Greetings and Salutations My Fellow Programmers!
I have recently discovered a security flaw that I have reported to the Adobe
team regarding the use of the variable cgi.host_name.
As you know, the cgi.host_name is typically the hostname of the server or
the website's domain name. I've discover