> Let's discuss this issue, but my gut reaction is that the proper fix to
> this issue is defensive programming by the application developer. It

I agree. What's next, sanity checking in the server against SQL attacks? (i.e.: "some.adp?id=1; delete from users;")
The most common (only?) cause of hijackable applications is not sanity checking input.

> is likely not possible to completely enforce in the server alone.

In any case, AOLserver doesn't pretend to be a shiny-happy-anyone-can-do-it-is-is-safe server like another Tcl based product I found a major security flaw in! (http://bas.scheffers.net/vgn-needs-login-exploit.html)

Just my 2 cents...

Bas.

--
AOLserver - http://www.aolserver.com/

To remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
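The point Bas makes, that the application (not the server) has to sanity-check its input, illustrated with an added example that is not from the thread or from AOLserver: the `id=1; delete from users;` request from the post is fed to a handler that concatenates it into SQL and to one that validates the value and binds it as a parameter. The database, table and rows are constructed here for the demonstration; the stand-in for the page handler is plain Python with sqlite3 rather than AOLserver Tcl.

```python
import sqlite3

# Constructed sample input: the query-string value quoted in the post.
INJECTED_ID = "1; delete from users;"


def _fresh_db():
    """Constructed in-memory database with a small users table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "create table users(id integer primary key, name text);"
        "insert into users values (1, 'alice'), (2, 'bob');"
    )
    return db


def lookup_unsafe(db, raw_id):
    """No input check: the raw value is pasted into the SQL text and the
    driver is allowed to run every statement it finds in the string, which
    is what lets the appended 'delete from users' execute.
    Returns the number of users left afterwards."""
    sql = "select name from users where id = " + raw_id
    db.executescript(sql)
    return db.execute("select count(*) from users").fetchone()[0]


def lookup_safe(db, raw_id):
    """Application-side defensive programming: reject anything that is not
    a plain integer, then bind the value instead of splicing it into SQL."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    row = db.execute(
        "select name from users where id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Returns (rows after unsafe lookup, payload rejected by safe lookup,
    rows after safe lookup, result of a legitimate safe lookup)."""
    db = _fresh_db()
    rows_after_unsafe = lookup_unsafe(db, INJECTED_ID)  # table is emptied
    db = _fresh_db()
    try:
        lookup_safe(db, INJECTED_ID)
        rejected = False
    except ValueError:
        rejected = True
    rows_after_safe = db.execute("select count(*) from users").fetchone()[0]
    return rows_after_unsafe, rejected, rows_after_safe, lookup_safe(db, "2")
```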
