Dick,
Surely this could be remedied by implementing the onsubmit JavaScript event
of the particular form in question to instantiate a JavaScript confirm
object.
i.e. The unsuspecting administrator opens the malicious link which causes
the (let's say) uninstall server action form to be submitted. However, the
onsubmit event would kick in giving the JavaScript confirm object
(Dialogue - [Are you sure you wish to....?])
Otherwise, I agree it is truly a scary situation which I hope I never have
to be found in. Fortunately for me, I always disable the HTML administration
feature of IIS, but am in fact in the process of developing a web based
server administration module for our hosting clients. So, thanks for
pointing this security hole out to me at my early stage of development of my
system.
Regards,
Dave
Dave Wilson
Internet Technology Manager,
BizNet Solutions
<Allaire Premier Partner>
Co-Founder CFUG Ireland
http://www.cfug.ie
224, Lisburn Road
Belfast BT9 6GE
Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com
email: [EMAIL PROTECTED]
----- Original Message -----
From: Dick Applebaum <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 10, 2000 7:07 AM
Subject: Browser Security hole
> This was posted to another ug... scary
>
> Dick
>
> Zope.Org posts a security alert of concern to users of all Web
> applications...
>
> http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan
>
> --------------------------------------------------------------------------
> Archives: http://www.eGroups.com/list/cf-talk
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
> send a message to [EMAIL PROTECTED] with 'unsubscribe' in
> the body.
>