I am not sure whether it was already mentioned here (didn't read the whole
thread) but there was a security vulnerability in, I believe, CF4. The cracker
could save the administrator login page, modify password length column to
anything he wanted to (like 1000000) and send it over with a lot of garbage
as the password (1000000 chars). It apparently killed the server (100% cpu
utilization). One cannot rely on 'maxlength' property in the form, need to
validate anything and everything that ever enters user's pc.

TK
  -----Original Message-----
  From: Matt Robertson [mailto:[EMAIL PROTECTED]
  Sent: Friday, February 27, 2004 5:58 PM
  To: CF-Talk
  Subject: RE: Protect action pages

  Dave Watts wrote:
  >What's to stop me from using CFHTTP to request the form, find out the
  >CFID/CFTOKEN values for the Client variables, then use CFHTTP to post
  >data to the action page along with the matching CFID/CFTOKEN?

  Nothing, but I'm curious to see if anything can be done.  Against a
  multi-step attack like that, I don't think anything can stop a 'foreign'
  post other than the type-in-what-you-see-in-the-box box bit.

  Serves to point up the importance of data validation.

  --
  -------------------------------------------
  Matt Robertson,     [EMAIL PROTECTED]
  MSB Designs, Inc. http://mysecretbase.com
  -------------------------------------------
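
An added example, not part of the original messages: one way a login action page could enforce length limits on the server, so that an edited or missing `maxlength` attribute on the saved form makes no difference. The file name, field names and limit values are assumptions chosen for illustration.

```cfml
<!--- login_action.cfm (hypothetical action page; names and limits are assumptions) --->
<cfset maxBodyBytes = 4096>
<cfset fieldLimits = structNew()>
<cfset fieldLimits.username = 64>
<cfset fieldLimits.password = 128>

<!--- Accept POST only. --->
<cfif cgi.request_method NEQ "POST">
    <cfheader statuscode="405" statustext="Method Not Allowed">
    <cfabort>
</cfif>

<!--- Refuse oversized bodies before any field is processed.
      The body has already been received at this point, so the web server's
      own request size limit should be set as well; this check only stops
      further work on the page. --->
<cfif NOT isNumeric(cgi.content_length) OR cgi.content_length GT maxBodyBytes>
    <cfheader statuscode="413" statustext="Request Entity Too Large">
    <cfabort>
</cfif>

<!--- Enforce every limit here; the form's maxlength is only a browser hint
      and is absent from a request built with CFHTTP or a saved, edited form. --->
<cfloop collection="#fieldLimits#" item="fieldName">
    <cfif NOT structKeyExists(form, fieldName)
          OR len(form[fieldName]) EQ 0
          OR len(form[fieldName]) GT fieldLimits[fieldName]>
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid or missing field.</cfoutput>
        <cfabort>
    </cfif>
</cfloop>

<!--- Both fields are present and within limits; only now pass
      form.username and form.password to the authentication code. --->
```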
