<!--- DumpCGI.cfm --->
<cfdump var="#cgi#">
<!--- Spoof.cfm --->
<cfhttp url=""> <cfhttpparam type="CGI" name="REMOTE_ADDR" encoded="false"
value="132.145.1.2">
<cfhttpparam type="CGI" name="REMOTE_HOST" encoded="false"
value="spoof.com">
</cfhttp>
<cfoutput>#cfhttp.fileContent#</cfoutput>
Perhaps if there's a real web-server in the middle it will fix those CGI
variables, but at least using JWS they can be spoofed. I know I've spoofed
REMOTE_HOST before when demonstrating the security (or lack thereof) of one
client's application and that was using iPlanet web-server and CFMX.
Best regards,
Sam
----------------------------------------
Blog http://www.rewindlife.com
TeamMM http://www.macromedia.com/go/team
----------------------------------------
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 20, 2004 11:22 AM
> To: CF-Talk
> Subject: RE: Blocking IP address
>
> > Is it possible for a browser to block the CGI.remote_host
> > variable, or will there always be some IP address there?
>
> The only CGI variables that are provided by the browser are
> the ones that
> begin with "HTTP_". The others are provided by the server
> environment. So
> no, I don't think a browser can affect CGI.REMOTE_HOST.
>
> Dave Watts, CTO, Fig Leaf Software
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
