Sam
----------------------------------------
Blog http://www.rewindlife.com
TeamMM http://www.macromedia.com/go/team
----------------------------------------
> -----Original Message-----
> From: Samuel R. Neff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 20, 2004 11:43 AM
> To: CF-Talk
> Subject: RE: Blocking IP address
>
> The browser can spoof REMOTE_HOST and even REMOTE_ADDR. Try this out:
>
> <!--- DumpCGI.cfm --->
> <cfdump var="#cgi#">
>
> <!--- Spoof.cfm --->
> <cfhttp url="">
> <cfhttpparam type="CGI" name="REMOTE_ADDR" encoded="false"
> value="132.145.1.2">
> <cfhttpparam type="CGI" name="REMOTE_HOST" encoded="false"
> value="spoof.com">
> </cfhttp>
>
> <cfoutput>#cfhttp.fileContent#</cfoutput>
>
> Perhaps if there's a real web-server in the middle it will fix those CGI
> variables, but at least using JWS they can be spoofed. I know I've spoofed
> REMOTE_HOST before when demonstrating the security (or lack thereof) of one
> client's application and that was using iPlanet web-server and CFMX.
>
> Best regards,
>
> Sam
>

