I guess I just don't understand what the vulnerability is when HTML is allowed to pull back into a form the path info for a file field upon resubmission.
Can you give me a concrete example of an exploit that can be built into a website that might be used if the change I suggested occurred.

And, no, I wouldn't want everyone to have to stop wearing a helmet just because I might choose to not wear one. But that's a bogus argument anyway. If lawmakers were really trying to save money from uninsured motorists' injuries, they would force car drivers to wear helmets, also, which would protect far, far greater numbers of injured, uninsured motorists. But they don't do that...why? Because it would be a great inconvenience to the vast majority of lawmakers who never ride a motorcycle. So, if it doesn't affect them, they don't care.

Rick

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 25, 2006 1:32 AM
To: CF-Talk
Subject: RE: Any reason why a file field can be submitted back to the page it's on?

> You mean that a malicious programmer could be hired by
> someone to code web pages for them and then take advantage of
> the person hiring them. Am I understanding?
>
> If that's the case, then I still think that burden should be
> on the person hiring the programmer...get someone you
> trust...if you don't trust them, don't hire them.

No, that's not what I meant at all. I meant exactly what I wrote: any malicious programmer could exploit it in their own web pages. Just like malicious programmers exploited ActiveX vulnerabilities in IE, and cross-site scripting vulnerabilities, etc, etc. If the browser lets you do something, it lets ANYONE do that thing, not just Rick the trustworthy programmer.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

