So, the whole W3C security idea is to prevent pre-population of filefields...right?
I guess it wouldn't be possible to allow the functionality only when
a user is uploading files from their own system and not from an
external source? Or is that what the proposed JavaScript and ActiveX
alternatives do?

Rick

-----Original Message-----
From: Jim [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 25, 2006 5:51 AM
To: CF-Talk
Subject: Re: Any reason why a file field can be submitted back to the page it's on?

I could make a website which has a form and filefield pre populated with
C:\WINDOWS\system32\config\SAM
You visit my website using a machine running Windows
I log your IP and auto submit the form using JavaScript
I now have the IP of your machine and the logins to your machine

Rick Faircloth wrote:
> I guess I just don't understand what the vulnerability is when HTML
> is allowed to pull back into a form the path info for a file field upon
> resubmission.
>
> Can you give me a concrete example of an exploit that can be built
> into a website that might be used if the change I suggested occurred.
>
> And, no, I wouldn't want everyone to have to stop wearing a helmet
> just because I might choose to not wear one. But that's a bogus
> argument anyway. If lawmakers were really trying to save money
> from uninsured motorists injuries, they would force car drivers to
> wear helmets, also, which would protect far, far greater numbers
> of injured, uninsured motorists. But they don't do that...why?
> Because it would be a great inconvenience to the vast majority of
> lawmakers who never ride a motorcycle. So, if it doesn't affect them,
> they don't care.
>
> Rick
>
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 25, 2006 1:32 AM
> To: CF-Talk
> Subject: RE: Any reason why a file field can be submitted back to the
> page it's on?
>
>> You mean that a malicious programmer could be hired by
>> someone to code web pages for them and then take advantage of
>> the person hiring them. Am I understanding?
>>
>> If that's the case, then I still think that burden should be
>> on the person hiring the programmer...get someone you
>> trust...if you don't trust them, don't hire them.
>>
>
> No, that's not what I meant at all. I meant exactly what I wrote: any
> malicious programmer could exploit it in their own web pages. Just like
> malicious programmers exploited ActiveX vulnerabilities in IE, and
> cross-site scripting vulnerabilities, etc, etc. If the browser lets you do
> something, it lets ANYONE do that thing, not just Rick the trustworthy
> programmer.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!

