What if the HTTP POST didn't get as far as ColdFusion? We have an ongoing case where the web server throws a 500 error, and we don't know why the page doesn't get to CF.

thx
Chris

---------- Original Message ----------------------------------
From: "Ken Wexel" <[EMAIL PROTECTED]>
Reply-To: [email protected]
Date: Tue, 8 May 2007 23:26:01 -0400

> When I ran into this problem previously, I'd set a value into the user
> session and set the same value as a hidden form field. On post, if
> the two didn't match, I knew the posting was invalid. Can be
> something as simple as a long numeric value..
>
> On 5/8/07, Eric J. Hoffman <[EMAIL PROTECTED]> wrote:
>> That's where I started....but the thing is, I think they can spoof that
>> variable? Or not?
>>
>> --------------------------------------------------------
>> Eric J. Hoffman
>> Managing Partner
>> 2081 Industrial Blvd
>> Stillwater MN 55082
>> mail: [EMAIL PROTECTED]
>> www: http://www.ejhassociates.com
>> tel: 651.717.4105
>> fax: 651.717.4101
>> mob: 651.245.2717
>> Adobe Solutions Partner
>> Microsoft Certified Partner
>> --------------------------------------------------------
>>
>> -----Original Message-----
>> From: AJ Mercer [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, May 08, 2007 9:53 PM
>> To: CF-Talk
>> Subject: Re: defeating offline form posts
>>
>> Have a look at the CGI variables, in particular CGI.HTTP_REFERER.
>> This is the page before the current one - it should have your server
>> details in there, otherwise discard.
>>
>> On 5/9/07, Eric J. Hoffman <[EMAIL PROTECTED]> wrote:
>> > Curious question here. If I think about this, if someone takes a form
>> > of ours for login, for example, and makes a local copy on their
>> > machine....and they set the post action to be the live server
>> > authenticate file....what is the best way to detect this and defeat it?
>> > No one has ever gained access this way as of yet, but we are studying
>> > possibilities, and this seems to me to be an attack vector.
>> >
>> > Any thoughts? A check to see if the referrer was the domain
>> > name/login file name? Or can that be spoofed as well then?
>> >
>> > Thanks~!
>> >
>> > Eric J. Hoffman
>> > Managing Partner

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277394
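Ken's session-plus-hidden-field check, written out as an added CFML example (not code from anyone in the thread); it assumes an Application.cfm or Application.cfc that enables session management, and authenticateUser() is a hypothetical stand-in for the site's own credential check. Because the hidden value is compared against state held on the server, a form copied to another machine has nothing to match, unlike the Referer header, which the client sets.

```cfml
<!--- login.cfm (added example, not code from the thread).
      Assumes Application.cfm/Application.cfc turns on sessionmanagement.
      Renders the login form on GET and validates the token on POST. --->
<cffunction name="currentFormToken" returntype="string" output="false">
    <!--- Mint one token per session: hash a fresh random AES key plus a UUID so
          the value is long, unpredictable and unique to this visitor's session. --->
    <cfif NOT structKeyExists(session, "formToken")>
        <cfset session.formToken = hash(generateSecretKey("AES") & createUUID(), "SHA")>
    </cfif>
    <cfreturn session.formToken>
</cffunction>

<cffunction name="isValidFormToken" returntype="boolean" output="false">
    <cfargument name="submitted" type="string" required="true">
    <!--- A copied form is posted by a browser with no session here, so there is
          nothing for its hidden field to match. compare() is case-sensitive, and
          an empty or altered value fails as well. --->
    <cfreturn structKeyExists(session, "formToken")
              AND len(arguments.submitted) GT 0
              AND compare(arguments.submitted, session.formToken) EQ 0>
</cffunction>

<cfif cgi.request_method EQ "POST">
    <cfparam name="form.formToken" default="">
    <cfparam name="form.username" default="">
    <cfparam name="form.password" default="">
    <cfif NOT isValidFormToken(form.formToken)>
        <!--- Record the rejection with the remote address and the (untrusted)
              referer, then refuse to look at the credentials at all. --->
        <cflog file="formtoken" type="warning"
               text="Form token mismatch from #cgi.remote_addr# referer=#cgi.http_referer#">
        <cfheader statuscode="403" statustext="Forbidden">
        <cfoutput><p>This form was not issued by this site. Please reload it and try again.</p></cfoutput>
        <cfabort>
    </cfif>
    <!--- Token checked out; hand the credentials to the real login code.
          authenticateUser() is a hypothetical function for this example. --->
    <cfset loginOK = authenticateUser(form.username, form.password)>
<cfelse>
    <cfoutput>
    <form method="post" action="login.cfm">
        <input type="hidden" name="formToken" value="#currentFormToken()#">
        <input type="text" name="username"> <input type="password" name="password">
        <input type="submit" value="Log in">
    </form>
    </cfoutput>
</cfif>
```

The check runs inside ColdFusion, so it does nothing for Chris's case where the web server answers 500 before the request reaches CF; that has to be diagnosed from the web server's own error log.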

