So if I understand it right, you're basically using the javascript popup to piggyback on someone else's security access.

How cool is that!! Cheers, I'm going to have a play with that (on my sites of course) and make sure I cover it

Mark

-----Original Message-----
From: Russ Michaels (Snake) [mailto:[EMAIL PROTECTED]
Sent: 08 September 2004 09:11
To: [EMAIL PROTECTED]
Subject: RE: [ cf-dev ] Tips on securing a form.

Yes because the javascript you're putting in the form is being saved in the database and displayed on another page. You're not altering the original page. This allows you to gain access to pages and data that only the person logged into the site should be able to see.

Russ

> -----Original Message-----
> From: Mark Smyth [mailto:[EMAIL PROTECTED]
> Sent: 07 September 2004 17:24
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ cf-dev ] Tips on securing a form.
>
> Hi Russ
>
> I'm a bit confused. Is entering the javascript into formfields and then altering the HTML any different than viewing the source of a form, saving a local copy and then altering the HTML and posting it?
>
> Thanks
> Mark
>
> -----Original Message-----
> From: Russ Michaels (Snake) [mailto:[EMAIL PROTECTED]
> Sent: 07 September 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: RE: [ cf-dev ] Tips on securing a form.
>
> Well you make sure that SQL cannot be inserted by using CFQUERYPARAM around your values, so any altering of formfields or URLs won't allow code execution. There isn't much you can do about general text fields as these are intended for people to type text into. But as long as you stop code execution then nothing they put here will do any damage. You may want to do validation to stop any TAGS being typed into the fields, and stop arbitrary code from calling individual pages on your site, otherwise people can then use javascript and the likes to get at people's data. An example of this.
>
> Let's say you have a site where you can view people's profiles or comments, such as a forum for instance. In my post or comment or profile I could put some javascript that popped up a new window and loaded the personal settings page into that window (which would load that person's settings cos they are logged in). Now because my code is on the calling page that popped up that window, I can now manipulate anything in that window, which means I can alter the form action to submit any form to a URL on my server instead and thus grab any of that person's info such as username/password etc when they click save, or I can just grab anything that is on that page initially and use an IMG tag to send all the values as attributes to a .cfm page on my server. Or indeed I can popup any old page from my own server that tells that person they have logged out and to log back in, bam I have their login details. Now apply this example to sites that take orders, store credit details, private information about people and you can see how easy it is to steal people's databases without the correct code in place to stop it. I can tell you for a start that I discovered you can do this sort of thing with the Worldpay payment gateway unless you implement code to avoid it.
>
> I hope I haven't given you lot any ideas now :-)
>
> Russ Michaels
> Macromedia/Allaire Certified ColdFusion Developer
>
> CFDeveloper
> The free resource and community for ColdFusion developers.
> http://www.cfdeveloper.co.uk
>
> Join the CFDeveloper discussion lists.
> To subscribe send an e-mail to [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Stephen Adams [mailto:[EMAIL PROTECTED]
> > Sent: 07 September 2004 16:33
> > To: 'Dev
> > Subject: [ cf-dev ] Tips on securing a form.
> >
> > Hi,
> >
> > I have a simple form, which mainly uses drop down lists, but there are a couple of textareas and textfields. Can anyone tell me where I can find tutorials/tips on how to programmatically secure this form.
> >
> > At the moment my form submits straight to an INSERT query, I just want to make sure no one can attack the site through this form.
> >
> > --
> These lists are synchronised with the CFDeveloper forum at http://forum.cfdeveloper.co.uk/
> Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
>
> CFDeveloper Sponsors and contributors:-
> *Hosting and support provided by CFMXhosting.co.uk* :: *ActivePDF provided by activepdf.com*
> *Forums provided by fusetalk.com* :: *ProWorkFlow provided by proworkflow.com*
> *Tutorials provided by helmguru.com* :: *Lists hosted by gradwell.com*
>
> To unsubscribe, e-mail: [EMAIL PROTECTED]
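The thread gives two separate defences for Stephen's form: parameterise the INSERT so a typed value can never become SQL (Russ's CFQUERYPARAM advice), and make sure anything stored from a text field is shown as text, not executed, when another logged-in user views the page (the stored-javascript problem Russ describes). The following is an added example and not code from the cf-dev list or from any of its posters; it is a Python/sqlite3 analogue of those two points rather than ColdFusion, and the comments table, the sample submissions and the `example.invalid` URL are all constructed for illustration.

```python
"""Parameterised insert plus output encoding for a comment form.

Added example: a Python/sqlite3 analogue of the advice in the thread,
not code from the cf-dev list. Table name, sample comments and URL are
constructed for the demonstration.
"""
import html
import re
import sqlite3

# Constructed sample submissions (not taken from the thread).
SAMPLE_COMMENTS = [
    "Great forum, thanks!",
    "O'Brien says hi",  # a quote that breaks naive string-built SQL
    "<script>window.open('https://example.invalid/')</script>",  # stored-script payload
]

TAG_PATTERN = re.compile(r"<[^>]*>")


def open_db():
    """In-memory table standing in for the site's comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def insert_comment_unsafe(conn, body):
    """The pattern the original question describes: the form value is
    concatenated straight into the INSERT. A single quote in the input
    changes the SQL itself, so sqlite rejects the statement (other inputs
    could make it run SQL the developer never wrote)."""
    conn.execute("INSERT INTO comments (body) VALUES ('" + body + "')")


def insert_comment_safe(conn, body):
    """Parameterised equivalent of wrapping the value in CFQUERYPARAM:
    the driver passes the text as data, never as part of the SQL text."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))


def unsafe_insert_breaks(body):
    """Return True if the string-built INSERT fails on this input."""
    conn = open_db()
    try:
        insert_comment_unsafe(conn, body)
    except sqlite3.Error:
        return True
    return False


def contains_tags(body):
    """Input-side check Russ suggests: flag anything that looks like markup."""
    return TAG_PATTERN.search(body) is not None


def render_comment(body):
    """Output-side defence: encode on the way out so a stored <script> is
    displayed as text instead of running in the viewer's browser."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def store_and_render(comments):
    """Run the constructed samples through the safe path and return the
    HTML the page would emit for each stored comment."""
    conn = open_db()
    for body in comments:
        insert_comment_safe(conn, body)
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return [render_comment(row[0]) for row in rows]


if __name__ == "__main__":
    for body in SAMPLE_COMMENTS:
        print("naive INSERT fails:", unsafe_insert_breaks(body), "| has tags:", contains_tags(body))
    for rendered in store_and_render(SAMPLE_COMMENTS):
        print(rendered)
```

The two functions are deliberately independent: parameterising the query stops the database from executing the input, and encoding at render time stops the browser from executing it. Either one alone leaves the other problem open, which is exactly the gap between Stephen's question and Russ's forum example.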
