Kevin,

You can see the JavaScript comment that contains the name of the server-side method. However, knowing this wouldn't enable a malicious person to invoke it because the actual call is encrypted using a session key. In your example this is the first argument of the cspRunServerMethod() function 'JS_5bPNT...'

A session key is used to encrypt the method call and is decrypted using the same key when the csp request is received by the server. An attempt to decrypt the string using the wrong session key will fail and the method won't be executed. So only the exact csp session that created the page can successfully decrypt the string and then execute the method.

However, knowing the name of the method falls into a security category known as 'information leaks'. Anyone attempting to hack into a system may be able to take advantage of information leaks to discover background information that may be useful to support other forms of attack.

Regards
George

George James Software
VC/m - The force of change
www.georgejames.com
+44-1932-252568

> -----Original Message-----
> From: kevin furze [mailto:[EMAIL PROTECTED]
> Posted At: 20 August 2004 07:27
> Posted To: Caché Newsgroup
> Conversation: generated csp code #server calls
> Subject: generated csp code #server calls
>
>
> just a question that we don't need to rush to answer, just curious
> because it's in an intranet environment
>
> I created a csp page and included a call to #server
> when it's generated into html code, I see the following
>
> // invoke #server(csp.findadealer.formLoad())
> return
>
> (cspRunServerMethod('JS_5bPNTkxV3Jgt1F6bgw_b/p_AE5pIg3Ue8DtjEajG291W-
> b32/arpdfdvr5vftA','') == 1);
>
> so the question is, I can see the
> // invoke #server(csp.findadealer.formLoad())
>
> what's the quick way to get that hidden. (seems like a
> security hole??)
>
>
> kev
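The session-bound token described in the reply above, modelled as an added example that is not part of the original thread and is not the actual CSP algorithm. The names `seal_call` and `open_call` are hypothetical, the session keys are constructed, and the cipher is a standard-library HMAC-based encrypt-then-MAC stand-in for whatever the server really uses.

```python
import base64, hashlib, hmac, secrets

def _subkey(session_key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from the session key.
    return hmac.new(session_key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal_call(session_key: bytes, method: str) -> str:
    """Return the opaque token embedded in the page instead of the method name."""
    nonce, plain = secrets.token_bytes(16), method.encode()
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(plain))
    cipher = bytes(a ^ b for a, b in zip(plain, stream))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + cipher, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + cipher + tag).decode()

def open_call(session_key: bytes, token: str):
    """Return the method name, or None if the token was not sealed by this session."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) < 48:  # 16-byte nonce + 32-byte tag is the minimum
        return None
    nonce, cipher, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(_subkey(session_key, b"mac"), nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong session key or altered token: nothing is executed
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(cipher))
    return bytes(a ^ b for a, b in zip(cipher, stream)).decode()

if __name__ == "__main__":
    page_session = secrets.token_bytes(32)   # constructed: session that rendered the page
    other_session = secrets.token_bytes(32)  # constructed: any other session
    token = seal_call(page_session, "csp.findadealer.formLoad")
    print(token)
    print(open_call(page_session, token))    # method name recovered
    print(open_call(other_session, token))   # None
```

The token itself reveals nothing about the method; in the generated page it is the adjacent `// invoke #server(...)` comment that discloses the name.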
