On Thu, Mar 8, 2012 at 8:35 AM, Dave Shuck <[email protected]> wrote:

> Yes, the problem is that it *is* a valid event, which is why I say this is not a vulnerability.
Exactly--the trick here is, how are you supposed to account for every bad URL parameter someone would throw at you? Are they concerned about the ".cgi" part specifically? I can go to amazon.com or any web site and tack crap on the end of a URL and I don't always get a 404--the stuff they don't care about just gets ignored, and it's not as if the .cgi (what year is it again? ;-)) would get executed.

I understand the concern about it not explicitly saying "nothing to see here" by returning a 404, but I don't see how you could possibly account for that.

Well, now that I say that, actually I do. It's ugly, but you *could* "know" what URL arguments *should* be passed to each event and, if any other than the known good ones come in, throw a 404. But then you're having to track known good URL params for every event in your app. It'd work, though. :-)

--
Matthew Woodward
[email protected]
http://blog.mattwoodward.com
identi.ca / Twitter: @mpwoodward

Please do not send me proprietary file formats such as Word, PowerPoint, etc. as attachments.
http://www.gnu.org/philosophy/no-word-attachments.html
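The per-event "known good parameters" check Matthew sketches above, written out as an added Python example. This is not code from the thread or from Mach-II; it assumes the framework selects the event through an `event` query parameter (the default Mach-II convention), and the event names, their allowed parameters and the sample URLs are constructed for illustration. Any parameter not on the event's list (or a framework-wide list for things like tracking parameters) turns the request into a 404, which is exactly the maintenance cost the post warns about.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed name of the routing parameter (Mach-II's default is "event").
EVENT_PARAM = "event"

# Parameters accepted on every event (hypothetical; analytics/session params
# would otherwise 404 legitimate traffic). Names are compared lowercased,
# since CF query-string keys are case-insensitive.
GLOBAL_PARAMS = {"utm_source", "utm_medium", "utm_campaign"}

# Constructed per-event allowlist: event name -> parameter names it accepts.
ALLOWED_PARAMS = {
    "showproduct": {"productid", "tab"},
    "search": {"q", "page", "sort"},
}


def classify_request(url):
    """Return (status, unexpected_params) for a request URL.

    200 when the event is known and every parameter is on its allowlist,
    404 when the event is missing/duplicated/unknown or any parameter is not
    expected for that event. The second element lists the offending names so
    the decision can be logged.
    """
    parts = urlsplit(url)
    # keep_blank_values so a bare "foo.cgi" tacked onto the query still counts.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [name.lower() for name, _ in pairs]

    event_values = [value for name, value in pairs if name.lower() == EVENT_PARAM]
    if len(event_values) != 1:
        # No event, or the same parameter supplied twice: not a request we know.
        return 404, sorted(set(names) - {EVENT_PARAM})

    event = event_values[0].lower()
    allowed = ALLOWED_PARAMS.get(event)
    if allowed is None:
        return 404, []

    unexpected = sorted(set(names) - allowed - GLOBAL_PARAMS - {EVENT_PARAM})
    if unexpected:
        return 404, unexpected
    return 200, []


if __name__ == "__main__":
    for sample in (
        "/index.cfm?event=showProduct&productId=42",
        "/index.cfm?event=showProduct&productId=42&foo.cgi",
        "/index.cfm?event=search&q=x&utm_source=newsletter",
        "/index.cfm?event=search&event=showProduct&q=x",
        "/index.cfm?event=doesNotExist",
    ):
        status, bad = classify_request(sample)
        print(status, bad, sample)
```

The trade-off is visible in `GLOBAL_PARAMS` and `ALLOWED_PARAMS`: every new event, and every new parameter a listener starts reading, has to be registered here or the request starts returning 404. Whether the stricter response is worth that bookkeeping is the judgement call the thread is about; the code only shows that the mechanism is simple to build.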
