deathchaoz
Newbie
Joined: 06 June 2005
Status: Offline
Points: 3
|
Topic: Location Posted: 06 June 2005 at 12:13am |
|
Someone changed their location to their name on the Web Wiz forum I use. How could they have done it?
|
 |
sfd19
Senior Member
Joined: 20 December 2004
Status: Offline
Points: 263
|
Posted: 06 June 2005 at 7:35am |
|
By manipulating the form submission on register.asp.
To prevent it you must add a check that the submitted country matches one on your list.
Also, you should seriously warn that user.
|
|
|
 |
dj air
Senior Member
Joined: 05 April 2002
Location: United Kingdom
Status: Offline
Points: 3627
|
Posted: 06 June 2005 at 8:19am |
|
This can be seen as a security hole.
I'll let boRg know about this.
|
 |
deathchaoz
Newbie
Joined: 06 June 2005
Status: Offline
Points: 3
|
Posted: 06 June 2005 at 10:15am |
sfd19 wrote:
By manipulating the form submission on register.asp.
To prevent it you must add a check that the submitted country matches one on your list.
Also, you should seriously warn that user.
|
Happen to be able to tell me how?
|
 |
sfd19
Senior Member
Joined: 20 December 2004
Status: Offline
Points: 263
|
Posted: 06 June 2005 at 4:47pm |
|
You would have to add a table to the database and put all country names in
it. Then you would have to change the country submission form on register.asp.
Plus, plus, plus,..,..
I doubt that it's worth the time since unlike dj air I do not see it as
a security hole. The country gets checked for invalid tags and SQL
injection, so there won't be a problem with it. Warn the user and if he
does it again, ban him.
As a user, you need to have some knowledge to manipulate the form
submission, so that problem will not occur very often, if it does ever
happen again at all.
|
|
|
 |
dpyers
Senior Member
Joined: 12 May 2003
Status: Offline
Points: 3937
|
Posted: 06 June 2005 at 10:15pm |
One way of doing it is to copy source to your PC, make whatever changes you want to dropdowns, and run the source from your PC.
Form handlers however should check that the http_referrer they get is from their domain.
|
Lead me not into temptation... I know the short cut, follow me.
|
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 07 June 2005 at 9:48am |
|
This isn't really a security hole, in fact I have done it myself using standard Firefox plugins.
The country drop down doesn't check if the country entered is in the
list, as a user may change the list or even change it to a text field and
let the users type their own country in.
Instead, to keep security, the country that the user enters is run
through security filters to filter out any malicious code that the user
may try and enter.
|
|
|
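An added example, not part of the thread and not Web Wiz Forums code: the two server-side approaches discussed above, an allow-list check on the submitted country and the free-text alternative that filters the value and encodes it on output. It is written in Python rather than the forum's ASP; the country list, the length limit and all function names are assumptions made for illustration.

```python
import html
import unicodedata

# Constructed sample list; a real forum would load its own (e.g. from a table).
ALLOWED_COUNTRIES = ("Germany", "United Kingdom", "United States")
# Lookup keyed on a normalized form so "united   KINGDOM " still matches.
_CANONICAL = {c.casefold(): c for c in ALLOWED_COUNTRIES}
MAX_FREE_TEXT = 40  # assumed limit for the free-text variant


def _normalize(raw):
    """Unicode-normalize, turn control/format characters into spaces,
    then collapse runs of whitespace."""
    text = unicodedata.normalize("NFKC", raw or "")
    text = "".join(
        " " if unicodedata.category(ch).startswith("C") else ch for ch in text
    )
    return " ".join(text.split())


def validate_country_allowlist(raw):
    """Return the canonical country name, or None if it is not on the list.

    The dropdown only limits what an unmodified browser sends. The handler
    repeats the check because the posted value is client-controlled.
    """
    return _CANONICAL.get(_normalize(raw).casefold())


def clean_country_free_text(raw):
    """Free-text variant: accept any value, but normalize and bound it."""
    return _normalize(raw)[:MAX_FREE_TEXT]


def render_location(stored):
    """HTML-encode at output time so stored text is never treated as markup."""
    return html.escape(stored, quote=True)
```

With the allow-list variant a nickname posted in the country field is rejected outright; with the free-text variant it is stored, but only ever displayed as inert text.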
 |