Archive of UserLand's first discussion group, started October 5, 1998.

Re: zope security alert

Author:Brent Simmons
Posted:5/9/2000; 8:54:19 PM
Topic:zope security alert
Msg #:17141 (In response to 17139)
Prev/Next:17140 / 17142

if the server only performs content changes with a POST request, it becomes significantly more difficult to force damaging changes in the url query string

It may be difficult, but it's possible to use JavaScript to submit a form via POST. And it's not really that difficult -- in fact, some people on this dg are probably running such code multiple times a day without necessarily knowing it.

Manila does use POST requests pretty much every time content can be changed. Even though that makes Manila more secure than systems that use args in the URL, it's not enough. So a referer check is still a good idea.
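The referer check suggested above, written out as an added example (this is not Manila's or Zope's code): a state-changing request is accepted only if it is a POST and its Referer header names one of the site's own hosts, so a form posted from another page fails closed. ALLOWED_HOSTS and the two function names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hostnames allowed to originate content changes.
# Assumed value for this example; a real site lists its own hosts.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if the Referer header names one of our own hosts.

    A missing, unparsable or foreign Referer fails closed, because a form
    submitted from another site is exactly the case a POST-only policy
    does not stop.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # urlsplit().hostname is the real host even for
    # "http://www.example.com@evil.test/" (userinfo before the @ is ignored)
    # and is already lower-cased; only the exact hostname is compared, so
    # "www.example.com.evil.test" does not match.
    return parts.hostname in allowed_hosts


def accept_content_change(method, headers):
    """Gate a request that would change site content.

    `headers` is a dict of request headers. Only a POST with an on-site
    Referer is accepted; changes requested through URL arguments (GET)
    are rejected outright.
    """
    if method.upper() != "POST":
        return False
    return referer_allowed(headers.get("Referer"))
```

Browsers and proxies sometimes strip Referer, so a legitimate user may occasionally be rejected; for content changes that is the safer failure.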

This page was archived on 6/13/2001; 4:55:08 PM.

© Copyright 1998-2001 UserLand Software, Inc.