Security flaw in web server?
Scenario:
Website XYZ has a form. When the form is filled out and the user clicks on submit, the fields are emailed to a mailbox.
If I copied the source code of the website, pasted it in notepad and "modified" a few lines of code, saved it as index.html on my desktop and opened it, if I fill out the form and click submit, should it process the info just as it would normally from the actual website?
Comments
-
tiersten Member Posts: 4,505
Assuming you make it POST/GET to the correct address, and do the necessary referer faking if it checks, then yes.
This is why the form mail scripts which are written correctly only accept emails to a hardcoded list of recipients. If they didn't then you'd be able to spam people via the script.
The ability to alter the page isn't a security flaw BTW.
-
phoeneous Member Posts: 2,333
"The ability to alter the page isn't a security flaw BTW."
That I know.
I always thought that the server would check the source of the form against itself even if the mailto address associated with the submit button hasn't been changed.
-
dynamik Banned Posts: 12,312
That's a lot of work. Just use the Tamper Data add-on for Firefox.
-
tiersten Member Posts: 4,505
"I always thought that the server would check the source of the form against itself even if the mailto address associated with the submit button hasn't been changed."
As Dynamik pointed out, there are significantly easier ways to tamper with form submissions since you control the client.
The form mail scripts also need to sanitise the inputs like subject, from and content since you can do tricks with control characters to get through the checking/protection within the script.
-
RobertKaucher Member Posts: 4,299
I have no clue
I once found a Perl script that allowed you to specify the recipient via a hidden HTML form field. Any script kiddy could spam with it.
There is no way to keep someone from being a DB and emailing you garbage unless you use a security check such as captcha (type the words in the image above). But the script will be secure if it is looking into the data provided by the client and removing things like ` and ; and there is a way to handle SQL injection provided that is required.
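
An added example, not part of any post in this thread: a Python sketch of a form-mail handler applying the two defences tiersten describes, a hardcoded recipient list and refusal of control characters in header fields. The field names (`dept`, `from`, `subject`, `content`), recipient keys and addresses are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Assumed server-side config: the form sends a key, never an address.
RECIPIENTS = {"sales": "sales@example.com", "support": "support@example.com"}
HEADER_CTRL = re.compile(r"[\x00-\x1f\x7f]")          # includes CR and LF
BODY_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")   # keeps tab and LF
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class RejectedSubmission(ValueError):
    """Raised when a submission fails validation."""


def build_message(form):
    """Build an EmailMessage from untrusted form fields, or raise."""
    to_addr = RECIPIENTS.get(form.get("dept", ""))
    if to_addr is None:
        raise RejectedSubmission("recipient key not in the hardcoded list")
    sender = form.get("from", "")
    subject = form.get("subject", "")
    # Header fields: refuse control characters rather than trying to clean them.
    for name, value in (("from", sender), ("subject", subject)):
        if HEADER_CTRL.search(value):
            raise RejectedSubmission(f"control character in {name}")
    if not ADDRESS.fullmatch(sender):
        raise RejectedSubmission("malformed from address")
    if len(subject) > 200:
        raise RejectedSubmission("subject too long")
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = "webform@example.com"  # fixed identity owned by the site
    msg["Reply-To"] = sender
    msg["Subject"] = subject
    # Body: drop control characters but keep line breaks and tabs.
    msg.set_content(BODY_CTRL.sub("", form.get("content", "")))
    return msg


def is_rejected(form):
    """Return True when build_message refuses the submission."""
    try:
        build_message(form)
    except RejectedSubmission:
        return True
    return False
```

Because the checks run on the server, they hold whether the request comes from the real page, a locally edited copy, or a tampering proxy.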