
Security problem with POST 

Forum: CCI for Perl
Re: What I can do with CCI : Client control ? (Kannan Thiruvengadam)
Re: Respond to: What I can do with CCI : Client control ? (Adrian Howard)
Re: What I can do with CCI, with what is already available; What should NOT be allowed through CCI (Kannan Thiruvengadam)
Date: 1995, Feb 07
From: Adrian Howard

>As you know, Functionality (5) in the listing can be
>achieved using Functionality (1) if the URL
>that you go to, is a form. This itself can
>be considered an authentication (the server
>voluntarily accepting [in fact asking for]
>data from the client).

Yes and no... The problem is that the data looks like it has come from the Mosaic user. Since there is no authentication on connections from a CCI client to a browser, the user has no control over who can POST data in their name. Not a nice situation.

Currently a trusted HTML client/server connection will be made insecure by the addition of a browser listening for CCI connections.

>I wonder what situations can require
>a user to merely post data using CCI, and also
>about what might happen to the disk on
>the server, if such a thing is allowed.
>
>Point : (it's an opinion) "Posting" should always
>be done through form-filling.

What if you're not sending textual data? What if you're sending a 50k database update? What if there needs to be an (easily automated) negotiation between the client and server on what data needs to be sent?

Adrian
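
As an added illustration (not part of the post above, and not the CCI protocol or any Mosaic code): one way a browser could gate a local control port so that only clients holding a per-session secret can issue commands, and a POST still needs the user's approval. The names `ControlGate`, `sign` and `confirm_post`, the command strings and the key are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

def sign(key: bytes, nonce: str, command: str) -> str:
    """Tag binding one command to one browser-issued nonce."""
    msg = f"{nonce}\n{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ControlGate:
    """Hypothetical browser-side gate for a local control port."""

    def __init__(self, key: bytes, confirm_post):
        self._key = key                    # shared only with clients the user started
        self._confirm_post = confirm_post  # callback: ask the user before any POST
        self._pending = set()              # nonces issued and not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def handle(self, nonce: str, command: str, tag: str) -> str:
        # Single-use nonce: a captured request cannot be replayed.
        if nonce not in self._pending:
            return "REJECT nonce"
        self._pending.discard(nonce)
        expected = sign(self._key, nonce, command)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "REJECT auth"
        # Even an authenticated client may not submit data in the user's
        # name unless the user approves this particular request.
        if command.startswith("POST ") and not self._confirm_post(command):
            return "REJECT user-declined"
        return "ACCEPT"

def demo():
    key = secrets.token_bytes(32)                   # constructed sample key
    gate = ControlGate(key, confirm_post=lambda cmd: "orders" in cmd)
    cmd = "POST http://example.test/orders qty=1"   # constructed sample command
    n1 = gate.challenge()
    tag = sign(key, n1, cmd)
    results = [gate.handle(n1, cmd, tag)]           # trusted client, user approves
    results.append(gate.handle(n1, cmd, tag))       # replay of the same request
    n2 = gate.challenge()
    results.append(gate.handle(n2, cmd, sign(b"guess", n2, cmd)))  # client without the key
    return results
```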
