Posted by shimmyshack on 04/22/07 20:21
On 22 Apr, 16:05, j...@lycos.com wrote:
> > On Apr 22, 12:23 am, j...@lycos.com wrote:
>
> Thanks for the informative replies, gents. I forgot to mention that
> for this application it was intended to work off a server on the
> company intranet so has some insulated security based on that (I can't
> access it from home). It began as a means to keep an electronic log
> for a 'testy' piece of equipment where messages could be passed from
> those who don't currently have access to any email. Their entries
> make it to the database log just fine where they can be queried and
> read but to ensure speedy remedies or responses to issues (by those
> who may otherwise 'forget' to check the database for any new entries),
> the ability to send an email as a teaser seemed like a good idea.
> Hence, the struggle to get some semblance of this working.
>
> thanks again,
> John
I see, although it is protected to a degree, the way the values are
printed to the screen in fact makes it vulnerable to attack from
outside, unfortunately. It's not a massive problem, but you should use
best practice and escape and filter wherever input is printed to
screen or obtained from a source like a user or database and then
used. This kind of webpage is what an external attacker is looking for
when s/he wants to gain access to an intranet!
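The "escape on output, filter on input" rule from the reply above, as an added example in Python; it is not code from the thread, and the thread never names the language of John's application. The field names, the sample rows and the equipment-id pattern are all assumptions made for the example. It shows the same log entries rendered two ways: echoed straight into the page (the pattern shimmyshack warns about) and HTML-escaped at the point they are printed, plus a small input-side check for fields that are later reused, such as in the teaser e-mail.

```python
import html
import re

# Constructed sample rows as they might come back from the log table.
# The real schema is never shown in the thread; these names are assumed.
SAMPLE_ENTRIES = [
    {"author": "alice", "equipment": "press-3",
     "message": "Calibration drifted again, needs a look"},
    {"author": "bob", "equipment": "press-3",
     "message": "<script>alert('xss')</script> see attached"},
]

# Assumed format for an equipment identifier: short, alphanumeric plus - and _.
EQUIPMENT_ID = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def filter_entry(entry):
    """Input-side check, run before an entry is stored or reused.

    Rejects a structurally invalid equipment id and strips CR/LF from the
    free-text message, so the message cannot later add lines of its own when
    it is copied into an e-mail. Returns a cleaned copy of the entry.
    """
    if not EQUIPMENT_ID.match(entry["equipment"]):
        raise ValueError("bad equipment id")
    cleaned = dict(entry)
    cleaned["message"] = entry["message"].replace("\r", " ").replace("\n", " ")
    return cleaned


def render_unsafe(entries):
    """Values printed to the screen exactly as stored: any markup in a
    message becomes part of the page, which is the weakness the reply
    describes."""
    rows = "".join(
        f"<tr><td>{e['author']}</td><td>{e['equipment']}</td>"
        f"<td>{e['message']}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_safe(entries):
    """Output-side escaping: every value is HTML-escaped where it is printed,
    so stored markup is shown as text instead of being interpreted."""
    def esc(value):
        return html.escape(value, quote=True)

    rows = "".join(
        f"<tr><td>{esc(e['author'])}</td><td>{esc(e['equipment'])}</td>"
        f"<td>{esc(e['message'])}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    entries = [filter_entry(e) for e in SAMPLE_ENTRIES]
    print("unsafe:", render_unsafe(entries))
    print("safe:  ", render_safe(entries))
```

Escaping belongs at the output side because the same stored value may be printed into HTML today and into an e-mail tomorrow; the input-side filter only enforces what the field is supposed to contain and does not replace the escaping step.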