[nycphp-talk] First Demo App for Tuesday Presentation
Kenneth Downs
ken at secdat.com
Fri Oct 20 15:49:21 EDT 2006
csnyder wrote:
> On 10/20/06, Kenneth Downs <ken at secdat.com> wrote:
>
>> We have put up a demo app that demonstrates Andromeda. The URL is:
>>
>> http://dhost2.secdat.com/demo_peds
>>
>> The username and password are both "guest". Please feel free to look
>> around. Feel free to make any changes you want to, beat it up, etc.
>>
>> This guest user is actually an "admin" user, so you have full powers in
>> the app, short of creating new users.
>>
>> We will be looking at the code used to produce this app at the
>> presentation on Tuesday.
>>
>>
>
> Please don't hate me, Ken, but your sample application is vulnerable
> to cross-site scripting attacks. It seems you're not properly escaping
> values in forms?
>
As an open-source developer, I'm always happy when somebody reviews and
comments :)
> Or at least, not in this form:
> http://dhost2.secdat.com/demo_peds/index.php?gp_skey=6
>
>
You are right. We do "escape when sending", and the htmlentities() call
was missing from the library routine.
Thanks, good catch, it is fixed now.
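The "escape when sending" fix described above, shown as an added PHP example rather than Andromeda's own library code: values are kept raw in the application and escaped only where they are written into HTML. The helper names (inputFieldUnsafe, inputFieldSafe, h) and the sample value standing in for a query-string parameter are made up for illustration; the original form and its gp_skey parameter are not reproduced here.

```php
<?php
// Added example, not code from Andromeda. Illustrates output escaping for a
// form field: the same helper with and without the escaping call.

// Vulnerable shape: the value is interpolated into an attribute unescaped,
// which is what a missing htmlentities()/htmlspecialchars() call looks like.
function inputFieldUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Escape at the point of output. ENT_QUOTES covers single as well as double
// quotes; ENT_SUBSTITUTE replaces invalid byte sequences instead of returning
// an empty string; the explicit charset keeps multi-byte input intact.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened shape: every untrusted piece passes through h() on the way out.
function inputFieldSafe(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

// Constructed sample input: a value that closes the attribute and adds
// an event handler. Stands in for any request parameter echoed into a form.
$payload = '6" autofocus onfocus="alert(1)';

// Unescaped: the quote ends the value attribute and the rest becomes markup.
echo inputFieldUnsafe('gp_skey', $payload), "\n";

// Escaped: the quote is encoded, so the whole payload stays inside value="...".
echo inputFieldSafe('gp_skey', $payload), "\n";

// Caveat worth checking in any "we escape everywhere" claim: with the default
// flags (ENT_COMPAT) htmlentities() leaves single quotes untouched, so a
// single-quoted attribute is still injectable after the "fix".
$single = "6' onmouseover='alert(1)";
echo "<input value='" . htmlentities($single) . "'>", "\n"; // still breaks out of the attribute
echo "<input value='" . h($single) . "'>", "\n";            // single quote is encoded, stays inert
```

When auditing a fix like the one in the thread, the two things to confirm are that the escaping call sits in the one routine every form field goes through (so a new field cannot bypass it) and that it is called with ENT_QUOTES and a charset, not the bare default.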