httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Hidden Form Field Vulnerability (fwd)
Date Fri, 20 Feb 1998 02:37:31 GMT
I really think that this silly "hole" is caused by moron designers more
than anything else and that this doesn't belong in a web server, it is
just a company trying to get more publicity, and their solution is mildly
questionable anyway.

---------- Forwarded message ----------
Date: Thu, 19 Feb 1998 14:29:41 -0500
From: omar syed <osyed@lerc.nasa.gov>
To: brian@organic.com
Cc: marcs@znep.com, brian@hyperreal.org, osyed@lerc.nasa.gov
Subject: Hidden Form Field Vulnerability

Hi Brian and Marc,

Miora Systems Consulting has posted to the Web some white papers 
describing vulnerabilities with using hidden form fields in Web 
pages. They also describe a solution to the problem which basically
amounts to encrypting and decrypting the hidden form fields
so that when a user views the source of the document they cannot
make sense of the field values.

The white papers can be found at:
  http://www.miora.com/files/index.htm

Suggestion (thus the reason I'm writing to you): this
encryption/decryption capability would be a
great feature to build into the apache server.  If the 
EncryptHiddenFields option was turned on for a document (the
document could be the result of a CGI program) the server would
parse the document and encrypt the values of all hidden fields.
The server would probably also have to add a hidden field which
lists the names of the fields that were encrypted.
When the form is posted the server would decrypt only the 
encrypted fields before passing them on to the CGI program.

I'm not a member of the apache developers list and don't have the
time to commit to working on this.  But I thought I would bring
this to the attention of the apache developers.  Could you please
forward this to the list.

I think this would be a very valuable capability that the
apache Web server could provide.  It could probably be added as
another module.  I think other servers will eventually provide this 
type of capability, but I would love to see apache be the first :-)

Omar Syed
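
The server-side flow proposed in the message above (rewrite hidden fields on output, add a hidden field listing them, check them on POST), as an added Python sketch that is not part of the original e-mail or of Apache. It substitutes an HMAC-SHA256 tag for the proposed encryption, so it detects edited values but does not hide them; `SERVER_KEY`, `_protected_fields`, the sample form and all function names are assumptions.

```python
import hashlib
import hmac
import re

SERVER_KEY = b"constructed-demo-key"   # assumption: a secret only the server knows
LIST_FIELD = "_protected_fields"       # hypothetical name for the added hidden field
# Simplified matcher for this demo; a real filter would use an HTML parser.
HIDDEN_RE = re.compile(r'<input type="hidden" name="([^"]+)" value="([^"]*)">')
# Constructed sample page, as a CGI program might emit it.
SAMPLE_FORM = ('<form><input type="hidden" name="price" value="19.99">'
               '<input type="text" name="qty"></form>')


def _tag(name, value):
    # Bind the tag to the field name so a sealed value cannot be moved between fields.
    msg = name.encode() + b"\x00" + value.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _hidden(name, value):
    return f'<input type="hidden" name="{name}" value="{value}.{_tag(name, value)}">'


def seal_form(html):
    """Outgoing page: tag every hidden value and append the list of tagged names."""
    names = []

    def repl(match):
        names.append(match.group(1))
        return _hidden(match.group(1), match.group(2))

    sealed = HIDDEN_RE.sub(repl, html)
    return sealed.replace("</form>", _hidden(LIST_FIELD, ",".join(names)) + "</form>")


def _unseal(name, sealed):
    value, _, tag = sealed.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _tag(name, value).encode()):
        raise ValueError(f"hidden field {name!r} failed verification")
    return value


def open_form(posted):
    """Incoming POST (dict): verify listed fields, return plain values for the CGI."""
    listing = _unseal(LIST_FIELD, posted.get(LIST_FIELD, ""))
    clean = {k: v for k, v in posted.items() if k != LIST_FIELD}
    for name in filter(None, listing.split(",")):
        if name not in posted:
            raise ValueError(f"hidden field {name!r} missing from POST")
        clean[name] = _unseal(name, posted[name])
    return clean
```

The tag is not bound to a session or a time, so a sealed value copied from one page is accepted on another; binding it to a session identifier is left out of this sketch.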

