Re: Semi-bug, slight misdesign? GET requests. [message #14157 is a reply to message #14143]
Thu, 06 November 2003 16:12
Ilia
Well, given the nature of certain browsers, it would be trivial to 'fake' a POST request. It'd just require a little bit of JavaScript, which would trigger on <body onLoad="hack();">. This would submit the form result to the forum, effectively causing a POST request as the current user.
The solution is to disallow FUDcode and only allow plain text inside messages, signatures and private messages, and to use cookie sessions, which expire as soon as the browser is closed.
E-mail confirmation is secure because it validates a random key unique to each user. The only copy of that key is the one sent to the user via e-mail. I do not see how you could trick a person into validating a different account.
FUDforum Core Developer
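The forged-POST mechanism Ilia describes, and the plain-text rendering he proposes as the fix, as an added example (this is not code from the original post or from FUDforum). The attacker half builds a page whose `<body onload>` submits a hidden form, so the victim's browser sends a POST carrying the victim's forum cookies; the defender half HTML-escapes user-supplied text so the same markup, if posted as a message, reaches the browser as inert text. The endpoint `/index.php/post`, the field names `forum_id` and `body`, and all function names are made up for illustration.

```javascript
// Added example, not FUDforum's own code. Endpoint and field names are hypothetical.

// Defender side (the fix the post proposes): render message bodies, signatures
// and private messages as plain text by escaping every character that can start
// or close markup, so an embedded form or script is never parsed as HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Attacker side: a page that auto-submits a hidden form as soon as it loads.
// The browser attaches the victim's cookies for the forum's origin to the
// resulting POST, so the forum sees a request "from" the logged-in user.
// (escapeHtml is reused here only to quote attribute values correctly.)
function buildAutoSubmitPage(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join("\n    ");
  return `<html>
<body onload="document.forms[0].submit();">
  <form method="POST" action="${escapeHtml(action)}">
    ${inputs}
  </form>
</body>
</html>`;
}

// Check used by the test: does the rendered string still contain any HTML tag
// (an opening '<' followed by a tag name, slash, or '!' for comments/doctype)?
function containsMarkup(rendered) {
  return /<[a-zA-Z\/!]/.test(rendered);
}

// Constructed sample: the hostile HTML an attacker would try to get rendered,
// targeting the hypothetical posting endpoint with hypothetical field names.
const HOSTILE_MESSAGE = buildAutoSubmitPage("/index.php/post", {
  forum_id: "1",
  body: "Posted without the victim's consent",
});

// What the forum stores and renders instead when messages are plain text only.
const SAFE_RENDERING = escapeHtml(HOSTILE_MESSAGE);
```

The point of the pairing is that the attack needs no browser bug: a form submission is ordinary behaviour, and the cookies ride along automatically. Escaping only closes the vector where the attacker's markup would be served by the forum itself; the same form hosted on an attacker's own site still reaches the forum with the victim's cookies, which is why the post also mentions shortening the session lifetime.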