Re: [mv] Re: MV 4.04 and va= on scan
****** message to minivend-users from Mike Heins <mikeh@minivend.com> ******
Quoting Barry Treahy (Barry@bstent.com):
>
> My next question, which is related, is: is the variable created with va=
> not in a scratch variable but rather in a space named value? I've got four
> examples of what I tried, a simple process of elimination I suppose, but I do not
> understand why only the last worked. Can someone educate me on this? This
> wasn't intuitive to me and I guess I'm really missing something basic here...
The basic thing is it would never be secure to let someone set
a scratch space variable in a URL. The [value ...] stuff is
expected to be tainted, but scratch must be secure so you can
use it to set your form actions and run code.
The [value ...] tag translates [ to &#91;, so there is no way
for someone to pass an MV tag via that route.
Otherwise someone could do something with [set ...] ... [/set] and
mv_click. This essentially is what MS Outlook allows you to do....oops!
--
Internet Robotics, 131 Willow Lane, Floor 2, Oxford, OH 45056
phone +1.513.523.7621 fax 7501 <mikeh@minivend.com>
Unix version of an Outlook-style virus:
It works on the honor system. Please forward this message to everyone
you know, and delete a bunch of your files at random.
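The two-space model Mike describes, as an added illustration (not Minivend's own code): URL-settable data lands in the tainted value space and has its `[` escaped on output, while scratch is only written by trusted page code and is inserted verbatim. The tag syntax and variable names are simplified assumptions for the example.

```python
import re

# Simplified model of Minivend's tag expansion (constructed example, not
# Minivend's code). Only two tags are recognised here:
#   [value NAME]   -> tainted data, e.g. set from the URL with va=NAME=...
#   [scratch NAME] -> trusted data, set only by page code via [set ...]
TAG_RE = re.compile(r"\[(value|scratch)\s+(\w+)\]")


def render_value(raw: str) -> str:
    """Model of the [value ...] tag: every '[' becomes &#91; so tag syntax
    smuggled in through user-supplied data is inert in the output."""
    return raw.replace("[", "&#91;")


def expand(template: str, value: dict, scratch: dict) -> str:
    """Expand [value ...] and [scratch ...] tags in one pass."""
    def sub(m: re.Match) -> str:
        space, name = m.group(1), m.group(2)
        if space == "value":
            return render_value(value.get(name, ""))
        # Scratch is trusted (only page code writes it), so it is
        # inserted verbatim; this is why it must never be URL-settable.
        return scratch.get(name, "")
    return TAG_RE.sub(sub, template)


def has_live_tag(text: str) -> bool:
    """True if the expanded page still contains something a later
    expansion pass would treat as a tag."""
    return TAG_RE.search(text) is not None


if __name__ == "__main__":
    # Constructed inputs: the 'name' value arrives from the URL and tries to
    # smuggle a tag that would read the trusted form action.
    tainted = {"name": "[scratch action]"}
    trusted = {"action": "process"}
    page = expand("Hello [value name], action=[scratch action]",
                  tainted, trusted)
    print(page)
    print("live tag left behind:", has_live_tag(page))
```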