[thelist] "email to a friend" link

Chris Blessing webguy at mail.rit.edu
Wed Sep 11 14:53:01 CDT 2002


Madhu-

How would that send the source code?  The only thing that ever gets
transferred is the URL itself, not the code of the page at said URL.

Certainly you could send whatever link you like by manipulating the link's
querystring, but again it's just a URL.

Chris Blessing
webguy at mail.rit.edu
http://www.330i.net

> There is a big security risk in this approach. A clever person could trick
> your script into sending the source code of your ASP pages by manipulating
> the URL.
>
> For instance, take a URL like:
> http://www.example.com/sendtoFriend.asp?link=/article/tutorial1.asp
> (I couldn't be bothered encoding the URL, sorry. ;)
>
> By just changing the URL, you could get something like this:
> http://www.example.com/sendtoFriend.asp?link=/cgi-bin/AddToCart.asp
>
> which, in the absence of any other checks and controls, would happily send
> the source code of the page, possibly containing database login and
> password details.
>
> Just something to keep in mind.
>
> Regards,
>
> Madhu
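One way to write such a script so that the `link` parameter can never be turned into a file read, as an added example in Python rather than ASP and not code from either poster; the site host, the `/article/` prefix and the sample links are assumptions:

```python
# Added example (not from the thread): a "send to a friend" handler that
# validates the caller-supplied `link` parameter and emails only a URL.
# The host, the shareable prefix and the sample links below are assumptions.
import posixpath
from typing import Optional
from urllib.parse import urlsplit, urljoin, unquote

SITE_ROOT = "http://www.example.com"      # assumed public host of the site
SHAREABLE_PREFIX = "/article/"            # assumed: only articles may be shared

def canonical_link(link: str) -> Optional[str]:
    """Return a normalised site-relative path for `link`, or None if it is
    not a shareable page.  The path is never opened on disk: the script has
    no reason to read the page's source, so there is nothing to leak."""
    if not link or len(link) > 2048:
        return None
    parts = urlsplit(link)
    # Reject absolute URLs (scheme or host) so the form cannot be used to
    # send arbitrary third-party links under the site's name.
    if parts.scheme or parts.netloc:
        return None
    path = unquote(parts.path)             # query and fragment are dropped
    if "\\" in path or "\x00" in path:
        return None
    path = posixpath.normpath(path)        # collapses "a/../b" segments
    if not path.startswith(SHAREABLE_PREFIX) or not path.endswith(".asp"):
        return None
    return path

def build_share_mail(link: str, sender: str) -> Optional[dict]:
    """Compose the mail as a dict; None means the request is refused."""
    path = canonical_link(link)
    if path is None:
        return None
    return {
        "subject": f"{sender} thought you might like this page",
        "body": f"{sender} recommends: {urljoin(SITE_ROOT, path)}\n",
    }

if __name__ == "__main__":
    for candidate in ("/article/tutorial1.asp",
                      "/cgi-bin/AddToCart.asp",
                      "/article/../cgi-bin/AddToCart.asp",
                      "http://attacker.invalid/phish.asp"):
        print(candidate, "->", build_share_mail(candidate, "madhu"))
```

The handler only ever puts the validated URL in the mail body; the page at that URL is never opened, so even a path that slips past the prefix check could not expose its source.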
