[Zope] sending form data offsite SOLVED!
Ed Colmar
ed@greengraphics.net
Wed, 19 Mar 2003 22:12:18 -0800 (PST)
Not really, no.
It would be possible to attack that exact page/method anonymously, but
since the URL is hard coded in, it is not possible to direct it to another
server... Interesting idea though. Maybe I will incorporate this into
my product designed to do http anonymizing.
Thanks for the note!
-ed-
On Tue, 18 Mar 2003, Oliver Bleutgen wrote:
> Ed Colmar wrote:
> > Thanks again for all the tips!
> >
> > Here's what I ended up with for anyone else trying to do the same thing:
> >
> > --------------
> >
> > I made an external method:
> >
> > def formsender(self, url, params):
> >     """ This method is used to transparently send form data to an external
> >     server """
> >     import urllib  # Python 2 urllib
> >     # Encode the form fields as application/x-www-form-urlencoded
> >     encodedParams = urllib.urlencode(params)
> >     print url
> >     print encodedParams
> >     try:
> >         # Passing data makes this a POST to the given URL
> >         result = urllib.FancyURLopener().open(url, encodedParams)
> >         try:
> >             return result.read()
> >         finally:
> >             # Close the response object
> >             result.close()
> >     except Exception:
> >         return 0
> >
> >
> > ---------------
> >
> > Then in dtml I placed this code on the page that the form points to:
> >
> > <dtml-call "REQUEST.set('params', REQUEST.form)">
> > <dtml-call "REQUEST.set('url','http://www.whateversite.com/cgi?')">
> > <dtml-var "formsender(url, params)">
>
> I'm a bit late to the game here, but haven't you just constructed a nice
> anonymizing http attacking engine? As I see it, formsender could be
> called through the web, so
>
> http://yourserver/wherever/formsender?url=www.victimdomain.tld&params=bad_attackingpayload
>
> would be possible, right?
>
> cheers,
> oliver
>
>
>
--
Green Graphics ::: Print and Web Design ::: 510.923.0000
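
Added example, not part of the thread and not Ed's or Zope's code: a Python 3 forwarder that addresses the concern Oliver raises by pinning the destination in the method itself, so a url passed by a web caller is rejected rather than fetched. The target is the placeholder URL from the post; ALLOWED_FIELDS, ForwardRejected and check_target are hypothetical names, and the opener argument exists only so the function can be exercised without network access.

```python
import urllib.parse
import urllib.request

# Assumption: the single endpoint the form may reach (placeholder from the post).
ALLOWED_TARGET = "http://www.whateversite.com/cgi"
ALLOWED_FIELDS = {"name", "email", "message"}  # hypothetical form fields
TIMEOUT_SECONDS = 10


class ForwardRejected(Exception):
    """The request does not match the fixed forwarding policy."""


def check_target(url):
    """Return the pinned target if url names exactly that endpoint, else raise."""
    want = urllib.parse.urlsplit(ALLOWED_TARGET)
    try:
        got = urllib.parse.urlsplit(url)
        same = (got.scheme, got.hostname, got.port, got.path) == (
            want.scheme, want.hostname, want.port, want.path)
    except ValueError:  # malformed port or bracketed host
        same = False
    # Userinfo, query and fragment are refused so they cannot disguise the host
    # or smuggle extra parameters to the target.
    if not same or got.username or got.password or got.query or got.fragment:
        raise ForwardRejected("destination not allowed: %r" % (url,))
    return ALLOWED_TARGET


def formsender(form, url=ALLOWED_TARGET, opener=urllib.request.urlopen):
    """POST the expected form fields to the pinned target and return the body."""
    target = check_target(url)
    unknown = set(form) - ALLOWED_FIELDS
    if unknown:
        raise ForwardRejected("unexpected fields: %s" % sorted(unknown))
    body = urllib.parse.urlencode(form).encode("ascii")
    request = urllib.request.Request(target, data=body, method="POST")
    with opener(request, timeout=TIMEOUT_SECONDS) as response:
        return response.read()
```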