[Zope] sending form data offsite SOLVED!
Ed Colmar
ed@greengraphics.net
Thu, 20 Mar 2003 00:15:11 -0800 (PST)
Oops... My mistake.
You are right. I thought you were referring to the dtml method not the
external method.
I'll hard code the url into the external method to secure it.
Thanks!
-ed-
On Wed, 19 Mar 2003, Ed Colmar wrote:
>
> Not really, no.
>
> It would be possible to attack that exact page/method anonymously, but
> Since the URL is hard coded in, it is not possible to direct it to another
> server... Interesting idea though. Maybe I will incorporate this into
> my product designed to do http anonymizing.
>
> Thanks for the note!
>
> -ed-
>
>
>
> On Tue, 18 Mar 2003, Oliver Bleutgen wrote:
>
> > Ed Colmar wrote:
> > > Thanks again for all the tips!
> > >
> > > Here's what I ended up with for anyone else trying to do the same thing:
> > >
> > > --------------
> > >
> > > I made an external method:
> > >
> > > def formsender(self, url, params):
> > >     """ This method is used to transparently send form data to an external
> > >     server """
> > >     import urllib
> > >     encodedParams = urllib.urlencode(params)
> > >     print url
> > >     print encodedParams
> > >     try:
> > >         result = urllib.FancyURLopener().open(url, encodedParams)
> > >         data = result.read()
> > >         result.close()  # close the response that was opened, not a new opener
> > >         return data
> > >     except:
> > >         return 0
> > >
> > >
> > > ---------------
> > >
> > > Then in dtml I placed this code on the page that the form points to:
> > >
> > > <dtml-call "REQUEST.set('params', REQUEST.form)">
> > > <dtml-call "REQUEST.set('url','http://www.whateversite.com/cgi?')">
> > > <dtml-var "formsender(url, params)">
> >
> > I'm a bit late to the game here, but haven't you just constructed a nice
> > anonymizing http attacking engine? As I see it, formsender could be
> > called through the web, so
> >
> > http://yourserver/wherever/formsender?url=www.victimdomain.tld&params=bad_attackingpayload
> >
> > would be possible, right?
> >
> > cheers,
> > oliver
> >
> >
> >
>
>
--
Green Graphics ::: Print and Web Design ::: 510.923.0000
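The fix agreed in this thread is to stop taking the destination URL from the request. The following is an added example (not Ed's external method and not Zope code) showing what that looks like in Python 3: the destination is a fixed constant, the only caller-supplied input is the form dictionary, and an allowlist check on the target host is kept as a second guard so a later configuration change cannot quietly turn the method back into an open relay. `FORWARD_URL`, `ALLOWED_HOSTS` and `fake_opener` are assumptions constructed for the example; `fake_opener` stands in for `urllib.request.urlopen` so the code runs offline.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

# Assumed destination: fixed in code/config, never read from REQUEST.
FORWARD_URL = "http://www.whateversite.com/cgi"
# Assumed allowlist of hosts this relay may ever post to.
ALLOWED_HOSTS = frozenset({"www.whateversite.com"})


def is_allowed_target(url):
    """True only for http(s) URLs whose host is on the allowlist.

    This is defence in depth: the caller cannot choose the URL at all,
    but if FORWARD_URL is ever made configurable this check still holds.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host.lower() in ALLOWED_HOSTS


def build_request(params, url=FORWARD_URL):
    """Build the POST that will be sent; refuses non-allowlisted targets."""
    if not is_allowed_target(url):
        raise ValueError("refusing to forward form data to %r" % url)
    body = urlencode(params).encode("ascii")
    return Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def formsender(params, opener=urlopen):
    """Hardened external method: only the form fields come from the caller.

    Errors are allowed to propagate instead of being swallowed with
    'except: return 0', so a failed relay is visible in the logs.
    """
    req = build_request(params)
    with opener(req) as resp:
        return resp.read()


class _FakeResponse:
    """Constructed stand-in for an HTTP response; echoes the POST body."""

    def __init__(self, req):
        self.req = req

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return b"echo:" + self.req.data


def fake_opener(req):
    """Constructed replacement for urlopen so the example runs offline."""
    assert req.get_method() == "POST"
    return _FakeResponse(req)


if __name__ == "__main__":
    # The form fields are the only thing a web visitor controls.
    print(formsender({"name": "ed", "msg": "hello"}, opener=fake_opener))
    # A caller-chosen destination is no longer a parameter; even the
    # internal guard rejects hosts outside the allowlist.
    print(is_allowed_target("http://www.victimdomain.tld/"))
```

In Zope terms, `formsender` would be registered as the external method and the DTML would call `formsender(REQUEST.form)` only; the `url` argument and the `REQUEST.set('url', ...)` line from the original snippet go away entirely.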