[Zope] sending form data offsite SOLVED!

Ed Colmar ed@greengraphics.net
Wed, 19 Mar 2003 22:12:18 -0800 (PST)


Not really, no.

It would be possible to attack that exact page/method anonymously, but
since the URL is hard coded in, it is not possible to direct it to another
server...   Interesting idea though.  Maybe I will incorporate this into
my product designed to do http anonymizing.

Thanks for the note!

-ed-



On Tue, 18 Mar 2003, Oliver Bleutgen wrote:

> Ed Colmar wrote:
> > Thanks again for all the tips!
> >
> > Here's what I ended up with for anyone else trying to do the same thing:
> >
> > --------------
> >
> > I made an external method:
> >
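> > def formsender(self, url, params):
> >     """ This method is used to transparently send form data to an external server """
> >     import urllib
> >     # URL-encode the form fields for use as the request body
> >     encodedParams = urllib.urlencode(params)
> >     # Debug output
> >     print url
> >     print encodedParams
> >     # Use one opener for the request instead of creating a second one to close
> >     opener = urllib.FancyURLopener()
> >     try:
> >         # Passing data as the second argument makes this a POST
> >         result = opener.open(url, encodedParams)
> >         data = result.read()
> >         result.close()
> >         return data
> >     except:
> >         # Any failure is reported to the caller as 0
> >         return 0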
> >
> >
> > ---------------
> >
> > Then in dtml I placed this code on the page that the form points to:
> >
> > <dtml-call "REQUEST.set('params', REQUEST.form)">
> > <dtml-call "REQUEST.set('url','http://www.whateversite.com/cgi?')">
> > <dtml-var "formsender(url, params)">
>
> I'm a bit late to the game here, but haven't you just constructed a nice
> anonymizing http attacking engine? As I see it, formsender could be
> called through the web, so
>
> http://yourserver/wherever/formsender?url=www.victimdomain.tld&params=bad_attackingpayload
>
> would be possible, right?
>
> cheers,
> oliver
>
>
>

-- 
Green Graphics   :::   Print and Web Design   :::   510.923.0000
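
The concern raised in the quoted reply, seen from the defensive side, as an added example that is not part of the original thread: a Python 3 sketch that checks the destination against a fixed allowlist before any request is built, so a caller-supplied `url` cannot point the relay at another host. The names `ALLOWED`, `DEFAULT_PORTS`, `check_destination` and `build_forward_request` are hypothetical, and the allowlisted endpoint is the placeholder URL from the DTML above.

```python
from urllib.parse import urlsplit, urlencode
from urllib.request import Request

# Constructed allowlist: (scheme, host, port, path) of the single off-site
# endpoint, taken from the placeholder URL in the DTML above.
ALLOWED = {("http", "www.whateversite.com", 80, "/cgi")}
DEFAULT_PORTS = {"http": 80, "https": 443}


def check_destination(url, allowed=ALLOWED):
    """Return a normalized URL if url is allowlisted, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        # Rejects file:, ftp:, and scheme-less input such as "www.host.tld".
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # "http://trusted@other-host/" parses with other-host as the host.
        raise ValueError("userinfo not allowed")
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS[parts.scheme]  # bad port raises ValueError
    if (parts.scheme, host, port, parts.path) not in allowed:
        raise ValueError("destination not allowlisted: %s:%d%s"
                         % (host, port, parts.path))
    # Rebuild from validated parts; query and fragment are dropped on purpose.
    return "%s://%s:%d%s" % (parts.scheme, host, port, parts.path)


def build_forward_request(url, params):
    """Build (but do not send) the POST that would relay the form fields."""
    target = check_destination(url)
    body = urlencode(params).encode("ascii")
    return Request(target, data=body, method="POST")


if __name__ == "__main__":
    # Constructed inputs: the intended endpoint and two that must be refused.
    for candidate in ("http://www.whateversite.com/cgi?",
                      "www.victimdomain.tld",
                      "http://www.whateversite.com@other.example/cgi"):
        try:
            print("allow ", check_destination(candidate))
        except ValueError as exc:
            print("reject", candidate, "->", exc)
```

The check runs on the parsed components rather than on a string prefix, which is why the userinfo form and a non-default port are both refused.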