[TYPO3-mvc] Can forms be easily manipulated?

Chris Wolff - AERTiCKET AG cwolff at aer.de
Mon Dec 15 09:58:56 CET 2014


Hi Jan,
I'm not quite sure what you mean by property id.

I know about 2 id types:
uid = Unique ID. This identifies an object / database record uniquely.
pid = Page ID / Parent ID. This usually refers to the page a record is stored on.

Your form usually only contains the uid, as you probably don't want to allow users to modify
the page an object is stored on.

To your question: Is it possible to replace the uid of an object, to alter another object instead of the one given to you?
I'm not sure, but I guess you could easily test it by modifying the form you get from the browser with the development tools of your browser
and trying to resubmit the result.

(I guess it should not be possible, as the form usually contains a "__referrer" argument. But I have never tested it.)

Regards, Chris

-----Original Message-----
From: typo3-project-typo3v4mvc-bounces at lists.typo3.org [mailto:typo3-project-typo3v4mvc-bounces at lists.typo3.org] On Behalf Of Jan Kornblum
Sent: Friday, 12 December 2014 16:40
To: typo3-project-typo3v4mvc at lists.typo3.org
Subject: Re: [TYPO3-mvc] Can forms be easily manipulated?

Hi Chris,

Thanks a lot. Yes, I think I've read about something like this (also regarding the encryption key being used for generating the hash) somewhere, but I was not sure any more.

Still: If there is a trusted form containing a property "pid", this pid might be modified and extra work would be necessary to make it safe. Correct?

Kind regards, Jan


_______________________________________________
TYPO3-project-typo3v4mvc mailing list
TYPO3-project-typo3v4mvc at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-project-typo3v4mvc
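
Added example (not part of the thread and not TYPO3/Extbase code): a simplified PHP model of the question in the quoted message, assuming a form hash that is an HMAC over the list of property names, keyed with an encryption key. The function names, the key and the sample records are constructed; the model shows that such a hash rejects an added field but says nothing about a changed uid value, which needs its own ownership check.

```php
<?php
// Simplified model of a signed form field list; NOT TYPO3/Extbase code.
// Key, function names and records are constructed for illustration.
const ENCRYPTION_KEY = 'constructed-demo-key'; // stands in for the site's encryption key

// Sign the sorted list of property names that the rendered form contains.
function signFieldList(array $names): string {
    sort($names);
    $payload = json_encode($names);
    return $payload . '.' . hash_hmac('sha256', $payload, ENCRYPTION_KEY);
}

// Return the signed property names, or null if the token was altered.
function verifyFieldList(string $token): ?array {
    $pos = strrpos($token, '.');
    if ($pos === false) {
        return null;
    }
    $payload  = substr($token, 0, $pos);
    $expected = hash_hmac('sha256', $payload, ENCRYPTION_KEY);
    // hash_equals() compares in constant time.
    return hash_equals($expected, substr($token, $pos + 1)) ? json_decode($payload, true) : null;
}

// Accept only signed fields AND only records the current user owns.
function acceptSubmission(array $post, string $token, int $userId, array $owners): string {
    $allowed = verifyFieldList($token);
    if ($allowed === null) {
        return 'rejected: bad signature';
    }
    foreach (array_keys($post) as $name) {
        if (!in_array($name, $allowed, true)) {
            return "rejected: unsigned field $name";
        }
    }
    // The signature covers names, not values: authorize the uid separately.
    $uid = (int)($post['uid'] ?? 0);
    if (($owners[$uid] ?? null) !== $userId) {
        return "rejected: user $userId does not own uid $uid";
    }
    return 'accepted';
}

$owners = [10 => 1, 11 => 2];              // constructed: record uid => owning user id
$token  = signFieldList(['uid', 'title']); // the form as rendered for user 1

echo acceptSubmission(['uid' => '10', 'title' => 'a'], $token, 1, $owners), "\n";               // form as rendered
echo acceptSubmission(['uid' => '10', 'title' => 'a', 'pid' => '5'], $token, 1, $owners), "\n"; // extra "pid" field added
echo acceptSubmission(['uid' => '11', 'title' => 'a'], $token, 1, $owners), "\n";               // uid value changed
```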
