Re: [mod-security-users] Hidden Fields
From: Markus R. <we...@mr...> - 2006-02-26 10:14:31
Ivan Ristic wrote:
> Diego Pellegrino wrote:
>> Using mod_security, how can I prevent users from changing form parameters
>> in POST requests? Is it possible?
>
> Not possible, unless your hidden form field value is constant (probably
> not the case).
>
> There's some chance this will be supported in the next release.
>

This would be very complicated. There are two problems:

1) You have to know which fields are hidden and which are not. In a GET or POST request you only get the pair name=value, no information about hidden or not hidden.

2) You have to know the initial value of a field.

There are two ways to "protect" hidden fields:

1) Use session variables that are stored on the server, either in a file or a database. With this you only send a "sessionId" to the browser; the field values are stored on the server.

2) Another way would be to use MD5 hashes for hidden fields: compute MD5 hashes of each or all hidden fields and send them also as a hidden field. Then you can recompute the hash and check whether the values have changed or not.

I think mod_security could not really help with this problem, only if you use an output filter that checks for type=hidden and computes MD5 hashes...

Markus
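The second protection described in the reply, a tag emitted next to the hidden fields and recomputed when the POST arrives, as an added Python example that is not part of the original thread. It swaps the unkeyed MD5 for an HMAC under a server-side secret, because a client who can edit the hidden fields can equally recompute an unkeyed hash; the key, the protected field names and the `_sig` field name are constructed for the example.

```python
import hashlib
import hmac
import html
from urllib.parse import parse_qsl, urlencode

# Constructed server-side secret for this example; in a real deployment it is
# loaded from configuration and never sent to the browser.
SERVER_KEY = b"constructed-example-key-change-me"

# The server knows at render time which fields it emits as type=hidden; the
# POST body itself carries only name=value pairs, so this tuple is the
# server's own record of what to protect (constructed names).
PROTECTED = ("item_id", "price")
SIG_FIELD = "_sig"


def sign_hidden(fields: dict, key: bytes = SERVER_KEY) -> str:
    """Tag over the protected fields in a canonical (sorted, URL-encoded) form.

    An unkeyed MD5 here would be recomputable by anyone editing the form, so
    the tag must depend on a secret only the server holds.
    """
    canonical = urlencode(sorted(fields.items()))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def render_hidden_inputs(fields: dict) -> str:
    """Emit the hidden inputs plus the tag as one more hidden input."""
    inputs = [f'<input type="hidden" name="{k}" value="{html.escape(v)}">' for k, v in fields.items()]
    inputs.append(f'<input type="hidden" name="{SIG_FIELD}" value="{sign_hidden(fields)}">')
    return "\n".join(inputs)


def verify_post(body: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the tag over the posted protected fields and compare."""
    seen = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        # A protected name sent twice is ambiguous; reject rather than guess.
        if name in seen and (name in PROTECTED or name == SIG_FIELD):
            return False
        seen[name] = value
    tag = seen.get(SIG_FIELD)
    if tag is None or any(name not in seen for name in PROTECTED):
        return False
    expected = sign_hidden({name: seen[name] for name in PROTECTED}, key)
    return hmac.compare_digest(tag, expected)
```

Fields not listed in PROTECTED (a free-text comment, say) pass through untagged, so the list must name every hidden field whose value the server relies on.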