[nycphp-talk] First Demo App for Tuesday Presentation
csnyder
chsnyder at gmail.com
Fri Oct 20 14:47:17 EDT 2006
On 10/20/06, Kenneth Downs <ken at secdat.com> wrote:
> We have put up a demo app that demonstrates Andromeda. The URL is:
>
> http://dhost2.secdat.com/demo_peds
>
> The username and password are both "guest". Please feel free to look
> around. Feel free to make any changes you want to, beat it up, etc.
>
> This guest user is actually an "admin" user, so you have full powers in
> the app, short of creating new users.
>
> We will be looking at the code used to produce this app at the
> presentation on Tuesday.
>
Please don't hate me, Ken, but your sample application is vulnerable
to cross-site scripting attacks. It seems you're not properly escaping
values in forms?
Or at least, not in this form:
http://dhost2.secdat.com/demo_peds/index.php?gp_skey=6
--
Chris Snyder
http://chxo.com/
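The reply above points at unescaped form values as the likely cause. The following is an added example, not code from the Andromeda demo app or from either poster; it assumes a form field prefilled from a query-string parameter named gp_skey (as in the linked URL) and uses hypothetical function names. It shows the unescaped rendering beside the escaped one, plus a type check for a parameter that is evidently a numeric key.

```php
<?php
// Added example (hypothetical helpers, not the demo app's code).

// Escape a value at the point where it is written into HTML.
// ENT_QUOTES encodes both " and ', so a value cannot terminate an attribute;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning "";
// naming the charset avoids multibyte escaping mistakes.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unescaped: whatever arrives in the request is copied into the markup verbatim.
function render_field_unescaped(string $skey): string
{
    return '<input type="text" name="gp_skey" value="' . $skey . '">';
}

// Escaped: the same template, with the value encoded on output.
function render_field_escaped(string $skey): string
{
    return '<input type="text" name="gp_skey" value="' . escape_html($skey) . '">';
}

// gp_skey is used as a record key in the demo URL, so validate it as an
// integer before use; null means "not a valid key", which the caller should
// treat as a bad request rather than echo back.
function normalize_skey(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Constructed sample input: a request parameter containing a quote and tags.
$sample = '6"><em>x</em>';

echo "unescaped: " . render_field_unescaped($sample) . "\n";
// The quote closes the value attribute and the <em> element lands in the page.

echo "escaped:   " . render_field_escaped($sample) . "\n";
// Output keeps the text inside the attribute:
// <input type="text" name="gp_skey" value="6&quot;&gt;&lt;em&gt;x&lt;/em&gt;">

var_dump(normalize_skey('6'));     // int(6)
var_dump(normalize_skey($sample)); // NULL: reject before it reaches a query or template
```

Run with `php example.php`. The two fixes are complementary: escaping on output is the general defence for any value that reaches HTML, and validating the key's type catches this particular parameter earlier, before it is used in a lookup or echoed into a form.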