[Zope] sending form data offsite SOLVED!
Oliver Bleutgen
myzope@gmx.net
Tue, 18 Mar 2003 18:53:18 +0100
Ed Colmar wrote:
> Thanks again for all the tips!
>
> Here's what I ended up with for anyone else trying to do the same thing:
>
> --------------
>
> I made an external method:
>
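> def formsender(self, url, params):
>     """ This method is used to transparently send form data to an external server """
>     import urllib
>     # Encode the form dictionary as an application/x-www-form-urlencoded body
>     encodedParams = urllib.urlencode(params)
>     print url
>     print encodedParams
>     try:
>         # Passing a data argument makes this a POST to url
>         opener = urllib.FancyURLopener()
>         result = opener.open(url, encodedParams)
>         data = result.read()
>         # Close the opener that was actually used, after reading the reply
>         opener.close()
>         return data
>     except IOError:
>         return 0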
>
>
> ---------------
>
> Then in dtml I placed this code on the page that the form points to:
>
> <dtml-call "REQUEST.set('params', REQUEST.form)">
> <dtml-call "REQUEST.set('url','http://www.whateversite.com/cgi?')">
> <dtml-var "formsender(url, params)">
I'm a bit late to the game here, but haven't you just constructed a nice
anonymizing http attacking engine? As I see it, formsender could be
called through the web, so
http://yourserver/wherever/formsender?url=www.victimdomain.tld&params=bad_attackingpayload
would be possible, right?
cheers,
oliver
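
The concern raised in this reply is that both url and params arrive from the request. The following is an added example, not code from the thread or from Zope: a Python 3 sketch of a forwarder that refuses any destination outside a server-side allowlist and forwards only expected fields. DEST_URL, ALLOWED_HOSTS, ALLOWED_FIELDS and MAX_VALUE_LEN are assumed names and values chosen for illustration.

```python
import urllib.parse
import urllib.request

# All names and values below are assumptions made for this example.
DEST_URL = "https://forms.example.com/cgi"     # hypothetical fixed destination
ALLOWED_HOSTS = {"forms.example.com"}          # hosts this server may contact
ALLOWED_FIELDS = ("name", "email", "message")  # fields the remote form expects
MAX_VALUE_LEN = 2000


def is_allowed_destination(url):
    """True only for https URLs whose exact host is on the allowlist."""
    try:
        parts = urllib.parse.urlsplit(url)
        host, has_userinfo = parts.hostname, parts.username is not None
    except ValueError:          # malformed URL
        return False
    if parts.scheme != "https" or has_userinfo:
        return False
    return host in ALLOWED_HOSTS


def build_forward_body(form):
    """Keep only the expected fields, as bounded strings, and URL-encode them."""
    kept = []
    for field in ALLOWED_FIELDS:
        value = form.get(field)
        if isinstance(value, str) and len(value) <= MAX_VALUE_LEN:
            kept.append((field, value))
    return urllib.parse.urlencode(kept).encode("ascii")


def formsender(form, url=DEST_URL, timeout=10):
    """POST the filtered form; return the reply body, or None if refused/failed."""
    if not is_allowed_destination(url):
        return None
    request = urllib.request.Request(url, data=build_forward_body(form))
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.read()
    except OSError:             # URLError and socket timeouts derive from OSError
        return None
```

urlopen follows HTTP redirects by default, so the allowlisted host has to be one that is trusted not to redirect requests elsewhere.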