Details of your problem can't be figured out from your page link at
http://kopool.net/process9.asp
- since the server side code is not visible
But you do have an ASP coding vulnerability that exposes the last record entered
Without seeing the code I can't be certain
- but I am relatively sure that on
http://kopool.net/process9.asp your server side code is just
picking up the last record from
apparently the CSV file (or a DB) to display
- you are apparently writing the data to a CSV file when the form
http://kopool.net/submitpicks.htm is submitted, and then
displaying the last record from the CSV on the confirmation page
(bad practice since anyone can see anyone else's last record data)
What you should be doing is using some sort of session variable or temporary variable
(they will be only valid/available for that user's session and not to anyone else)
The way to do that is:
- the data from
http://kopool.net/submitpicks.htm is not written to the CSV file,
(send the form to process9.asp for processing)
- On the processing page, create session or temporary server-side variables which are used to
display in the confirmation form
fields on
http://kopool.net/process9.asp
- only after the submit on the confirm page, then write them to the CSV (or DB file)
(and then clear the session variables if you use them)
Example of a Temp Variable at the top of process9.asp
<%
full_name=Request.Form("full_name")
'..... etc
%>
Then in the confirm page form use:
<input type="text" value="<%=Server.HTMLEncode(full_name)%>">
Example of a Temp Session Variable
<%
Session("full_name")=Request.Form("full_name")
'..... etc
%>
Then in the confirm page form:
<input type="text" value="<%=Server.HTMLEncode(Session("full_name"))%>">
--
_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
_____________________________________________
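The two-step flow described above, written out as an added example (two ASP files shown in one block; this is not code from the original post, and the field names, confirm.asp and picks.csv are assumptions):

```asp
<%@ Language=VBScript %>
<% Option Explicit
' ---- process9.asp (added example, not the poster's code) ----
' Step 1: submitpicks.htm posts here. Nothing is written to disk yet; the
' values live only in this visitor's Session until they press Confirm.
' Field names and the CSV file name below are assumptions.
Dim fields, f
fields = Array("full_name", "email", "picks")
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.Redirect "submitpicks.htm"   ' a direct GET has nothing to confirm
End If
For Each f In fields
    Session(f) = Request.Form(f)
Next
%>
<form method="post" action="confirm.asp">
<% For Each f In fields %>
  <%= f %>: <input type="text" readonly value="<%= Server.HTMLEncode(Session(f)) %>"><br>
<% Next %>
  <input type="submit" name="confirm" value="Confirm">
</form>

<%@ Language=VBScript %>
<% Option Explicit
' ---- confirm.asp (added example) ----
' Step 2: write the CSV row only for a POST backed by this visitor's Session,
' so browsing here directly never shows or stores anyone else's data.
Dim fields, f, line, fso, ts
fields = Array("full_name", "email", "picks")
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Or IsEmpty(Session("full_name")) Then
    Response.Write "Nothing to confirm."
    Response.End
End If
line = ""
For Each f In fields
    ' quote every field and double embedded quotes so commas or quotes in input stay one field
    line = line & """" & Replace(Session(f) & "", """", """""") & ""","
Next
line = Left(line, Len(line) - 1)
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile(Server.MapPath("picks.csv"), 8, True)   ' 8 = ForAppending
ts.WriteLine line
ts.Close
For Each f In fields
    Session.Contents.Remove f   ' clear so Back/refresh can neither resubmit nor reveal it
Next
Response.Write "Your picks were recorded. Thank you."
%>
```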
| Andrew - Thank you for the quick reply. You are correct so far. Here is the
| link. Hopefully, you can figure this out. The original submission page can
| be found by going to the Submit Picks link.
|
| http://kopool.net/process9.asp
|
|
| "Andrew Murray" wrote:
|
| >
| >
| > > I have a very simple form on a webpage called "form.htm." When the user
| > > submits, it brings them to an ASP page to confirm their submission
| > > ("form.asp"). Then the user hits "confirm" and the submission is complete.
| > >
| > > I noticed that if I enter "http://mysite.com/form.asp" that I can actually
| > > see the form results. I realize this is a big security hole. How can I
| > > enter a code so that once the user hits the "Confirm" button, it deletes
| > > or
| > > clears the form fields or just lists the default values?
| >
| >
| > It sounds to me you're using a third-party script that features a "check
| > your entries" page before clicking the final submit button - this is a
| > feature of that particular script, not a security issue. If you close the
| > browser after seeing the final "Thanks" page, it shouldn't be possible to
| > just browse back to that page with the last submission. If this is a third
| > party script, you need to contact the author of the script if you're
| > concerned about the security issue you mention as this really has nothing to
| > do with FrontPage specifically.
| >
| > FYI, the Frontpage form processor (server extensions) doesn't have the
| > middle step of confirming your entries before submitting. All it does have
| > is an optional "Thank you" page - redirects to a page saying "Your form was
| > submitted" and you can optionally have it display the data/fields from that
| > submission - but that's after it's sent, not a "check" before sending.
| >
| >
| > Can you post a link to the form so we can try it to see if we can replicate
| > what you're getting?
| >
| >