Surveys problem?

Dan Mitchell Manila-Newbies@userland.com
Mon, 02 Dec 2002 13:29:13 -0800


One of my web-savvy students today told me that he was able to make the edit
link work on one of my sites by substituting the word EDIT in the RUN url.
He also was able to substitute DELETE! Yikes!

He is logged in as a site member, but not as an editor of any sort.

Further explanation:

This link appears to him when he goes to the survey page:

http://www.domain.com/music1/surveys/run/dan@mitchell.fhda.edu/howHighIsTheSky001

He can change it manually to

http://www.domain.com/music1/surveys/EDIT/dan@mitchell.fhda.edu/howHighIsTheSky001
or
http://www.domain.com/music1/surveys/DELETE/dan@mitchell.fhda.edu/howHighIsTheSky001

and it works!

Not good, right?

Dan
--

d    a    n        m    i    t    c    h    e    l    l

music department | de anza college
http://faculty.deanza.fhda.edu/mitchelldan/
office: 408.864.8511
apple distinguished educator | class of 2000

Please address all college email to: mitchelldan AT deanza dot edu
(Replace “AT” with “@” and “dot” with “.” to form the email address.)
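
A sketch of the server-side check whose absence the message describes, written in Python as an added example; it is not Manila's code and not part of the original message. The role names, the action-to-role table and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy (not Manila's): minimum role required for each survey action.
ROLE_RANK = {"anonymous": 0, "member": 1, "editor": 2}
REQUIRED_ROLE = {"run": "member", "edit": "editor", "delete": "editor"}


def authorize_survey_request(url, role):
    """Return (allowed, reason) for a /<site>/surveys/<action>/<owner>/<name> URL."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) != 5 or parts[1] != "surveys":
        return False, "not a survey URL"
    # Normalise case first: the message used EDIT and DELETE in upper case,
    # so the check must not depend on how the action segment is spelled.
    action = parts[2].lower()
    needed = REQUIRED_ROLE.get(action)
    if needed is None:
        return False, "unknown action"  # default deny for unlisted actions
    if ROLE_RANK.get(role, 0) < ROLE_RANK[needed]:
        return False, f"{action} requires {needed}"
    return True, "ok"


# The three URLs from the message, requested by a plain site member.
BASE = "http://www.domain.com/music1/surveys/{}/dan@mitchell.fhda.edu/howHighIsTheSky001"
REPORTED = [BASE.format(a) for a in ("run", "EDIT", "DELETE")]


def check_reported(role):
    """Evaluate the three reported URLs for the given role."""
    return [authorize_survey_request(u, role) for u in REPORTED]


if __name__ == "__main__":
    for url, (ok, reason) in zip(REPORTED, check_reported("member")):
        print("ALLOW" if ok else "DENY ", reason, url)
```

The point of the sketch is that the decision is made on the request itself, per action, rather than by which links the page chooses to display to a member.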

