in reply to The danger of hidden fields
What I am asking is if anyone has any comments that I could make to my employer, or include in a short report so that I will be allowed to fix this potential problem, that would be much appreciated.
It would be trivial to write a script to change where the data is written to. So we change it to write to a web page. Then we check to see what gets written from the form submission. Then we change uploaded input to rewrite over the company's home page. Or, worse, overwrite a CGI script if we can and use that to create more havoc.
HTTP_REFERER is NOT a secure way to check - that can be faked using LWP::UserAgent - ideal solution really depends on the specific situation.
If you have trouble convincing your employer, simply post their URL here and I'm sure someone will demonstrate :-)
.02
cLive ;-)
--
seek(JOB,$$LA,0);
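The pattern cLive describes, as an added example that is not part of the original reply or of any Perl Monks code: a hidden form field that names where submitted data is written, shown both the dangerous way (the field is used as the file path) and the hardened way (the field is only a key into a server-side allow-list, and HTTP_REFERER is never consulted). The handler signature, the hashref of decoded form fields and the file names are assumptions for illustration; the temporary directory stands in for the real data directory so the script runs stand-alone.

```perl
#!/usr/bin/perl
# Added example, not the original poster's code.
# Hidden "dest" field: unsafe (used as a path) vs. safe (used as an allow-list key).
use strict;
use warnings;
use 5.010;
use File::Spec;
use File::Temp qw(tempdir);

# Stand-in for the real data directory (assumption; cleaned up on exit).
my $base = tempdir(CLEANUP => 1);

# Server-side allow-list: hidden-field token -> real file.
# Only these files can ever be written, whatever the client sends.
my %ALLOWED_DEST = (
    feedback => File::Spec->catfile($base, 'feedback.txt'),
    survey   => File::Spec->catfile($base, 'survey.txt'),
);

# DANGEROUS (never called below): the hidden field is used directly as the
# path, so anyone who edits the form, or posts with LWP::UserAgent, picks
# the destination. Checking $ENV{HTTP_REFERER} would not help: the client
# supplies that header too.
sub save_unsafe {
    my ($param) = @_;                  # hashref of decoded form fields
    my $file = $param->{dest};         # attacker-controlled path
    open my $fh, '>>', $file or die "open $file: $!";
    print {$fh} $param->{comment}, "\n";
    close $fh;
    return $file;
}

# SAFE: the hidden field is only a short token looked up in %ALLOWED_DEST.
# Unknown or oddly shaped tokens are rejected before any file is touched.
# Returns ($path, undef) on success or (undef, $reason) on rejection.
sub save_safe {
    my ($param) = @_;
    my $key = $param->{dest} // '';
    return (undef, "unknown destination '$key'")
        unless $key =~ /\A[a-z_]{1,32}\z/ && exists $ALLOWED_DEST{$key};
    my $file = $ALLOWED_DEST{$key};
    open my $fh, '>>', $file or return (undef, "open failed: $!");
    print {$fh} $param->{comment} // '', "\n";
    close $fh;
    return ($file, undef);
}

# Constructed submissions: one honest, two with the hidden field rewritten
# to point somewhere the form never offered.
my @submissions = (
    { dest => 'feedback',                 comment => 'Nice site' },
    { dest => '../../var/www/index.html', comment => 'path in hidden field' },
    { dest => 'cgi-bin',                  comment => 'token not in allow-list' },
);

for my $s (@submissions) {
    my ($file, $err) = save_safe($s);
    say defined $file ? "wrote to $file" : "rejected: $err";
}
```

The allow-list is the real control: the client may name a key, but the server decides what that key means. Rejecting the token before opening anything also means a log entry for "rejected: unknown destination" is a useful signal that someone is editing the form rather than submitting it as served.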