Vulnerability in EPiServer.Forms
I was told that it's possible to replace which page is loaded when, for example, the editor clicks the "create new page" button.
This should be done somewhere in the web.config but I can't find any information on it.
I found a blog post from DropIT that has done something similar, but that's for CMS 5 and I'm using 4.62B.
Can anyone shed some light on this?
DropIT has, as you say, solved this. They have added an HttpModule that goes in and alters the postback to a page showing Extension pages as well. You could have a look at the Dropit.Extension.dll in Reflector and see how they have solved it.
If I understand you correctly, you're talking about doing this in CMS 4. There is actually a function for replacing pages in the EPiServer interface with your own custom ones. This is enabled by setting the web.config value EPfEnableAlternateFiles to true and placing a page with the same name as the EPiServer one in a folder called edit_.
That switch comes with a performance cost btw. Make sure you test it.
There is a standard ASP.NET 2.0 way of "redirecting" files this way. Just can't remember how and what. It is configurable in web.config.
Thanks for the answers, I will test it out.