Re: Preventing unauthorized use of a CGI script

2006-02-07 Thread David Dorward
On Mon, 2006-02-06 at 22:28 -0600, David Gilden wrote:
> Just wanted to hear opinions on how effective this is, as a way of preventing
> email relaying / stopping
> unauthorized use of my script.

> This is from a script that connects a page to sendmail:
> my $referer = referer; # what page called the script, check the domain
> exit if $referer = ($referer !~ /www\.mydomain\.com/i);

> If somebody from a foreign domain tries to invoke my script it should exit
> without a trace.
> Yes?

If you mean X puts up a form on another site with the action pointing
towards your form handler, and visitor Y to that site submits that form,
then yes ... providing that X didn't put the form in a directory called
www.mydomain.com.

It will also block legitimate users of your site as the referer header
is (a) optional (b) sometimes munged in the name of privacy (although in
violation of the HTTP spec - probably due to laziness in that
overwriting the referer header with junk means that the software doesn't
need to recalculate the content-length).

If you are trying to stop spammers from using the form handler to send
many messages, then no. Forging a referer header is trivial.

-- 
David Dorward   
"Anybody remotely interesting is mad, in some way or another."
 -- The Greatest Show in the Galaxy
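To make the three failure modes above concrete, here is an added example (not code from either post) that runs the substring check from the original script, and a host-only comparison I've assumed for contrast, against constructed Referer values:

```perl
#!/usr/bin/perl
# Added illustration, not from the thread: exercises the posted Referer check
# against constructed Referer values to show where it blocks real visitors
# and where it lets other sites through.
use strict;
use warnings;

my $site = 'www.mydomain.com';

# The check as posted: a case-insensitive substring match anywhere in the URL.
sub posted_check_allows {
    my ($referer) = @_;
    $referer = '' unless defined $referer;   # header absent -> empty string
    return $referer =~ /www\.mydomain\.com/i ? 1 : 0;
}

# Tighter variant (assumed, not from the thread): compare only the host part,
# so a directory named www.mydomain.com on another site no longer matches.
sub host_check_allows {
    my ($referer) = @_;
    return 0 unless defined $referer;
    my ($host) = $referer =~ m{^https?://([^/:?#]+)}i or return 0;
    return lc($host) eq $site ? 1 : 0;
}

# Constructed Referer values (sample data, not captured traffic).
my @cases = (
    [ 'http://www.mydomain.com/contact.html',            'legitimate visitor' ],
    [ undef,                                              'legitimate visitor whose browser sends no Referer' ],
    [ 'junk',                                             'legitimate visitor behind Referer-munging software' ],
    [ 'http://other.example/www.mydomain.com/form.html', 'form hosted elsewhere, domain in the path' ],
    [ 'http://WWW.MYDOMAIN.COM/x',                        'header forged by a relay script (indistinguishable)' ],
);

printf "%-48s %-6s %-6s %s\n", 'Referer', 'posted', 'host', 'note';
for my $c (@cases) {
    my ($ref, $note) = @$c;
    printf "%-48s %-6s %-6s %s\n",
        defined $ref ? $ref : '(absent)',
        posted_check_allows($ref) ? 'allow' : 'exit',
        host_check_allows($ref)   ? 'allow' : 'exit',
        $note;
}
```

The host-only comparison closes the directory-name loophole but, as the last two rows show, still refuses visitors whose Referer is missing or munged and still accepts anything a relay script chooses to send.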

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Preventing unauthorized use of a CGI script

2006-02-06 Thread David Gilden
Greetings,

Just wanted to hear opinions on how effective this is, as a way of preventing email
relaying / stopping
unauthorized use of my script.

This is from a script that connects a page to sendmail:

#!/usr/bin/perl
use strict;
use warnings;

use CGI qw/:standard/;

#..snip..

# What page called the script; the header may be absent, so default to ''.
my $referer = referer() || '';

# Exit silently unless the referring page mentions our domain.
exit unless $referer =~ /www\.mydomain\.com/i;

#..more code below etc...


If somebody from a foreign domain tries to invoke my script it should exit
without a trace.
Yes?

Thanks,

Dave Gilden


Visit my schedule page for up to the minute performance info:

Endorsing Artist for the Moog Music:

==
 Cora Connection: Your West African Music Source
  Resources, Recordings, Instruments & More!
==
