I have a Perl CGI script in the cgi-bin directory that is invoked by a variety of forms. The script logs all form parameters to a text file that is also contained within the cgi directory. If there's a problem accessing the script, it emails me a message. In the last few months, the emails have indicated that someone is executing the scripts directly. For example, someone has sent a request like the following:
    <website>/cgi-bin/foobar.cgi

Checking the access logs reveals that the request is not related to the script being invoked by a malformed web page. Being naive, I added the following to my script:

    use CGI qw(param referer server_name);

    # Reject the request when an expected form field is missing or the
    # Referer is empty or points somewhere other than this host.
    if ((param('one_of_my_vars') eq "") || (referer() eq "")) {
        my $server = quotemeta( $ENV{HTTP_HOST} || server_name() );
        unless ( referer() =~ m|^https?://$server/| ) {
            print ("There's been a problem processing the information you sent to us. ");
            ....
            print ("We're sorry for the inconvenience.");
            $email_subject = "PROBLEM: NOTIFY WEB PROGRAMMER--SOMEONE SUBMITTED CGI DIRECTLY";
            $email_body = "Referer: " . referer();
            $email_body .= "\nParameters: " . join(", ", param());
            &mail_message(WEBMASTER, WEBMASTER, $email_subject, $email_body);
            exit;
        }
    }

This basic structure was stolen from an O'Reilly book. This book also mentioned that this approach was naive, as a sophisticated hacker could spoof all of this. (Actually, I did something different, but their code was nicer.) It goes without saying that I've quadruple-checked the script to ensure that no harm can come from some miscreant doing this, but I'm still letting miscreants do something I don't want them to do. My question is: what can I do to ensure that the Perl scripts are only invoked from forms on my site?
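An added example, not from the original post or the O'Reilly book: rather than trusting the spoofable Referer header, the form itself can carry an HMAC-signed, time-limited token that only the server could have minted, and the CGI rejects any submission whose token does not verify. The secret value, the hidden field name form_token and the form name 'contact' are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example (not the poster's script): an HMAC-signed form token that
# the CGI verifies on submit instead of trusting the spoofable Referer.
# The secret, the "form_token" field name and the form name are assumptions.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret; keep the real one in a file outside the web root.
my $SECRET  = 'PLACEHOLDER-long-random-secret';
my $MAX_AGE = 3600;   # seconds a token stays valid

# Called while rendering the form: the result goes into a hidden field.
sub make_token {
    my ($form_name, $now) = @_;
    $now //= time;
    my $mac = hmac_sha256_hex("$form_name:$now", $SECRET);
    return "$form_name:$now:$mac";
}

# Called by the CGI on submit: returns 1 only if the token was minted here,
# for this form, and is not older than $MAX_AGE seconds.
sub check_token {
    my ($token, $expected_form, $now) = @_;
    $now //= time;
    return 0 unless defined $token;
    my ($form_name, $issued, $mac) = split /:/, $token, 3;
    return 0 unless defined $mac && $form_name eq $expected_form;
    return 0 unless $issued =~ /^\d+$/ && $issued <= $now && $now - $issued <= $MAX_AGE;
    my $expect = hmac_sha256_hex("$form_name:$issued", $SECRET);
    # Constant-time comparison so a mismatch position does not leak via timing.
    return 0 unless length($expect) == length($mac);
    my $diff = 0;
    $diff |= ord(substr($expect, $_, 1)) ^ ord(substr($mac, $_, 1))
        for 0 .. length($expect) - 1;
    return $diff == 0 ? 1 : 0;
}

# Usage: when printing the form
#   print qq(<input type="hidden" name="form_token" value="@{[ make_token('contact') ]}">\n);
# and at the top of foobar.cgi, before touching the other parameters
#   unless (check_token(scalar param('form_token'), 'contact')) { ...reject and log... }
```

A token only proves the form page was fetched from this server within the last hour; a direct request that first fetches the form and copies the hidden field will still pass, so the check reduces casual direct invocation rather than eliminating it.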