I usually do a combination of things.

* You can check domains, but they can be spoofed, so that in itself is not a cure. It's a start.

* Does the site have a static IP? You can set the script only to run if called from that IP. Once again 'spoofable' but less than a domain on its own.

* Use the CGI.pm module's built-in data limit function. You can set POST_MAX to a reasonable level to avoid buffer overflow issues, or just set DISABLE_UPLOADS = 1 if no files are going to be uploaded.

* Are you on UNIX? Most of my sites are on some flavor of *NIX and I run my scripts suid. You can explicitly tell the script that it can run -only- as the user, not even as the httpd daemon. (#!/usr/bin/perl -U with the script directory chmod'd 4711)

Scot Robnett
inSite Internet Solutions

-----Original Message-----
From: Sebastian Nerz
Sent: Friday, May 24, 2002 10:22 AM
Subject: Checking who called a cgi-script

Hi,

I need to check which server (or better: which form) gave data to a cgi-script (executed this script). (I am writing a contact script but I don't want every server to be able to execute this script!)

How could I do this? (A link or source of information would be enough.)

Many thanks!

regards
Sebastian Nerz

PS I am sorry for my English - it's quite terrible!
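The checks listed in the reply at the top of this thread, combined in one CGI.pm script. This is an added example, not code from either poster. The form URL, the 10 KB limit and the (empty) address allowlist are constructed placeholder values, and `refusal` is a hypothetical helper name.

```perl
#!/usr/bin/perl
# Added example, not from the thread. URL, limit and allowlist are placeholders.
use strict;
use warnings;
use CGI;

# Set the limits before CGI->new, because the request body is parsed there.
$CGI::POST_MAX        = 10 * 1024;   # refuse POST bodies larger than 10 KB
$CGI::DISABLE_UPLOADS = 1;           # a contact form takes no file uploads

# Assumed location of the only form allowed to post to this script.
my $ALLOWED_FORM = 'http://www.example.com/contact.html';

# Assumed allowlist for callers that are other servers with a static IP.
# Leave it empty for a browser-submitted form: there REMOTE_ADDR is the
# visitor's address, not the address of the site hosting the form.
my %ALLOWED_ADDR = map { $_ => 1 } ();

# Return an HTTP status string if the request must be refused, else undef.
sub refusal {
    my ($q) = @_;

    # CGI.pm reports a body over POST_MAX through cgi_error().
    my $err = $q->cgi_error;
    return $err if $err;

    return '405 Method Not Allowed'
        unless ($q->request_method || '') eq 'POST';

    # Referer is supplied by the client, so this only filters casual reuse
    # of the script from other sites' forms.
    my $referer = $q->referer || '';
    return '403 Forbidden' unless index($referer, $ALLOWED_FORM) == 0;

    if (%ALLOWED_ADDR) {
        return '403 Forbidden' unless $ALLOWED_ADDR{ $q->remote_addr };
    }
    return;
}

my $q = CGI->new;
if (my $status = refusal($q)) {
    print $q->header(-status => $status, -type => 'text/plain'),
          "Request refused\n";
    exit;
}

my $message = $q->param('message') // '';   # form field name is assumed
# ... validate $message and hand it to the mailer here ...
print $q->header(-type => 'text/plain'), "Thanks, your message was received.\n";
```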