Here is something I just hacked together to check domains...perl -c says the
syntax is okay, but I didn't test it on a web server. You can also put IP
addresses in the @good_domains array and I think it should work.
Keep in mind that this by itself is *not* something that will guarantee
security. Anybody that knows how to spoof a domain will subvert this...so
use the other tools available to you as well.
############################################################
#!/usr/bin/perl -w
use strict;
# What domain referers will we accept?
my @good_domains = ('domain1.com','www.domain1.com',
'domain2.com','www.domain2.com');
# Initialize a variable to hold success message
my $good_one = "";
my $domain = "";
# Request the referer header to see who requested the cgi
my $referer = $ENV{'REFERER'};
# Compare the referer against your "good list"
for $domain(@good_domains) {
if ($domain = $referer) { # If the referer matches a
$good_one = "success"; # domain in your list, set
last; # $good_one as "success" and
} # skip looking at the rest of
} # them since we found a good one
# If the referer doesn't match any of the domains
# in your accepted domain list (hence $good_one has
# not been set to "success"), don't allow the CGI
# to be used.
if($good_one ne "success") {
print "Content-type: text/html\n\n";
print <<EOF;
Nice try. This script can only be
run from our server, so go away.
EOF
exit;
}
else {
do_something(); # Do whatever you do to process the form
}
############################################################
Regarding "attachments not being possible," a good Perl cracker can figure
out how to send commands through your contact form, and using commands to
upload a file where a file should not be uploaded may be difficult, but it's
not impossible.
To make it impossible, you need to start your script with:
#!/usr/bin/perl -w -U
# Notice the -U in the shebang line. This forces the
# script to run as "you" and not as the httpd daemon.
# Someone trying to run your script from a remote host
# can't, because they can't be you, then can only use
# HTTP. Whatever directory the script is running in
# needs to be chomd'd to 4711 (suid).
use strict; # This plus taint checking
# (-w) forces your hand to
# optimize your code and not
# do various silly, security-
# violating things.
use CGI; # Use the CGI.pm module to
# parse form input.
use CGI::Carp 'fatalsToBrowser'; # Send errors to browser,
# just makes debugging more
# convenient.
$CGI::DISABLE_UPLOADS = 1; # Disable *all* uploads.
Scot Robnett
inSite Internet Solutions
[EMAIL PROTECTED]
[EMAIL PROTECTED]
-----Original Message-----
From: Sebastian Nerz [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 25, 2002 8:48 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Checking who called a cgi-script
Hy,
inSite Internet Solutions schrieb:
>
> I usually do a combination of things.
>
> * You can check domains, but they can be spoofed,
> so that in itself is not a cure. It's a start.
How can I check this?
>
> * Does the site have a static IP? You can set
> the script only to run if called from that IP.
> Once again 'spoofable' but less than a domain
> on its own.
I have a static IP, but once again:
How to check wich IP called the script?
>
> * Use the CGI.pm module's built-in data limit
> function. You can set POST_MAX to a reasonable
> level to avoid buffer overflow issues, or just
> set DISABLE_UPLOADS = 1 if no files are going
> to be uploaded.
It's just for a forum and a contact-script... No attachements are
possible.
>
> * Are you on UNIX? Most of my sites are on some
> flavor of *NIX and I run my scripts suid. You
> can explicitly tell the script that it can
> run -only- as the user, not even as the httpd
> daemon. (#!/usr/bin/perl -U with the script
> directory chmod'd 4711)
It's a Linux-System, so: yes :-)
>
> Scot Robnett
> inSite Internet Solutions
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
Many thanks!
regards
Sebastian Nerz
>
> -----Original Message-----
> From: Sebastian Nerz [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 24, 2002 10:22 AM
> To: [EMAIL PROTECTED]
> Subject: Checking who called a cgi-script
>
> Hy,
>
> I need to check which server (or better: which formular) gave data to a
> cgi-script (executed this script)
> (I am writing on a contact-script but I dont want every server to be
> able to execute this script!)
>
> How could I do this?
> (A link or source for informations would be enough)
>
> Many thanks!
>
> regards
>
> Sebastian Nerz
>
> PS I am sorry for my english - it's quite terrible!
>
> --
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.365 / Virus Database: 202 - Release Date: 5/24/2002
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.365 / Virus Database: 202 - Release Date: 5/24/2002
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
