  1. #1

    CGI Order Form/Dynamic Referer Question

    I have a CGI order form which a spammer and a bot were taking advantage of to send out thousands of emails.

    I'm trying to make my order form so that if the client doesn't come from my site then the form won't process.

    The Form is called:
    ordernow.cgi

    Each product has its details stored in a mySQL DB and product 2 for example is reached by:

    ordernow.cgi?pkid=2

    Altering the pkid to, say, 3 gets different values from the MySQL DB.

    The client inputs their details and the billing info is then passed to order.cgi for processing. This is what the spammer and bot were using to send out spam.

    I added this to order.cgi:

    use strict;
    use warnings;

    # Empty string if the client sent no Referer header at all
    my $referer = defined $ENV{HTTP_REFERER}  ? $ENV{HTTP_REFERER}  : '';
    my $path    = defined $ENV{QUERY_STRING}  ? $ENV{QUERY_STRING}  : '';

    if ( $referer ne "http://www.mydomain.com" ) {
        print "HTTP_REFERER not equal to http://www.mydomain.com<br><br>\n",
              "REFERER = $referer <br><br>\n",
              "PATH = $path\n";
        exit(0);
    } else {
        # ... rest of order.cgi (the order processing) continues here
    }

    However, the referer is actually:

    REFERER = http://www.mydomain.com/ordernow.cgi?pkid=2

    Though it's dynamic, in that the referer can be anything from pkid=2 to pkid=20.

    I want to make it so this line of script:
    if ( $referer ne "http://www.mydomain.com" ){

    will actually cover:
    http://www.mydomain.com/ordernow.cgi?pkid=2 to http://www.mydomain.com/ordernow.cgi?pkid=20

    How do I do that? Any help is greatly appreciated.

  2. #2
    # Dots are escaped so they match a literal "." rather than any character;
    # m{...} avoids having to escape every "/" in the URL.
    if ( $referer !~ m{^http://www\.mydomain\.com/ordernow\.cgi\?pkid=\d+$} )
    {
    ...............
    }

    However, spoofing the referer is no big deal these days.
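
    The check from the reply above, written out as a complete script. This is an added example, not code from either poster: it assumes the hostname www.mydomain.com and the pkid range 2 to 20 mentioned in the question (the `https?` alternative, the range check and the sample referers are assumptions of the example), and it shows why the dots must be escaped and the pattern anchored at both ends. The sample referers at the bottom are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: a referer check for order.cgi. Hostname and pkid range
# are taken from the thread; everything else here is assumed.
use strict;
use warnings;

my $SITE = 'www.mydomain.com';

# Return 1 if the referer is an ordernow.cgi URL on our host with a pkid
# in the allowed range, 0 otherwise. \Q...\E escapes the dots in the host
# so "wwwXmydomainYcom" cannot match, and the ^ and $ anchors stop prefix
# and suffix tricks such as http://www.mydomain.com.evil.example/ .
sub referer_ok {
    my ($referer) = @_;
    return 0 unless defined $referer;
    if ($referer =~ m{^https?://\Q$SITE\E/ordernow\.cgi\?pkid=(\d+)$}) {
        my $pkid = $1;
        return ($pkid >= 2 && $pkid <= 20) ? 1 : 0;
    }
    return 0;
}

# Constructed sample referers, each with the verdict we expect.
my @samples = (
    [ 'http://www.mydomain.com/ordernow.cgi?pkid=2',              1 ],
    [ 'http://www.mydomain.com/ordernow.cgi?pkid=20',             1 ],
    [ 'http://www.mydomain.com/ordernow.cgi?pkid=21',             0 ],  # out of range
    [ 'http://www.mydomain.com',                                  0 ],  # the poster's original compare target
    [ 'http://wwwXmydomainYcom/ordernow.cgi?pkid=2',              0 ],  # unescaped dots would accept this
    [ 'http://www.mydomain.com.evil.example/ordernow.cgi?pkid=2', 0 ],  # host suffix trick
    [ 'http://www.mydomain.com/ordernow.cgi?pkid=2&x=1',          0 ],  # trailing junk, caught by $
    [ undef,                                                      0 ],  # browser or bot sent no Referer at all
);

for my $s (@samples) {
    my ($ref, $want) = @$s;
    my $got = referer_ok($ref);
    printf "%-62s %s\n", (defined $ref ? $ref : '(no referer)'),
        ($got == $want ? "ok ($got)" : "MISMATCH got $got want $want");
}

# Inside order.cgi the call would be:
# unless (referer_ok($ENV{HTTP_REFERER})) {
#     print "Content-type: text/plain\n\nRejected.\n";
#     exit 0;
# }
```

    Note the last sample: some browsers and privacy proxies strip Referer entirely, so a strict check also turns away a share of legitimate customers, and, as the reply says, a bot can send any Referer it likes. Treat this as a speed bump, not as authentication.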

  3. #3
    It sounds like you need to review your script and make sure that there is no way for the request to alter the To/From headers.

    Also, as suggested before, the referrer is easy to spoof.

    In addition to reviewing your script, I would also make sure that your email server was not an open relay.

    Finally, if you are still getting bombarded, you can always add a CAPTCHA check.
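
    The "alter the To/From headers" point in the reply above is the usual way an order form becomes a spam relay: a form field such as the customer's e-mail address is dropped straight into a mail header, and a value containing a newline followed by "Bcc: ..." adds recipients of the attacker's choosing. The following is an added example, not the poster's script: it assumes a fixed recipient orders@mydomain.com and form fields named email and subject, and the three sample submissions at the bottom are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: validating form-supplied mail header values in order.cgi.
# Recipient address and field names are assumptions of the example.
use strict;
use warnings;

my $ORDERS_TO = 'orders@mydomain.com';   # assumed fixed recipient; never taken from the form

# Accept a single plain mailbox: no whitespace, no CR/LF/NUL, no second address.
# Deliberately strict; this filters a header value, it is not a full RFC 5322 parser.
sub clean_address {
    my ($value) = @_;
    return undef unless defined $value;
    return undef if $value =~ /[\r\n\0]/;                       # header injection: "a\@b\nBcc: ..."
    return undef unless $value =~ /^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$/;
    return $value;
}

# Subject is free text, so only line-breaking characters are removed;
# anything after a CR/LF would otherwise become a new header line.
sub clean_subject {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/[\r\n\0]//g;
    return substr($value, 0, 200);
}

# Build the header block for the order mail. Returns undef (send nothing)
# when the customer address fails, instead of sending with a guessed value.
sub build_headers {
    my (%form) = @_;
    my $from    = clean_address($form{email}) or return undef;
    my $subject = clean_subject($form{subject});
    return "To: $ORDERS_TO\n"
         . "From: $from\n"
         . "Subject: Order $subject\n";
}

# Constructed sample submissions: one honest customer and two injection attempts.
my @submissions = (
    { email => 'customer@example.com',
      subject => 'pkid=2' },
    { email => "customer\@example.com\nBcc: a\@spam.example, b\@spam.example",
      subject => 'pkid=2' },
    { email => 'customer@example.com',
      subject => "pkid=2\r\nTo: victim\@spam.example\r\n\r\nBuy now" },
);

for my $f (@submissions) {
    my $hdr = build_headers(%$f);
    print defined $hdr ? "SEND:\n$hdr" : "REJECTED: bad customer address\n";
    print "----\n";
}
```

    When the headers are handed to sendmail, use the list form of open (for example `open my $mh, '|-', '/usr/sbin/sendmail', '-oi', $ORDERS_TO`) so no shell is involved and the recipient comes from the script's own constant rather than from the message headers; with `-t`, sendmail would honour any Bcc line that slipped through.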
