
Re: OK, .. this one's a stumper.



How about this: set up the server side so that when the page containing
the form is requested, the requesting IP is added to a
list/database/whatever, and when the script that processes the form is
called, check the list. Also limit the number of requests per IP
(assuming it passes being on the list).

Also, you could put some kind of session information into the form page
that gets submitted along with everything else, and your form processor
checks that the session info matches what it would expect (again using a
list/db/whatever).

HTH

Casey


L. V. Lammert wrote:
> Everyone knows mailer scripts are a security hole, .. historically,
> they are restricted by referer URL & recipient address patterns.
> Recipient works pretty well, as the only allowed output email address
> can be tightly controlled.
>
> Unfortunately, it seems like some of the script kiddies have
> found ways to get around the referer URL, i.e. by posting the form
> directly to the form mailer, they are apparently also forging the
> environment variables to satisfy the referer check. I tried changing
> from referer URL to matching the server address, .. but it DNW either.
> (Obviously, the first action was to delete the calling document so it
> cannot be invoked in any form on the server.)
>
> Is anyone aware of a more secure way to validate the source document
> other than referer URL or server address? Or is there a way to secure
> the mailer itself (callable from a number of domains)?
>
>     Thanks!
>
>     Lee

-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
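The two measures Casey proposes above (record the requester when the form page is served and check that record plus a per-IP limit when the processor runs; embed session information in the form that the processor verifies) combined into one added Python example. This is not code from the thread or from any real form mailer; the class name `FormGuard`, the methods `issue_token` / `validate_submission`, the hard-coded limits, the in-memory dictionaries standing in for the "list/db/whatever", and the sample IP addresses are all assumptions. The token is an HMAC over a random nonce, the client IP and the issue time, so a request posted directly to the processor from another host fails the check even when it forges the Referer, and each token is accepted only once:

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed values: a real deployment would load the key from config so
# tokens survive a restart, and would tune the limits to the site.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 600          # form must be submitted within 10 minutes
MAX_SUBMITS_PER_IP = 5           # per WINDOW_SECONDS
WINDOW_SECONDS = 3600


class FormGuard:
    """Hypothetical guard: issued tokens are the 'list' built when the
    form page is served; the processor checks it before sending mail."""

    def __init__(self, secret=SECRET_KEY, now=time.time):
        self.secret = secret
        self.now = now                       # injectable clock for testing
        self.issued = {}                     # token -> (ip, issued_at)
        self.submits = defaultdict(list)     # ip -> submission timestamps

    def _sign(self, nonce, client_ip, issued_at):
        msg = f"{nonce}:{client_ip}:{issued_at}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, client_ip):
        """Called when the page containing the form is requested."""
        nonce = secrets.token_hex(16)
        issued_at = int(self.now())
        token = f"{nonce}:{issued_at}:{self._sign(nonce, client_ip, issued_at)}"
        self.issued[token] = (client_ip, issued_at)
        return token

    def hidden_field(self, client_ip):
        """The session information embedded in the form page."""
        return (f'<input type="hidden" name="form_token" '
                f'value="{self.issue_token(client_ip)}">')

    def validate_submission(self, client_ip, form_fields):
        """Called by the form processor. Returns (accepted, reason)."""
        token = form_fields.get("form_token", "")
        parts = token.split(":")
        if len(parts) != 3 or not parts[1].isdigit():
            return False, "missing or malformed token"
        nonce, issued_at_str, sig = parts
        issued_at = int(issued_at_str)
        # Signature binds the token to the IP it was issued to.
        expected = self._sign(nonce, client_ip, issued_at)
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature or token issued to a different ip"
        if token not in self.issued:
            return False, "token not issued or already used"
        now = self.now()
        if now - issued_at > TOKEN_TTL_SECONDS:
            del self.issued[token]
            return False, "token expired"
        # Per-IP limit on submissions within the sliding window.
        recent = [t for t in self.submits[client_ip] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_SUBMITS_PER_IP:
            return False, "rate limit exceeded"
        del self.issued[token]               # single use: no replay
        recent.append(now)
        self.submits[client_ip] = recent
        return True, "ok"


if __name__ == "__main__":
    guard = FormGuard()
    ip = "203.0.113.5"                        # constructed client address
    page_snippet = guard.hidden_field(ip)     # what the form page would carry
    tok = page_snippet.split('value="')[1].rstrip('">')
    print(guard.validate_submission(ip, {"form_token": tok}))           # (True, 'ok')
    print(guard.validate_submission(ip, {"form_token": tok}))           # replay rejected
    print(guard.validate_submission("198.51.100.9", {"form_token": tok}))  # other host rejected
```

The processor still needs the recipient whitelist Lee already has; this only decides whether a given POST came from a form page the server actually handed out recently, to this client, and no more often than allowed.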