Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 5 of 5
  1. #1
    New Coder
    Join Date
    Nov 2009
    Posts
    23
    Thanks
    4
    Thanked 0 Times in 0 Posts

    Secure form submission

    I've got an upload.cgi page that I'm submitting form data to.

    I want to make it so only my page can submit data to this site.

    I've racked my brain trying to think of ways to prevent external sites from submitting data.

    Things I've tried:
    • .htaccess - closest feature it offers is blocking the referring URL, which is too easy to spoof
    • storing the file in a directory above the working directory, however this does not work for you cant go higher than where your URL points.
    • using PHP::Interpreter and including bulletin session files to verify the user is logged in, host doesn't support PHP::Interpreter


    So I ask of you my fellow programmers..

    How can I make it so that only http://upload.fortressgamers.com can submit to upload.cgi ?
    Last edited by absoleet; 08-18-2010 at 08:45 PM.

  • #2
    Regular Coder ahayzen's Avatar
    Join Date
    Jun 2009
    Posts
    110
    Thanks
    8
    Thanked 11 Times in 11 Posts
    Hi

    If you can use php then a simple way to do this would be to create a random session variable and then verify that it is the same so:

    File 1 (User enters on this page)
    PHP Code:
    <?php
    session_start
    ();
    $_SESSION['randcheck']=hash('sha256'mt_rand());
    echo 
    '
    <form method="post" action="file2.php">
    <input type="hidden" name="randcheck" value="' 
    $_SESSION['randcheck'] . '">
    Input elements go here.
    </form>'
    ;
    ?>
    File 2

    PHP Code:
    session_start();
    if (
    $_POST['randcheck']==$_SESSION['randcheck'])
    {
    session_destroy();
    // User has come from file1
    // Put here what you want when user has come through correctly
    }
    else
    {
    session_destroy();
    // User Hasn't come from file1 (redirect to file1)
    die(header("Location: file1.php"));

    Andy

  • #3
    New Coder
    Join Date
    Nov 2009
    Posts
    23
    Thanks
    4
    Thanked 0 Times in 0 Posts
    Thnx Andy.

    Unfortunately I'm actually submitting from PHP > CGI

    So far best method I have come up with is to have the PHP page generate a random hash, put it in a hidden field, inject it into a database along with a unique ID, a 'secret key' and an expiry date.


    on the perl end, query the database using the hash, get the key and compare.

    Downside: user can still get to "form.php" copy source HTML, upload to their host and submit data to "page.cgi" if the hash hasn't expired.

    We're doing good here though team, lets keep brainstorming!

  • #4
    Regular Coder ahayzen's Avatar
    Join Date
    Jun 2009
    Posts
    110
    Thanks
    8
    Thanked 11 Times in 11 Posts
    Ok

    Well try this:

    Just pretend that upload.cgi is now file2.

    If you look at http://php.net/manual/en/function.header.php, you can see that you can tell the browser what content-type you are outputting. EG in php to output PDF you put:

    This is example 1 on the site.
    PHP Code:
    <?php
    // We'll be outputting a PDF
    header('Content-type: application/pdf');
    ?>
    So why not say we are outputting CGI?
    PHP Code:
    <?php
    // We'll be outputting a CGI
    header('Content-type: application/cgi');
    ?>
    So back to the script it would become:

    File 1
    PHP Code:
    <?php 
    session_start
    (); 
    $_SESSION['randcheck']=hash('sha256'mt_rand()); 
    echo 

    <form method="post" action="file2.php"> 
    <input type="hidden" name="randcheck" value="' 
    $_SESSION['randcheck'] . '"> 
    Input elements go here. 
    </form>'

    ?>
    File 2
    PHP Code:
    session_start(); 
    if (
    $_POST['randcheck']==$_SESSION['randcheck']) 

    session_destroy(); 
    // User has come from file1 
    header('Content-type: application/cgi');
    echo 
    '
    Put your CGI code here!
    '


    else 

    session_destroy(); 
    // User Hasn't come from file1 (redirect to file1) 
    die(header("Location: file1.php")); 

    That should work?

    Also the randcheck is different every time and so they can't take the HTML source.

    Andy
    Last edited by ahayzen; 08-19-2010 at 08:20 PM.

  • #5
    New Coder
    Join Date
    Nov 2009
    Posts
    23
    Thanks
    4
    Thanked 0 Times in 0 Posts
    nice.

    I'm doing file uploads, PHP has some time & POST limits (20MB) which were my main reasons for going to perl.

    What I did as a workaround was give the file being uploaded chmod 0000 until I approved.

    However, I do like your thinking, I may see if I can implement this, I dont think it would be affected by the max POST size.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •