Secure form submission



absoleet
08-18-2010, 08:39 PM
I've got an upload.cgi page that I'm submitting form data to.

I want to make it so only my page can submit data to this site.

I've racked my brain trying to think of ways to prevent external sites from submitting data.

Things I've tried:

.htaccess - closest feature it offers is blocking the referring URL, which is too easy to spoof
storing the file in a directory above the working directory, however this does not work for you can't go higher than where your URL points.
using PHP::Interpreter and including bulletin session files to verify the user is logged in, host doesn't support PHP::Interpreter


So I ask of you my fellow programmers..

How can I make it so that only http://upload.fortressgamers.com can submit to upload.cgi ?

ahayzen
08-18-2010, 09:36 PM
Hi

If you can use PHP then a simple way to do this would be to create a random session variable and then verify that it is the same, so:

File 1 (User enters on this page)


<?php
session_start();
// mt_rand() yields a guessable 31-bit value; take the token from the CSPRNG instead
$_SESSION['randcheck']=bin2hex(random_bytes(32));
echo '
<form method="post" action="file2.php">
<input type="hidden" name="randcheck" value="' . $_SESSION['randcheck'] . '">
Input elements go here.
</form>';
?>


File 2



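<?php
session_start();
// Require both values to be present: with a loose ==, a request carrying no
// token and no session would compare null to null and pass.
if (isset($_POST['randcheck'], $_SESSION['randcheck'])
    && is_string($_POST['randcheck'])
    && hash_equals($_SESSION['randcheck'], $_POST['randcheck']))
{
session_destroy();
// User has come from file1
// Put here what you want when user has come through correctly
}
else
{
session_destroy();
// User hasn't come from file1 (redirect to file1)
header("Location: file1.php");
exit;
}
?>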


Andy

absoleet
08-18-2010, 10:25 PM
Thnx Andy.

Unfortunately I'm actually submitting from PHP > CGI

So far best method I have come up with is to have the PHP page generate a random hash, put it in a hidden field, inject it into a database along with a unique ID, a 'secret key' and an expiry date.


On the Perl end, query the database using the hash, get the key and compare.

Downside: user can still get to "form.php" copy source HTML, upload to their host and submit data to "page.cgi" if the hash hasn't expired.

We're doing good here though team, let's keep brainstorming!
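
The expiring-token scheme described in the post above, as an added example that is not part of the original thread: the token is signed with a shared secret so upload.cgi can reject forged or stale values, and each token ID is accepted only once. The function names, the `%used` hash standing in for the database table, and the demo key and timestamp are assumptions.

```perl
#!/usr/bin/perl
# Added example: expiring, single-use form token checked by upload.cgi.
# All names here (issue_token, verify_token, ct_eq, %used, $SECRET) are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-key';  # assumption: load from a file outside the web root
my %used;                             # stand-in for the database table of spent token IDs

# What form.php would do: in PHP, hash_hmac('sha256', "$id|$expiry", $secret)
# produces the same hex string as hmac_sha256_hex here.
sub issue_token {
    my ($id, $ttl, $now) = @_;
    my $expiry = $now + $ttl;
    return join '.', $id, $expiry, hmac_sha256_hex("$id|$expiry", $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# What upload.cgi would do with the hidden field before touching the upload.
sub verify_token {
    my ($token, $now) = @_;
    my ($id, $expiry, $mac) = ($token // '') =~ /\A([0-9a-f]{32})\.(\d{1,12})\.([0-9a-f]{64})\z/
        or return 'malformed';
    return 'bad signature' unless ct_eq($mac, hmac_sha256_hex("$id|$expiry", $SECRET));
    return 'expired'       if $now > $expiry;
    return 'already used'  if $used{$id}++;   # in the DB: insert under a unique key
    return 'ok';
}

my $now   = 1282170000;                       # constructed timestamp
my $token = issue_token('0123456789abcdef' x 2, 600, $now);
print "fresh:    ", verify_token($token, $now + 30), "\n";
print "replayed: ", verify_token($token, $now + 31), "\n";
(my $forged = $token) =~ s/\.\d+\./.9999999999./;   # push the expiry out without the key
print "forged:   ", verify_token($forged, $now + 32), "\n";
print "stale:    ", verify_token(issue_token('f' x 32, 600, $now), $now + 601), "\n";
```

A visitor can still fetch form.php and submit its token once from somewhere else; single use and a short expiry limit that to one submission per fetched form.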

ahayzen
08-19-2010, 08:16 PM
Ok

Well try this:

Just pretend that upload.cgi is now file2.

If you look at http://php.net/manual/en/function.header.php, you can see that you can tell the browser what content-type you are outputting. E.g. in PHP, to output a PDF you put:

This is example 1 on the site.


<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');
?>


So why not say we are outputting CGI?


<?php
// We'll be outputting a CGI
header('Content-type: application/cgi');
?>


So back to the script it would become:

File 1


<?php
session_start();
// mt_rand() yields a guessable 31-bit value; take the token from the CSPRNG instead
$_SESSION['randcheck']=bin2hex(random_bytes(32));
echo '
<form method="post" action="file2.php">
<input type="hidden" name="randcheck" value="' . $_SESSION['randcheck'] . '">
Input elements go here.
</form>';
?>


File 2


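<?php
session_start();
// Require both values to be present: with a loose ==, a request carrying no
// token and no session would compare null to null and pass.
if (isset($_POST['randcheck'], $_SESSION['randcheck'])
    && is_string($_POST['randcheck'])
    && hash_equals($_SESSION['randcheck'], $_POST['randcheck']))
{
session_destroy();
// User has come from file1
header('Content-type: application/cgi');
echo '
Put your CGI code here!
';
}
else
{
session_destroy();
// User hasn't come from file1 (redirect to file1)
header("Location: file1.php");
exit;
}
?>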


That should work?

Also the randcheck is different every time and so they can't take the HTML source.

Andy

absoleet
08-23-2010, 10:47 PM
nice.

I'm doing file uploads, PHP has some time & POST limits (20MB) which were my main reasons for going to Perl.

What I did as a workaround was give the file being uploaded chmod 0000 until I approved.

However, I do like your thinking, I may see if I can implement this, I don't think it would be affected by the max POST size.


