WebProWorld Part of WebProNews.com
#1
05-07-2008, 04:59 PM
imsickofwebpro
WebProWorld Member
Join Date: Aug 2006
Posts: 84
Potential http referrer issue

Hi All,

I have a question for you programming/server gurus.

My company's webhosting provider is blaming my php form script for knocking down their servers. They're saying our bandwidth increase overloaded the servers, which I find hard to believe, or if it did, I'm angry and surprised.

I used the following script to block form spammers from using our form to send emails:

<?php
// Only handle the submission when it was POSTed and the browser-supplied Referer
// names our own thank-you page (isset avoids a notice when no Referer is sent)
if ($_POST && isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == "http://www.domain.ca/thankyou.php") {
    // ... form handling (the mail call) continued here ...
}
Not the best preventative measure but it was a quick fix until we finish redesigning our new website.

Let me know what you think.

Thanks,
SR
__________________
www.jacksonville-website-design.com
High-end Websites and Branding
#2
05-07-2008, 05:51 PM
wige
WebProWorld Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,504
Re: Potential http referrer issue

Crude, but it should be somewhat effective. It is also important to make sure that the data submitted via the form is thoroughly validated before you execute the logic of the form. Otherwise an attacker could insert unexpected commands into the form that can cause issues with the server.
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog
#3
05-07-2008, 05:58 PM
Tech Manager
WebProWorld Pro
Join Date: Jan 2008
Posts: 177
Re: Potential http referrer issue

Your overall question is a bit vague. I'm not sure whether you added the script you mentioned after the bandwidth problems or before. In either case it is unlikely that the snippet you've shown had anything to do with a bandwidth problem.

As for my thoughts:

$_SERVER['HTTP_REFERER'] is a completely unreliable variable. It is set by the user agent and can be modified. The specs suggest (and I strongly concur) that the variable cannot be trusted. There are better solutions to prevent your forms from being used for email spam.

If you are properly validating your variables you can eliminate the fear of having your forms hijacked to send email.

Use regular expressions to check for acceptable input including the type and number of characters you will allow.

Watch for the insertion of newlines into your email variables. These can be used to add additional headers, cc: and bcc:. Use nl2br() to eliminate newlines from being inserted into your email variables.

If your regular expressions are sound you can pretty much eliminate additional issues. And, of course, add a script that cuts down on the possibility of a remote automated process. Some use CAPTCHA, I prefer using randomly generated questions with session variables.

If you've got additional details I would be happy to help.
__________________
I use Country IP Blocks as added security for my networks and servers.
#4
05-07-2008, 06:01 PM
imsickofwebpro
WebProWorld Member
Join Date: Aug 2006
Posts: 84
Re: Potential http referrer issue

Thanks for the quick response Wige.

I know the [http Referer] technique is a bit crude but it was a patch job. Currently we validate our forms using javascript and alerts, typically only properly validating phone numbers and emails. For all other columns we just check if at least one character is present.

I remember a discussion you had with Tech_Manager regarding proper hijack prevention techniques but the whole process discussed seemed so cumbersome.

Anyways, I saved those posts and will re-read them...

... And speak of the devil, I just saw tech_manager flash a post on the screen!
__________________
www.jacksonville-website-design.com
High-end Websites and Branding
#5
05-07-2008, 06:05 PM
Tech Manager
WebProWorld Pro
Join Date: Jan 2008
Posts: 177
Re: Potential http referrer issue

WARNING: Throw away your javascript validation. I repeat: WARNING: Throw away your javascript validation.

Never trust javascript validation unless you are using it with an SSI on the backend. Feel free to run the form variables through javascript initially, but when it comes to processing the actual form you need to rely on a server side language such as PHP, ASP, etc.

Client-side javascript can be turned off and is easily manipulated in other ways.
__________________
I use Country IP Blocks as added security for my networks and servers.
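A server-side version of what Tech Manager describes in #3 and #5, added here as an example and not code from the thread: per-field regular expressions, outright rejection of CR/LF in the fields that end up in mail headers, and a randomly generated question whose answer is held only in the session. The field names and the session key are assumptions.

```php
<?php
// Added example, not code from the thread. Field names (name, email, phone, message,
// answer) and the session key 'form_answer' are assumptions for illustration.

// A CR/LF inside a value that ends up in a mail header lets a sender append
// Cc:/Bcc: lines; reject such input instead of rewriting it.
function has_crlf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns the names of the fields that failed; an empty array means the POST is acceptable.
function validate_contact(array $post, array $session): array
{
    $errors = [];
    // Name: 2-60 letters, spaces, apostrophes or hyphens
    if (!preg_match('/^[\p{L} \'\-]{2,60}$/u', (string) ($post['name'] ?? ''))) {
        $errors[] = 'name';
    }
    // Email: syntax via the filter extension, plus the CR/LF check (it lands in From:)
    $email = (string) ($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || has_crlf($email)) {
        $errors[] = 'email';
    }
    // Phone: optional leading +, then 7-20 digits, spaces, dashes or parentheses
    if (!preg_match('/^\+?[0-9 ()\-]{7,20}$/', (string) ($post['phone'] ?? ''))) {
        $errors[] = 'phone';
    }
    // Message body: bounded length only; newlines are fine here, they never reach a header
    $len = strlen((string) ($post['message'] ?? ''));
    if ($len < 1 || $len > 4000) {
        $errors[] = 'message';
    }
    // Anti-automation: the answer to the question shown with the form lives only in the
    // session, so a scripted POST that never rendered the page cannot supply it
    $expected = (string) ($session['form_answer'] ?? '');
    if ($expected === '' || !hash_equals($expected, trim((string) ($post['answer'] ?? '')))) {
        $errors[] = 'answer';
    }
    return $errors;
}

// Called when rendering the form: keep the answer server-side, show only the question.
function make_question(): array
{
    [$a, $b] = [random_int(1, 9), random_int(1, 9)];
    return ['question' => "What is $a plus $b?", 'answer' => (string) ($a + $b)];
}
```

Wire it in as `$errors = validate_contact($_POST, $_SESSION);` and only call mail() when the array is empty; when rendering the form, store make_question()['answer'] in $_SESSION['form_answer'] and print only the question.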
#6
05-07-2008, 06:12 PM
imsickofwebpro
WebProWorld Member
Join Date: Aug 2006
Posts: 84
Re: Potential http referrer issue

Hi Tech Manager,

Thanks for the quick response, your guru guidance is always appreciated. I'm glad you agree that it is highly unlikely that the HTTP_Referer snippet is the cause of the server chaos. It was most likely an untalented tech guy looking for someone to blame.

I do understand your strong suggestion of properly validating form data. I admit I took the lazy approach. I don't like captchas so I will implement proper validation and also include your new-line prevention variable (good idea, thanks!).

Thanks again guys for your excellent responses and I'll let you know how it goes.

-Scott
__________________
www.jacksonville-website-design.com
High-end Websites and Branding
#7
05-07-2008, 06:12 PM
imsickofwebpro
WebProWorld Member
Join Date: Aug 2006
Posts: 84
Re: Potential http referrer issue

"WARNING: Throw away your javascript validation. I repeat: WARNING: Throw away your javascript validation."

No way man!!! Javascript forever!

lol...
__________________
www.jacksonville-website-design.com
High-end Websites and Branding
#8
05-07-2008, 06:14 PM
imsickofwebpro
WebProWorld Member
Join Date: Aug 2006
Posts: 84
Re: Potential http referrer issue

javascript just pops right up on the screen for you!
__________________
www.jacksonville-website-design.com
High-end Websites and Branding
#9
05-07-2008, 06:22 PM
Tech Manager
WebProWorld Pro
Join Date: Jan 2008
Posts: 177
Re: Potential http referrer issue

Quote:
Originally Posted by imsickofwebpro
javascript just pops right up on the screen for you!

Yes it does. And that's what makes it so convenient to hack.
__________________
I use Country IP Blocks as added security for my networks and servers.
#10
05-07-2008, 06:32 PM
Tech Manager
WebProWorld Pro
Join Date: Jan 2008
Posts: 177
Re: Potential http referrer issue

Incidentally, if you were relying solely on javascript to validate your form data it is entirely possible that your site contributed to a major increase in bandwidth. An improperly protected form makes it very easy to hijack your webform and use it to send extremely high volumes of email.
__________________
I use Country IP Blocks as added security for my networks and servers.