Code Comments
I had my CGI up and working, but it would not actually send the emails to me
from the form, so I made some changes to my CGI and now all I get is this
error message. I don't think I've got any hair left; this is driving me crazy.
Haaalp!!!

ERROR - Invalid Referrer
Before anyone answers this, I just tried something else and it worked. I
don't know why or what, but it worked. So now that I've got it to work, maybe
somebody can explain to me why what I did made it work and what the part of
the script I deleted does. Here goes.
@valid_ref = ('http://mydomain.com/') ;
foreach $ref (@valid_ref) {
if ($ENV{'HTTP_REFERER'} =~ m/$ref/i) {$is_valid = 1 ; last ;}
}
if (! $is_valid) {
print "Content-type: text/html\n\nERROR - Invalid Referrer\n" ;
exit 0 ;
}
All I did was delete this bottom part, and everything worked after that
and I started getting emails. What is this bottom part for, and if it doesn't
work, why was it there to start with? Or is there something in that part that
needs to be changed? Any and all help is appreciated.
> I had my cgi up and working but it would not actually send the emails to me
> from the form so I made some changes to my cgi now all I get is this error
> message. I don't think I got any hair left this is driving me crazy.
> Haaalp!!!
> ERROR - Invalid Referrer
In article <QP9nd.82515$Tq1.32198@bignews1.bellsouth.net>, Jeff Houston wrote:
>Before anyone answers this I just tried something else and it worked. I
>don't know why or what but it worked. So now that I got it to work maybe
>somebody can explain to me why what I did made it work and what the part of
>the script I deleted does. Here goes.
>
>@valid_ref = ('http://mydomain.com/') ;
>foreach $ref (@valid_ref) {
>if ($ENV{'HTTP_REFERER'} =~ m/$ref/i) {$is_valid = 1 ; last ;}
>}
>
>if (! $is_valid) {
>print "Content-type: text/html\n\nERROR - Invalid Referrer\n" ;
>exit 0 ;
>}
>All I did was delete this bottom part off and everything worked after that
>and I started getting emails. What is this bottom part for and if it dont
>work why was it there to start with? Or is there something in that part that
>needs to be changed? Any and all help is appreciated.
Oy. Put -down- the keyboard, and slowwwwwly back away. Before you break
anything else, preferably.
I don't know what CGI script you're using (looks like one of the lousier
versions of FormMail from the snippet you presented), but HTTP_REFERER is
remarkably easy to spoof.
That you don't know what it is or what the code above is meant to prevent
says that you shouldn't be let near a system at the administrative level.
Congratulations, you've likely just let your system become an open
CGI-exploitable mail relay, if my estimation of what you're carving up is
actually correct.
I suggest you hire a professional before you manage to get your system
listed on just about every RBL through sheer ignorance.
--
Vorxion - Founder of the knocking-shop of the mind.
"You have it, you sell it, you've still got it--what's the difference?"
--Diana Trent, "Waiting for God", on why a modelling agency is really a
knocking-shop. Applied by me to the field of consulting. :)
The Sci-Fi fan's solution to debt: Reverse the polarity on your charge card.
Wow
Good thing I didn't ask for someone to chop my head off instead of asking
for help or I would be in a heck of a mess right now.

> Oy. Put -down- the keyboard, and slowwwwwly back away. Before you break
> anything else, preferably.
>
> I don't know what CGI script you're using (looks like one of the lousier
> versions of FormMail from the snippet you presented), but HTTP_REFERER is
> remarkably easy to spoof.
>
> That you don't know what it is or what the code above is meant to prevent
> says that you shouldn't be let near a system at the administrative level.
> Congratulations, you've likely just let your system become an open
> CGI-exploitable mail relay, if my estimation of what you're carving up is
> actually correct.
>
> I suggest you hire a professional before you manage to get your system
> listed on just about every RBL through sheer ignorance.
>
> --
> Vorxion - Founder of the knocking-shop of the mind.
>
> "You have it, you sell it, you've still got it--what's the difference?"
> --Diana Trent, "Waiting for God", on why a modelling agency is really a
> knocking-shop. Applied by me to the field of consulting. :)
>
> The Sci-Fi fan's solution to debt: Reverse the polarity on your charge card.
In article <Zednd.82584$Tq1.43087@bignews1.bellsouth.net>, Jeff Houston wrote:
>Wow
>Good thing I didn't ask for someone to chop my head off instead of asking
>for help or I would be in a heck of a mess right now.

That -was- help. I advised you that you were probably doing your system (and
its owner) a grave disservice, and you should stop and let a knowledgeable
professional work on it before you do more harm than you already have by
blindly removing a (fallible) sanity check in the existing software.

If you want a -specific- kind of answer, contract someone that you can fire
when you don't like what you hear. You already got more advice than you paid
for, so I shouldn't complain very loudly if I were you.

--
Vorxion - Founder of the knocking-shop of the mind.

"You have it, you sell it, you've still got it--what's the difference?"
--Diana Trent, "Waiting for God", on why a modelling agency is really a
knocking-shop. Applied by me to the field of consulting. :)

The Sci-Fi fan's solution to debt: Reverse the polarity on your charge card.
Jeff Houston <hous6751@bellsouth.net> wrote:
> @valid_ref = ('http://mydomain.com/') ;
> foreach $ref (@valid_ref) {
> if ($ENV{'HTTP_REFERER'} =~ m/$ref/i) {$is_valid = 1 ; last ;}
> }
>
> if (! $is_valid) {
> print "Content-type: text/html\n\nERROR - Invalid Referrer\n" ;
> exit 0 ;
> }
> All I did was delete this bottom part off and everything worked after that
> and I started getting emails. What is this bottom part for and if it dont
> work why was it there to start with?
[I'm smiling and happy, this is not a flame:]
1. The "bottom part" is there to prevent others from using your script
as an open proxy through which they can spam others;
2. It was put there to prevent the situation described in (1);
Anyway, Vorxion is right. Hands off the keyboard, back away slowly, and
rethink the whole thing. If you're not aware of the security
considerations that every experienced CGI programmer should know, then
you have no business dorking around with CGI. Among other things, you
can end up losing your hosting, or worse, internet service (if the
machine is on a host on your dialup, cable, DSL, ISDN, whatever) after
thousands of reports flood in about your open proxy.
Finally, this is a newsgroup for freelancers, not a general help group.
Sometimes the regulars will offer a hand, but that's not really what
this group is about. Chances are good that if you offered up a few
bucks to have someone put your script right (or replace it with
something less risky, if that's warranted) you'd get a quick offer.
That all said, good luck with the thing.
--
Art Sackett,
Patron Saint of Drunken Fornication
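Vorxion's point that HTTP_REFERER is trivially spoofable and Art's point that the deleted block is the script's only brake on being used as a mail relay are easier to see side by side in code. The following is an added example, not the thread's FormMail script and not code from any FormMail release: it mirrors the deleted Referer gate in Python (same unanchored, case-insensitive match the Perl `m/$ref/i` does), then shows the control that actually limits relaying, a recipient table fixed on the server so form input can pick a key but never an address. The hostnames, addresses and request environments are constructed for the example.

```python
"""Added example (not the thread's FormMail script): the Referer gate the
poster deleted, reimplemented so its behaviour can be inspected, beside a
server-side recipient allowlist.  All hosts, addresses and form values are
constructed for this example."""
import re
from typing import Dict, Mapping

# The allowlist from the thread's snippet.  The Perl original used each
# entry as a case-insensitive, unanchored regular expression (m/$ref/i).
VALID_REF = ["http://mydomain.com/"]


def referer_check_as_posted(environ: Mapping[str, str]) -> bool:
    """Mirror of the deleted check: accept when any entry matches anywhere
    in HTTP_REFERER.  A request with no Referer header can never match."""
    referer = environ.get("HTTP_REFERER", "")
    return any(re.search(ref, referer, re.IGNORECASE) for ref in VALID_REF)


def assess_referer(environ: Mapping[str, str]) -> str:
    """Defender's reading of one request against the gate above."""
    if "HTTP_REFERER" not in environ:
        # Browsers and proxies may omit the header; legitimate users hit
        # the same "Invalid Referrer" error the poster saw.
        return "rejected: header absent"
    if referer_check_as_posted(environ):
        # The header is client-supplied, so a match proves nothing about
        # where the request really came from.
        return "accepted: header matched (client-controlled value)"
    return "rejected: header present, no match"


# Server-side policy for where mail may go.  Keys are what the form may
# name; the addresses never come from the request, so the script cannot be
# turned into a relay to arbitrary recipients whatever headers the client
# sends.  Addresses are constructed placeholders.
RECIPIENTS: Dict[str, str] = {
    "webmaster": "webmaster@mydomain.example",
    "sales": "sales@mydomain.example",
}


def build_message(form: Mapping[str, str]) -> Dict[str, str]:
    """Resolve the recipient through the server-side table and return the
    message for the mailer.  Anything not on the table raises ValueError."""
    key = form.get("recipient", "")
    if key not in RECIPIENTS:
        raise ValueError(f"recipient key {key!r} is not on the allowlist")
    return {
        "to": RECIPIENTS[key],
        "subject": form.get("subject", "Form submission"),
        "body": form.get("body", ""),
    }


if __name__ == "__main__":
    # Constructed CGI environments, one per case worth knowing about.
    cases = {
        "legitimate": {"HTTP_REFERER": "http://mydomain.com/contact.html"},
        "stripped":   {},
        "self-set":   {"HTTP_REFERER": "http://mydomain.com/"},
        "unanchored": {"HTTP_REFERER": "http://other.example/?u=http://mydomain.com/"},
    }
    for name, env in cases.items():
        print(f"{name:11s} {assess_referer(env)}")
    print(build_message({"recipient": "webmaster", "subject": "hi", "body": "test"}))
```

Run stand-alone it walks the four cases: a legitimate referer passes; a request whose browser or proxy dropped the header is rejected, which is one way a perfectly good form ends up at `ERROR - Invalid Referrer`; a client that simply sets the expected header passes; and, because the entry is used as an unanchored regex, so does any URL that merely contains it. None of those outcomes changes where `build_message` will send mail, which is the property the Referer gate was standing in for.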