Re: virtual domain name and relative URLs
by John.ksi(at)webplus.net
Date: Mon, 28 Feb 2000 13:39 EST
To: hwg-servers(at)hwg.org

>This worked, but I discovered that it introduced a security hole. Anyone
>could potentially install a copy of the form in their web account and run
>messages thru the myorg.com email server. We've since plugged the
>hole by adding code to the FormHandler script to check the
>HTTP_REFERER value.
Sorry if this seems like a non-answer, but even before you started
using virtual servers (and checking the referer), anybody could put
a form on any server ANYwhere and still have it invoke your CGI.
>So my question is, is there a way for the sysadmin to configure the
>server so that we webmasters can use relative URLs and virtual domain
>names together?
Not sure there's a single answer that can apply to all web sites.
So without a comprehensive look at how your web server is used and
managed, I'd perhaps stick to your sysadmin's advice. In any case,
I suspect the "security hole" as you describe it already exists.
If you really don't want any ol' person using their OWN forms on
your CGI's, then maybe add a password field in the form that the
CGI checks for. I say this, tho', without really knowing what is
desired to be accessible and what needs to be protected.
-John Koch - - - __o
Knowledge Systems, Inc. - - - - _ \<,_
<John.ksi(at)webplus.net> - - (_)/ (_)
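
An added example, not part of the original message and not the poster's FormHandler script: a Python version of the handler-side check that keeps the HTTP_REFERER test from the quoted text and adds a server-issued hidden field, in the spirit of the password field suggested above. The key, the host list, the `form_token` field name and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit

SECRET = b"constructed-demo-key"                # assumption: kept on the server only
ALLOWED_HOSTS = {"myorg.com", "www.myorg.com"}  # assumption: hosts serving the real form
MAX_AGE = 900                                   # seconds a rendered form stays valid

def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def issue_token(now=None):
    """Hidden-field value generated each time the server renders the form."""
    ts = str(int(time.time() if now is None else now))
    return ts + "." + _mac(ts)

def token_ok(token, now=None):
    """True only for an unexpired token that this server issued."""
    ts, sep, mac = (token or "").partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= MAX_AGE

def referer_ok(environ):
    """The HTTP_REFERER check from the quoted text. The header is supplied
    by the client, so passing it does not prove where the form lives."""
    try:
        host = urlsplit(environ.get("HTTP_REFERER", "")).hostname
    except ValueError:
        return False
    return host in ALLOWED_HOSTS

def accept_submission(environ, fields, now=None):
    """Process the form only if both checks pass."""
    return referer_ok(environ) and token_ok(fields.get("form_token"), now)
```

A token taken from a freshly loaded copy of the real form is still accepted until it expires, so this stops static copies of the form rather than every caller; fixing the mail recipient inside the handler instead of reading it from a form field narrows what an accepted submission can do.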
HWG: hwg-servers mailing list archives,
maintained by Webmasters @ IWA