Gossamer Forum

can environmental variables be forged?

Hi there,

I'm trying to find out if environmental variables such as $ENV{'HTTP_REFERER'} can be forged?

In other words, can someone fake the $ENV{'HTTP_REFERER'} and gain access to a program that properly checks for valid referrers?

thanks for your help.

peace.
Re: [klangan] can environmental variables be forged?
Yeah I could fake my referer to bypass your checks. I could create fake cookies too.
Re: [klangan] can environmental variables be forged?
Hello Klangan,

I am guessing you were thinking of using some sort of identity or sanity check with $ENV{vars}.

Server $ENV variables and their content are not a basis for security for the web after grade 1.

Read / use them for generally untrusted reasons.

It is just like giving away your Bank card number and pin to a telephone sales person. Trust = -0.

Do you need to secure the OS that runs the web service?

Do you need to secure something on a web site?

And how much $$ are you willing to pay Paul ?? (-:

cornball

Last edited by cornball: Feb 5, 2003, 7:25 PM

Re: [cornball] can environmental variables be forged?
Hi,

Well, of course that depends on the ENV. =) HTTP_REFERER is not to be trusted and can be forged easily, whereas REMOTE_USER is to be trusted.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [cornball] can environmental variables be forged?
Hi Cornball,

I'm just trying to make absolutely sure that only one specific site is allowed to use a particular script I made. I'm using LWP to contact the server and currently checking the REMOTE_ADDR variable, but it sounds like that can be faked also.

It sounds like my best bet is to give the script a convoluted name (so someone can't find it easily), then have my LWP script pass in a username and password, thereby authorizing access.

(The script provides access to user info (long story), which is why I'm concerned about someone else finding it.) All data is transferred via SSL.

Anyway, thanks for the info everyone, I appreciate the feedback.

peace.

klangan
Re: [klangan] can environmental variables be forged?
REMOTE_ADDR is a lot harder to fake than the referer.

Adding a username and password will increase security, so it's always good to secure something properly if the data inside is sensitive.
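An added example (mine, not code from the thread) of the approach klangan describes above and Paul endorses: the CGI on the receiving server never consults HTTP_REFERER or REMOTE_ADDR and instead checks a username/password that the LWP client sends in a Basic Authorization header over SSL. It assumes the web server exposes that header to the script as $ENV{HTTP_AUTHORIZATION} (Apache needs explicit configuration for this) and uses a constructed placeholder account store.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);
use Digest::SHA  qw(sha256_hex);

# Constructed credential store: username => salt and SHA-256 of salt.password.
# Hypothetical values; in practice load these from a file outside the docroot.
my %ACCOUNTS = (
    feedbot => {
        salt => 'constructed-salt',
        hash => sha256_hex('constructed-salt' . 'example-only-password'),
    },
);

# Compare two strings without leaking, via timing, where they first differ.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Accept the request only on valid Basic credentials. HTTP_REFERER and
# REMOTE_ADDR are deliberately never read: the caller sets the former
# freely, and the latter identifies a network address, not a principal.
sub authorized {
    my ($env) = @_;
    my $hdr = $env->{HTTP_AUTHORIZATION} // '';
    return 0 unless $hdr =~ m{^Basic\s+([A-Za-z0-9+/=]+)$};
    my ($user, $pass) = split /:/, decode_base64($1), 2;
    return 0 unless defined $user && defined $pass && exists $ACCOUNTS{$user};
    my $acct = $ACCOUNTS{$user};
    return const_eq(sha256_hex($acct->{salt} . $pass), $acct->{hash});
}

if (authorized(\%ENV)) {
    print "Content-type: text/plain\n\nOK\n";
} else {
    print "Status: 401 Unauthorized\n",
          "WWW-Authenticate: Basic realm=\"private\"\n",
          "Content-type: text/plain\n\nforbidden\n";
}
```

On the client side, calling `$request->authorization_basic($user, $pass)` on an HTTP::Request sent through LWP::UserAgent to an https:// URL produces the header this script checks.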
Re: [Paul] can environmental variables be forged?
Thanks Paul,

Sounds like I'm on the right check.

peace.

klangan