Looking through my logs I've noticed that rate.cgi really gets a hammering. And yet, very few links have been rated that I can see.

Does the admin script use rate.cgi at any point during page rebuilds or link validation?

Or am I seeing a security flaw and perhaps the use of the script for some other purpose such as a spam session.

Cheers!

Mike

The admin panel does not physically access rate.cgi...but simply the data files held in /admin/data/rates/.

It could even be that search engines following the link to rate.cgi, when they scan your directory....as this counts for a 'hit' on pretty much all servers.

Cheers

Andy (mod)
andy@ultranerds.co.uk

---

Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!

I doubt that it is search engines because none of the other link scripts are getting the same attention.

Rate cgi is also being rated as one of the highest entry and exit pages and the numbers are identical meaning that whatever is accessing rate.cgi doesn't go anywhere else on the site.

Mike

It may just be that people are goint to the rate page, but not rating anything, just looking. I get several hits on my deadlink reporter, but the links reported are good, so I figure it's curiosity...


Leonard
aka PerlFlunkie

I'm getting around 6000 hits a month on the rate.cgi and as I said, rate.cgi is listed as an entry page and exit page for those 6000 (ie they came directly to the site to rate.cgi and left straight afterwards.

Mike

Maybe you can make rate.cgi use the same security as add.cgi, that is, mod it to use db_refferer? You would need to change the error message to "The rate feature cannot be accessed directly. Please visit the site and click on 'rate'." or something like that... Try adding this:

# Check the referer.
if (@db_referers and $ENV{'HTTP_REFERER'}) {
$found = 0;
foreach (@db_referers) {
$ENV{'HTTP_REFERER'} =~ /$_/i and $found++ and last;
}
if (!$found) {
&site_html_add_failure ("Auto submission is not allowed in this directory. Please visit the site to add your entry.");
return;
}
}

under this in rate.cgi:

sub main {
# --------------------------------------------------------
local (%in) = &parse_form;

Let us know if it works...
PS-- FYI, everytime a browser has to go to the server for something, it counts as a hit, so if a page has the html code, and five pictures (gif, jpeg...) then one visit to that page counts as six 'hits'.


Leonard
aka PerlFlunkie