Question

I have a website, powered by MODx, that is centered around a form. Access to the webpage with the form is restricted to registered members (handled by MODx). The user fills out a few text entries, selects a file for upload, then hits submit. The specified action is a submit.py CGI script under /cgi-bin that logs the submitted information and saves the file, and it executes perfectly.

The only concern I have is that any form (apparently), if they specify the right URL for the <form> action attribute, seems to be able to link their form to my CGI script. Meaning that they can write the following on their own page:

<form action="http://my-site.com/cgi-bin/submit.py">
    <!-- blah blah blah -->
</form>

and the data will be sent to my CGI form and processed (undesirable behavior).

My question is this: is there a way to restrict execution of the script based on the HTML form that sent the data? Am I missing something really obvious?

I've searched online and found a slightly related issue of CSRF, but if there's a way apart from token authentication to prevent unauthorized use of the CGI script, I would love to hear it.


Solution

You can make a one-use token that must be sent with your form to ensure it is valid (this is what you mentioned).

Though this could be grabbed and sent as well.

Checking the referrer isn't useful because it is easily spoofed, or absent (some proxies filter it).

In short, without using the token to mitigate it, you are in trouble. Except everyone else on the web has this problem :)
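One way to implement the one-use token the answer describes, as an added example that is not code from the question's submit.py: the token is issued when the form page is rendered to a logged-in member, stored server-side against that member's name, and burned on its first use, so a copy of the form hosted elsewhere has nothing valid to send. The in-memory dictionary stands in for whatever session storage the real site uses (an assumption for this example).

```python
import hmac
import secrets
import time

# Constructed stand-in for server-side session storage; in a real CGI
# deployment this would live in the MODx session or a database so it
# survives across requests.
_issued = {}  # token -> (username, expiry timestamp)
TOKEN_TTL = 600  # seconds a token stays valid after being issued


def issue_token(username):
    """Call when rendering the form for a logged-in member; embed the result
    in a hidden <input> so only that rendered page can submit."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    _issued[token] = (username, time.time() + TOKEN_TTL)
    return token


def consume_token(token, username, now=None):
    """Validate a submitted token and burn it. Returns True at most once per
    token, and only for the member it was issued to, before it expires."""
    now = time.time() if now is None else now
    entry = _issued.pop(token, None)  # pop, so a replayed token fails
    if entry is None:
        return False
    owner, expiry = entry
    # compare_digest avoids leaking the owner's name through timing
    return hmac.compare_digest(owner, username) and now <= expiry


def handle_submission(form_fields, session_user):
    """What submit.py would do first: reject the POST unless the token in the
    form matches one issued to the currently logged-in member."""
    if not consume_token(form_fields.get("csrf_token", ""), session_user):
        return "rejected"
    # ... log the fields and save the upload here ...
    return "accepted"
```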

Licensed under: CC-BY-SA with attribution