From: Jonathan S. <jn...@ge...> - 2004-08-23 16:24:16
On Mon, 2004-08-23 at 09:03, John wrote:
> We are using your script for form to email feedback and we are
> receiving results. However our web stats show that the cgi script is
> not being called - but we are receiving form results.
> A recent example: We received 7 form results but web stats show the
> script was only visited/used twice.
> Script is set to 1 referer and allow to 1 recipient. Allow empty
> referer is set to 1 because of firewalls so effectively we can't check
> referers. How can we control to only allow form results from our site?

It would probably be useful to see the http logs for the accesses to
FormMail that you don't believe originated on the site, as well as
examples of the messages that you think are being sent from elsewhere.

Unfortunately the referer check is not particularly secure because it is
trivially spoofed by even the simplest custom client (such as spammers
might use); this is why TFmail doesn't even include such a check.

It is unlikely that FormMail will ever be given any more secure method of
checking the origin of the request. However, it is possible that we may
consider adding some functionality to TFmail to ensure that the request
comes from a controlled page. This could be implemented by having the
program itself generate the form page (TFmail currently allows the
creation of a templated page to be displayed on a GET request) and send
some token (such as a cookie or hidden field value) which can only be
used once and will be sent back to TFmail on form submission, thus
ensuring with a relatively high degree of confidence that the submission
was from your form.

Unfortunately we do not have this functionality available currently, but
I would recommend that you consider a switch to TFmail as this is where
we are putting all our development effort.

I have copied the developers list in case anyone has got a better idea
about how to go about this and the time to implement it.

/J\
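The single-use token scheme sketched in the message above, written out as an added example (this is not TFmail or FormMail code, and the `OneTimeFormTokens` class, `handle_submission` and the `/cgi-bin/TFmail.pl` action path are assumptions): the handler mints a random token when it renders the form, keeps it server-side with an expiry, and deletes it on the first submission, so a replayed, forged or stale token is rejected before any mail is sent.

```python
import secrets
import time


class OneTimeFormTokens:
    """Single-use form tokens (hypothetical helper, not TFmail's own code).

    GET:  the handler renders the form itself and embeds a fresh random
          token as a hidden field (a cookie would serve the same purpose).
    POST: a submission is accepted only if its token was issued here, is
          unexpired and unused. Deleting the token on first use means a
          captured form cannot be replayed, and a client that never fetched
          the form has nothing valid to send.
    """

    def __init__(self, ttl_seconds=900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now        # injectable clock so expiry can be tested
        self._issued = {}     # token -> expiry timestamp (server-side state)

    def issue(self):
        """Mint an unguessable token and remember when it stops being valid."""
        cutoff = self.now()   # drop stale tokens so abandoned forms don't pile up
        self._issued = {t: e for t, e in self._issued.items() if e >= cutoff}
        token = secrets.token_urlsafe(32)
        self._issued[token] = cutoff + self.ttl
        return token

    def render_form(self, action="/cgi-bin/TFmail.pl"):  # action path assumed
        """Generate the form page, as the mail suggests the program should."""
        token = self.issue()
        return (
            f'<form method="post" action="{action}">\n'
            f'  <input type="hidden" name="form_token" value="{token}">\n'
            '  <input type="text" name="email">\n'
            '  <input type="submit" value="Send">\n'
            '</form>'
        )

    def consume(self, token):
        """True exactly once for a live token; False if unknown, reused or stale."""
        expiry = self._issued.pop(token, None)   # removed on first use: no replay
        return expiry is not None and self.now() <= expiry


def handle_submission(tokens, fields):
    """Gate a parsed POST (dict of field -> value) before any mail is sent."""
    if tokens.consume(fields.get("form_token", "")):
        return "accepted"
    return "rejected: missing, expired or already-used form token"
```

The store here is an in-process dict; a CGI script that is re-executed per request would keep the issued tokens in a file or database instead, with the same issue/consume semantics.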