kdcgrohl
12-10-2002, 10:42 AM
can this (http://www.kdcgrohl.com/testing/flexbook.pl) be modified so that $gbook can be defined on the form? the point would be to have multiple $gbook and only one pl file. can this be done?
:confused:
Sceiron
12-10-2002, 05:19 PM
It's technically possible, but I wouldn't suggest it with this particular guestbook script. The $gbook variable specifies a direct path to the HTML file it's going to write to. If that was passed from the form as a hidden field, someone could save the HTML, modify the path, and potentially nudge your guestbook into writing over any file it had access to. There are guestbook scripts out there that support multiple books. Try looking around at www.cgi-resources.com.

kdcgrohl
12-10-2002, 07:42 PM
ok, i see your point, but isn't that an easy fix by adding a sub to check that the referrer is from www.url.com? i would really like to use this script, i'm already using it as a guestbook on the site in question, but would like to also use it as a comment area for individual items. i would need to set $gbook and $success from the form, or just set $success to be whatever $gbook is. help would be very appreciated, as i really would need to use a version of this script. thanks...

Sceiron
12-10-2002, 07:48 PM
True, you could do a check on the referer, but it can be easily forged. Why not just make multiple copies of the script and have your various guestbooks call their own copy? That will also prevent people from forging the referer and creating their own guestbooks on your server, eating away at your resources.

kdcgrohl
12-11-2002, 08:26 AM
well, that would work, but that's what i was trying to avoid. i host the perl file on another server, and i don't really want to fill it up with perl files from another site. basically, what i'm saying is i have a site, and i webmaster for another site. the site i maintain doesn't have a cgi-bin but mine does, i don't wanna fill it up with crap for the other site, thus i only want one extra script in there, instead of 15 or 16 extras. i'm sure you can see my problem. so can you help out with a referrer checking sub and how to define $gbook from the form and how to set $success to equal whatever $gbook is? thanks...

kdcgrohl
12-11-2002, 09:23 AM
hmmmm, ok, been looking at it. can i just add a sub like this (i know this is probably the wrong syntax, fix would be appreciated):

    sub referer {
        # raise the REFERER error unless the referer starts with the expected site
        unless ($ENV{'HTTP_REFERER'} =~ m{^http://www\.url\.com/}) {
            &error("REFERER");
        }
    }

and add this to sub error:

    $ERR{"REFERER"} = "The script must be called from a certain referer.";

and put this as the first action:

    &referer;

wouldn't that do the referer check for me? can you correct my syntax errors in the sub? will this set $success to be whatever $gbook is?:

    $success = $gbook;

now how do i go about setting $gbook in the form?

jeffmott
12-11-2002, 10:14 AM
Perhaps an alternative that doesn't require the HTTP_REFERER environment variable and doesn't require multiple copies of the script. In place of

    $gbook = "/path/to/guestbook.html";

put

    $gbook = {
        'gb1' => '/path/to/guestbook1.html',
        'gb2' => '/path/to/guestbook2.html',
        'gb3' => '/path/to/guestbook3.html',
    };

Then in the post form have a select menu with a name of 'gb' and values of gb1, gb2, gb3. Then, just before the script writes to the guestbook (line 209) do

    $gbook = $$gbook{ $TAG{gb} } or die 'Invalid guestbook identifier';

kdcgrohl
12-11-2002, 10:18 AM
ok, but i need to set the gb# in a hidden field. how would that work?

jeffmott
12-11-2002, 10:21 AM
You should also use CGI.pm to parse your form input. The current parse_form routine will break under certain circumstances. Strict, warnings, and taint mode should all be used as well.
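Jeff's table-lookup approach written out as a complete CGI script, added here as an illustration; it is not flexbook.pl and not code from anyone in this thread. It assumes the form field name gb and the ids gb1, gb2, gb3 from his post, uses CGI.pm, strict, warnings and taint mode as he recommends, and derives $success from the chosen book as kdcgrohl asked. The %BOOKS table, the book_for helper, the file paths, the success URLs and the name/comment field names are all assumptions for the example. The security point is the one Sceiron made: the form only ever carries a short id, and the path that reaches open() is a literal from the table, so a modified hidden field can at worst pick a different entry in that table, never a file outside it.

```perl
#!/usr/bin/perl -T
# Added example (not flexbook.pl): resolve a form identifier to a guestbook
# file through a fixed table, so the form never carries a filesystem path.
use strict;
use warnings;
use CGI;

# Assumed table: the only files this script is allowed to append to, keyed by
# the short id the form sends. Paths and URLs are placeholders.
my %BOOKS = (
    gb1 => { file => '/path/to/guestbook1.html', url => '/guestbook1.html' },
    gb2 => { file => '/path/to/guestbook2.html', url => '/guestbook2.html' },
    gb3 => { file => '/path/to/guestbook3.html', url => '/guestbook3.html' },
);

# Returns the table entry for a valid id, or undef for anything else
# (missing field, '../../etc/passwd', an id that was removed, ...).
# The capture also untaints the id under -T; the returned path is a literal
# from %BOOKS, so taint mode never sees client data reach open().
sub book_for {
    my ($id) = @_;
    return undef unless defined $id && $id =~ /\A(gb[0-9]{1,3})\z/;
    return $BOOKS{$1};
}

my $q    = CGI->new;
my $book = book_for( scalar $q->param('gb') );

unless ($book) {
    print $q->header( -status => '400 Bad Request', -type => 'text/plain' );
    print "Invalid guestbook identifier.\n";
    exit;
}

# What kdcgrohl asked for: $gbook and $success both follow the chosen book.
my $gbook   = $book->{file};
my $success = $book->{url};

# Build the entry from escaped form fields (field names assumed).
my $name    = $q->escapeHTML( scalar $q->param('name')    // '' );
my $comment = $q->escapeHTML( scalar $q->param('comment') // '' );
my $entry   = "<p><b>$name</b>: $comment</p>\n";

# $gbook came from %BOOKS, not from the request, so this is the only place
# the script can ever write.
open my $fh, '>>', $gbook or die "cannot open $gbook: $!";
print {$fh} $entry;
close $fh or die "cannot close $gbook: $!";

print $q->redirect($success);
```

The form side is the hidden field Jeff describes, `<input type="hidden" name="gb" value="gb2">`; the field name only has to match the parameter the script reads. The script must be started with taint checking on (`perl -T`, or a web server that honours the `-T` in the shebang line), otherwise Perl refuses to run it. Adding a book still means adding a row to %BOOKS, which is exactly the trade-off argued over later in the thread: that one edit is what stops the script from writing wherever a form tells it to.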
kdcgrohl
12-11-2002, 10:24 AM
man, that's more work than i really wanna do for this, i'd like to keep it kinda simple, can't i just do what i asked last time without using the cgi.pm

jeffmott
12-11-2002, 10:30 AM
Originally posted by kdcgrohl:
ok, but i need to set the gb# in a hidden field. how would that work?

About the same as the select menu. Just set the name to 'gb' (or whatever you want to call it so long as it matches in the line $gbook = $$gbook{ $TAG{gb} } or die 'Invalid guestbook identifier';), and set the value to 'gb1', 'gb2', 'gb3' (or whatever you want to call these so long as they match what is in this line $gbook = { 'gb1' => '/path/to/guestbook1.html', 'gb2' => '/path/to/guestbook2.html', 'gb3' => '/path/to/guestbook3.html', };)

Originally posted by kdcgrohl:
man, that's more work than i really wanna do for this, i'd like to keep it kinda simple, can't i just do what i asked last time without using the cgi.pm

You can if you're willing to accept the pitfalls, but the way the script stands now I wouldn't recommend redistributing it to anyone else.

kdcgrohl
12-11-2002, 10:34 AM
Originally posted by jeffmott:
You can if you're willing to accept the pitfalls, but the way the script stands now I wouldn't recommend redistributing it to anyone else.

well, it will be for this site's use only. so what can you tell me about my referer idea, and can i define $gbook in the form without cgi.pm?

jeffmott
12-11-2002, 10:37 AM
Originally posted by kdcgrohl:
so what can you tell me about my referer idea

you don't need it anymore, which is good since it could be forged

Originally posted by kdcgrohl:
and can i define $gbook in the form without cgi.pm

The instructions in my previous posts still stand. CGI.pm, strict, warnings, and taint were all recommendations to find and fix various bugs in the program.

kdcgrohl
12-11-2002, 10:39 AM
ok, i'm gonna go try what you posted.

kdcgrohl
12-11-2002, 10:47 AM
ok, wait a second, that won't work. the problem is i can't be editing this pl file constantly to add/remove from the gbook line. that's why i wanted to set it in the form, that way, no editing to the pl file, ever. that's why i was thinking of checking the referrer. i'm not really worried about leeching from my server. so can i use the referer thing? what would be the correct syntax? how do i set the $gbook using a hidden field? sorry, but perl isn't my thing, i'm a javascript person...

Sceiron
12-11-2002, 01:17 PM
Originally posted by kdcgrohl:
i'm not really worried about leeching from my server.

Really? What's your root password then? Please let me know when the guestbook is done so I can tell all my friends. ;) Part of running stuff on the Internet is the responsibility to ensure that it's secure against abuse. As for passing the hidden field, that's just basic HTML in your form (based on Jeff's example)...

    <input type="hidden" name="gbook" value="gb1">

kdcgrohl
12-11-2002, 02:16 PM
ok then, i would like to know, if i do the referer check thing, how exactly this could be still used for another page? please enlighten me, and my root password is, hey, wait a minute....

Scriptage
12-11-2002, 02:23 PM
I'm currently developing a script that checks the referer before the program allows the main perl sub to run. How can the referer be forged? I might need to reprogram my program. Thanks in advance. Scriptage

Sceiron
12-11-2002, 03:07 PM
Originally posted by Scriptage:
How can the referer be forged?

Easy.. it's just another header that gets sent to the web server with the page request, just the same as the page being requested, as well as cookies that the client has for your domain, etc. Basically...

    GET /script.pl HTTP/1.1
    Referer: http://some.url.here

Might not be perfect since I haven't messed with HTTP commands for a while, but something close. Someone could write a script of their own that connects to your server with a forged header and messes with it, or they could telnet in directly to the web server.

Scriptage
12-12-2002, 04:18 AM
Thanks for your reply. I wrote a program that counts individual page hits along with total hits to a site. It creates a new record in a database with the name of a parameter "link"; so I'm really in the same situation as kdcgrohl, if you can forge a header and send the referer as my site then anybody can add records on my site. If you send me a link to a working version of the guestbook kdcgrohl, I'll see if I can make a guestbook that looks the same and supports multiple books. Regards

kdcgrohl
12-12-2002, 09:07 AM
Originally posted by jeffmott:
Perhaps an alternative that doesn't require the HTTP_REFERER environment variable and doesn't require multiple copies of the script. In place of $gbook = "/path/to/guestbook.html"; put $gbook = { 'gb1' => '/path/to/guestbook1.html', 'gb2' => '/path/to/guestbook2.html', 'gb3' => '/path/to/guestbook3.html', }; Then in the post form have a select menu with a name of 'gb' and values of gb1, gb2, gb3. Then, just before the script writes to the guestbook (line 209) do $gbook = $$gbook{ $TAG{gb} } or die 'Invalid guestbook identifier';

can i set that in a separate file? how?

kdcgrohl
12-12-2002, 11:37 AM
ok, let's just say for example, i use the script here (http://www.kdcgrohl.com/testing/flexbook.pl) that has been modified to check referer. how would i define $fileurl in the form instead of in the pl file? i can't for the life of me figure out how to do that, i've been trying for a while how to use an input from the form in this script.

jeffmott
12-13-2002, 11:02 AM
Originally posted by kdcgrohl:
can i set that in a separate file? how?

You could but you'd still have to modify the original script to include the external scripts. And since you'd be replacing one line statements in two very different places, it'd end up being more work.

webdeveloper.com
Copyright WebMediaBrands Inc., All Rights Reserved.