PHP _POST processing from different servers

This site is best viewed in a modern browser with JavaScript enabled.

PHP _POST processing from different servers

ValNZ

I was wondering if it is possible for other servers to send POST to my server?

For example lets say I have a page that requires certain POST parameters be set so that they can see the page. Is it possible for someone to write a simple script on their own site that sends these POST parameters to my site? Such as a transaction page that uses a $_POST['item'] and displays details on it.

If so, isn't this a huge security breach? How can I prevent this?

NogDog

Sure it's possible. I do it for legitimate reasons all the time using PHP's cURL functions. It's only a huge security breach if you allow non-logged-in users to perform actions that would be potentially detrimental, or you don't use sufficiently strong log-in techniques to prevent unauthorized access.

ValNZ

So I could use a session to prevent this?

What if I don't allow anyone to access the script that processes the POST form without SESSION['logggedin'], they won't be able to? Will they be able to make their own _POST script and go to that page if they were also logged in to my site with that session?

NogDog

ValNZ;1298669 wrote:
So I could use a session to prevent this?

What if I don't allow anyone to access the script that processes the POST form without SESSION['logggedin'], they won't be able to?

Yes, that would be a typical approach.

Will they be able to make their own _POST script and go to that page if they were also logged in to my site with that session?

Yes, they could. They could even write a cURL script to go to the login page, enter their login credentials, and save the resulting session ID cookie, which they would then send with their POST request so that they have a valid session. If they are smart enough and find it worthwhile enough to do so, you'll likely never be able to tell whether it's from a "live" source or a script. If it's really a problem for you, then you could try adding a "captcha" field to the form. Even that is somewhat vulnerable if they really, really want to do this. (E.g.: their script could grab the captcha image, send it to some sweat shop in a 3rd world country where some poor soul sits there waiting to type in a response, which the script then uses to submit its request to your site.)

ValNZ

So there's no way to stop this except using a captcha?

Would having a session that say stores the last page the user was on stop this?

eg on the form page set _SESSION['lastpage'] to the page, and on the resulting form submit page if that 'lastpage' session is not the form page, then redirect them?

NogDog

In which case they could add a step to their script to go to that page first, then call the form processing page. This assumes, of course, that they are clever enough and/or persistent enough to guess that this is a required step. Also, in addition to cURL, there are probably browser-based tools that could do all of this, too (such as those designed for automated web testing -- though they'd have the same problems dealing with captcha images.)