Re: [Full-Disclosure] CERT: Vulnerability in web redirectors

From: Kurt Seifried (kurtat_private)
Date: Fri Mar 21 2003 - 19:59:38 PST


    Like hack4life stated, this is a pretty well-known problem. Solving it isn't
    too hard. Legitimate clients will send an HTTP referer; thus an unsuspecting
    user who clicks on a redirect link in an email will send a blank referer, or,
    coming off a website, that website's referer. So simply add some logic in
    your script to check the referer; a quick and dirty example in PHP (yes,
    this code is horrible and ugly, but it's a reasonably clear example):
    
    <HTML>
    <HEAD>
    <TITLE>You are now leaving example.org</TITLE>
    <?php
    /* The destination is passed as the whole query string,
       e.g. redirect.php?http://other.example/page
       Escape it before echoing so the page itself can't be used to inject markup. */
    $target  = htmlspecialchars($_SERVER["QUERY_STRING"], ENT_QUOTES);
    /* Referer is optional: a link followed from an email client sends none. */
    $referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
    
    if (preg_match ("/example\.org\//i", $referer)) {
      /* Referer names our site: redirect (meta refresh plus a fallback link). */
      print "<META http-equiv=\"refresh\" content=\"1;URL=" . $target . "\">";
      print "</HEAD>";
      print "<BODY bgcolor=\"#ffffff\">";
      print "<P>[1] Redirecting you to: <A HREF=\"" . $target . "\">" . $target
          . "</A>, if it doesn't work click on the link.</P>";
      print "<P>" . htmlspecialchars($referer, ENT_QUOTES) . "</P>";
    } else {
      /* Blank or foreign referer: refuse to redirect. */
      print "</HEAD>";
      print "<BODY bgcolor=\"#ffffff\">";
      print "<P>Someone has tried to use this site's web redirector in an
    attempt to make a link appear legitimate.</P>";
    }
    ?>
    </BODY>
    </HTML>
    
    Obviously this is not bullet proof; anyone who hacks their client to send
    fake referers can get around it, but then we aren't trying to block that
    kind of person, we're simply trying to prevent widespread abuse by a
    spammer/etc.
    
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
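The referer gate described in the message above, as an added example that is not part of the original post or of any project's code. It is written in Python rather than PHP so the logic can be run stand-alone; the site hostnames (example.org, www.example.org) and the convention of passing the destination as the raw query string are assumptions. It goes one step beyond the post's substring regex by parsing the Referer and comparing the host exactly, and it shows with a constructed sample why that matters: the regex /example\.org\// also matches a referer such as http://attacker.test/example.org/.

```python
"""Referer gate for a web redirector (added example, not from the post).

Assumptions (not in the original): the site's hostnames are example.org
and www.example.org, and the redirector receives its destination as the
raw query string, as in redirect.php?http://other.example/page.
"""
import re
from html import escape
from typing import Tuple
from urllib.parse import urlsplit

# Hostnames that count as "our own site" (assumed for this example).
SITE_HOSTS = {"example.org", "www.example.org"}


def naive_regex_check(referer: str) -> bool:
    """The substring test from the post: it matches 'example.org/' anywhere
    in the Referer, so http://attacker.test/example.org/ passes as well.
    Kept only to show the weakness."""
    return re.search(r"example\.org/", referer or "", re.IGNORECASE) is not None


def referer_is_local(referer: str, allowed_hosts=SITE_HOSTS) -> bool:
    """Accept only a Referer whose parsed hostname is one of ours.

    A missing or empty Referer (a link followed from an email client) is
    rejected, which is exactly the case the post wants to block.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def redirect_response(query_string: str, referer: str) -> Tuple[int, str]:
    """Return (HTTP status, HTML body) for one redirector request.

    The destination is HTML-escaped before it is echoed into the meta
    refresh and the fallback link, so the page cannot be used to inject
    markup either.
    """
    if not referer_is_local(referer):
        body = ("<p>Someone has tried to use this site's web redirector "
                "in an attempt to make a link appear legitimate.</p>")
        return 403, body
    target = escape(query_string, quote=True)
    body = (f'<meta http-equiv="refresh" content="1;URL={target}">'
            f'<p>Redirecting you to: <a href="{target}">{target}</a>, '
            f"if it doesn't work click on the link.</p>")
    return 200, body


if __name__ == "__main__":
    # Constructed sample referers: blank (email), our own site, and a
    # foreign site whose path merely contains "example.org/".
    for ref in ("", "http://www.example.org/links.html",
                "http://attacker.test/example.org/"):
        print(f"{ref!r:45} regex={naive_regex_check(ref)!s:5} "
              f"parsed={referer_is_local(ref)}")
```

A client that sets an arbitrary Referer still gets through, as the message says; the host comparison only closes the hole that a well-formed URL on someone else's site can open without any client tampering.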
    



    This archive was generated by hypermail 2b30 : Sat Mar 22 2003 - 01:04:43 PST