I'm encountering a problem with the 'verify referrer' in Jack's Formail.php, and I can't see why on earth this is not working.
From the instructions: By placing lumbroso.com in the referers array, this also allows http://www.lumbroso.com, ftp.lumbroso.com, lumbroso.com/dir/file/, any other http address with lumbroso.com in it and lumbroso.com's IP (216.64.145.194) address to access this script as well, so no users will be turned away.
Well, when I add my domain as instructed, it always comes up that I'm "sending from an unauthorised domain". I'm sure the script can't be bugged as it's so widely used. Therefore, does anyone know what's causing this to happen? I need this security, so I would like to sort it out.
Here's the relevant code:
// referers.. domains/ips that you will allow forms to
// reside on.
$referers = array ('chillisauce.co.uk');

// function to check the referer for security reasons.
// contributed by some one who's name got lost.. Thanks
// goes out to him any way.
// print_error() is defined elsewhere in FormMail.php.
function check_referer($referers){
    if (count($referers)){
        $found = false;
        // Splits "http://www.host.tld/path" on "/" and keeps element 2,
        // i.e. the host exactly as the browser sent it (including any port).
        $temp = explode("/",getenv("HTTP_REFERER"));
        $referer = $temp[2];
        for ($x=0; $x < count($referers); $x++){
            // exact, case-sensitive string comparison against the configured entry
            if ($referers[$x] == $referer){
                $found = true;
            }
        }
        if (!$found){
            print_error("You are coming from an <b>unauthorized domain.</b>");
            error_log("[FormMail.php] Illegal Referer. (".getenv("HTTP_REFERER").")", 0);
        }
        return $found;
    } else {
        return true; //Not a good idea, if empty, it will allow it.
    }
}

if ($referers)
    check_referer($referers);
This is the key part: it takes the 3rd part of the referer, i.e. in http://www.peter.com it would take www.peter.com. So you must use "www.chillisauce.co.uk".
        if ($referers[$x] == $referer){
            $found = true;
        }
    }
To modify it so it is a little less secure, but accepts just domains, you could use..
        // stristr(haystack, needle): the referer host is the haystack, the
        // configured domain is the needle, so 'chillisauce.co.uk' matches
        // a referer of 'www.chillisauce.co.uk'.
        if (stristr ($referer, $referers[$x])){
            $found = true;
        }
    }
but as I say.. this would mean a referer of 'sauce.co.uk' would be able to use the script.
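An added example, not part of FormMail.php, of a check that accepts the bare domain and its subdomains without the substring problem: it parses the host with parse_url, normalises case, and only matches on a full label boundary. The helper name referer_allowed and the test URLs are my own.

```php
<?php
// Added example (not FormMail.php's code): allow a configured domain and its
// subdomains, but reject look-alike hosts that merely contain the domain.
function referer_allowed(string $referer, array $allowed): bool
{
    // Take only the host part; explode("/")[2] would also keep "user@host:port".
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;               // empty or unparseable referer is rejected
    }
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $domain) {
        $domain = strtolower(trim($domain));
        if ($host === $domain) {
            return true;            // exact match: chillisauce.co.uk
        }
        // Subdomain match must start at a label boundary: ".chillisauce.co.uk"
        $suffix = '.' . $domain;
        $len = strlen($suffix);
        if (strlen($host) > $len && substr($host, -$len) === $suffix) {
            return true;            // www.chillisauce.co.uk
        }
    }
    return false;                   // e.g. chillisauce.co.uk.example.net, notchillisauce.co.uk
}

// Constructed sample referers with the expected verdict for each.
$referers = array('chillisauce.co.uk');
$cases = array(
    'http://www.chillisauce.co.uk/form.html' => true,
    'http://chillisauce.co.uk/'              => true,
    'https://Chillisauce.co.uk:8443/contact' => true,
    'http://chillisauce.co.uk.example.net/'  => false,
    'http://notchillisauce.co.uk/'           => false,
    ''                                       => false,
);
foreach ($cases as $ref => $expected) {
    $got = referer_allowed($ref, $referers);
    printf("%-42s %s\n", $ref === '' ? '(empty)' : $ref, $got === $expected ? 'ok' : 'MISMATCH');
}
```

The Referer header is supplied by the client and is often absent or easily forged, so a check like this only stops forms hosted on other sites from casually reusing the script; it is not an authentication control.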