
ASP Form Mailer

Status
Not open for further replies.

rebelfan

Technical User
Feb 7, 2005
24
US
I have a form mail script written in ASP on my site that our hosting provider built, but if you have virus protection software and it is enabled it will give you a No Referer error. What can I do to keep this from happening and people that submit the form having to disable their anti-virus software?
 
HTTP_REFERER is part of the HTTP Request header.

Your code will read it with a line that looks something like this:
MyString = Request.ServerVariables("HTTP_REFERER")


So, take a look at your code and find this line... then try to figure out what your code does with this value... it is probably just some security feature in the code to prevent webcrawler bots sending email but who knows.

IMHO if someone has a personal firewall or virus protection program that is causing their computer to send partial or malformed HTTP Requests then that is their own fault... your site is probably not the only one that gives them trouble.
 
Here is what it says about the HTTP_REFERER:

if Request.ServerVariables("Content_Length") = 0 then
    call AddErrorMsg("No form data submitted.")
end if

'Check if referer is allowed.

if UBound(referers) >= 0 then
    validReferer = false
    referer = GetHost(Request.ServerVariables("HTTP_REFERER"))
    for each host in referers
        if host = referer then
            validReferer = true
        end if
    next
    if not validReferer then
        if referer = "" then
            call AddErrorMsg("No referer.")
        else
            call AddErrorMsg("Invalid referer: '" & referer & "'.")
        end if
    end if
end if

What do I need to do to keep this from affecting people?
 
rebelfan, put in a
response.write referer
line after the referer = GetHost(Request.ServerVariables("HTTP_REFERER"))
so that you can test to see what is coming through.

The HTTP_REFERER CAN be blocked from clientside so that it does not pass to the web server or a false value can be sent. So, you may not be able to use the referer validation code effectively.

Since you said you get "No referer" messages that means according to the above code that the referer value is blank.

You need to consider why the referer authentication check is there and if you need it. If not, you can remove that whole section of code.

It would appear that a list of valid referers is maintained and compared to, to prevent someone from getting to this from an unauthorized source. You need to determine if that is truly an issue for you and if you decide to bypass the referer code then look at what potential security issues you might need to consider addressing differently.

Good luck.
 
I do not know.
Why is the code there in the first place?
What is the nature of the form and its data?

HTTP_REFERER can be blocked or spoofed so it is not a good method of providing security.

'referers' appears to be an array.
First the script checks to make certain the array has been established, if it has not then it skips the entire rest of that script.
If the array exists then it grabs the HTTP_REFERER value and begins looping through referers comparing the array values against HTTP_REFERER. If it finds a match it sets the flag validReferer to true and that will cause it to skip the rest of the checking.
If validReferer is not true it then checks to see if the referer value is blank. If blank it gives out the "No Referer" message. If it was not blank then it is obviously still not one in the array so it gives out an invalid referer message.

I assume that 'referers' is a list of valid locations or filenames that can submit to the ASP page to process the email.
When the form info passes to the ASP page to submit as email it wants to make certain that the info coming in is truly from someone filling out your form and not someone trying to send junkmail through your ISP's mailer.

I do not know enough about the rest of the code or what it submits to to really say what problems you might have if you bypassed this checking. It is possible that someone could use the security hole to send unauthorized mail through the ISP's system. I would not think this much control over their email security would be left in your hands though.
 
I removed the referer section of the script and did not get the error so that solved my problem. Thanks
 
Since this is an email script the check of HTTP_REFERER is probably to prevent others from using your ASP page to send their own email... probably an anti-spam measure.

I'd keep an eye on your web logs for this page just to make sure it isn't being abused.
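
One way to do the log review suggested above, as an added example that is not part of the original thread: it reads IIS W3C extended log lines, counts POSTs to the mailer page by referer class, and lists clients that post in bursts. The page path, allowed host, threshold and sample log lines are all assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

MAILER_PATH = "/formmail.asp"        # assumption: hypothetical path of the mailer page
ALLOWED_HOSTS = {"www.example.com"}  # assumption: hosts that serve the real form
BURST_THRESHOLD = 3                  # assumption: POSTs per client that merit a look

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Referer)
2005-02-07 10:01:12 192.0.2.10 POST /formmail.asp 200 http://www.example.com/contact.htm
2005-02-07 10:05:40 192.0.2.11 POST /formmail.asp 200 -
2005-02-07 10:06:02 198.51.100.7 POST /formmail.asp 200 http://other.example.net/x.htm
2005-02-07 10:06:03 198.51.100.7 POST /formmail.asp 200 http://other.example.net/x.htm
2005-02-07 10:06:04 198.51.100.7 POST /formmail.asp 200 http://other.example.net/x.htm
2005-02-07 10:07:00 192.0.2.10 GET /contact.htm 200 -
"""

def classify_referer(value):
    """Return 'ok', 'missing' or 'foreign' for a logged referer value."""
    if value in ("", "-"):
        return "missing"  # header stripped by client software, as in the thread
    host = (urlsplit(value).hostname or "").lower()
    return "ok" if host in ALLOWED_HOSTS else "foreign"

def review_mailer_posts(log_text):
    """Summarise POSTs to the mailer: referer classes and busy client IPs."""
    fields, classes, per_ip = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") != "POST":
            continue
        if row.get("cs-uri-stem", "").lower() != MAILER_PATH:
            continue
        classes[classify_referer(row.get("cs(Referer)", "-"))] += 1
        per_ip[row.get("c-ip", "?")] += 1
    busy = sorted(ip for ip, n in per_ip.items() if n >= BURST_THRESHOLD)
    return {"referers": dict(classes), "busy_clients": busy}

if __name__ == "__main__":
    print(review_mailer_posts(SAMPLE_LOG))
```

A "missing" count on its own matches what the thread describes (privacy or anti-virus software stripping the header); repeated posts from one client with a foreign referer are the pattern worth following up.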
 
Yes, I agree with Sheco. You should contend yourself to find the actual problem instead of just removing the piece of code and making it work... by doing that you are defeating the purpose of that piece of code... just keep an eye out for "backdoor" events...

-DNG
 
Here is an example what it says on the e-mail after a form is submitted. I don't know if it has anything to do with the referer though.

HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
REMOTE_ADDR: 208.148.213.46

I'm not a programmer and not sure how to find the actual problem but if anyone would like to help me I would greatly appreciate it.

Thanx
 