Intermittent Error on Form Submit

Forum Moderators: coopster & phranque

Message Too Old, No Replies

Intermittent Error on Form Submit

Sorry this CGI is only available to ...

Mardi_Gras

8:51 pm on Jul 19, 2005 (gmt 0)

A very small number of visitors to one of my sites are telling me they cannot submit my contact form. They get an error mesage that says Sorry this CGI is only availble to sites hosted by (provider).

The provider's idea was to tell all my users to flush their browser cache and delete cookies before submitting the form. Right.

Since we are in the middle of a major campaign and cannot move the site at this moment, I am looking for a fix. Any ideas? Is it my script, the user's browser, or the host causing the problem?

By the way, I cannot reproduce the error but I have had enough complaints to know it is real.

wdr1

11:45 pm on Jul 19, 2005 (gmt 0)

My guess would be that the referer is being checked & doesn't have the expected site. Do you get the error if you copy & paste the submission url into the location bar? Could be the referer has to be 'www.site.com' and the affected users are surfing to 'site.com'?

Again, this is all guessing.

HTH,
-Bill

WWMike

3:59 pm on Jul 20, 2005 (gmt 0)

I agree with the reply above. The script is probably trying to eliminate remote access from outside domains and is not accounting for subdomains (which should be valid). To test that theory try submitting your form from both domain.com/form.html and www.domain.com/form.html to see if it happens to you. If it does, you can either add the missing variation to the script where it checks for that or better yet, ask your host to always redirect one variation to the other.

Mardi_Gras

4:21 pm on Jul 20, 2005 (gmt 0)

Thanks, guys. I will give that a try.

SeanW

4:59 pm on Jul 20, 2005 (gmt 0)

If it's your script (ie you can edit it), look for references to $ENV{'HTTP_REFERER'} (and yes, the mispelling is intentional). Remove the check.

Sean

WWMike

8:23 pm on Jul 20, 2005 (gmt 0)

Even if it is your script, I strongly suggest that you DON'T remove the domain check unless you're perfectly OK with the extremely likely possibility that some malicious or curious person will remotely submit your script countless times per second, filling up your inbox and leaving you scrambling to disable the script as you curse yourself and everyone else while struggling to put the domain check back in so that your script can go back live.

Just add all possible VALID domains to the list and do it right the first time.

The sections in question should look something like this:

@okaydomains=("http://mydomain.com", "http://www.mydomain.com");

sub valid_page
{
if (@okaydomains == 0)
{return;}
$DOMAIN_OK=0;
$RF=$ENV{'HTTP_REFERER'};
$RF=~tr/A-Z/a-z/;
foreach $ts (@okaydomains) {
if ($RF =~ /$ts/)
{ $DOMAIN_OK=1; }
}
if ( $DOMAIN_OK == 0) {
print "Content-type: text/html\n\n Sorry....Cant run from here!";
exit;
}
}

SeanW

9:05 pm on Jul 20, 2005 (gmt 0)

extremely likely possibility that some malicious or curious person will remotely submit your script countless times per second

There are easier, better ways to do this, such as recording the IP address and not taking any action if a certain threshold is exceeded. A dbm file will take care of this easily.

HTTP_REFERER is supplied by the client, and as such, can't be trusted. It is not a security mechanism.