Quote:
Originally posted by Shoplifter
I've been having a lot of trouble with people being able to create
IDs without any problem using ACPayPostBack.cgi and the various other postback CGIs. These guys do not know the script passes, but they can still use them to create accounts.
I'm just in the process of renaming all the CGIs, but what else can be done to improve security with these scripts once the hackers find their locations once again? Are all the CGIs from various processors vulnerable?
Depending on the script and usage it would be possible to log the ip of the members you send off to the billing processor and only allow recent ones through your postback.
If you do this be aware of AOL and other ISPs who use multiple proxies with their users.
You could also use a session id and send it with the outgoing request to your processor in a field that will get returned. Store it in a DB and only allow one account to be made for each session.
Also remove sessions after a set time has passed.