Old 07-07-2003, 04:06 PM   #1
Shoplifter
Richest man in Babylon
 
Shoplifter's Avatar
 
Industry Role:
Join Date: Jan 2002
Location: Posts: 10,002
Posts: 5,826
Postback script vulnerabilities

I've been having a lot of trouble with people being able to create
IDs without any problem using ACPayPostBack.cgi and the various other postback CGIs. These guys do not know the script passes, but they can still use them to create accounts.

I'm just in the process of renaming all the CGIs, but what else can be done to improve security with these scripts once the hackers find their locations once again? Are all the CGIs from various processors vulnerable?
Old 07-07-2003, 04:59 PM   #2
DerekT
Confirmed User
 
Join Date: Jun 2001
Location: Apple Valley, MN
Posts: 112
I'm not too familiar with those scripts, however you could add referer checking at the top of each script. If the visitor is not coming from a "trusted" referer they could be redirected elsewhere and the account would not be created.

If you need code I could write something for you in a few mins.
Old 07-07-2003, 05:17 PM   #3
Acolyte
Registered User
 
Join Date: Oct 2002
Location: Tucson, AZ
Posts: 22
Quote:
Originally posted by Shoplifter
I've been having a lot of trouble with people being able to create
IDs without any problem using ACPayPostBack.cgi and the various other postback CGIs. These guys do not know the script passes, but they can still use them to create accounts.

I'm just in the process of renaming all the CGIs, but what else can be done to improve security with these scripts once the hackers find their locations once again? Are all the CGIs from various processors vulnerable?

Depending on the script and usage it would be possible to log the IP of the members you send off to the billing processor and only allow recent ones through your postback.

If you do this be aware of AOL and other ISPs who use multiple proxies with their users.

You could also use a session id and send it with the outgoing request to your processor in a field that will get returned. Store it in a DB and only allow one account to be made for each session.
Also remove sessions after a set time has passed.
__________________
... just a thought ...
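The one-account-per-session scheme described in the post above, as an added example that is not code from the thread or from any billing processor. It assumes the processor echoes a session_id form field back unchanged on the postback; the in-memory store stands in for the database, and the token TTL is a placeholder value.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # placeholder: how long a sign-up session stays valid


class PostbackSessionStore:
    """Tracks session ids issued when a visitor is sent to the processor.

    In-memory stand-in for the DB the post describes (assumption). Each id
    can be redeemed by the postback CGI exactly once, and only before expiry.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self._pending = {}  # session id -> time it was issued
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested

    def issue(self):
        """Called on the join page: returns the id to send to the processor."""
        self.purge_expired()
        token = secrets.token_urlsafe(24)  # unguessable, unlike a counter
        self._pending[token] = self._now()
        return token

    def purge_expired(self):
        """Remove sessions older than the TTL, as the post recommends."""
        cutoff = self._now() - self._ttl
        for token in [t for t, ts in self._pending.items() if ts < cutoff]:
            del self._pending[token]

    def consume(self, token):
        """Called by the postback CGI. True exactly once per live session id.

        pop() removes the id atomically here; a real DB would use a single
        DELETE (or a transaction) so two concurrent postbacks cannot both win.
        """
        self.purge_expired()
        return self._pending.pop(token, None) is not None


def handle_postback(store, form):
    """Gate account creation on a valid, unused, unexpired session id.

    `form` is the parsed postback parameters; the session id field name is
    an assumption. Returns an (HTTP status, message) pair.
    """
    token = form.get("session_id", "")
    if not store.consume(token):
        return 403, "rejected: unknown, expired or already-used session id"
    # Only now would the real script create the member account.
    return 200, "account created"
```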
Old 07-07-2003, 05:21 PM   #4
Madball
Confirmed User
 
Join Date: May 2002
Location: Oslo, Norway
Posts: 748
Change your CGI security key, change File Name of CGI & make sure the cgi-bin directory can't be listed.

On top of that, make sure you don't have any executable files on your page that somebody might have placed there that help attackers locate the CGI files.