Alternate HTML & CGI with Some Security Provisions

Vol. 3. No. 1 — November 1997

© Thomas N. Robb, 1997
Kyoto Sangyo University

This page contains the sample HTML and sample CGI for a more secure version of the submission page. With this version, all classes using the page would have to know the same password (up to 10 letters). Changing the password involves modifying the CGI code itself, which isn't very convenient and isn't perfectly secure, since anyone with an account in the school might have 'read permission' for the CGI programs. While this CGI is not resistant to dedicated hackers within the school, it should provide reasonably good protection against most simple pranks.

    <HTML>
    <BODY>
    <FORM METHOD=POST action="http://www.kyoto-su.ac.jp/cgi-bin/paperalt.cgi">
    <table border=0>
    <tr>
    <td><b>What is your instructor's name? --></b></td>
    <td>
    <select name="tchremail">
    <option value="trobb@cc.kyoto-su.ac.jp"> Press mouse here!
    <option value="ishii@cc.kyoto-su.ac.jp"> Thomas Robb
    <option value="robb-m@cc.kyoto-su.ac.jp"> Takeo Ishii
    </select>
    </td>
    </tr>
    <tr>
    <td>Enter your password here--></td>
    <td><input type=text name="psword" size=10></td>
    </tr>
    <tr>
    <td>Your name:</td>
    <td>Your E-mail address</td>
    </tr>
    <tr>
    <td><input type=text name="studname" size=30></td>
    <td><input type=text name="studemail" size=30></td>
    </tr>
    </table>
    <p>
    <CENTER>
    <FONT SIZE=+1>Type or paste in your text below.</FONT><BR>
    <TEXTAREA NAME="message" WRAP=HARD ROWS=5 COLS=60>
    </TEXTAREA>
    <INPUT TYPE="submit" VALUE="Submit your message">
    <INPUT TYPE="reset" VALUE="Erase">
    </CENTER>
    </FORM>
    </BODY>
    </HTML>

In order to make this work, you need to enter 'robbtest' as the password. Try something else, or leave it blank, to see the 'Sorry!' message.


The CGI

    #! /NF/local/Solaris2J/bin/perl

    # Read the POSTed form body and split it into name=value pairs.
    read(STDIN, $in, $ENV{'CONTENT_LENGTH'});
    @in = split(/&/, $in);

    # URL-decode each pair and store it in the %in hash.
    foreach $i (0 .. $#in) {
        $in[$i] =~ s/\+/ /g;
        ($key, $val) = split(/=/, $in[$i], 2);
        $val =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $in{$key} = $val;
    }

    $studemail = $in{"studemail"};
    $tchremail = $in{"tchremail"};
    $studname  = $in{"studname"};
    $message   = $in{"message"};
    $frompage  = $ENV{'HTTP_REFERER'};
    $psword    = $in{"psword"};

    # This statement checks that both the password and the referring page
    # are correct.
    if (($psword eq "robbtest") && ($frompage eq "http://www.kyoto-su.ac.jp/people/teacher/trobb/paperalt.html")) {
        # If both are correct then the following statements are processed.

        # The statements below send a brief acknowledgement to the browser.
        print "Content-type: text/html\n\n";
        print <<"ending_print_tag";
    <html><head><title>TEST</title></head><body>
    <h1>Your e-mail has been sent!</h1>
    <h3>Click your BACK button to return to your original page</h3>
    <br>
    </body></html>
    ending_print_tag

        # The statements below send mail to the teacher.
        # Note that this demo program is set up so that the "student's" address is placed
        # on the 'TO' line. For normal use, the 'tchremail' variable would be placed here.
        # All of the other places (From, Reply-To, Sender and Return-Path) can contain
        # the student's address variable "$studemail" or the address of the person who
        # set up the CGI and HTML pages.
        open(MAIL, "|/usr/lib/sendmail -t");
        print MAIL "From trobb@cc.kyoto-su.ac.jp\n";
        print MAIL "Reply-To: trobb@cc.kyoto-su.ac.jp\n";
        print MAIL "Sender: trobb@cc.kyoto-su.ac.jp\n";
        #print MAIL "Return-Path: <trobb@cc.kyoto-su.ac.jp>\n";
        print MAIL "To: $studemail \n";
        print MAIL "From: trobb@cc.kyoto-su.ac.jp\n";
        print MAIL "Cc:\n";
        print MAIL "Subject: Paperless Classroom E-mail Test \n";
        print MAIL "This e-mail was generated by the demo which can be found at the\n";
        print MAIL "following URL: \n\n";
        print MAIL " http://www.kyoto-su.ac.jp/people/teacher/trobb/paperless.html \n";
        print MAIL "If this is a valid message, the URL below should match the one above : \n";
        print MAIL " $frompage \n";
        print MAIL "-------------\n\n";
        print MAIL "From: $studemail \n";
        print MAIL "Name: $studname \n";
        print MAIL "To:   $tchremail \n\n";
        print MAIL "$message \n";
        close(MAIL);
    }
    # The statements below are invoked when either the password or the referring
    # address do not match.
    else {
        print "Content-type: text/html\n\n";
        print <<"ending_print_tag";
    <html><head><title>Sorry!</title></head><body>
    <h2>Sorry! You are not authorized to use this submission form!</h2>
    </body></html>
    ending_print_tag
    }
    # End of program
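The script above compares the password inside its own source (which, as noted earlier, other account holders may be able to read) and copies the addresses typed into the form straight onto mail header lines. The following is an added example, not the article's code, that keeps the same flow but reads a crypt() hash of the password from a separate file (the path is an assumption) and accepts only a single bare address for each header field; the mail-sending part of the original script would follow unchanged.

```perl
#!/usr/bin/perl
# Added example, not the article's code: the same checks as paperalt.cgi,
# but the password is stored as a crypt() hash in a file outside the web
# tree (path below is hypothetical) that only the web server's account can
# read, so other account holders with read access to the CGI never see it.
use strict;
use warnings;
my $SECRET_FILE = '/etc/paperalt/secret';   # hypothetical: one line, a crypt() hash

# Decode an application/x-www-form-urlencoded body (the article's loop as a sub).
sub parse_form {
    my ($body) = @_;
    my %form;
    foreach my $pair (split /&/, $body) {
        my ($key, $val) = split /=/, $pair, 2;
        for ($key, $val) {
            $_ = '' unless defined $_;
            tr/+/ /;
            s/%([a-fA-F0-9]{2})/chr hex $1/eg;
        }
        $form{$key} = $val;
    }
    return \%form;
}

# The stored hash doubles as the salt, so the file never holds the plain password.
sub password_ok {
    my ($supplied, $hash) = @_;
    return defined $hash && length $hash && crypt($supplied, $hash) eq $hash;
}

# A value bound for a To:/From: line must be one bare address; anything with
# spaces, CR/LF or a second header is rejected rather than cleaned up.
sub valid_address {
    my ($addr) = @_;
    return defined $addr && $addr =~ /\A[\w.+-]+\@[\w-]+(?:\.[\w-]+)+\z/;
}

sub authorized {
    my ($in, $hash) = @_;
    return password_ok($in->{psword} // '', $hash)
        && valid_address($in->{tchremail}) && valid_address($in->{studemail});
}
read(STDIN, my $body, $ENV{CONTENT_LENGTH} || 0);
open my $fh, '<', $SECRET_FILE or die "cannot read $SECRET_FILE: $!";
my $hash = <$fh>;
chomp $hash if defined $hash;
close $fh;
print "Content-type: text/plain\n\n";
print authorized(parse_form($body // ''), $hash) ? "OK: hand the form to sendmail\n" : "Sorry!\n";
```

The secret file is written once with something like `perl -e 'print crypt("robbtest", "xy"), "\n"'` (salt "xy" chosen here) and made readable only by the web server's account; HTTP_REFERER is left as the informational line in the mail that the article's script already prints, since it is supplied by the browser and is often absent.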
