It is possible to poll the file directly and if the right values are passed the scripts will process. If the right values are not passed the script will return errors. This can result in high server loads in a DNS attack scenario.
To start with, we need to validate the proper $_GET values are returned.
That will kill any use of the file if those values are not valid. We can validate the URL by making sure it contains the domain name and fits a regular expression for a URL of some kind. If it doesn't then we die();. Type is even easier to validate. If it doesn't match one of the two valid "types" the script dies.
That should dramatically improve security on the file.
It is possible to poll the file directly and if the right values are passed the scripts will process. If the right values are not passed the script will return errors. This can result in high server loads in a DNS attack scenario.
To start with, we need to validate the proper $_GET values are returned.
That will kill any use of the file if those values are not valid. We can validate the URL by making sure it contains the domain name and fits a regular expression for a URL of some kind. If it doesn't then we die();. Type is even easier to validate. If it doesn't match one of the two valid "types" the script dies.
That should dramatically improve security on the file.