Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

PostPosted: Fri Feb 17, 2006 11:46 am Reply with quote

Somehow my PoC is gone regarding a bug in this download module.
It has the download URL base64 encoded in the submit form.

Therefore someone could write an easy harvester to create hotlinking to your website.

In case of a special constructed form on the harvesters website he is able to bypass all security systems inside the module.

Solutions:

1. disable module

2. or remove the message that says that you have hotlink protection
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Sat Feb 18, 2006 11:28 pm Reply with quote

Sting removed that thread because he felt it was a potential issue with kiddies. I have not read it yet. Do you see it that way?
 
View user's profile Send private message
djmaze
PostPosted: Sun Feb 19, 2006 9:23 am Reply with quote

It can't hack your server. It only allows kiddies to hotlink/mirror your complete download area.

Someone that can code (so not a kiddie) can write a script to do that. That's why i only provided a PoC with the smallest code to show how to convert the bug and not a full blown code Wink
 
Raven
PostPosted: Sun Feb 19, 2006 10:03 am Reply with quote

Okay, I think I will restore the thread. Thanks!
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©