Enhanced Downloads Module (Astalavista-BD version)

Posted: Fri Feb 17, 2006 11:46 am

Somehow my PoC is gone regarding a bug in this download module.
It has the download URL base64 encoded in the submit form.

Therefore someone could write an easy harvester to create hotlinking to your website.

In case of a special constructed form on the harvesters website he is able to bypass all security systems inside the module.

Solutions:

1. disable module

2. or remove the message that says that you have hotlink protection

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Sting removed that thread because he felt it was a potential issue with kiddies. I have not read it yet. Do you see it that way?

Posted: Sun Feb 19, 2006 9:23 am

It can't hack your server. It only allows kiddies to hotlink/mirror your complete download area.

Someone that can code (so not a kiddie) can write a script to do that. That's why i only provided a PoC with the smallest code to show how to convert the bug and not a full blown code Wink

Posted: Sun Feb 19, 2006 10:03 am

Okay, I think I will restore the thread. Thanks!