John,
A question similar to signupdamnit's. Can the parameters of an existing program be changed? If the parameters of a program can be changed, what is preventing a program owner from manually doing it in the database? Are the settings encrypted?
Exploit scenario:
- Program owner advertises a 50% revshare program.
- An affiliate signs up and grabs the ref links.
- The program owner writes a script that changes the revshare percentage setting of that program in the NATS database. For example, it changes the settings to "don't pay on join" or it changes the settings to not pay on rebills.
- The program owner writes a second script that restores the revshare settings for that program back to the original settings. (let's call it restore.php)
- The owner modifies the template for the affiliate backend/dashboard to include <img src="/restore.php?id=$affiliateaccount"> so that the restore.php gets executed every time the affiliate logs in to his account. The restore.php script then restores the settings for that affiliate account.
The program owner can then shave (by changing the revshare settings for the program associated with the ref links the affiliate previously grabbed and is using), and when an affiliate logs in, everything is covered up.
PS: the question is not limited to NATS. Other affiliate software providers are encouraged to explain how their software prevents this kind of tampering.