Kimmykim

www.spoofer.de

If you use .htacccess to protect your members area, you had better take a look at this.

You are basically wide open to people downloading the program and getting access.

12clicks

YES!
now I don't need my credit card anymore.

Kimmykim

You have a credit card?

ElvisManson

Thanks KK,

My techies are downlaoding now to test.

Sure 12Clicks has a credit card...how do you think he pays for his cape and boots?



------------------
The All NEW www.PythonVideo.com Portal Page
Python
Dollar Machine
Naughty Mail Pay by click
Awesome Content

Wizzo

He's talking about the ones that came with the "Tonka's Big Man Business Adventure Set"... He got for Christmas last year.

Kimmykim

I thought he used the five finger discount on those.

ElvisManson

He only does that for the Pink satin undies.



------------------
The All NEW www.PythonVideo.com Portal Page
Python
Dollar Machine
Naughty Mail Pay by click
Awesome Content

Osholio

Referrer spoofing? Good god that's utterly trivial to do. Hell I've written scripts to do it in perl to pull images off the ifriends site for my 'active banners'.

It's an inherent limitation of HTTP, using .htaccess files to prevent hotlinking based upon the http referrer header (or as it's used, 'referer') has always been vunerable to spoofing.

If you use this to protect your member's areas, then you're in trouble, and have always been in trouble. Basic realm protection should still be secure from this kind of spoofing, but the ultra paranoid should verify usernames and password via a secure (SSL) page and then setup a session cookie to allow access to the members content. That kind of setup will also protect the site from brute force crackers.

One day, I may use my powers for evil...

------------------
ClickCash - Better than 1:99 and $50 for signing up
Lightspeed Cash - Converts like crazy

Amputate Your Head

If you do, call me up... I'd like to submit a resume for the evil hunch-backed sidekick position.

Osholio

I'll keep you in mind.. Do you prefer to be called ee-gore or eye-gore?


------------------
ClickCash - Better than 1:99 and $50 for signing up
Lightspeed Cash - Converts like crazy

Amputate Your Head

"Lumpy" is fine...

Kimmykim

Osholio -- are you from Holio by any chance?

Osholio

Tonight, Lumpy, we take over the WORLD!


------------------
ClickCash - Better than 1:99 and $50 for signing up
Lightspeed Cash - Converts like crazy

erotictrance

This was mentioned on Netpond yesterday ...

Some people said they tested it, and it worked pretty well ...

------------------
erotictrance

Amputate Your Head

I need TP for my bunghole! BUUUUUNGHOLIO!! yea! yea...! nnngngngghhhaaAAAH!

Osholio

I have no idea where Holio is. My usual nickname is 'Os' but most sites think it's too short and tells me to fuck off when I try to register, so I expanded it after seeing an episode of Beavis and Butthead.

"I am Osholio! I need tcp/ip for my bunghole!"

Sorry, I shouldn't drink during the day.


[This message has been edited by Osholio (edited 11-01-2001).]

ElvisManson

I think Pinky and The Brain already have that line



------------------
The All NEW www.PythonVideo.com Portal Page
Python
Dollar Machine
Naughty Mail Pay by click
Awesome Content

Kimmykim

Unfortunately I agree.

rollin

password protecting all areas
is the best solution
content providers should password protect their content

awechen

1. use SSL
2. use cookies
3. use session ID's
4. use radom links.
5. use layer's
6. use javascrip
if u have all this and a cool scripting setup .. u dont have problems with fake accounts or fake referer ...

but i think the this porblems will fuck the contentprovider more then the payside owner ... (if they have plugin content )


------------------
"Shock your systemadministration! Read manual-pages!"

Osholio

As I said, if you're relying on anything that comes from the user's browser (like the referrer header) for authentication then you're going to be fucked like Gary's pets. Users tend to be sneakly buggers and will try all kinds of fun things to by-pass security, and now this tool has been written even the most clueless of plebs, erm, valued customers will try to screw you over.

In short, you won't be able to use the http-referer header as anything more as a line of text that the browser may send. Using it to protect your members areas will no longer work.

To be honest, anyone who used it that way will have been screwed over multiple times by now anyway, they'll just get screwed more often now

------------------
ClickCash - Better than 1:99 and $50 for signing up
Lightspeed Cash - Converts like crazy

shunga

Now's the point you tell us your techs are working on something..?

erotictrance

I totally agree Osholio ...

Since someone said they were testing ... I was just pointing out that the Netponders had also tested it and said it worked ...

Will the ripoffs ever end??? ... LOL

Keeping on top of all this security stuff is enough to drive me insane ... LOL ... but I'm always grateful for the information ...

P.S. Gotta love those "customers" who are always trying to rip us to no end ... LOL

rollin

i can confirm it works
tried it on one of my members areas, to a content providers plugin we use...and it worked

erotictrance

BTW ...

Is htaccess the only thing that content providers have to protect the stuff they're selling to other sites? I thought they had password protection, among other things ...

Just curious ...

[This message has been edited by erotictrance (edited 11-01-2001).]

danevans

I heared that Gary is setting up some Bouncer(tm) teams at ThugCash. Beta testing should be in progress..

rollin

nope, they just .htaccess
no password protection

btw KimmyKim,
Congrads. You are over 1000 post's!!

Kimmykim

Do I win something?

Gary

I'll give you a back rub when you get home tonight and i finish with your dog.

Kimmykim

Can't I go before the dog?

Gary

Hmmmmmm....NO!

Kimmykim

Fine then, you sleep in the lounge chair out back from now on.

rollin

gary can sleep with the dog

Kimmykim

um, no. The dog sleeps with me.

ElvisManson

Now that is a visual.....




------------------
The All NEW www.PythonVideo.com Portal Page
Python
Dollar Machine
Naughty Mail Pay by click
Awesome Content

Kimmykim

Damn, I knew that was too good for some people to pass up

-=HUNGRYMAN=-

OK KK .... my question is this ...
I have a paysite, with the .htaccess installed as part of the CCBill install.
Will you guys be creating a new means of securing a website, and how soon will it be out ?

------------------

Airforce come and dey flatten your home !!!
The Black Sheep of the Boneprone Family
I like to rub HERTURN on my nipples

Phil21

this isn't a ".htaccess" problem, it's "checking for valid users by referrer" problem. CCbill should be okay, I would assume. They use HTTP auth to allow access (coincidently, this ALSO goes in the .htaccess file as well), to member areas. This means the browser must send a valid UID/password *each hit* or the item will not be served up.

I would assume most paysites would not be vulnerable to this, but then again I'm surprised *ANYONE* would be so downright stupid to protect a members area via referrer checking. So I could stand corrected.

-Phil

Amputate Your Head

Question for ya Phil21.... I have my stuff hard coded into my conf file versus using htaccess. Does that offer me any better resistance than using it in htaccess? (my guess is no, since it's virtually the same code.)

Phil21

Amp, nope. It's *exactly* the same as having a .htaccess file, it's just the htaccess file is dynamically loaded (and looked for whether or not it exists if AllowOverrides is turned on) and lets users control certain aspects of their apache config. Essentially it's just an extension of your conf file, but loaded for each hit, not all at one time.

Your way is actually better performance-wise, as long as you have AllowOverrides turned off. Apache doesn't have to make the I/O call to see if the file exists (and read it if it does) since it's all "hard coded".

peace,

-Phil

Amputate Your Head

Thought so.... thanks Phil.

XP

I have this mspoofer before from a friend (older versions).

But I don't need mspoofer, I can do it by Internet explorer too )
At Guard, Norton Internet Security allows you modify/block referer, user agent, cookies etc etc.!!

Anyway, its content providers problem. They must resolve that!

------------------
screw you guys, I'm going to home!