Old 11-01-2001, 11:05 AM   #1
Kimmykim
bitchslapping zebras!!!!!
 
Join Date: Jun 2001
Location: In a shack by the beach
Posts: 16,015
If you own a paysite, READ THIS NOW

www.spoofer.de

If you use .htaccess to protect your members area, you had better take a look at this.

You are basically wide open to people downloading the program and getting access.
Old 11-01-2001, 11:07 AM   #2
12clicks
Too lazy to set a custom title
 
Join Date: Jan 2001
Location: God's right hand
Posts: 19,791
YES!
now I don't need my credit card anymore.
Old 11-01-2001, 11:09 AM   #3
Kimmykim
bitchslapping zebras!!!!!
 
Join Date: Jun 2001
Location: In a shack by the beach
Posts: 16,015
Quote:
Originally posted by 12clicks:
YES!
now I don't need my credit card anymore.
You have a credit card?
Old 11-01-2001, 11:11 AM   #4
ElvisManson
Looking California
 
Join Date: Feb 2001
Posts: 5,476
Thanks KK,

My techies are downloading now to test.

Sure 12Clicks has a credit card...how do you think he pays for his cape and boots?



------------------
The All NEW www.PythonVideo.com Portal Page
Python
Dollar Machine
Naughty Mail Pay by click
Awesome Content
Old 11-01-2001, 11:13 AM   #5
Wizzo
2011 GFY Hall of Fame!
 
Join Date: Nov 2000
Location: Back in Texas!
Posts: 15,224
He's talking about the ones that came with the "Tonka's Big Man Business Adventure Set" he got for Christmas last year.
Old 11-01-2001, 11:13 AM   #6
Kimmykim
bitchslapping zebras!!!!!
 
Join Date: Jun 2001
Location: In a shack by the beach
Posts: 16,015
Quote:
Originally posted by ElvisManson:
Thanks KK,

My techies are downloading now to test.

Sure 12Clicks has a credit card...how do you think he pays for his cape and boots?

I thought he used the five finger discount on those.
Old 11-01-2001, 11:14 AM   #7
ElvisManson
Looking California
 
Join Date: Feb 2001
Posts: 5,476
Quote:
Originally posted by Kimmykim:
I thought he used the five finger discount on those.
He only does that for the Pink satin undies.



Old 11-01-2001, 11:30 AM   #8
Osholio
Confirmed User
 
Join Date: Sep 2001
Location: UK
Posts: 99
Referrer spoofing? Good god, that's utterly trivial to do. Hell, I've written scripts to do it in Perl to pull images off the ifriends site for my 'active banners'.

It's an inherent limitation of HTTP: using .htaccess files to prevent hotlinking based upon the HTTP referrer header (or as it's used, 'referer') has always been vulnerable to spoofing.

If you use this to protect your members' areas, then you're in trouble, and have always been in trouble. Basic realm protection should still be secure from this kind of spoofing, but the ultra-paranoid should verify usernames and passwords via a secure (SSL) page and then set up a session cookie to allow access to the members' content. That kind of setup will also protect the site from brute-force crackers.

One day, I may use my powers for evil...

------------------
ClickCash - Better than 1:99 and $50 for signing up
Lightspeed Cash - Converts like crazy
Old 11-01-2001, 11:33 AM   #9
Amputate Your Head
There can be only one
 
Join Date: Aug 2001
Location: Somewhere else
Posts: 39,075
Quote:
Originally posted by Osholio:
One day, I may use my powers for evil...
If you do, call me up... I'd like to submit a resume for the evil hunch-backed sidekick position.

Old 11-01-2001, 11:38 AM   #10
Osholio
Confirmed User
 
Join Date: Sep 2001
Location: UK
Posts: 99
Quote:
Originally posted by Amputate Your Head:
Quote:
Originally posted by Osholio:
One day, I may use my powers for evil...
If you do, call me up... I'd like to submit a resume for the evil hunch-backed sidekick position.

I'll keep you in mind.. Do you prefer to be called ee-gore or eye-gore?


Old 11-01-2001, 11:39 AM   #11
Amputate Your Head
There can be only one
 
Join Date: Aug 2001
Location: Somewhere else
Posts: 39,075
Quote:
Originally posted by Osholio:
Do you prefer to be called ee-gore or eye-gore?
"Lumpy" is fine...

Old 11-01-2001, 11:45 AM   #12
Kimmykim
bitchslapping zebras!!!!!
 
Join Date: Jun 2001
Location: In a shack by the beach
Posts: 16,015
Osholio -- are you from Holio by any chance?
Old 11-01-2001, 11:47 AM   #13
Osholio
Confirmed User
 
Join Date: Sep 2001
Location: UK
Posts: 99
Tonight, Lumpy, we take over the WORLD!


Old 11-01-2001, 11:51 AM   #14
erotictrance
Confirmed User
 
Join Date: Nov 2001
Location: Southern California
Posts: 328
This was mentioned on Netpond yesterday ...

Some people said they tested it, and it worked pretty well ...

------------------
erotictrance
Old 11-01-2001, 11:52 AM   #15
Amputate Your Head
There can be only one
 
Join Date: Aug 2001
Location: Somewhere else
Posts: 39,075
I need TP for my bunghole! BUUUUUNGHOLIO!! yea! yea...! nnngngngghhhaaAAAH!
Old 11-01-2001, 11:52 AM   #16
Osholio
Confirmed User
 
Join Date: Sep 2001
Location: UK
Posts: 99
Quote:
Originally posted by Kimmykim:
Osholio -- are you from Holio by any chance?
I have no idea where Holio is. My usual nickname is 'Os', but most sites think it's too short and tell me to fuck off when I try to register, so I expanded it after seeing an episode of Beavis and Butthead.

"I am Osholio! I need tcp/ip for my bunghole!"

Sorry, I shouldn't drink during the day.


Old 11-01-2001, 11:52 AM   #17
ElvisManson
Looking California
 
Join Date: Feb 2001
Posts: 5,476
Quote:
Originally posted by Osholio:
Tonight, Lumpy, we take over the WORLD!


I think Pinky and The Brain already have that line



Old 11-01-2001, 11:54 AM   #18
Kimmykim
bitchslapping zebras!!!!!
 
Join Date: Jun 2001
Location: In a shack by the beach
Posts: 16,015
Quote:
Originally posted by erotictrance:
This was mentioned on Netpond yesterday ...

Some people said they tested it, and it worked pretty well ...

Unfortunately I agree.

Old 11-01-2001, 12:00 PM   #19
rollin
Confirmed User
 
Join Date: Oct 2001
Posts: 436
password protecting all areas
is the best solution
content providers should password protect their content
Old 11-01-2001, 12:00 PM   #20
awechen
Confirmed User
 
Join Date: Oct 2001
Location: LA
Posts: 162
1. use SSL
2. use cookies
3. use session IDs
4. use random links
5. use layers
6. use JavaScript
If you have all this and a cool scripting setup, you don't have problems with fake accounts or fake referers...

But I think these problems will fuck the content provider more than the paysite owner... (if they have plugin content)


------------------
"Shock your systemadministration! Read manual-pages!"
Old 11-01-2001, 12:00 PM   #21
Osholio
Confirmed User
 
Join Date: Sep 2001
Location: UK
Posts: 99
Quote:
Originally posted by erotictrance:
This was mentioned on Netpond yesterday ...

Some people said they tested it, and it worked pretty well ...

As I said, if you're relying on anything that comes from the user's browser (like the referrer header) for authentication, then you're going to be fucked like Gary's pets. Users tend to be sneaky buggers and will try all kinds of fun things to bypass security, and now that this tool has been written even the most clueless of plebs, erm, valued customers will try to screw you over.

In short, you won't be able to use the http-referer header as anything more than a line of text that the browser may send. Using it to protect your members areas will no longer work.

To be honest, anyone who used it that way will have been screwed over multiple times by now anyway; they'll just get screwed more often now.

Old 11-01-2001, 12:04 PM   #22
shunga
Confirmed User
 
Join Date: Apr 2001
Location: Loveland
Posts: 994
Quote:
Originally posted by Kimmykim:
Unfortunately I agree.
Now's the point you tell us your techs are working on something..?
Old 11-01-2001, 12:48 PM   #23
erotictrance
Confirmed User
 
Join Date: Nov 2001
Location: Southern California
Posts: 328
I totally agree Osholio ...

Since someone said they were testing ... I was just pointing out that the Netponders had also tested it and said it worked ...

Will the ripoffs ever end??? ... LOL

Keeping on top of all this security stuff is enough to drive me insane ... LOL ... but I'm always grateful for the information ...

P.S. Gotta love those "customers" who are always trying to rip us to no end ... LOL
Old 11-01-2001, 12:49 PM   #24
rollin
Confirmed User
 
Join Date: Oct 2001
Posts: 436
I can confirm it works.
Tried it on one of my members areas, to a content provider's plugin we use... and it worked.
Old 11-01-2001, 01:13 PM   #25
erotictrance
Confirmed User
 
Join Date: Nov 2001
Location: Southern California
Posts: 328
BTW ...

Is htaccess the only thing that content providers have to protect the stuff they're selling to other sites? I thought they had password protection, among other things ...

Just curious ...

Old 11-01-2001, 01:26 PM   #26
danevans
Confirmed User
 
Join Date: Jun 2001
Location: Europe
Posts: 1,295
I heard that Gary is setting up some Bouncer(tm) teams at ThugCash. Beta testing should be in progress..
Old 11-01-2001, 01:45 PM   #27
rollin
Confirmed User
 
Join Date: Oct 2001
Posts: 436
Nope, they just use .htaccess,
no password protection.

btw KimmyKim,
Congrats. You are over 1000 posts!!
Old 11-01-2001, 01:48 PM   #28
Kimmykim
bitchslapping zebras!!!!!
 
Join Date: Jun 2001
Location: In a shack by the beach
Posts: 16,015
Quote:
Originally posted by rollin:
Nope, they just use .htaccess,
no password protection.

btw KimmyKim,
Congrats. You are over 1000 posts!!
Do I win something?
Old 11-01-2001, 01:51 PM   #29
Gary
Confirmed User
 
Join Date: Aug 2001
Location: Kimmykims couch
Posts: 6,110
Quote:
Originally posted by Kimmykim:
Do I win something?
I'll give you a back rub when you get home tonight and I finish with your dog.
Old 11-01-2001, 02:01 PM   #30
Kimmykim
bitchslapping zebras!!!!!
 
Join Date: Jun 2001
Location: In a shack by the beach
Posts: 16,015
Quote:
Originally posted by Gary:
I'll give you a back rub when you get home tonight and I finish with your dog.
Can't I go before the dog?
Old 11-01-2001, 02:02 PM   #31
Gary
Confirmed User
 
Join Date: Aug 2001
Location: Kimmykims couch
Posts: 6,110
Quote:
Originally posted by Kimmykim:
Can't I go before the dog?
Hmmmmmm....NO!
Old 11-01-2001, 02:03 PM   #32
Kimmykim
bitchslapping zebras!!!!!
 
Join Date: Jun 2001
Location: In a shack by the beach
Posts: 16,015
Quote:
Originally posted by Gary:
Hmmmmmm....NO!
Fine then, you sleep in the lounge chair out back from now on.
Old 11-01-2001, 02:10 PM   #33
rollin
Confirmed User
 
Join Date: Oct 2001
Posts: 436
Gary can sleep with the dog.
Old 11-01-2001, 02:17 PM   #34
Kimmykim
bitchslapping zebras!!!!!
 
Join Date: Jun 2001
Location: In a shack by the beach
Posts: 16,015
Quote:
Originally posted by rollin:
Gary can sleep with the dog.
um, no. The dog sleeps with me.
Old 11-01-2001, 02:18 PM   #35
ElvisManson
Looking California
 
Join Date: Feb 2001
Posts: 5,476
Quote:
Originally posted by Kimmykim:
um, no. The dog sleeps with me.

Now that is a visual.....




Old 11-01-2001, 02:19 PM   #36
Kimmykim
bitchslapping zebras!!!!!
 
Join Date: Jun 2001
Location: In a shack by the beach
Posts: 16,015
Damn, I knew that was too good for some people to pass up
Old 11-01-2001, 04:20 PM   #37
-=HUNGRYMAN=-
Confirmed User
 
Join Date: Jun 2001
Location: Between your mamma's legs
Posts: 4,753
OK KK... my question is this:
I have a paysite, with the .htaccess installed as part of the CCBill install.
Will you guys be creating a new means of securing a website, and how soon will it be out?

------------------

Airforce come and dey flatten your home !!!
The Black Sheep of the Boneprone Family
I like to rub HERTURN on my nipples
Old 11-01-2001, 04:57 PM   #38
Phil21
Confirmed User
 
Join Date: May 2001
Location: ICQ: 25285313
Posts: 993
This isn't a ".htaccess" problem, it's a "checking for valid users by referrer" problem. CCBill should be okay, I would assume. They use HTTP auth to allow access to member areas (coincidentally, this ALSO goes in the .htaccess file). This means the browser must send a valid UID/password *each hit* or the item will not be served up.

I would assume most paysites would not be vulnerable to this, but then again I'm surprised *ANYONE* would be so downright stupid to protect a members area via referrer checking. So I could stand corrected.

-Phil
Old 11-01-2001, 05:08 PM   #39
Amputate Your Head
There can be only one
 
Join Date: Aug 2001
Location: Somewhere else
Posts: 39,075
Question for ya Phil21.... I have my stuff hard coded into my conf file versus using htaccess. Does that offer me any better resistance than using it in htaccess? (my guess is no, since it's virtually the same code.)
Old 11-01-2001, 09:14 PM   #40
Phil21
Confirmed User
 
Join Date: May 2001
Location: ICQ: 25285313
Posts: 993
Amp, nope. It's *exactly* the same as having a .htaccess file, it's just the htaccess file is dynamically loaded (and looked for whether or not it exists if AllowOverrides is turned on) and lets users control certain aspects of their apache config. Essentially it's just an extension of your conf file, but loaded for each hit, not all at one time.

Your way is actually better performance-wise, as long as you have AllowOverrides turned off. Apache doesn't have to make the I/O call to see if the file exists (and read it if it does) since it's all "hard coded".

peace,

-Phil
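Added example, not from any poster in this thread and not CCBill's installer output: an Apache 2.4 httpd.conf fragment that puts the referer-based gate the spoofer defeats (Osholio, #8) next to the HTTP Basic auth that requires a valid username/password on every hit (Phil21, #38), with the directives in the server config and per-directory overrides switched off as Phil describes (#40). The hostname www.example.com, the directory paths and the htpasswd file are assumptions.

```apache
# Added example (Apache 2.4 syntax); hostname, paths and htpasswd file are placeholders.
# Apache does not allow comments on the same line as a directive, so they sit above.

# 1. WEAK: gating the members area on the Referer header (mod_setenvif + mod_authz_host).
#    Referer is supplied by the client, so any request that claims to come from
#    www.example.com is let in. This is the check a referer spoofer defeats.
<Directory "/var/www/members-weak">
    SetEnvIf Referer "^https?://www\.example\.com/" from_site
    Require env from_site
</Directory>

# 2. CORRECTED: HTTP Basic authentication (mod_auth_basic + mod_authn_file).
#    The browser must present valid credentials with every request;
#    the Referer header is never consulted.
#    Create the password file with:  htpasswd -c /etc/apache2/members.htpasswd alice
<Directory "/var/www/members">
    AuthType Basic
    AuthName "Members Area"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/members.htpasswd"
    Require valid-user
    # Basic auth only base64-encodes the credentials, so insist on TLS (mod_ssl),
    # matching Osholio's "verify over SSL" advice.
    SSLRequireSSL
</Directory>

# 3. With the auth directives living in httpd.conf, turn off .htaccess processing:
#    Apache then skips the per-request .htaccess lookup (Phil's performance point)
#    and no .htaccess dropped into the tree can loosen or replace the rules above.
<Directory "/var/www">
    AllowOverride None
</Directory>
```

Run `apachectl configtest` after editing; a missing mod_authz_host, mod_auth_basic or mod_ssl shows up there as an unknown-directive error rather than as a silently open members area.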
Old 11-01-2001, 09:17 PM   #41
Amputate Your Head
There can be only one
 
Join Date: Aug 2001
Location: Somewhere else
Posts: 39,075
Thought so.... thanks Phil.
Old 11-02-2001, 03:57 AM   #42
XP
Confirmed User
 
Join Date: Mar 2001
Location: Thailand
Posts: 384
I had this mspoofer before from a friend (older versions).

But I don't need mspoofer; I can do it with Internet Explorer too :)
AtGuard, Norton Internet Security allow you to modify/block referer, user agent, cookies etc.!!

Anyway, it's the content providers' problem. They must resolve that!

------------------
screw you guys, I'm going to home!