If you own a paysite, READ THIS NOW
www.spoofer.de
If you use .htaccess to protect your members area, you had better take a look at this. You are basically wide open to people downloading the program and getting access.
YES!
now I don't need my credit card anymore.
Thanks KK,
My techies are downloading now to test. Sure 12Clicks has a credit card... how do you think he pays for his cape and boots? ;) ------------------ The All NEW www.PythonVideo.com Portal Page Python Dollar Machine Naughty Mail Pay by click Awesome Content
He's talking about the ones that came with the "Tonka's Big Man Business Adventure Set"... He got for Christmas last year.
Referrer spoofing? Good god that's utterly trivial to do. Hell I've written scripts to do it in perl to pull images off the ifriends site for my 'active banners'.
It's an inherent limitation of HTTP: using .htaccess files to prevent hotlinking based upon the HTTP referrer header (or as it's used, 'referer') has always been vulnerable to spoofing. If you use this to protect your members' areas, then you're in trouble, and have always been in trouble. Basic realm protection should still be secure from this kind of spoofing, but the ultra paranoid should verify usernames and passwords via a secure (SSL) page and then set up a session cookie to allow access to the members content. That kind of setup will also protect the site from brute force crackers. One day, I may use my powers for evil... ------------------ ClickCash - Better than 1:99 and $50 for signing up Lightspeed Cash - Converts like crazy
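The post above contrasts a Referer-based gate with the SSL-login-plus-session-cookie setup it recommends. The following is an added example, written for this thread and not code from any poster or tool mentioned here: a Referer check that any client passes simply by sending the header, beside an HMAC-signed session cookie that a client cannot forge or alter without the server's key. The hostname, `SESSION_KEY`, the cookie layout and the sample requests are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed server-side secret; a real deployment loads it from config,
# never from the code. Anyone who knows it can mint sessions.
SESSION_KEY = secrets.token_bytes(32)
SESSION_TTL = 3600  # seconds a login stays valid

def referer_gate(headers: dict) -> bool:
    """The weak check the thread is about: trust the Referer header.
    The client fills in this header, so the gate only stops browsers that
    happen to tell the truth; it authenticates nothing."""
    referer = headers.get("Referer", "")
    return referer.startswith("https://members.example.com/")

def issue_session(username: str, now: Optional[int] = None) -> str:
    """Mint a session token after the SSL login page has verified the
    password. Layout: user|expiry|HMAC-SHA256(key, user|expiry)."""
    expires = (now if now is not None else int(time.time())) + SESSION_TTL
    payload = f"{username}|{expires}"
    tag = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def session_gate(headers: dict, now: Optional[int] = None) -> Optional[str]:
    """Return the username when the request carries a valid, unexpired
    session cookie, else None. Nothing the client sends can satisfy this
    without a token produced under SESSION_KEY."""
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    if "session" not in cookie:
        return None
    try:
        username, expires, tag = cookie["session"].value.split("|")
    except ValueError:  # wrong number of fields: malformed or tampered
        return None
    payload = f"{username}|{expires}"
    expected = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many tag bytes matched via timing
    if not hmac.compare_digest(tag, expected):
        return None
    current = now if now is not None else int(time.time())
    if int(expires) <= current:
        return None
    return username

def demo() -> dict:
    """Run constructed requests through both gates."""
    # What a spoofing tool sends: a Referer copied from the members area,
    # no credentials at all.
    spoofed = {"Referer": "https://members.example.com/index.html"}
    # A browser that really logged in at a fixed clock value.
    token = issue_session("alice", now=1_000_000)
    real = {"Cookie": f"session={token}"}
    # The same token with the username field edited; the HMAC no longer matches.
    forged = {"Cookie": "session=" + token.replace("alice", "mallory")}
    return {
        "spoofed_referer_passes": referer_gate(spoofed),
        "spoofed_session_user": session_gate(spoofed, now=1_000_000),
        "real_session_user": session_gate(real, now=1_000_000),
        "forged_session_user": session_gate(forged, now=1_000_000),
        "expired_session_user": session_gate(real, now=1_000_000 + SESSION_TTL),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The Referer gate returns True for the spoofed request; the session gate refuses it, accepts the genuine cookie, rejects the edited one because the HMAC no longer verifies, and rejects the genuine one once its expiry has passed. The cookie must be issued over SSL and marked Secure in a real deployment, or the token can be read off the wire just as easily as a Referer can be typed in.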
Osholio -- are you from Holio by any chance?
Tonight, Lumpy, we take over the WORLD!
This was mentioned on Netpond yesterday ...
Some people said they tested it, and it worked pretty well ... ------------------ erotictrance
I need TP for my bunghole! BUUUUUNGHOLIO!! yea! yea...! nnngngngghhhaaAAAH!
"I am Osholio! I need tcp/ip for my bunghole!" Sorry, I shouldn't drink during the day. [This message has been edited by Osholio (edited 11-01-2001).]
1. use SSL
2. use cookies
3. use session IDs
4. use random links
5. use layers
6. use javascript
if you have all this and a cool scripting setup .. you don't have problems with fake accounts or fake referers ... but I think these problems will fuck the content provider more than the paysite owner ... (if they have plugin content) ------------------ "Shock your systemadministration! Read manual-pages!"
In short, you won't be able to use the http-referer header as anything more than a line of text that the browser may send. Using it to protect your members areas will no longer work. To be honest, anyone who used it that way will have been screwed over multiple times by now anyway, they'll just get screwed more often now :)
password protecting all areas
is the best solution. Content providers should password protect their content.
I totally agree Osholio ...
Since someone said they were testing ... I was just pointing out that the Netponders had also tested it and said it worked ... Will the ripoffs ever end??? ... LOL Keeping on top of all this security stuff is enough to drive me insane ... LOL ... but I'm always grateful for the information ... P.S. Gotta love those "customers" who are always trying to rip us to no end ... LOL
i can confirm it works
tried it on one of my members areas, to a content providers plugin we use... and it worked :(
BTW ...
Is htaccess the only thing that content providers have to protect the stuff they're selling to other sites? I thought they had password protection, among other things ... Just curious ... [This message has been edited by erotictrance (edited 11-01-2001).]
I heard that Gary is setting up some Bouncer(tm) teams at ThugCash. Beta testing should be in progress..
nope, they just .htaccess
no password protection :( btw KimmyKim, Congrats. You are over 1000 posts!!
gary can sleep with the dog :)
Now that is a visual..... ;)
Damn, I knew that was too good for some people to pass up ;)
OK KK .... my question is this ...
I have a paysite, with the .htaccess installed as part of the CCBill install. Will you guys be creating a new means of securing a website, and how soon will it be out ? ------------------ Airforce come and dey flatten your home !!! The Black Sheep of the Boneprone Family I like to rub HERTURN on my nipples
this isn't a ".htaccess" problem, it's a "checking for valid users by referrer" problem. CCbill should be okay, I would assume. They use HTTP auth to allow access (coincidentally, this ALSO goes in the .htaccess file as well) to member areas. This means the browser must send a valid UID/password *each hit* or the item will not be served up.
I would assume most paysites would not be vulnerable to this, but then again I'm surprised *ANYONE* would be so downright stupid as to protect a members area via referrer checking. So I could stand corrected. ;) -Phil
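Phil's point is that HTTP auth (the `AuthType Basic` / `Require valid-user` directives that CCBill drops into .htaccess) makes the browser prove who it is on every hit, so a copied Referer buys nothing. The block below is an added example of that per-hit decision, written for this thread and not taken from CCBill, Apache or any poster: it decodes the `Authorization: Basic` header, checks the password against a salted PBKDF2 hash, and answers 401 with a `WWW-Authenticate` challenge whenever credentials are missing or wrong. The realm name, the user records and the sample requests are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

REALM = "members"        # constructed realm name shown in the 401 challenge
PBKDF2_ROUNDS = 100_000

def make_user_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store (salt, PBKDF2 hash), never the clear password. Constructed helper
    standing in for whatever the billing system's password file holds."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

# Hashing a dummy record for unknown users keeps the timing of "no such user"
# and "wrong password" the same, so the 401 does not reveal which one it was.
_DUMMY_RECORD = make_user_record("placeholder", salt=b"\x00" * 16)

def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic base64(user:password)'.
    Returns (user, password) or None for anything malformed."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password

def authorize_hit(headers: Dict[str, str],
                  users: Dict[str, Tuple[bytes, bytes]]) -> Tuple[int, Dict[str, str]]:
    """Decide one request. The Referer header is never consulted; only a
    verified username/password pair yields 200."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        return 401, challenge
    user, password = creds
    salt, stored = users.get(user, _DUMMY_RECORD)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if user not in users or not hmac.compare_digest(candidate, stored):
        return 401, challenge
    return 200, {}

def demo() -> Dict[str, int]:
    """Constructed requests: status code each one receives."""
    users = {"alice": make_user_record("correct horse", salt=b"\x01" * 16)}
    good = base64.b64encode(b"alice:correct horse").decode()
    bad = base64.b64encode(b"alice:wrong").decode()
    nobody = base64.b64encode(b"mallory:correct horse").decode()
    return {
        "referer_only": authorize_hit({"Referer": "https://members.example.com/"}, users)[0],
        "good_creds": authorize_hit({"Authorization": f"Basic {good}"}, users)[0],
        "bad_creds": authorize_hit({"Authorization": f"Basic {bad}"}, users)[0],
        "unknown_user": authorize_hit({"Authorization": f"Basic {nobody}"}, users)[0],
        "garbage_header": authorize_hit({"Authorization": "Basic not-base64!"}, users)[0],
    }

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Only the request carrying a correct username and password gets 200; the Referer-only request, the wrong password, the unknown user and the unparseable header all get the same 401 challenge. Basic auth sends the password base64-encoded, not encrypted, on every hit, which is why the earlier post in this thread pairs it with SSL.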
Question for ya Phil21.... I have my stuff hard coded into my conf file versus using htaccess. Does that offer me any better resistance than using it in htaccess? (my guess is no, since it's virtually the same code.)
Amp, nope. It's *exactly* the same as having a .htaccess file, it's just that the htaccess file is dynamically loaded (and looked for whether or not it exists if AllowOverride is turned on) and lets users control certain aspects of their apache config. Essentially it's just an extension of your conf file, but loaded for each hit, not all at one time.
Your way is actually better performance-wise, as long as you have AllowOverride turned off. Apache doesn't have to make the I/O call to see if the file exists (and read it if it does) since it's all "hard coded". peace, -Phil
Thought so.... thanks Phil.
I have had this mspoofer before from a friend (older versions).
But I don't need mspoofer, I can do it by Internet Explorer too :) At Guard, Norton Internet Security allows you to modify/block referer, user agent, cookies etc etc.!! Anyway, it's the content providers' problem. They must resolve that! ------------------ screw you guys, I'm going home!