Social Engineering


texpert
Site Admin
Posts: 719
Joined: Sat Mar 14, 2009 5:54 pm

Re: Social Engineering

Post by texpert »

Hello,

If I'm right, the problem is that all others can use your u= and redirect users from other sites? What if you rename u to anything else? And Base64-encode the URL?

The only thing I can add is that out checks if the referrer is coming from your site; if not, you will land on your index page? Or which suggestions do you have?

Best regards,
Alex
svobada
Posts: 9
Joined: Wed Jun 10, 2009 9:37 pm

Re: Social Engineering

Post by svobada »

That would be a good solution! Can you update here, when this is changed?
texpert
Site Admin
Posts: 719
Joined: Sat Mar 14, 2009 5:54 pm

Re: Social Engineering

Post by texpert »

Hello, I will add it and I will let you know.

Best regards,
Alex
svobada
Posts: 9
Joined: Wed Jun 10, 2009 9:37 pm

Re: Social Engineering

Post by svobada »

Any news about this?
TA2
Posts: 46
Joined: Sat Mar 15, 2014 5:14 pm
Location: Web

Re: Social Engineering

Post by TA2 »

texpert wrote: Sat Feb 06, 2021 1:13 pm
Hello,

If I'm right, the problem is that all others can use your u= and redirect users from other sites? What if you rename u to anything else? And Base64-encode the URL?

The only thing I can add is that out checks if the referrer is coming from your site; if not, you will land on your index page? Or which suggestions do you have?

Best regards,
Alex
Anyone can also add any URL after purl or plug as well. Otherwise known as a parasite. This is a big problem. The only solution I know is to rename your out.php. But even then it does not prevent them from using the new out path. Unless TE can provide an update that checks if any domain being used after u, purl, or plug can be 'validated' against a separate whitelist of domains within the script, since sometimes we want to plug URLs that are not trades, and also check against the active trade list. If it does not pass, it goes to the redirect block path or to a specified page like 404. It's quite annoying as it is now, with links like:


TE3/out.php?purl=https://boardstrike.ru/MvAaypY.htm
getting crawled by google.
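Added example (my own code, not TE3's out.php or anything from the TE developers) of the two controls discussed in this thread: the domain allowlist TA2 asks for, checked against the active trade list plus a separate list of non-trade domains the site owner wants to plug, and the referrer check texpert proposes. The domain names, the Referer header value, the secret key and the parameter dict are all constructed for illustration. It also goes one step beyond the thread: renaming u or Base64-encoding the URL only hides the parameter, since anyone can encode a URL themselves, so the last two functions show a signed out-link (HMAC over the target) that only your own page generator can produce and that out.php can verify before redirecting.

```python
# Added example, not TE3 code: hardening an out.php-style redirect.
import base64
import hashlib
import hmac
from urllib.parse import unquote, urlsplit

# Constructed allowlists standing in for the script's active trade list
# and a separate hand-maintained list of non-trade domains to plug.
TRADE_DOMAINS = {"trade-one.example", "trade-two.example"}
EXTRA_ALLOWED = {"partner.example"}
OWN_HOST = "mysite.example"                 # assumption: the site running out.php
SECRET = b"constructed-per-site-secret"     # assumption: kept server-side only


def host_allowed(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def validate_target(raw, allowed=TRADE_DOMAINS | EXTRA_ALLOWED):
    """Return the target URL if it passes the allowlist, else None.

    Only absolute http(s) URLs with a plain host pass. This rejects the usual
    open-redirect bypasses: userinfo (https://good@evil), scheme-relative
    (//evil), backslashes and embedded CR/LF or NUL bytes."""
    if raw is None:
        return None
    raw = unquote(raw).strip()          # extra decode in case the value was double-encoded
    if any(c in raw for c in "\\\r\n\t\x00"):
        return None
    try:
        parts = urlsplit(raw)
    except ValueError:                  # e.g. malformed IPv6 bracket syntax
        return None
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname
    if not host or not host_allowed(host, allowed):
        return None
    return parts.geturl()


def referer_ok(referer, own_host=OWN_HOST):
    """texpert's check: the Referer, when present, must be our own site.
    Caveat: browsers and privacy settings often strip Referer, and it is
    trivially forged, so this stops hotlinking, not a determined abuser."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return (parts.scheme in ("http", "https")
            and parts.hostname is not None
            and host_allowed(parts.hostname, {own_host}))


def handle_out(params, headers, index="/index.php"):
    """Decide where out.php sends the visitor.
    params: dict of query parameters (u, purl, plug); headers: request headers.
    Anything that fails lands on the index page instead of being redirected."""
    if not referer_ok(headers.get("Referer")):
        return index
    for name in ("u", "purl", "plug"):
        if name in params:
            target = validate_target(params[name])
            return target if target else index
    return index


def make_out_link(target, key=SECRET):
    """Build a purl value only our own page generator can produce: the
    Base64 target plus an HMAC tag. Base64 alone adds nothing, anyone can
    encode; the tag is what makes the link unforgeable without the key."""
    tag = hmac.new(key, target.encode(), hashlib.sha256).hexdigest()[:32]
    return base64.urlsafe_b64encode(target.encode()).decode() + "." + tag


def verify_out_link(value, key=SECRET):
    """Return the target if the tag matches, else None (reject, do not redirect)."""
    try:
        b64, tag = value.rsplit(".", 1)
        target = base64.urlsafe_b64decode(b64.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, target.encode(), hashlib.sha256).hexdigest()[:32]
    return target if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    # Constructed request matching the parasite link quoted in the thread.
    print(handle_out({"purl": "https://boardstrike.ru/MvAaypY.htm"},
                     {"Referer": "https://mysite.example/links.php"}))
    print(verify_out_link(make_out_link("https://trade-one.example/page.htm")))
```

With the allowlist in place the quoted boardstrike.ru link bounces to the index page regardless of who crafts it, so there is nothing for Google to follow. The signed variant is the stronger control: the allowlist can be skipped entirely for signed links, because a crawler or parasite cannot produce a valid tag without the server-side key.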