Page 2 of 2
Re: Social Engineering
Posted: Sat Feb 06, 2021 1:13 pm
by texpert
Hello,
if i'm right the problem is that all other can use your u= and redirect from other sites users? What if you rename u to anything else? And Base64 encode URL?
The only thing i can add is that out check if the referrer is coming from your site, if not you will land on your index page? Or which suggestions do you have?
Best regards,
Alex
Re: Social Engineering
Posted: Tue May 25, 2021 8:31 am
by svobada
That would be a good solution! Can you update here, when this is changed?
Re: Social Engineering
Posted: Wed May 26, 2021 7:13 am
by texpert
Hello, i will add it and i will let you know.
Best regards,
Alex
Re: Social Engineering
Posted: Mon Jun 21, 2021 8:19 am
by svobada
any news about this?
Re: Social Engineering
Posted: Sat Feb 17, 2024 3:33 pm
by TA2
texpert wrote: ↑Sat Feb 06, 2021 1:13 pm
Hello,
if i'm right the problem is that all other can use your u= and redirect from other sites users? What if you rename u to anything else? And Base64 encode URL?
The only thing i can add is that out check if the referrer is coming from your site, if not you will land on your index page? Or which suggestions do you have?
Best regards,
Alex
Anyone can also add any url after purl, or plug, as well. Otherwise known as a parasite. This is a big problem. The only solution I know is to rename your out.php. But even then it does not prevent them from using the new out path. Unless TE can provide an update that checks if any domain being used after u or purl, or plug can be 'validated' against a separate whitelist of domains within the script. Since sometimes we want to plug urls that are not trades, and also check from active trade list. If it does not pass it goes to redirect block path or to a specified page like 404. It's quite annoying as it is now with link like:
Code: Select all
TE3/out.php?purl=https://boardstrike.ru/MvAaypY.htm
getting crawled by google.