Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums. You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact us. |
|
Discuss what's fucking going on, and which programs are best and worst. One-time "program" announcements from "established" webmasters are allowed. |
|
Thread Tools |
08-26-2007, 07:58 AM | #1 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
Simple linkex exploit. BEWARE.
Find someone using linkex, note down his url.
Make a simple webpage, containing just one link to his url. Open his linkex, enter the url of the webpage you made, and for an anchor, try Code:
<?php echo 'hi'; ?> You can take it from there, I guess, I'm not going to publish working exploits. The linkex people need to fix their script, I would have provided a fix but not for such bullshit code without indentation. Right now, running linkex = running a rootkit. Beware. |
08-26-2007, 08:00 AM | #2 |
Programming King Pin
Industry Role:
Join Date: Oct 2003
Location: Montreal
Posts: 27,360
|
Why posting it in public? Dumpass.. Email the owner!
__________________
UUGallery Builder - automated photo/video gallery plugin for Wordpress! Stop looking! Checkout Naked Hosting, online since 1999 ! |
08-26-2007, 08:03 AM | #3 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
I would have, had he had the courtesy of releasing his source in some sort of readable format.
|
08-26-2007, 08:06 AM | #4 |
Confirmed User
Join Date: Jun 2007
Location: Quebec City, Quebec
Posts: 133
|
Are you kidding me, why would you post this here where there are so many known spammers/scammers around?
I hope a mod removes this...
__________________
chesterbanksphp [.at.] gmail.com
icq: 350 656 495 |
08-26-2007, 08:59 AM | #5 |
Confirmed User
Industry Role:
Join Date: Dec 2001
Posts: 7,952
|
why not post the fix?
It isn't the people who run the scripts fault for the exploit. jeez |
08-26-2007, 09:03 AM | #6 |
l337 h4x0r!#%
Industry Role:
Join Date: Feb 2005
Location: OKC, OK, USA
Posts: 8,363
|
Why oh why does GFY always attract the biggest morons?
__________________
hacker 4 hire. |
08-26-2007, 09:04 AM | #7 |
Confirmed User
Join Date: Jun 2005
Location: ▓NY▓
Posts: 2,080
|
it's hax0ring time!
__________________
Each persons' level of stupidity makes us different. |
08-26-2007, 09:11 AM | #8 |
Confirmed User
Join Date: Jan 2006
Location: Gringo in Puerto Rico
Posts: 4,197
|
The normal order of events is that you inform the developer. Give them at least a month to fix it, and if they don't then you can post the a notice bout the exploit. Public disclosure gets the developers off their ass and makes everyone away to either secure their shit or remove it.
If you're running linkex right now just log in and go to settings and disable the public form for now.
__________________
OV Tube - Tube Script Software |
08-26-2007, 09:24 AM | #9 | |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
Quote:
|
|
08-26-2007, 09:27 AM | #10 |
Confirmed User
Join Date: Jan 2006
Location: Gringo in Puerto Rico
Posts: 4,197
|
lol after reading my post i realized that I needed a coffee.
__________________
OV Tube - Tube Script Software |
08-26-2007, 09:28 AM | #11 |
Confirmed User
Industry Role:
Join Date: Jan 2004
Location: Wisconsin
Posts: 4,518
|
I notified the developer and sent him a link to this thread (he is not online at the moment).
I did not try what you posted, but I'll take your word on it. For now, everyone should just set their permissions on /linkex/index.php to 0. |
08-26-2007, 09:36 AM | #12 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
You can easily try it on your own site. echo 'hi'; as posted is obviously safe.
|
08-26-2007, 11:29 AM | #13 |
Confirmed User
Industry Role:
Join Date: Nov 2005
Location: 20 00'24.00" N, 75 09'00.00 W
Posts: 6,882
|
wtf? I am not impressed with your programming expertise. You could have emailed the owner instead of posting details here. If you still wanted to show how cool you are at catching exploits, just tell that you found a bug and want the owner to contact you for details.
__________________
Affordable Quality Web Hosting |
08-26-2007, 11:31 AM | #14 |
Confirmed User
Join Date: Jan 2006
Location: Gringo in Puerto Rico
Posts: 4,197
|
someone could just easily do a php header redirect, if their url was short enough. Definitely a problem that needs to be fixed.
__________________
OV Tube - Tube Script Software |
08-26-2007, 11:43 AM | #15 |
►SouthOfHeaven
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
|
thanks for the heads up..
i'm on the fence about people reporting exploits this way .. i do believe its nice to inform the script owners first but i have to disagree with others about not reporting it on gfy.. gfy is often the quickest way to solve these kinds of problems.. exploits such as this are often slow to be fixed ( or ignored ) by the owners if left entirely up to them, a push is helpfull.
__________________
hatisblack at yahoo.com |
08-26-2007, 11:48 AM | #16 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
Again. I would have emailed the guy a fix. EXCEPT, have you looked at his code ? There is not a single line feed or tab in there. I mean, okay, so he doesn't comment his code as he should on anything publicly released. Fine. But take out the line feeds ? That in my book is douchebaggery.
|
08-26-2007, 11:54 AM | #17 |
Confirmed User
Industry Role:
Join Date: Apr 2005
Location: Vegas
Posts: 4,499
|
I just did that for all my sites. Does that mean they should be safe now or do I need to do something else?
__________________
бабки, шлюхи, сила |
08-26-2007, 11:59 AM | #18 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
If you've disabled the public form (ie people can't type in anchors that you include anymore) you should be safe.
May be worth your time to go through the 1001 or whatever the file you include is called and make sure there's nothing but url's and plain text in there. anything between <? and ?> is evil. anything reading "text/javascript" is also evil. |
08-26-2007, 12:16 PM | #19 |
in a van by the river
Industry Role:
Join Date: May 2003
Posts: 74,678
|
Why do most people publish the exploits they find? Why because it allows users to know it there and also forces the authors to fix their shit.
Making exploits public knowledge is a common practice..
__________________
"If Israelis don't want to be accused of being like the Nazis, they simply need to stop behaving like Nazis." - Norman Finkelstein |
08-26-2007, 01:00 PM | #20 |
Confirmed User
Join Date: Mar 2007
Posts: 249
|
so kind of you to post this as there are 18,700 sites using it ....
it's common to go public with exploits, AFTER you have notified the company and given them time to fix it. |
08-26-2007, 01:10 PM | #21 |
Confirmed User
Join Date: Jul 2004
Location: The Beach
Posts: 4,626
|
Narcissistic jerk
glad no one is giving you credit
__________________
ICQ# 143561781 |
08-26-2007, 01:13 PM | #22 | |
sex dwarf
Join Date: May 2002
Posts: 17,860
|
Quote:
On one side, GFY is quicker than emailing them, plus it probably reaches more users than an upgrade of their script would (hell, I'm pretty sure that months from now, most users will still use the exploitable version). On the other side, this ensures that within a week, hundreds if not thousands of sites will be exploited. Then, on yet another side... anyone who uses that crappy script kinda deserves whatever happens. Linkex is a complete piece of shit, and always has been.
__________________
/(bb|[^b]{2})/ |
|
08-26-2007, 01:26 PM | #23 |
Confirmed User
Join Date: Jul 2007
Posts: 113
|
I am a newbie and I am not a programmer. So could you please explian to me in simple english what does the exploite do...how does it harm/hurt my site?
__________________
Care to exchange hard links? email me: webmaster at teensweek dot com |
08-26-2007, 01:29 PM | #24 |
Confirmed User
Join Date: Jul 2004
Location: The Beach
Posts: 4,626
|
It is good to know that there is a exploit but you write down how to use it..... it's really not nice here on gfy.
__________________
ICQ# 143561781 |
08-26-2007, 01:33 PM | #25 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
Listen blockhead. You need to comprehend a few points.
1. I don't owe you, or any dude running some script, or any dude putting up scripts for download, jack shit. The day you, or those other dudes have me on their payroll, you can raise this point again. Till then, chuck it. 1.1. I might, might mind you, out of the kindness of my heart, and because I'm such a nice fellow, given the author of the shoddy script a fix, provided he wasn't the sort of douchebag that deliberately makes his "code" hard to read. Call this a lesson in the theory of "karma's a bitch", maybe next time he releases code, he follows standards. 2. Responsibility for computer code at all times remains with the USER of such code. If you install and run some script you haven't completely read and understood, heck. Your bubblings to the contrary are really akin to the idiots wanting me to keep their children off the "dangerous internet". The internet is for grown-ups. Grown-ups are those people who understand where responsibility lies. Letting children, and you, run amok on the internet is fine, as far as I'm concerned, but their safety is not my problem. 3. Information belongs out in the open. That Bush, Cheney, and you think it's best to try and restrict the flow of information is exactly your problem, much like the belief in a flat earth and an omnipotent benevolent god is the believer's problem. If some women get butchered in China or if some shitty script has a hole in it, the public has a right to know, and you don't have a right to have an oppinon on the matter. Bloody hell. |
08-26-2007, 01:33 PM | #26 |
<&(©¿©)&>
Industry Role:
Join Date: Jul 2002
Location: Chicago
Posts: 47,883
|
sucks to be running linkex now, heh... I bet ya at least few blackhatters from here are exploiting it hard now...
__________________
Custom Software Development, email: woj#at#wojfun#.#com to discuss details or skype: wojl2000 or gchat: wojfun or telegram: wojl2000 Affiliate program tools: Hosted Galleries Manager Banner Manager Video Manager Wordpress Affiliate Plugin Pic/Movie of the Day Fansign Generator Zip Manager |
08-26-2007, 01:44 PM | #27 | |
Confirmed User
Join Date: Jul 2007
Posts: 113
|
Quote:
__________________
Care to exchange hard links? email me: webmaster at teensweek dot com |
|
08-26-2007, 01:57 PM | #28 |
Confirmed User
Industry Role:
Join Date: May 2007
Posts: 1,644
|
deamn. How low can you be to steal traffic like that?
|
08-26-2007, 04:01 PM | #29 |
Confirmed User
Industry Role:
Join Date: Apr 2005
Location: Vegas
Posts: 4,499
|
So the result of the exploit is that someone could redirect your links to their own sites..... or is it something worse than that?
__________________
бабки, шлюхи, сила |
08-26-2007, 04:17 PM | #30 |
there's no $$$ in porn
Industry Role:
Join Date: Jul 2005
Location: icq: 195./568.-230 (btw: not getting offline msgs)
Posts: 33,063
|
|
08-26-2007, 04:49 PM | #31 |
Confirmed User
Join Date: Mar 2007
Posts: 913
|
Whoever does that in my blogs will not gonna work...
because i check links manually in their sites every now and then hahahahahahah |
08-26-2007, 05:35 PM | #32 | |
Confirmed User
Join Date: May 2004
Location: 4 8 15 16 23 42
Posts: 4,444
|
Quote:
As for making exploits public: It's often the only way to get things fixed fast, a little public pressure works wonders. It may not be nice, but it's effective. |
|
08-26-2007, 06:21 PM | #33 |
Confirmed User
Join Date: Jul 2006
Location: Philadelphia
Posts: 1,282
|
This is dumb. You should have first given the author the chance to warn people and send out a patch. This isn't about teh script author, you fucked over the webmaster. Nice
|
08-27-2007, 01:37 AM | #34 |
Confirmed User
Industry Role:
Join Date: Sep 2006
Posts: 43
|
Hi guys,
I have just released a fix for this exploit. linkex.dk/forums/t1244-exploit-in-linkex-please-be-aware.html - v0id |
08-27-2007, 01:57 AM | #35 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
Nice.
Did you stick the spacing back in too ? |
08-27-2007, 03:39 AM | #36 |
Confirmed User
Industry Role:
Join Date: Apr 2005
Location: Vegas
Posts: 4,499
|
Thanks for fixing that so quickly.
__________________
бабки, шлюхи, сила |
08-27-2007, 03:50 AM | #37 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
neeevermind.
|
08-27-2007, 03:55 AM | #38 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
Actually. The "fix" doesn't fix the problem, from what I can see. Feel free to give it a try yourself, as explained in the original post.
|
08-27-2007, 03:56 AM | #39 |
. . .
Industry Role:
Join Date: Apr 2007
Location: NY
Posts: 13,724
|
most interesting
__________________
__________________ Looking for a custom TUBE SCRIPT that supports massive traffic, load balancing, billing support, and h264 encoding? Hit up Konrad!
Looking for designs for your websites or custom tubesite design? Hit up Zuzana Designs Check out the #1 WordPress SEO Plugin: CyberSEO Suite |
08-27-2007, 04:00 AM | #40 |
Confirmed User
Join Date: Jul 2007
Posts: 7,687
|
thanks for the warning
|
08-27-2007, 04:15 AM | #41 |
Confirmed User
Industry Role:
Join Date: Sep 2006
Posts: 43
|
|
08-27-2007, 04:17 AM | #42 |
Confirmed User
Industry Role:
Join Date: Sep 2006
Posts: 43
|
|
08-27-2007, 04:25 AM | #43 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
Code:
<!-- Output generated by LinkEX (+http://linkex.dk/) --> <a href="http://lolcunts.org" title="<?php echo'hi'; ?>"><?php echo'hi'; ?></a><br><br><a href="http://www.teensexvidz.com/" title="Teen Sex Videos">Teen Sex Videos</a><br><br> |
08-27-2007, 04:32 AM | #44 |
Confirmed User
Industry Role:
Join Date: Apr 2005
Location: Vegas
Posts: 4,499
|
So has this issue been solved or not.....
__________________
бабки, шлюхи, сила |
08-27-2007, 04:48 AM | #45 | |
Confirmed User
Industry Role:
Join Date: Oct 2006
Posts: 617
|
Quote:
So that code you just posted cannot be harmful because < is replaced with <. You might know this and I might have missed the point of your post but I told this just in case.
__________________
* Selling my adult sites. Email: furaldbullon48aol9com - Replace 48 with @ and 9 with . |
|
08-27-2007, 05:14 AM | #46 | |
Confirmed User
Industry Role:
Join Date: Dec 2004
Location: Denver
Posts: 6,559
|
Quote:
__________________
|
|
08-27-2007, 05:24 AM | #47 |
So Fucking Banned
Join Date: May 2006
Posts: 2,187
|
Doh. I was including the wrong file.
So yes, linkex.20070827.tar.gz fixes the hole. |
08-27-2007, 06:25 AM | #48 |
Confirmed User
Industry Role:
Join Date: Sep 2006
Posts: 43
|
so, now everyone have to update their linex!!
|
08-27-2007, 06:53 AM | #49 |
Confirmed User
Join Date: Jan 2006
Location: Canada
Posts: 4,994
|
No apologies for shitty code?
__________________
|
08-27-2007, 07:00 AM | #50 |
Confirmed User
Join Date: Jan 2006
Location: Gringo in Puerto Rico
Posts: 4,197
|
__________________
OV Tube - Tube Script Software |