Simple linkex exploit. BEWARE.

[fluffygrrl]

Find someone using linkex, note down his url.

Make a simple webpage, containing just one link to his url.

Open his linkex, enter the url of the webpage you made, and for an anchor, try

Code:

<?php echo 'hi'; ?>

Check out his links, especially if he auto-adds stuff.

You can take it from there, I guess, I'm not going to publish working exploits. The linkex people need to fix their script, I would have provided a fix but not for such bullshit code without indentation.

Right now, running linkex = running a rootkit. Beware.

[Basic_man]

Why posting it in public? Dumpass.. Email the owner!

[fluffygrrl]

I would have, had he had the courtesy of releasing his source in some sort of readable format.

[Intricate]

Are you kidding me, why would you post this here where there are so many known spammers/scammers around?

I hope a mod removes this...

[4Pics]

why not post the fix?

It isn't the people who run the scripts fault for the exploit.

jeez

[geeknik]

Why oh why does GFY always attract the biggest morons?

[ridikuloz]

it's hax0ring time!

[teg0]

The normal order of events is that you inform the developer. Give them at least a month to fix it, and if they don't then you can post the a notice bout the exploit. Public disclosure gets the developers off their ass and makes everyone away to either secure their shit or remove it.

If you're running linkex right now just log in and go to settings and disable the public form for now.

[fluffygrrl]

Quote:

Originally Posted by teg0

The normal order of events is that you inform the developer. Give them at least a month to fix it, and if they don't then you can post the a notice bout the exploit. Public disclosure gets the developers off their ass and makes everyone away to either secure their shit or remove it.

If you're running linkex right now just log in and go to settings and disable the public form for now.

What he said. Get snapping.

[teg0]

lol after reading my post i realized that I needed a coffee.

[Lycanthrope]

I notified the developer and sent him a link to this thread (he is not online at the moment).

I did not try what you posted, but I'll take your word on it. For now, everyone should just set their permissions on /linkex/index.php to 0.

[fluffygrrl]

You can easily try it on your own site. echo 'hi'; as posted is obviously safe.

[Vick!]

wtf? I am not impressed with your programming expertise. You could have emailed the owner instead of posting details here. If you still wanted to show how cool you are at catching exploits, just tell that you found a bug and want the owner to contact you for details.

[teg0]

someone could just easily do a php header redirect, if their url was short enough. Definitely a problem that needs to be fixed.

[SmokeyTheBear]

thanks for the heads up..

i'm on the fence about people reporting exploits this way ..

i do believe its nice to inform the script owners first but i have to disagree with others about not reporting it on gfy..


gfy is often the quickest way to solve these kinds of problems..


exploits such as this are often slow to be fixed ( or ignored ) by the owners if left entirely up to them, a push is helpfull.

[fluffygrrl]

Again. I would have emailed the guy a fix. EXCEPT, have you looked at his code ? There is not a single line feed or tab in there. I mean, okay, so he doesn't comment his code as he should on anything publicly released. Fine. But take out the line feeds ? That in my book is douchebaggery.

[cykoe6]

Quote:

Originally Posted by teg0

If you're running linkex right now just log in and go to settings and disable the public form for now.

I just did that for all my sites. Does that mean they should be safe now or do I need to do something else?

[fluffygrrl]

If you've disabled the public form (ie people can't type in anchors that you include anymore) you should be safe.

May be worth your time to go through the 1001 or whatever the file you include is called and make sure there's nothing but url's and plain text in there. anything between <? and ?> is evil. anything reading "text/javascript" is also evil.

[crockett]

Quote:

Originally Posted by Basic_man

Why posting it in public? Dumpass.. Email the owner!

Why do most people publish the exploits they find? Why because it allows users to know it there and also forces the authors to fix their shit.

Making exploits public knowledge is a common practice..

[hungry hungry hippy]

so kind of you to post this as there are 18,700 sites using it ....

it's common to go public with exploits, AFTER you have notified the company and given them time to fix it.

[polle54]

Narcissistic jerk

glad no one is giving you credit

[Libertine]

Quote:

Originally Posted by SmokeyTheBear

thanks for the heads up..

i'm on the fence about people reporting exploits this way ..

i do believe its nice to inform the script owners first but i have to disagree with others about not reporting it on gfy..


gfy is often the quickest way to solve these kinds of problems..


exploits such as this are often slow to be fixed ( or ignored ) by the owners if left entirely up to them, a push is helpfull.

I'm on the fence, too.

On one side, GFY is quicker than emailing them, plus it probably reaches more users than an upgrade of their script would (hell, I'm pretty sure that months from now, most users will still use the exploitable version).

On the other side, this ensures that within a week, hundreds if not thousands of sites will be exploited.

Then, on yet another side... anyone who uses that crappy script kinda deserves whatever happens. Linkex is a complete piece of shit, and always has been.

[ZCurve]

I am a newbie and I am not a programmer. So could you please explian to me in simple english what does the exploite do...how does it harm/hurt my site?

[polle54]

Quote:

Originally Posted by polle54

Narcissistic jerk

glad no one is giving you credit

It is good to know that there is a exploit but you write down how to use it..... it's really not nice here on gfy.

[fluffygrrl]

Quote:

Originally Posted by polle54

Narcissistic jerk

glad no one is giving you credit

Listen blockhead. You need to comprehend a few points.

1. I don't owe you, or any dude running some script, or any dude putting up scripts for download, jack shit. The day you, or those other dudes have me on their payroll, you can raise this point again. Till then, chuck it.

1.1. I might, might mind you, out of the kindness of my heart, and because I'm such a nice fellow, given the author of the shoddy script a fix, provided he wasn't the sort of douchebag that deliberately makes his "code" hard to read. Call this a lesson in the theory of "karma's a bitch", maybe next time he releases code, he follows standards.

2. Responsibility for computer code at all times remains with the USER of such code. If you install and run some script you haven't completely read and understood, heck. Your bubblings to the contrary are really akin to the idiots wanting me to keep their children off the "dangerous internet". The internet is for grown-ups. Grown-ups are those people who understand where responsibility lies. Letting children, and you, run amok on the internet is fine, as far as I'm concerned, but their safety is not my problem.

3. Information belongs out in the open. That Bush, Cheney, and you think it's best to try and restrict the flow of information is exactly your problem, much like the belief in a flat earth and an omnipotent benevolent god is the believer's problem. If some women get butchered in China or if some shitty script has a hole in it, the public has a right to know, and you don't have a right to have an oppinon on the matter.

Bloody hell.

[woj]

sucks to be running linkex now, heh... I bet ya at least few blackhatters from here are exploiting it hard now...

[ZCurve]

Quote:

Originally Posted by fluffygrrl

Listen blockhead. You need to comprehend a few points.

3. Information belongs out in the open. That Bush, Cheney, and you think it's best to try and restrict the flow of information is exactly your problem, much like the belief in a flat earth and an omnipotent benevolent god is the believer's problem. If some women get butchered in China or if some shitty script has a hole in it, the public has a right to know, and you don't have a right to have an oppinon on the matter.

Bloody hell.

I like fluffygrrl

[greg80]

deamn. How low can you be to steal traffic like that?

[cykoe6]

So the result of the exploit is that someone could redirect your links to their own sites..... or is it something worse than that?

[u-Bob]

Quote:

Originally Posted by cykoe6

So the result of the exploit is that someone could redirect your links to their own sites..... or is it something worse than that?

yep... running arbitrary code on your box

[Cum&Spam]

Whoever does that in my blogs will not gonna work...
because i check links manually in their sites every now and then hahahahahahah

[StarkReality]

Quote:

Originally Posted by ZCurve

I am a newbie and I am not a programmer. So could you please explian to me in simple english what does the exploite do...how does it harm/hurt my site?

It simply means that any code/script can be inserted via the exploit with as many characters in total as the anchor text field allows, and inserting a redirect is certainly one of the less evil things I could imagine.

As for making exploits public: It's often the only way to get things fixed fast, a little public pressure works wonders. It may not be nice, but it's effective.

[bl4h]

This is dumb. You should have first given the author the chance to warn people and send out a patch. This isn't about teh script author, you fucked over the webmaster. Nice

[v0id]

Hi guys,
I have just released a fix for this exploit.

linkex.dk/forums/t1244-exploit-in-linkex-please-be-aware.html

- v0id

[fluffygrrl]

Nice.

Did you stick the spacing back in too ?

[cykoe6]

Quote:

Originally Posted by LinkEX

Hi guys,
I have just released a fix for this exploit.

linkex.dk/forums/t1244-exploit-in-linkex-please-be-aware.html

- v0id

Thanks for fixing that so quickly.

[fluffygrrl]

neeevermind.

[fluffygrrl]

Actually. The "fix" doesn't fix the problem, from what I can see. Feel free to give it a try yourself, as explained in the original post.

[d-null]

most interesting

[raven1083]

thanks for the warning

[v0id]

Quote:

Originally Posted by fluffygrrl

Actually. The "fix" doesn't fix the problem, from what I can see. Feel free to give it a try yourself, as explained in the original post.

Not sure what you mean. Can you elaborate?

- v0id

[v0id]

Quote:

Originally Posted by fluffygrrl

Actually. The "fix" doesn't fix the problem, from what I can see. Feel free to give it a try yourself, as explained in the original post.

Not sure what you mean. Can you elaborate?
demo.linkex.dk/linkex/data/output/1001

- v0id

[fluffygrrl]

Code:

<!-- Output generated by LinkEX (+http://linkex.dk/) -->
<a href="http://lolcunts.org" title="&lt;?php echo'hi'; ?&gt;">&lt;?php echo'hi'; ?&gt;</a><br><br><a href="http://www.teensexvidz.com/" title="Teen Sex Videos">Teen Sex Videos</a><br><br>

does that help ?

[cykoe6]

So has this issue been solved or not.....

[GirlsOnYou]

Quote:

Originally Posted by fluffygrrl

Code:

<!-- Output generated by LinkEX (+http://linkex.dk/) -->
<a href="http://lolcunts.org" title="&lt;?php echo'hi'; ?&gt;">&lt;?php echo'hi'; ?&gt;</a><br><br><a href="http://www.teensexvidz.com/" title="Teen Sex Videos">Teen Sex Videos</a><br><br>

does that help ?

You do realize that &lt;?php does nothing whereas <?php does, right?
So that code you just posted cannot be harmful because < is replaced with &lt;.

You might know this and I might have missed the point of your post but I told this just in case.

[potter]

Quote:

Originally Posted by fluffygrrl

Listen blockhead. You need to comprehend a few points.

1. I don't owe you, or any dude running some script, or any dude putting up scripts for download, jack shit. The day you, or those other dudes have me on their payroll, you can raise this point again. Till then, chuck it.

1.1. I might, might mind you, out of the kindness of my heart, and because I'm such a nice fellow, given the author of the shoddy script a fix, provided he wasn't the sort of douchebag that deliberately makes his "code" hard to read. Call this a lesson in the theory of "karma's a bitch", maybe next time he releases code, he follows standards.

2. Responsibility for computer code at all times remains with the USER of such code. If you install and run some script you haven't completely read and understood, heck. Your bubblings to the contrary are really akin to the idiots wanting me to keep their children off the "dangerous internet". The internet is for grown-ups. Grown-ups are those people who understand where responsibility lies. Letting children, and you, run amok on the internet is fine, as far as I'm concerned, but their safety is not my problem.

3. Information belongs out in the open. That Bush, Cheney, and you think it's best to try and restrict the flow of information is exactly your problem, much like the belief in a flat earth and an omnipotent benevolent god is the believer's problem. If some women get butchered in China or if some shitty script has a hole in it, the public has a right to know, and you don't have a right to have an oppinon on the matter.

Bloody hell.

That was awesome...

[fluffygrrl]

Doh. I was including the wrong file.

So yes, linkex.20070827.tar.gz fixes the hole.

[v0id]

so, now everyone have to update their linex!!

[KrisKross]

Quote:

Originally Posted by LinkEX

so, now everyone have to update their linex!!

No apologies for shitty code?

[teg0]

Quote:

Originally Posted by KrisKross

No apologies for shitty code?

Windows = shitty code