Backdoor into Paysites!

[deserv]

I found a place where they explain how to access paysites for free!

It works when they got a URL from the membersection and copy paste into their browser, when the passwordbox pops up, you just click ok and you get access, they posted a list and I tried some and it's in fact possible to do so. Just wanted to bring this under your attention so you can check your sites for this backdoor.

[Agent 488]

useless without the list.

[deserv]

http://www.webcamsexgirlz.com/scammers/list.txt


here's the list

[Agent 488]

some work yeah.

[FrozenJag]

wow, not good. Just tested a few sites and was able to download full movies so its not creative marketing for sure. :\

In fact very well could rip alot of content thats getting sold currently here at gfy.

Somebody is getting fired. lol

[SilentKnight]

Welcome to the interwebs.

[Mutt]

i don't understand how a blank username/password combo are letting people in some of those sites' members areas. anybody have an idea why that happens?

[notime]

Some work indeed. Most don't.
Platinum feeds is wide open in one link to 14 sites. Bryan better take a look at this.

[PowerCum]

Quote:

Originally Posted by FrozenJag

wow, not good. Just tested a few sites and was able to download full movies so its not creative marketing for sure. :\

In fact very well could rip alot of content thats getting sold currently here at gfy.

Somebody is getting fired. lol

How could be this a real problem? I just took a look at some of these sites and they have much less content that I have licensed for my tube. Not to mention that the quality is almost 1995
Some don't even have videos at all.
On some the "High Quality" videos were 480x360 ... that's not even 640x480

No wonder surfers are going to tubes. My tube sites content repository has 1500 full scenes licensed, and thats more that all these sites together, not to mention that they are not 320x240 size.

At least I know what sponsors not to promote

[notime]

Some work indeed. Most don't.
Did you find that on exbii.com?

Platinum feeds is wide open in one link to 14 sites without a user/pass.
Bryan better take a look at this.

[sarettah]

Every one that I tried worked.

[MaDalton]

Quote:

Originally Posted by PowerCum

How could be this a real problem? I just took a look at some of these sites and they have much less content that I have licensed for my tube. Not to mention that the quality is almost 1995
Some don't even have videos at all.
On some the "High Quality" videos were 480x360 ... that's not even 640x480

No wonder surfers are going to tubes. My tube sites content repository has 1500 full scenes licensed, and thats more that all these sites together, not to mention that they are not 320x240 size.

At least I know what sponsors not to promote

yeah, i was thinking the same - shitty content, low quality, slow servers...

and if i had to download 10 small clips to see one video i would cancel right away. very eye opening...

[seeandsee]

more free porn

[notime]

Quote:

Originally Posted by MaDalton

yeah, i was thinking the same - shitty content, low quality, slow servers...

and if i had to download 10 small clips to see one video i would cancel right away. very eye opening...

Actually I never saw a member area before except a few with feeds.
Some are really 1998 style and some take 9 seconds to load a video or more. CDN..use a CDN guys. Talk to your hosting companies.
I googled some urls in the above .txt file and found the source.
This guy posts free urls and user/passes on an Indian board just to get " reward points" for that board...
Amazingly 70% still works of what he posts.
Other posts on that board could have up to 10k(!) in replies and 4M(!) views. Since bandwith is expensive maybe all programs should double check their security stuff and double IP No.s on the same user/pass...

I am now surfing ten.com's member area and platinumfeeds (I send Bryan a PM btw about this. People could lose LOTS of money if surfers can enter free and use up bandwith).

[Davy]

What's the reason that you get into some of those sites by pressing okay?
Even if ccbill closed their sites, the htaccess should still be intact.

[GrouchyAdmin]

Quote:

Originally Posted by Mutt

i don't understand how a blank username/password combo are letting people in some of those sites' members areas. anybody have an idea why that happens?

This happens when you have a really dumb MySQL clause like:

select count(*) from users where username='$username' and password='$password';

Then the pseudocode for the login/admin:

.. if (count(result) > 0) ...

If absolutely nothing/empty is passed, there's often an 'empty' account in there from testing or otherwise, and when it returns a valid result, they get access.

[Agent 488]

guess anyone can start a solo site with a couple non-exclusive pics and a couple videos huh?

[trevesty]

A couple of our sites that we're "phasing out" are in there. :/

Good thing we're switching up a lot of things in the next few weeks.

[deserv]

Quote:

Originally Posted by notime

Actually I never saw a member area before except a few with feeds.
Some are really 1998 style and some take 9 seconds to load a video or more. CDN..use a CDN guys. Talk to your hosting companies.
I googled some urls in the above .txt file and found the source.
This guy posts free urls and user/passes on an Indian board just to get " reward points" for that board...
Amazingly 70% still works of what he posts.
Other posts on that board could have up to 10k(!) in replies and 4M(!) views. Since bandwith is expensive maybe all programs should double check their security stuff and double IP No.s on the same user/pass...

I am now surfing ten.com's member area and platinumfeeds (I send Bryan a PM btw about this. People could lose LOTS of money if surfers can enter free and use up bandwith).

Agreed! And that's not all they do, They post daily cracked passes to paysites too.. The faster they are deactivated, the more people get frustrated and pay to get access

[Elixir]

DAMN wtf is this

I try few sites and it WOKS

[minddust]

blank entries in members data?

[notime]

Quote:

Originally Posted by Davy

What's the reason that you get into some of those sites by pressing okay?
Even if ccbill closed their sites, the htaccess should still be intact.

try this one (I already send a PM to platinumfeeds about this btw)
members.sexindia.com/extras.html

[Davy]

Quote:

Originally Posted by notime

try this one (I already send a PM to platinumfeeds about this btw)
members.sexindia.com/extras.html

That stuff is worthless. Surfers don't even care to pull their dick out for content like that.

And what must be even more frustrating for them is that they can't fastforward through the movie and have to watch the whole load of crap.

[ProG]

This is usually caused by a blank entry in the database or extra (empty) line in htaccess. Your security is complete shit if this happens on your site.

[Joe King]

Wow, some really pathetic members areas. No wonder sales suck.

[Rangermoore]

Been going on for years...

[st0ned]

Quote:

Originally Posted by iheartbucks Trev

A couple of our sites that we're "phasing out" are in there. :/

Good thing we're switching up a lot of things in the next few weeks.

You guys are dropping those sites all together or what?

[tiger]

Wow, some great security.

[Corona]

I checked about 5 sites and if I paid to see that crap I would never join another paysite ever again.

[SGS]

And people wonder why conversions are getting harder and harder? Actually giving the customer what he wants and getting him to stick around is harder than raping the fuck out of his card with cross sales when he joins I guess.

[VeriSexy]

Quote:

Originally Posted by Corona

I checked about 5 sites and if I paid to see that crap I would never join another paysite ever again.

Was thinking the same

[raymor]

We see this pretty often. Just recently, I had someone from a major program
hang up on me when I explained that his organization of files would cause this
type of effect. He's rather be wide open than be told he's wrong, I guess.

[XD2]

I haven't checked if this works as the paysites I built don't require it, but this code should check for valid username and password and reject anyone without it:

Code:

<?php
if(!$_SERVER[PHP_AUTH_USER] || !$_SERVER[PHP_AUTH_PW]) {
	//url to redirect to
	$url = "http://www.yourdomain.com";
	header("Location: $url");
}
?>

Just place it in your members area above everything else and it will redirect if no username or password is found. This only works for sites using htaccess as an auth method.

If anyone can verify this does help let other people know

[OY]

It's not a backdoor neither a CMS bug, just a problem in the .htaccess. Too bad the owners have not checked this. None of the ones mentioned are clients of ours.

Some are managed through ccbill, some are epoch's, so not sure if it is their overlooking or the sysadmins but clearly the owners should be notified in order to take action.

I also agree with Raymors comment that often owners are told but dont do anything because they do not like being told they have done something wrong.

[halfpint]

Holy shit some of those sites were last updated in 2007. Most of them worked for me

[V_RocKs]

If you are on that list you were hacked at some point. The hack could have been remote server access like when you are SSH'ed into the server or a simpler one where you had an old ccbill, ibill, globill, etc script where someone can add a combo to the file without any kind of authentication.

On that last one, you might have a php script and an htaccess file that checks user/pass to the "admin script"... the check has:
<limit get post>

Which means you are only limited the get and post requests to the script... PHP doesn't care how it is called so I can craft a header with a method of V_RocKs and PHP will run it just the same... which renders your htaccess/htpasswd files useless...

[CurrentlySober]

I blame Poppy Morgan..

[ascii]

You see a problem ... I see opportunity.

Redirect those blank fields to a page that makes them think they're in. Give them a tube site with previews and put "UPGRADE FOR ONLY $2.99" and sell a trial or something.

[raymor]

Quote:

Originally Posted by XD2

I haven't checked if this works as the paysites I built don't require it, but this code should check for valid username and password and reject anyone without it:

Code:

<?php
if(!$_SERVER[PHP_AUTH_USER] || !$_SERVER[PHP_AUTH_PW]) {
	//url to redirect to
	$url = "http://www.yourdomain.com";
	header("Location: $url");
}
?>

Just place it in your members area above everything else and it will redirect if no username or password is found. This only works for sites using htaccess as an auth method.

If you just check the standard variable, $_SERVER['REMOTE_USER'], rather than
the nonstandard $_SERVER[PHP_AUTH_USER], it'll work for any standard authentication
method, past, present, or future. Plus it'll actually work. What's set in
PHP_AUTH_USER is not necessarily a valid user name. REMOTE_USER
is their authenticated user name.

Also as XD2 mentioned, PHP_AUTH_USER is populated only for basic
authentication, a system designed to be weak, and PHP weakens it further in the
process of setting PHP_AUTH_PW. Not that a recommend jacking around with
authentication at all within your content, that's the wrong place for it, but if you feel
you must, use REMOTE_USER. 99% of the time if someone references PHP_AUTH_USER
it's wrong and what they really want is REMOTE_USER. They may well be set differently.
REMOTE_USER is their actual user name, authenticated by mod_auth, mod_auth_digest,
Strongbox, ir whatever authentication you're using. PHP_AUTH_USER is whatever
they set to be sent to the weakest possible authentication you could use - even if
in fact you're using something much better.