Author Topic: "Exploit" on the download page of the website  (Read 2308 times)

0 Members and 1 Guest are viewing this topic.


  • Entrant
  • Posts: 1
"Exploit" on the download page of the website
« on: March 05, 2014, 07:08:33 PM »
First, thank you for chameleon, it's an awesome project.

So I was downloding the latest release on the download page and I noticed that the file path is in a php arg. So I tried to modifiy it with an url and when clicking on the download link the page redirect the user to that url.

This can be a problem when others forums provide the link to your download page, if modified it can redirect the user to an infected website.

(click the download link and watch the magic happend)

Gringo Vermelho

  • Forum Moderator
  • Posts: 611
  • The gray monster energy hat
Re: "Exploit" on the download page of the website
« Reply #1 on: April 07, 2014, 03:53:09 AM »
All those downloads are obsolete anyway. And I don't know who is supposed to maintain that page.

I try to keep a recent version in my guide, see link in my signature.
10.9.5 - ASUS P8Z77-V Pro - i5 3570K - GTX 660 - Chameleon 2.3 svn-r2xxx
How to...
Install Chameleon:,649
Make your own Chameleon boot CD:,484.msg2131.html#msg2131


  • Entrant
  • Posts: 1
Re: "Exploit" on the download page of the website
« Reply #2 on: October 17, 2014, 05:23:55 PM »
Try this for example, click on my link then click download. Instead of taking you to a hard defined link it takes you to whatever link is in the ref tag in the URL. This means that, using a link shortener or some other link obfuscation, I can trick a new user into believing that Chameleon/this site for Chameleon is distributing viruses.

Interestingly, the line at the bottom "alternatively you can download..." with the bad link actually disappears without the tag, so maybe it's a good idea to just remove that line entirely.