Topic: "Exploit" on the download page of the website (Read 8519 times)
Kronos (Entrant, Posts: 1)
"Exploit" on the download page of the website
« on: March 05, 2014, 07:08:33 PM »
First, thank you for chameleon, it's an awesome project.
So I was downloading the latest release on the download page and I noticed that the file path is in a php arg. So I tried to modify it with a URL and when clicking on the download link the page redirects the user to that URL.
This can be a problem when other forums provide the link to your download page, if modified it can redirect the user to an infected website.
Example:
http://chameleon.osx86.hu/static/some-words-about-donation?ref=/www.google.com
(click the download link and watch the magic happen)
Gringo Vermelho (Forum Moderator, Posts: 611)
The gray monster energy hat
Re: "Exploit" on the download page of the website
« Reply #1 on: April 07, 2014, 03:53:09 AM »
All those downloads are obsolete anyway. And I don't know who is supposed to maintain that page.
I try to keep a recent version in my guide, see link in my signature.
10.9.5 - ASUS P8Z77-V Pro - i5 3570K - GTX 660 - Chameleon 2.3 svn-r2xxx
How to...
Install Chameleon:
http://forum.voodooprojects.org/index.php/topic,649
Make your own Chameleon boot CD:
http://forum.voodooprojects.org/index.php/topic,484.msg2131.html#msg2131
Gen0 (Entrant, Posts: 1)
Re: "Exploit" on the download page of the website
« Reply #2 on: October 17, 2014, 05:23:55 PM »
Try this for example, click on my link then click download. Instead of taking you to a hard defined link it takes you to whatever link is in the ref tag in the URL. This means that, using a link shortener or some other link obfuscation, I can trick a new user into believing that Chameleon/this site for Chameleon is distributing viruses.
http://chameleon.osx86.hu/static/some-words-about-donation?ref=/bit.ly/1bfrsf7
Interestingly, the line at the bottom "alternatively you can download..." with the bad link actually disappears without the tag, so maybe it's a good idea to just remove that line entirely.
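
The fix for the behaviour reported in this thread, as an added example that is not part of the original posts and not the site's own code. The allowlisted paths and the function names are hypothetical; how the page turns `ref` into an off-site link is not shown in the thread, so the sketch only assumes that `ref` arrives as a query parameter and is echoed into the download link.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of files the download link may point at
// (constructed sample paths, not the site's real ones).
const ALLOWED_DOWNLOADS = [
    '/downloads/Chameleon-2.1.pkg',
    '/downloads/Chameleon-2.0.pkg',
];

// Common structural check against open redirects: a path from the site root,
// no "//host" or "/\host" form, no control characters.
function looks_site_relative(string $ref): bool
{
    if ($ref === '' || $ref[0] !== '/') {
        return false;
    }
    if (strncmp($ref, '//', 2) === 0 || strpos($ref, '\\') !== false) {
        return false;
    }
    return preg_match('/[\x00-\x1f\x7f]/', $ref) === 0;
}

// Allowlist check: `ref` may only select a path the server already trusts.
// Non-string input (e.g. ?ref[]=x arrives as an array) is rejected as well.
function resolve_download($ref): ?string
{
    if (!is_string($ref) || !in_array($ref, ALLOWED_DOWNLOADS, true)) {
        return null; // caller omits the download line instead of echoing $ref
    }
    return $ref;
}

// The two `ref` values quoted in the thread, plus one allowlisted sample.
// In the page itself the input would be: $_GET['ref'] ?? null
$samples = ['/www.google.com', '/bit.ly/1bfrsf7', '/downloads/Chameleon-2.1.pkg'];
foreach ($samples as $ref) {
    printf(
        "%-30s structural=%s allowlist=%s\n",
        $ref,
        looks_site_relative($ref) ? 'pass' : 'fail',
        resolve_download($ref) === null ? 'rejected' : 'accepted'
    );
}
```

Both values from the thread are well-formed site-relative paths, so the structural check alone lets them through; only the allowlist rejects them, and a rejected `ref` means the download line is left out, as the last reply suggests.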