"Exploit" on the download page of the website


First, thank you for chameleon, it's an awesome project.

So I was downloading the latest release on the download page and I noticed that the file path is in a PHP arg. So I tried to modify it with a URL, and when clicking on the download link the page redirects the user to that URL.

This can be a problem when other forums provide the link to your download page; if modified, it can redirect the user to an infected website.

(click the download link and watch the magic happen)

Gringo Vermelho:
All those downloads are obsolete anyway. And I don't know who is supposed to maintain that page.

I try to keep a recent version in my guide, see link in my signature.

Try this for example, click on my link then click download. Instead of taking you to a hard defined link it takes you to whatever link is in the ref tag in the URL. This means that, using a link shortener or some other link obfuscation, I can trick a new user into believing that Chameleon/this site for Chameleon is distributing viruses.

Interestingly, the line at the bottom "alternatively you can download..." with the bad link actually disappears without the tag, so maybe it's a good idea to just remove that line entirely.
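
One way to close the redirect described in this thread, shown as an added example that is not part of any post and is not the site's own code: the `ref` parameter is treated as a key into a server-side list of known files instead of being used as the redirect target. The base URL, the file names and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed values: the site's real base URL and file names are not on the page.
const DOWNLOAD_BASE = 'https://downloads.example.org/files/';
const KNOWN_FILES   = ['release-a.zip', 'release-b.pkg'];

// Weak pattern matching what the thread reports (target taken from the URL as-is):
//   header('Location: ' . $_GET['ref']);

/** Map the ref parameter to a download URL, or null when it is not a known file. */
function resolve_download(?string $ref): ?string
{
    // Strict comparison against the allowlist: absolute URLs, scheme-relative
    // "//host" values and path traversal never match a bare file name.
    if ($ref === null || !in_array($ref, KNOWN_FILES, true)) {
        return null;
    }
    return DOWNLOAD_BASE . rawurlencode($ref);
}

/** Build the "alternatively you can download..." line from the resolved URL only. */
function render_fallback_link(?string $ref): string
{
    $url = resolve_download($ref);
    if ($url === null) {
        return ''; // no line at all for a missing or rejected ref
    }
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<p>Alternatively you can download it <a href="' . $safe . '">here</a>.</p>';
}

// Constructed sample inputs, including the kinds of value reported in the thread.
$samples = [
    'release-a.zip',
    'https://other.example/file.zip',
    '//other.example/file.zip',
    '../release-a.zip',
    null,
];
foreach ($samples as $ref) {
    $target = resolve_download($ref);
    printf("%-36s => %s\n", var_export($ref, true), $target ?? 'rejected (respond 404)');
}
```

In a request handler, a null result would produce a 404 response and no `Location` header, so a modified link posted on another forum cannot leave the site.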


