Zubrag.com
August 25, 2019, 11:18:54 PM *
Author Topic: stop webthumb hijackers - possible?  (Read 10155 times)
mugwumpr
Newbie
*
Posts: 16


« on: April 13, 2007, 10:52:23 PM »

Hi!  I've been using the webthumb script for a few months now and I LOVE it!  Sadly, when I was checking up on one of the thumbnails in my "thumbs" folder, I discovered about 5-6 that had quite clearly come from ** sites.  Since I only run the service for myself, and I don't have any reason to link to ** sites, I have a hijacker using my bandwidth.  And, as we all know, hijackers are like vermin, where there's one, there will soon be thousands.

 Angry

Is there some way to limit accepted thumbnail requests to certain IP addresses or websites?

Logged
imanuk
Newbie
*
Posts: 3


« Reply #1 on: April 14, 2007, 03:34:34 PM »

a really fast fix if you only run it on one URL could be:

replace:   
Code:
$website_url = $_REQUEST['url'];
with something like:
Code:
$website_url = 'http://www.yourURLhere.com/' . $_REQUEST['url'];

then when you load the page simply replace: webthumb.php?url=http://www.yourURLhere.com/mypage.htm&x=150&y=150
with: webthumb.php?url=mypage.htm&x=150&y=150

other than that you could:
Before:
Code:
if ($image_type == 1) $output_format = 'gif';
Add:
Code:
$url = parse_url($website_url);
// compare with === (a single = would assign) and quote the array key
if (isset($url['host']) && $url['host'] === 'www.yourURLhere.com')
{
//run script
}
else
{
//get ur own!
}
The above needs some extra thought but I expect you get the drift.
Let me know how you get on, imanuk
Logged
mugwumpr
Newbie
*
Posts: 16


« Reply #2 on: April 14, 2007, 11:23:49 PM »

Hi imanuk,

Thanx for the quick reply!  I actually run multiple websites on 2 servers each with their own IP, so it would need to be something that accepts multiple options, whether URL or IP.  I definitely see where you're going with that, tho.

Looks like this should have been in the "requests" section, eh?  oops.

 Roll Eyes
Logged
zubrag
Administrator
Hero Member
*****
Posts: 788


WWW
« Reply #3 on: April 18, 2007, 02:29:43 AM »

Here's what we came up with.

The code will check the site invoking the website snapshot creator, and will only proceed if the site is listed.
For example, your site is thumbnails.com. You want to limit snapshot generator usage to only that site. Replace first.com with thumbnails.com below.

for one allowed site

// strpos() returns false when the site name is not found in the referer
if (!isset($_SERVER['HTTP_REFERER'])
or strpos($_SERVER['HTTP_REFERER'],'first.com') === false
) die('Permissions denied');

for two allowed sites

// deny only when neither site name is found in the referer
if (!isset($_SERVER['HTTP_REFERER'])
or (strpos($_SERVER['HTTP_REFERER'],'first.com') === false
and strpos($_SERVER['HTTP_REFERER'],'second.com') === false)
) die('Permissions denied');

Note: this is not 100% hacker safe. Hackers can spoof the referring URL to make the website snapshot generator believe it is running on a legal site.
Logged
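Added example (not part of any post above and not the webthumb script's own code): an allowlist for several sites that compares whole host names instead of substrings, applied both to the Referer and to the requested `url`. The helper names `host_is_allowed` and `request_is_allowed`, the host list and the sample requests are constructed for illustration, and it assumes thumbnails are only ever taken of your own sites, as in imanuk's first fix.

```php
<?php
// Allowlist of sites permitted to use the thumbnailer (placeholder names).
$allowed_hosts = array('first.com', 'www.first.com', 'second.com');

// Hypothetical helper: true only for an http(s) URL whose host is listed.
function host_is_allowed($url, array $allowed_hosts)
{
    $parts = parse_url((string) $url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // empty, relative or malformed URL
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    // Host names are case-insensitive; match the whole name, not a substring.
    return in_array(strtolower($parts['host']), $allowed_hosts, true);
}

// Hypothetical gate: both the calling page and the target must be listed.
// The Referer can be spoofed, so the target check is the one that actually
// keeps other people's pages out of the thumbs folder.
function request_is_allowed(array $server, array $request, array $allowed_hosts)
{
    $referer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    $target  = isset($request['url']) ? $request['url'] : '';
    return host_is_allowed($referer, $allowed_hosts)
        && host_is_allowed($target, $allowed_hosts);
}

// Constructed sample requests: array(label, Referer, url parameter).
$samples = array(
    array('own page, own target', 'http://first.com/links.htm', 'http://second.com/'),
    array('no referer sent', '', 'http://first.com/'),
    array('listed name inside another host', 'http://first.com.example.net/', 'http://first.com/'),
    array('listed name in the query string', 'http://example.net/?first.com', 'http://first.com/'),
    array('listed referer, unlisted target', 'http://first.com/', 'http://example.net/'),
);
foreach ($samples as $s) {
    $ok = request_is_allowed(array('HTTP_REFERER' => $s[1]), array('url' => $s[2]), $allowed_hosts);
    printf("%-34s %s\n", $s[0], $ok ? 'allowed' : 'denied');
}

// Near the top of webthumb.php the gate would be used as:
// if (!request_is_allowed($_SERVER, $_REQUEST, $allowed_hosts)) die('Permissions denied');
```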