SCIENTIFIC-LINUX-USERS Archives

February 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Phil Wyett <[log in to unmask]>
Date: Wed, 18 Feb 2015 04:55:35 +0000
Content-Type: multipart/signed
Parts/Attachments: text/plain (1706 bytes), signature.asc (851 bytes)

On Tue, 2015-02-17 at 22:25 -0600, Brad Cable wrote:
> The /genLink URL will generate the expiretime for you, which requires 
> the Referer header being set.  No User-Agent detection is used from what 
> I can tell.  This is then dumped directly to stdout and wrapped by 
> another wget.  Works for me on multiple OSes at different physical 
> locations.
> 
> wget "`wget --header="Referer: http://www.fosshub.com/FreeFileSync.html" \
>     "http://www.fosshub.com/genLink/FreeFileSync/FreeFileSync_6.14_Windows_Setup.exe" \
>     -O /dev/stdout`"
> 
> Fun fact:
> 
> badurl=aHR0cDovL3d3dy5mb3NzaHViLmNvbS9GcmVlRmlsZVN5bmMuaHRtbA==/41affbb904a577f14aeace96bc39786f8840601489dcb8f9e12de18037e1c481
> 
> Is just a base64 encoded string of 
> "http://www.fosshub.com/FreeFileSync.html".  XSS exploit here, they 
> should fix that (could use a fosshub.com link to direct someone to a bad 
> URL, then the system redirects them to the attacker's phishing site).
> 
> For instance, this link redirects to Google:
> 
> http://files.fosshub.com/Protected/expiretime=9424210916;badurl=aHR0cDovL2dvb2dsZS5jb20=/FreeFileSync/FreeFileSync_6.14_Windows_Setup.exe
> 
> -Brad
> 

Hi,

This method does indeed work.

Malicious redirect is not a good thing and something fosshub should look
at rather quickly.

Many projects that did use fosshub for download hosting have now switched
because of the new download expiry not being helpful for scripts, i.e.
install or upgrade. Many projects have switched to using the space
provided where they host code. Maybe this should also be suggested to
the FreeFileSync people, who host their code on SourceForge.

Regards

Phil

-- 
Twitter: @philwyett
Jabber (xmpp): [log in to unmask]
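The redirect Brad describes, worked through as an added example (this is not code from the thread and not fosshub's own code): it splits a files.fosshub.com /Protected/ link into its ;-separated parameters, decodes the base64 badurl value, and puts the observed behaviour (redirect to whatever badurl decodes to) beside the host allowlist check a fix would need. The URL layout is taken from the two links quoted above; the parser assumes the base64 value contains no '/' (true for both values on the page); TRUSTED_HOSTS, the function names and the "legit" link are assumptions of mine.

```python
import base64
from urllib.parse import urlsplit

# The base64 badurl value and the redirect-to-Google link quoted in Brad's message.
ORIG_BADURL = "aHR0cDovL3d3dy5mb3NzaHViLmNvbS9GcmVlRmlsZVN5bmMuaHRtbA=="
GOOGLE_LINK = ("http://files.fosshub.com/Protected/expiretime=9424210916;"
               "badurl=aHR0cDovL2dvb2dsZS5jb20="
               "/FreeFileSync/FreeFileSync_6.14_Windows_Setup.exe")

# Constructed for this example: the same link carrying the original fosshub badurl.
LEGIT_LINK = ("http://files.fosshub.com/Protected/expiretime=9424210916;"
              "badurl=" + ORIG_BADURL +
              "/FreeFileSync/FreeFileSync_6.14_Windows_Setup.exe")

# Assumption: the hosts a fixed badurl handler would accept as redirect targets.
TRUSTED_HOSTS = {"www.fosshub.com", "fosshub.com"}


def parse_protected_link(url):
    """Split a /Protected/ link into ({param: value}, '<project>/<file>').

    Layout as seen in the thread: /Protected/key=val;key=val/<project>/<file>.
    urlsplit (not urlparse) is used so the ';' in the path is left alone.
    Assumes the base64 badurl carries no '/'; a real fix would use the
    URL-safe alphabet or carry badurl as a query parameter instead.
    """
    path = urlsplit(url).path
    prefix = "/Protected/"
    if not path.startswith(prefix):
        raise ValueError("not a /Protected/ link")
    params_part, _, file_path = path[len(prefix):].partition("/")
    params = {}
    for item in params_part.split(";"):
        key, _, value = item.partition("=")
        params[key] = value
    return params, file_path


def decode_badurl(value):
    """badurl is standard, padded base64 of an absolute URL; reject junk."""
    return base64.b64decode(value, validate=True).decode("utf-8")


def redirect_target_unchecked(url):
    """What Brad observed: the decoded badurl is used as the redirect target as-is."""
    params, _ = parse_protected_link(url)
    return decode_badurl(params["badurl"])


def redirect_target_checked(url, trusted_hosts=TRUSTED_HOSTS):
    """Hardened variant: redirect only to an http(s) URL on a trusted host.

    Returns None when the target must be refused; the caller should then
    fall back to a fixed page rather than to anything derived from badurl.
    """
    params, _ = parse_protected_link(url)
    target = decode_badurl(params["badurl"])
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname not in trusted_hosts:
        return None
    return target


if __name__ == "__main__":
    print("decoded original badurl:", decode_badurl(ORIG_BADURL))
    print("unchecked redirect for Google link:", redirect_target_unchecked(GOOGLE_LINK))
    print("checked redirect for Google link:", redirect_target_checked(GOOGLE_LINK))
    print("checked redirect for legit link:", redirect_target_checked(LEGIT_LINK))
```

The allowlist is on the parsed hostname, not on a substring match of the decoded string, so a target such as http://www.fosshub.com.evil.example/ is rejected as well as http://google.com.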

