How to cheat on “Top Tunisie Blogs”
Please note: this post is for informational purposes only. It does not aim to encourage you to use illegal ways to increase your rating in “Top Tunisie Blogs”, but to inform the administrator about vulnerabilities and how to fix them. I have never used any of the methods below, and if you try them, your blog might get banned, so use them at your own risk!
How does the system work?
I don’t have access to the source code, but I noticed the following:
Once subscribed, you can include an image URL in your blog. This picture is your counter: each time it is requested by a browser, a new entry is appended to the database. However, not all entries are counted, as an IP address cannot be counted more than once per day. Nothing special so far; almost all counters use this method.
How to cheat on the system?
1)
A simple way consists of spreading your tn-blogs banner to as many websites as you can, so that each hit increases the counter. This is possible if you have other sites aside from your registered blog, or if you have partners with whom you exchange banners, or by registering your blog with a similar portal with the tn-blogs picture as a banner.
2)
I have noticed that more than 1500 hits come from the Top Tunisie Blogs main page, so if you register your assigned tn-blogs picture as your banner instead of your logo, traffic will increase considerably as long as people visit the page, not to mention your “own” traffic.
3)
This is more “diabolic” and requires some programming skills.
Let’s say that your banner is logo.png and you have access to your host via FTP or SSH. You can make a PHP script called “logo.png” that includes your original logo picture, sends a header so that it is viewed as a PNG, but mainly pings the tn-blogs picture via the PHP fsockopen function, randomly using one of the thousands of proxies available on the net, so each time you refresh the Top Tunisie Blogs main page where your logo appears, a new entry is added and displayed! You can combine this trick with the first one for an astronomical number.
How to fight against the tricks above?
For the moment, there are not many registered blogs, so if the administrator has doubts about a blog’s rating, they can analyze the entries and investigate. If the user used illegal ways, the admin may ban them.
However, this is only a temporary solution. While the number of registered blogs is not very large, the admin can write a script that filters entries and only accepts referrers coming from the registered blog, in order to prevent any abuse.
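One way to write the filtering script described above, as an added example (it is not the Top Tunisie Blogs code, which this post has no access to). The entry layout, blog id, host names and IP addresses are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumption): blog id -> host the blog was registered with.
REGISTERED = {"blog42": "myblog.example"}
# Constructed counter entries: (blog id, client IP, date, Referer header).
ENTRIES = [
    ("blog42", "198.51.100.7", "2006-10-13", "http://myblog.example/post/1"),
    ("blog42", "198.51.100.7", "2006-10-13", "http://myblog.example/"),       # same IP, same day
    ("blog42", "198.51.100.8", "2006-10-13", "http://partner.example/links"), # banner on another site
    ("blog42", "198.51.100.9", "2006-10-13", "http://directory.example/top"), # portal main page
    ("blog42", "198.51.100.10", "2006-10-13", ""),                            # no Referer sent
    ("blog42", "198.51.100.11", "2006-10-13", "http://myblog.example.other.example/"),  # look-alike host
    ("blog42", "198.51.100.7", "2006-10-14", "http://WWW.MyBlog.example:80/"),  # next day, www + port
]

def referer_host(referer):
    """Return the lower-cased Referer host without a leading 'www.', or None."""
    try:
        host = urlsplit(referer).hostname  # drops scheme, port, path; lower-cases
    except ValueError:                     # malformed URL
        return None
    if not host:
        return None
    # Treating www.host and host as the same blog is an assumption of this example.
    return host[4:] if host.startswith("www.") else host

def filter_entries(entries, registered):
    """Return (accepted hits per blog, rejected entries with the reason)."""
    counts, rejected, seen = {}, [], set()
    for blog, ip, day, referer in entries:
        expected = registered.get(blog)
        if expected is None:
            rejected.append((blog, ip, day, "unknown blog"))
        elif referer_host(referer) != expected:  # exact host match, not substring
            rejected.append((blog, ip, day, "referrer not the registered blog"))
        elif (blog, ip, day) in seen:            # one hit per IP per day
            rejected.append((blog, ip, day, "IP already counted today"))
        else:
            seen.add((blog, ip, day))
            counts[blog] = counts.get(blog, 0) + 1
    return counts, rejected

if __name__ == "__main__":
    accepted, dropped = filter_entries(ENTRIES, REGISTERED)
    print(accepted)
    for row in dropped:
        print("rejected:", row)
```

The Referer header is supplied by the client, so this filter removes hits from banners embedded on other pages but is not proof of where a request came from. The rejected list is what the administrator would review when a rating looks doubtful.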
Just remember, no system is totally secure!
Hope this helps

October 13th, 2006 at 2:55 pm
Our National Houssein will appreciate your analysis.