Track exits allows any kind of URL, making phishing attacks easy

ads
Regular
Posts: 93
Joined: Sun Oct 29, 2006 11:39 am

Track exits allows any kind of URL, making phishing attacks easy

Post by ads »

The "Track exits" Markup plugin has a couple of different options for how to track the URL. One of them is "Serendipity Exit-Tracking Routing". When this option is activated, the variable $open_redir in exit.php is true, which in turn will redirect the user to any URL specified as the ?url= parameter.

There is a comment in exit.php about spamming attacks (around line 27) when the ?url parameter is used, but any URL is still accepted in this part of the code.

If the "Track exits" option is enabled, anyone can use this to make it appear as if a link is on the targeted website. Example (not working, because tracking is off):

https://blog.s9y.org/exit.php?url=aHR0cHM6Ly9nb29nbGUuY29t

This is typically (ab)used by spammers/scammers to make users believe that a link is more trustworthy.

Serendipity should be using $url_id and $entry_id everywhere, no need to use $url at all.
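Added example, written for this thread and not taken from Serendipity's exit.php or from any post above: a small PHP exit handler that models the two paths the post describes, the by-ID lookup and the base64-encoded ?url= redirect. With $open_redir left at its default of false the raw-URL path is never used at all; when it is switched on, the decoded destination is only honoured if its scheme is http(s) and its host is on an explicit allowlist, so the script cannot be used to launder an arbitrary link. The function name resolve_exit_target, the $tracked_urls table and the $allowed_hosts list are assumptions for illustration; the base64 form of the parameter follows the example URL in the post.

```php
<?php
// Added example, not Serendipity's own exit.php. resolve_exit_target(),
// $tracked_urls and $allowed_hosts are hypothetical names for illustration.
declare(strict_types=1);

/**
 * Resolve the redirect target for an exit-tracking request.
 *
 * - url_id: look the link up in a table of URLs the blog itself inserted.
 *   Nothing from the request becomes the destination, so this path cannot
 *   turn into an open redirect.
 * - url: a base64-encoded destination chosen by the client. The vulnerable
 *   behaviour is to decode and redirect unconditionally; here it is only
 *   honoured when $open_redir is true AND the host is on the allowlist.
 *
 * Returns the destination URL, or null to refuse (the caller answers 403/404).
 */
function resolve_exit_target(array $query, array $tracked_urls, array $allowed_hosts, bool $open_redir = false): ?string
{
    if (isset($query['url_id'])) {
        $id = filter_var($query['url_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false || !isset($tracked_urls[$id])) {
            return null;
        }
        return $tracked_urls[$id];
    }

    if (!$open_redir || !isset($query['url'])) {
        return null;
    }

    // ?url= carries base64; strict mode rejects anything outside the alphabet.
    $decoded = base64_decode((string) $query['url'], true);
    if ($decoded === false) {
        return null;
    }

    $parts = parse_url($decoded);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // no javascript:, data:, file: ... destinations
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return null; // off-site destination: refuse instead of laundering it
    }
    return $decoded;
}

// Constructed sample data for a stand-alone run.
$tracked_urls  = [1 => 'https://example.org/article', 2 => 'https://partner.example.net/'];
$allowed_hosts = ['example.org', 'partner.example.net'];

$cases = [
    'id lookup'         => ['url_id' => '1'],
    'unknown id'        => ['url_id' => '99'],
    'spammer payload'   => ['url' => base64_encode('https://attacker.example/phish')],
    'allowlisted url'   => ['url' => base64_encode('https://partner.example.net/offer')],
    'javascript scheme' => ['url' => base64_encode('javascript:alert(1)')],
    'not base64'        => ['url' => '%%%'],
];
foreach ($cases as $label => $q) {
    // $open_redir deliberately switched on so the ?url= checks are exercised
    $target = resolve_exit_target($q, $tracked_urls, $allowed_hosts, true);
    printf("%-18s -> %s\n", $label, $target ?? 'REFUSED');
}
```

Run with `php exit_example.php`. The by-ID cases never touch the client-supplied URL, which is the behaviour the post asks for; the allowlist is only there for the case where an installation really wants to keep raw-URL tracking for a known set of external hosts.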
onli
Regular
Posts: 2825
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

Re: Track exits allows any kind of URL, making phishing attacks easy

Post by onli »

Hi
Isn't the ability to wrap a random URL kind of the core of the plugin? But in general it sounds reasonable to closely look at that functionality. The plugin hasn't seen maintenance in a long while now. It could use a maintainer :)
ads
Regular
Posts: 93
Joined: Sun Oct 29, 2006 11:39 am

Re: Track exits allows any kind of URL, making phishing attacks easy

Post by ads »

All tracked URLs in my blog(s) have an ID and are not specified as a $url parameter. However, I see a couple of spammers trying to abuse this functionality (though I have no idea why the blog is suddenly trustworthy to anyone). They are probably just trying to hide some nasty URLs.

And no, I don't think wrapping any kind of URL is a core functionality, if the URLs from blog postings are tracked by ID.
onli
Regular
Posts: 2825
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

Re: Track exits allows any kind of URL, making phishing attacks easy

Post by onli »

I think we are missing something there. Okay, for internal links the url parameter seems unnecessary. But I think the url parameter is for external links. And as far as I understand the code that's called at https://github.com/s9y/additional_plugi ... #L148-L152, the plugin is not limiting its link replacement to internal links.
Bla
Regular
Posts: 25
Joined: Sat Feb 03, 2007 7:42 pm
Location: Germany
Contact:

Re: Track exits allows any kind of URL, making phishing attacks easy

Post by Bla »

My hoster complained about high server load on my hosting. There were many calls to

domain.tld/exit.php?url=abc123…

serendipity_event_trackexits was already disabled, so I removed it from the backend and deleted the folder via FTP. But exit.php is still reachable. Can the file be deleted (even though it is part of the core), or what else can I do?
onli
Regular
Posts: 2825
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

Re: Track exits allows any kind of URL, making phishing attacks easy

Post by onli »

Looking at the code, I think the file can be deleted. I see nothing that relies on it in the core.

There is some code in there, though, that aims to make the file less dangerous, basically inert if the trackexit plugin does not exist.
erAck
Regular
Posts: 236
Joined: Mon Feb 16, 2015 1:20 am

Re: Track exits allows any kind of URL, making phishing attacks easy

Post by erAck »

You can also tell them to go straight away with a 403 Forbidden code (which doesn't even need page generation) by adding to .htaccess

RewriteCond %{REQUEST_URI} =/exit.php [NC,NV]
RewriteRule .* - [F,L]

If your blog is not in the (sub)domain's document root, then adjust =/exit.php to =/path/exit.php

If Track Exits was actually to be used, then an additional condition

RewriteCond %{QUERY_STRING} ^url= [NC,NV]

would kick out only the /exit.php?url=... queries, or other matches on specific query string content could be used.
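Added example, not part of the thread or of Serendipity: whether you delete exit.php or block it in .htaccess as above, it is worth knowing what the flood of ?url= hits Bla describes was actually pointing visitors at. This PHP CLI snippet reads Apache combined-log lines, keeps only exit.php requests that carry a ?url= parameter (by-ID hits are skipped as the legitimate form), base64-decodes the parameter and counts destination hosts and client IPs. The log lines are constructed inline, summarize_exit_hits and the sample host names are assumptions for illustration, and the script needs PHP 8 for str_ends_with.

```php
<?php
// Added example, not part of the thread or of Serendipity: triage access-log
// lines for exit.php?url= requests and decode where they were sending visitors.
// summarize_exit_hits() and the sample log lines are constructed for illustration.
// Needs PHP 8 (str_ends_with).
declare(strict_types=1);

/**
 * Count exit.php?url= requests per decoded destination host and per client IP.
 * By-ID requests (?url_id=...) are ignored: those are the legitimate form.
 * Returns ['hosts' => [host => n], 'clients' => [ip => n], 'undecodable' => n].
 */
function summarize_exit_hits(iterable $lines): array
{
    $out = ['hosts' => [], 'clients' => [], 'undecodable' => 0];
    // Apache combined-log prefix: client IP, ident, user, [timestamp], "METHOD target HTTP/x.y"
    $re = '~^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) ([^ "]+) HTTP/[\d.]+"~';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;
        $path  = parse_url($target, PHP_URL_PATH);
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($path) || !str_ends_with($path, '/exit.php') || !is_string($query)) {
            continue;
        }
        parse_str($query, $params);
        if (!isset($params['url']) || !is_string($params['url'])) {
            continue;
        }
        $out['clients'][$ip] = ($out['clients'][$ip] ?? 0) + 1;
        // A '+' that arrived unescaped is turned into a space by parse_str (exactly
        // as $_GET would see it on the server); put it back before decoding.
        $b64     = str_replace(' ', '+', $params['url']);
        $decoded = base64_decode($b64, true);
        $host    = is_string($decoded) ? parse_url($decoded, PHP_URL_HOST) : null;
        if (!is_string($host)) {
            $out['undecodable']++;
            continue;
        }
        $host = strtolower($host);
        $out['hosts'][$host] = ($out['hosts'][$host] ?? 0) + 1;
    }
    arsort($out['hosts']);
    arsort($out['clients']);
    return $out;
}

/** Build one constructed combined-log line for a request to $target. */
function sample_line(string $ip, string $target): string
{
    return sprintf('%s - - [12/Mar/2024:10:01:02 +0100] "GET %s HTTP/1.1" 302 - "-" "Mozilla/5.0"', $ip, $target);
}

// Constructed sample: two spam destinations hammered from two clients, the
// google.com example from the first post, one by-ID hit, one broken payload.
$lines = [
    sample_line('203.0.113.7',  '/exit.php?url=' . rawurlencode(base64_encode('https://spam.example/casino'))),
    sample_line('203.0.113.7',  '/exit.php?url=' . rawurlencode(base64_encode('https://spam.example/pills'))),
    sample_line('198.51.100.9', '/exit.php?url=' . rawurlencode(base64_encode('http://phish.example/login'))),
    sample_line('198.51.100.9', '/exit.php?url=aHR0cHM6Ly9nb29nbGUuY29t'),
    sample_line('192.0.2.44',   '/exit.php?url_id=12&entry_id=5'),
    sample_line('192.0.2.44',   '/exit.php?url=%%%notbase64'),
    sample_line('192.0.2.44',   '/index.php'),
];

$summary = summarize_exit_hits($lines);
foreach ($summary['hosts'] as $host => $n) {
    printf("%5d  -> %s\n", $n, $host);
}
foreach ($summary['clients'] as $ip => $n) {
    printf("%5d  from %s\n", $n, $ip);
}
printf("undecodable: %d\n", $summary['undecodable']);
```

On a real server, replace the $lines array with `new SplFileObject('/var/log/apache2/access.log')` (SplFileObject is iterable line by line) and feed it to summarize_exit_hits; the client counts tell you whom to rate-limit or block, and the host counts tell you whether the links being laundered through your blog are worth reporting.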