MN Forum

Full Version: Disallow direct access to process.php
Hello,

I found an exploit in the system by using the surf module. The exploit was quite simple. I found this exploit on my live site, then made a temp fix.

Basically I made a small program that has 10 threads which navigate to

Code:
Hidden content for guests

2 times a second. I found this because it's hardcoded into the website template (you can find it with a scraper), and it gives you the coins for viewing that site. However, they're not actually viewing the site and it will show as having been viewed 300 times a minute.

The easiest fix would just be to disallow direct access to this file so users can't visit those URLs.
Hello,

What script version do you have? Also, do you have any custom changes on this script?

It doesn't matter if a user directly accesses this URL; there are 2 steps in the same file: the first is "start surf time" and the second is "complete surf process". Without the first call, it is useless to access this URL. Also, with the first step, you have to wait at least "surf time - 2 seconds" for the visit to be valid and coins to be added. What you posted here is just the second step; if you haven't changed anything in that file and if you have the latest version of the script, nobody can cheat the system using this link.

Also, I can't disable direct access to that file, because that file is accessed by JS; with direct access disabled, it doesn't work.

P.S.: If you have a version older than 1.7.0, update your script to the latest version. Also, every time a new version is released, it is recommended to update your script. There are always important improvements or bug fixes.
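
The two-step check described in the reply above, as an added sketch that is not the script's own code and not written by either poster. The class, method names and in-memory store are assumptions (a real deployment would keep the start record in the database or session and consume it atomically, so parallel requests cannot both be credited); it needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical sketch: class, method and field names are assumptions, and the
// in-memory array stands in for the script's database or session storage.
final class SurfVisitTracker
{
    /** @var array<string,int> start timestamp per "user:site" key */
    private array $started = [];

    public function __construct(
        private int $surfTime,      // required viewing time in seconds
        private int $grace = 2      // the "surf time - 2 seconds" tolerance
    ) {}

    // Step 1: "start surf time". Record when this user began viewing this site.
    public function start(int $userId, int $siteId, int $now): void
    {
        $this->started["$userId:$siteId"] = $now;
    }

    // Step 2: "complete surf process". Returns true only if coins may be credited.
    public function complete(int $userId, int $siteId, int $now): bool
    {
        $key = "$userId:$siteId";
        if (!isset($this->started[$key])) {
            return false;            // step 2 called without step 1
        }
        $elapsed = $now - $this->started[$key];
        if ($elapsed < $this->surfTime - $this->grace) {
            return false;            // too early; the start record is kept
        }
        unset($this->started[$key]); // consume: one start credits at most once
        return true;
    }
}

// Constructed scenario: 20-second surf time, user 7 viewing site 42.
$t = new SurfVisitTracker(20);
var_dump($t->complete(7, 42, 1000)); // step 2 requested with no step 1
$t->start(7, 42, 1000);
var_dump($t->complete(7, 42, 1005)); // step 2 requested after 5 s
var_dump($t->complete(7, 42, 1018)); // step 2 requested after 18 s (20 - 2)
var_dump($t->complete(7, 42, 1019)); // step 2 repeated after a credit
```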