
Spam and DMCA issues on internal redirected links

Rodolfo

Chevereto Staff
Recently I've stumbled upon some reports pointing out that there are some spammy/warning redirects in Chevereto. Links that look like this:

Code:
https://photoland.io/redirect/aHR0cHM6Ly93d3cuY29vbGFpcnVzYS5jb20v
https://ultraimg.com/redirect/aHR0cHM6Ly93d3cuY29vbGFpcnVzYS5jb20v
https://allthepics.net/redirect/aHR0cHM6Ly93d3cuY29vbGFpcnVzYS5jb20v
https://lightpics.net/redirect/aHR0cHM6Ly93d3cuY29vbGFpcnVzYS5jb20v
https://portfoliodog.com/redirect/aHR0cHM6Ly93d3cuY29vbGFpcnVzYS5jb20v

Steam (and others) do similar redirect/info stuff, for example:
Code:
https://steamcommunity.com/linkfilter/?url=https://www.coolairusa.com/
(notice how you can put any URL there; the difference here is that in Chevereto I base64 encode the actual URL so the target URL is never shown).

Remember that people can provide their personal URL and whatnot? Turns out that some people or bots will try to use your website to spam, to get some juice out of your website, to distribute illegal stuff, whatever. A thing that happens to any website with user-provided data (sad but true).

To avoid spam abuse, Chevereto uses internal 302 redirects so no juice is passed and no final link is exposed. You can read about this here: https://moz.com/blog/301-redirection-rules-for-seo (this works for spammy links that just want your SEO juice). Links containing some malware, viruses, etc. will get identified by your web browser (every modern web browser does this) so you don't need to worry about these either.

Unfortunately, it is impossible to determine if a given URL is violating the DMCA because that must be reported by the affected party (copyright owner). If you get a DMCA for these redirects, simply search your DB for the resulting URL (the real URL, not the encrypted URL) and just remove these links and ban the associated IP.

Keep in mind that ANY user-powered website needs to be monitored and that you must perform action when needed (like remove where these links are appearing).

Hope it helps,
Rodolfo.
 
How do we go about searching the database? phpmyadmin?

I have the localhost.sql file and opened, but cannot see the url after performing a search?
 
How do we go about searching the database? phpmyadmin?

I'm starting to think that you are considering that every interaction that you have with me falls into the "support" category as you are asking me how to use a third-party tool. This is not the case, I'm not helping you here because of support.

Using any DB client you should be able to find a "search" function.

[screenshots attached: 1535220883708.png, 1535220911313.png]

The match is user_id 591.
 
Does not change the fact Vultr will cancel my VPS within 24 hours unless the redirect is removed.

Have you tried adding /redirect/aHR0cHM6Ly93d3cuY29vbGFpcnVzYS5jb20v after your domain?
 
If such links were on external websites then surely you'd have no control over it.
Just like you can't control people linking https://steamcommunity.com/linkfilter/?url=https://www.coolairusa.com/ right here. The difference here is that they don't redirect, they show a warning message. We should detect the HTTP referrer and only process the redirect if it comes from your own website (if not, display a continue message).

By doing that, hanging a link elsewhere won't issue a redirect. We should also have some sort of blacklist to just ban once and forget about the thing.
 
Sorry Rodolfo, not trying to be a pain but this is very odd, I have followed your screenshots above, deleted the line, but the redirect still works?
 
Sorry Rodolfo, not trying to be a pain but this is very odd, I have followed your screenshots above, deleted the line, but the redirect still works?

For now, you should simply delete routes/route.redirect.php
 
I think that I've an idea.

Taking into consideration that these links should be used only inside your website, the URL encoding should include a private salt which will tell us that the link was generated by your website (and not just someone doing a base64 encode and hanging your links all over the web).

If we add a time constraint (let's say 6 hours) we will have links that will automatically expire and throw 404 if someone wants to use them for abuse. Even if the attacker spends the whole day creating links, these links will expire after some time, so the key here is to use short periods of time to avoid becoming a DMCA target.

An HTTP referer check will also allow us to disavow any detected external access to these links. The HTTP referer is not 100% safe, but in combination with everything else I think that it will do the trick.
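The scheme proposed in this post, as an added stand-alone illustration in Python (it is not Chevereto's own code, which is PHP): a per-site secret signs the encoded target together with an expiry, and the resolver only redirects when the signature and lifetime check out and the referer is the site's own host; otherwise it serves a continue page or a 404. The secret, the 6-hour constant and the sample URLs are assumed or constructed values.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import urlparse

# Hypothetical per-installation secret (the "private salt" from the post) and the
# 6-hour lifetime proposed above. Both are constructed values for this example.
SECRET = b"replace-with-a-long-random-per-site-secret"
TTL_SECONDS = 6 * 60 * 60


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(url: str, now: int, secret: bytes = SECRET, ttl: int = TTL_SECONDS) -> str:
    """Encode expiry|url as base64url and append an HMAC-SHA256 tag over it."""
    payload = _b64u(f"{now + ttl}|{url}".encode())
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def resolve(token: str, now: int, referer: Optional[str], own_host: str,
            secret: bytes = SECRET) -> Tuple[str, Optional[str]]:
    """Decide what /redirect/<token> should do: ('redirect', url) for a valid link
    reached from our own site, ('confirm', url) when the referer is external or
    missing, ('not_found', None) for unsigned, forged, malformed or expired tokens."""
    payload, sep, tag = token.partition(".")
    if not sep:
        return ("not_found", None)  # plain base64, as anyone could craft by hand
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ("not_found", None)  # wrong or forged signature
    try:
        exp_text, url = _b64u_decode(payload).decode().split("|", 1)
        exp = int(exp_text)
    except (ValueError, UnicodeDecodeError):
        return ("not_found", None)
    if now > exp:
        return ("not_found", None)  # link has aged out
    if referer is None or urlparse(referer).hostname != own_host:
        return ("confirm", url)
    return ("redirect", url)
```

Note that the plain-base64 links listed at the top of the thread carry no signature and would all fall into the 404 branch under this scheme.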
 