Vulnerability API.

[Amato]

I noticed that the API is very vulnerable. With it you can create a heavy load on the server and the HDD.
Example:http://www.domain.com/api?&format=txt&upload=http://link.com/xxx.jpg

Thus, you can open a browser, paste this link to go there, and constantly update the page. Do not be a programmer, that would automate this process.

Example: Opera => Open over 100+ tab => Paste link's => Updated page once per second.

 

[Danny.Domb]

Example: Opera => Open over 100+ tab => Paste link's => Updated page once per second.

That is why their is an API Key. You should not let your API be public...

 

[Amato]

No, Danny.

Look: Example: Opera => Open over 100+ tab => Paste link's** => Updated page once per second.

**Link: http://www.domain.com/api?&key=Owad3F6e3&format=txt&upload=http://www.link.com/xxx.jpg

Learn the key is very simple, plugin for Firefox&Chrome help in this.

 

[kyle789]

No, Danny.

Look: Example: Opera => Open over 100+ tab => Paste link's** => Updated page once per second.

**Link: http://www.domain.com/api?&key=Owad3F6e3&format=txt&upload=http://www.link.com/xxx.jpg

Learn the key is very simple, plugin for Firefox&Chrome help in this.

Yes I was just about to point that out!

But really, if someone does do this to you just change the API. You will then have to update the browser extensions after doing that though.

 

[Amato]

kyle789, this will bring discomfort to customers.

 

[kyle789]

kyle789, this will bring discomfort to customers.

Too bad for them 🙂

 

[Amato]

Wait Rodolfo, maybe he can come up with something.

 

[Rodolfo]

There is any difference in that you flood any other website? Nope.. This is something that PHP can't handle because there is no way of leting PHP doing someone else job. PHP is triggered once the request is accepted by the webserver and is stupid to handle the flood in php because it doesn't have all the machine to do it.

This things (although have been taken into account for 2.1) is mostly a server issue because is the webserver who handles the request and the webserver CAN handle this flooding attempts. For instance, a cheap way to avoid this is use cloudflare and the best that you can do is set a daemon that shutdown every flood attempt.

If you point out this, what is the difference in making flood to this forum? php has to call mysql, mysql server is loaded, bla bla bla. Is a thing that the request handler must avoid, not php

And if you have 10K calls to your api (human calls, not flood attempts) who must satisfy those calls? The server. If your server is cheap yo shouldn't dream about that huge usage... Simple as that.

 

[Amato]

Will clog your disk quota. Need 24/7 to be in the network, and remove those images.

 

[Rodolfo]

I can do a php filter but I assure you that is not the definitive solution. A flood prevention will be applied on 2.1

 

[Mcmar]

I can do a php filter but I assure you that is not the definitive solution. A flood prevention will be applied on 2.1

Ouch! That API one can be used badly, people can make spam bots like it refreshes the site each 1 sec.. and you'll end up with a milion images lol

 

[kyle789]

you'll end up with a milion images lol

That will never happen!

 

[Rodolfo]

I can do a php filter but I assure you that is not the definitive solution. A flood prevention will be applied on 2.1

Ouch! That API one can be used badly, people can make spam bots like it refreshes the site each 1 sec.. and you'll end up with a milion images lol

read my previous response