Posted by Anze on 01/21/08 14:41
> link:http://www.nedkellypub.it/concerti/dati/olukev/orawo/
> Now I can't see
> how this benefits them, am I missing something? Have I created some
> possible way for hackers to achieve something? Is the displayed code just a
> cover for some actual php going on behind the scenes?

You are helping them to hide where the visitor came from.

My guess: at the moment someone is just testing to see if you are alert -
later on, if you do nothing, the real traffic will start to come. For
instance, your site could be used to hide the referer when doing black hat
affiliate marketing. Since the redirect comes from your page and not from
theirs nobody can track them without contacting you.

I wouldn't provide them with the service - as always, check the input and
only allow valid values. In your case this should do the trick:
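// The "/" after the host keeps the cleaned value in the path, never in the host name.
// "-" is placed last in the character class so it is a literal, not a range.
header("Location: http://www.mydomain.com/".
preg_replace('/[^a-z0-9_.-]/i','',$_GET['page']));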
(not tested, just wrote it - you get the idea)
Best,
Anze
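
The "only allow valid values" advice can be taken one step further with an exact allowlist of redirect targets. The following is an added example, not part of Anze's post; `BASE_URL`, `ALLOWED_PAGES`, `safe_redirect_target()` and the page names are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: choose the redirect target from a fixed allowlist
// instead of cleaning up whatever arrives in $_GET['page'].

// Trailing slash: whatever is appended stays in the path, not the host.
const BASE_URL = 'http://www.mydomain.com/';

// The only local pages that may be redirect targets (constructed list).
const ALLOWED_PAGES = ['index.php', 'news.php', 'contact.php'];

function safe_redirect_target($page): string
{
    // Reject non-strings (?page[]=x, missing parameter) and any value
    // that is not an exact, case-sensitive match for an allowed page.
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return BASE_URL;   // fall back to the home page
    }
    return BASE_URL . $page;
}

if (PHP_SAPI === 'cli') {
    // Offline check with constructed inputs: only 'news.php' is honoured,
    // every other value falls back to BASE_URL.
    $samples = ['news.php', 'http://other.example/', '.other.example',
                '../admin', 'NEWS.PHP', ['x'], null];
    foreach ($samples as $s) {
        printf("%-28s => %s\n",
               json_encode($s, JSON_UNESCAPED_SLASHES),
               safe_redirect_target($s));
    }
} else {
    // Web request: redirect and stop, so no further output is sent.
    header('Location: ' . safe_redirect_target($_GET['page'] ?? null), true, 302);
    exit;
}
```

Logging the rejected values alongside the request's Referer header shows whether someone is still probing the redirect.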