EvilZone
Other => Found it on the Webs => : d4rkcat December 20, 2014, 05:44:47 PM
-
It looks like isohunt has really taken the baton and ran with it.
First the pirate bay clone and now this, the full source code for TPB.
Ying and Yang, the universe seems to respond to censorship.
https://github.com/isohuntto/openbay
http://torrentfreak.com/open-bay-now-everyone-can-run-pirate-bay-copy-141219/
-
I like the commit about 'fixed potential security issues' >> 22 hours ago. Why am I not surprised?
-
I like the commit about 'fixed potential security issues' >> 22 hours ago. Why am I not surprised?
This is the beauty of Open Source!
The people who wrote this code referred to it as 'shitty' (http://torrentfreak.com/pirate-bay-crew-responds-to-the-raid-copies-and-the-future-141215/), so I'm not really surprised either.
Copycats are to be seen as a higher form of the proxies. If [Pirate Bay’s] code wouldn’t be so shitty we would make it public for everyone to use, so that everyone could start their own bay.
Then again it's just some XSS, not too bad (so far).
Hopefully with more eyes we will find and patch the RCE! ;)
Just a note this is not exactly the source code for TPB it has alot more torrents in the database as it includes torrents from KickassTorrents and Isohunt.to.
It looks like it is the source of oldpiratebay.org
Also uploading and commenting are not enabled.
But seeing as it's on git and it's already been forked 141 times, I'm sure we will see those features soon enough.
-
Yeah, Im a bit concerned with some of the current configuration stuff they got going on. Ill fully admit that web stuff is not my forte, so without playing around in a live environment itd take me 5 times as long to spot a real issue. I just get antsy whenever I see important bits of code with no built in checks and rely on external configurations and what not to get it right for them. ie dont put all your security inside a .htaccess file.
oh btw, if you get the error404 page, an img is pulled from isohunt. Thought that was strange and unnecessary. Probably benign, but id remove that if I was setting up a piratebay clone.
-
oh btw, if you get the error404 page, an img is pulled from isohunt. Thought that was strange and unnecessary. Probably benign, but id remove that if I was setting up a piratebay clone.
Open Source to the rescue:
https://github.com/isohuntto/openbay/pull/23
-
I would also note that the xss fixes are all by using CHtml::encode, which apparently is just an alias for htmlspecialchars. I know that there are some bypasses involved with that, so someone who knows more about xss might be able to spot how to still inject some evil xss stuff.