How I downloaded free porn from pornstar.com (video)
|
No comment
|
erm, hello fristopher :banana
|
so how you got that members url link? there are some numbers i haven't seen anywhere else in the video ... you are something like magician? :)
|
i didn't see in your screencast how you got the path in /members to the WMV file.
and the purpose of copying the URL of the jpeg? |
Shouldn't you be telling the site, rather than promoting it here?
|
Quote:
Quote:
But how he got the url structure to the members area remains a question :) |
Quote:
or anything like that since u can directly access the movies and download them :P |
Quote:
In 'hacker' circles, when a security hole is discovered, it's good practice to inform the site or software vendor with the hole before announcing it publicly. |
Why would you make a screencast like that?
|
one of the easiest sites to get in imho, downloading some tanner mayes movie right now. and yes i used a username and password, was easy to guess em...
|
i don't get it - the /members directory is password protected but when you link to a file directly within that directory you can play or download it without getting a password prompt box.
|
this shit does work, just tried it.. they should look into their server protection I guess
|
Quote:
Porn. Where the amateur coder is king. |
Looks to be patched here. Keep getting a login popup.
|
LOL I can't believe this shit... :Oh crap
If they hired me to make a CMS for them or have consulted me on security issues - this would NEVER be possible. :winkwink:
If you are SELLING something - you need to PROTECT IT!!!
There are only 2 ways to do it right:
1. put .htaccess password on members folder (+brute force protection)
2. putting your content outside public_html/www folder and reaching it using php (or whatever you use)
http://www.awmzone.com/services |
Guys, come on.. this is really easy stuff.. almost all elevated x site you can do this.. with
I just checked.. and it works on pornstar and like 10 other sites.. |
Quote:
Anyone know any good tools to protect content? -max |
wooohoo....more free porn.,
|
well it is not all elevated x sites.. but a lot of them use the members content to link to the tour..
I found out about this because one of my sites ( not even open yet.. ) was getting hammered.. but it was just one video..
my site http://notnormaltoys.com/tour/1/?nat...cuMC4wLjAuMC4w
from my server logs ( most popular files in order)
/tour/1/category.php
/tour/1/
/_assets/data/options/font/bebasneue-webfont.woff
/content/upload/(**********)/(***).wmv
/content/upload/(**********)/(******).wmv
well the last 3 are protected by the members area.. unless you know the direct link.. you can download the content..
I have tested this on like 20 different elevated x sites.. and if you know some basic information you can get pretty much anything.. Some sites are harder than others..
---- |
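A site owner can run the same check against their own access log to see whether members-only files are being served without a login. This is an added example, not code from any poster in the thread; it assumes the Apache/nginx "combined" log format, HTTP authentication via .htaccess (so the user field is filled in for logged-in requests), and the protected prefixes and log lines shown are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: these prefixes are meant to be members-only on this server.
PROTECTED_PREFIXES = ("/members/", "/content/upload/")

# Combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def unauthenticated_hits(lines):
    """Count protected paths that were served (200/206) with no auth user."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        served = m["status"] in ("200", "206")  # 206 = ranged video request
        if served and m["user"] == "-" and path.startswith(PROTECTED_PREFIXES):
            hits[path] += 1
    return hits

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /tour/1/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "GET /content/upload/set-a/clip1.wmv HTTP/1.1" 200 73400320 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /content/upload/set-a/clip1.wmv HTTP/1.1" 206 1048576 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:01:30 +0000] "GET /members/index.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '203.0.113.5 - alice [01/Jan/2025:10:02:00 +0000] "GET /content/upload/set-a/clip2.wmv HTTP/1.1" 200 52428800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, count in unauthenticated_hits(SAMPLE_LOG).most_common():
        print(count, path)
```

Any path this reports was delivered to a client that never authenticated, which is the condition described in the post above. Sites that authenticate with session cookies instead of HTTP auth would need the application's own log field in place of the user column.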
Quote:
I know it wasn't your intention but you inferred that Elevated X is somehow flawed and allows free downloading of content (the title of this thread). As a long time customer you know this is not the case.

For the record - Elevated X DOES NOT power pornstar.com

You may be surprised to learn that Elevated X DID have obfuscation in the early days. It was later removed because there wasn't as much benefit to overcome some of the problems it created such as on the fly, random naming and cache invalidation that wreaked havoc on high traffic sites.

--------------------------------------------------------------------------------------
Some content protection facts for sites without obfuscation:
--------------------------------------------------------------------------------------
1) Content that resides behind htaccess or another protection method can't be linked to unless you're already logged into the site. In this case, nobody is getting free porn, the person accessing it is already a paying customer.
2) A user needs to know the folder name of the update and the filename of the content itself in order to get to it. This means they already need to be on a page of the site to get the content. They're not going to magically guess where the content is and get it all for free.
3) Nearly all Elevated X customers (and any smart pay site owner) uses site protection scripts along with their CMS and billing/auth process.
4) Unless you've symlinked your content folder or done something to remove authentication/protection from your site there's no way for tour surfer or any non-member to get to your content.
5) The only area this poses any concern whatsoever for an Elevated X customer might be inside a trial area where someone has a membership and could start looking at source code and hitting 1 link at a time. We've yet to see this be a cause of concern. Keep in mind all of us are professionals and are web savvy. Yes, a very select few will do it but the average guy who buys a membership isn't going to start viewing source code and copying a path fragment and then manually type in a video filename and view or download them 1 by 1. A video collector type of guy might but the typical consumer won't go to the trouble.
6) The real problem is as much about how people name their video files e.g. 1, 2, 3 for every update and not appending any prefix or suffix to them. Makes it too easy for people to just add 1, 2, 3 to the end of a URL and watch video after video.

--------------------------------------------------------------------------------------
NOTE TO ELEVATED X CMS CUSTOMERS:
--------------------------------------------------------------------------------------
In 5 years of running Elevated X, less than 10 customers have ever mentioned this being an issue or said they wanted obfuscation. This leads me to believe it's not really posing much of a problem to most people. If it is, by all means, submit a support ticket and suggest it and if enough people really need this we'll look to add it to the software and make it happen.

AJ |
Just an update -
As a result of this thread we've just posted a knowledge base help file for Elevated X customers who are using a free or limited trial area and want to make it impossible for anyone to get to your non-trial content. Trial members can no longer get to the non-trial content if they try to download it by hitting the URL directly. :thumbsup AJ |
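The two fixes discussed in this thread, keeping content outside the public web folder and serving it through a script, and stopping trial members from reaching non-trial files by direct URL, come down to one server-side check made before any file is sent. The sketch below is an added example, not Elevated X's knowledge-base fix or any poster's code; the `trial`/`full` folder layout, the session dictionary and the function names are hypothetical.

```python
import tempfile
from pathlib import Path

# Assumption: media lives outside the web root in one folder per tier.
# Trial members may read trial/ only; full members may read both.
TIER_ALLOWED = {"trial": ("trial",), "full": ("trial", "full")}

def resolve_media(media_root, session, requested):
    """Return (status, path); path is set only when status is 200."""
    if not session or session.get("tier") not in TIER_ALLOWED:
        return 401, None  # no login: never touch the filesystem
    root = Path(media_root).resolve()
    target = (root / requested).resolve()  # collapses ../ and symlinks
    try:
        rel = target.relative_to(root)
    except ValueError:
        return 403, None  # request escaped the media folder
    if not rel.parts or rel.parts[0] not in TIER_ALLOWED[session["tier"]]:
        return 403, None  # logged in, but wrong tier for this folder
    if not target.is_file():
        return 404, None
    return 200, target

def make_demo_root():
    """Build a constructed media tree in a temp folder for the demo."""
    root = Path(tempfile.mkdtemp())
    for name in ("trial/a.wmv", "full/b.wmv"):
        path = root / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")
    return root

if __name__ == "__main__":
    demo = make_demo_root()
    for sess, req in [(None, "full/b.wmv"),
                      ({"tier": "trial"}, "full/b.wmv"),
                      ({"tier": "trial"}, "trial/../full/b.wmv"),
                      ({"tier": "full"}, "full/b.wmv")]:
        print(sess, req, resolve_media(demo, sess, req)[0])
```

The check only helps if the web server has no direct route to the media folder, so every download has to pass through the script that calls it.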