
Private, financial and other non-public information of Fl.ru users is still in free access.

Despite the earlier publication “Critical vulnerability in security on fl.ru”, the service continues to hand out information that should be protected from public access to anyone who asks for it.

You can easily get access to passport data, registration address, postal address, e-mail, telephone number and other information about Fl.ru users, including financial information! And not only about freelancers, but also about customers. No hacking technique is needed and the Fl.ru site does not have to be broken into: it is enough to follow the links indexed by Yandex while sending the corresponding Referer in the request header.

The first option is to use the wget utility, as ValdikSS recommended in his comments:
  wget --referer 'https://st.fl.ru' http://st.fl.ru/about/documents/document_name.pdf

The second option is to install a browser add-on that sets a specific referrer for a specific site. For Firefox, for example, you can use this add-on: addons.mozilla.org/ru/firefox/addon/refcontrol. After installation, open the RefControl settings, add the site st.fl.ru, select “Other” and enter in that field
  https://st.fl.ru
After clicking “Ok” the settings window should look like this:

That's it: now you can follow links such as “Appendix to OFFER FOR CONCLUSION OF THE CONTRACT” or “technical assignments”, as well as any other Yandex or Google search results on the Fl.ru domain, and get access to information that should be closed to the public!

I think that specifying a particular referrer in an HTTP request is not a wrongful act. I am sure that Fl.ru should take more serious action than checking the referrer in order to keep such critical information out of public access. For example, show these documents only to authorized users.
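The difference between the check Fl.ru relied on and the one the post asks for, written out as an added example (this is not Fl.ru's code and not part of the original post; the document paths, the session table and the request headers are all constructed for illustration):

```python
"""Added example: why a Referer check is not access control, and what an
authorization check on a private document looks like instead.

All identifiers below (document paths, session ids, user ids) are
constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path plus a header dict."""
    path: str
    headers: dict = field(default_factory=dict)


# Constructed authorization data: which user may read which document.
DOCUMENT_OWNERS = {
    "/about/documents/contract_appendix.pdf": {"user-42"},
    "/about/documents/tech_assignment.pdf": {"user-7", "user-42"},
}

# Constructed session store: session cookie value -> authenticated user id.
SESSIONS = {
    "sess-abc123": "user-42",
}


def referer_gate(req: Request) -> bool:
    """The weak check described in the post: serve the file whenever the
    Referer header looks like it came from the site itself.

    The client fully controls this header, so it says nothing about who is
    asking; anyone who knows the URL (e.g. from a search index) gets the file.
    """
    referer = req.headers.get("Referer", "")
    return referer.startswith("https://st.fl.ru")


def _cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Pull one value out of a 'k=v; k2=v2' Cookie header."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def session_gate(req: Request) -> bool:
    """The fix the post calls for: serve the file only to an authenticated
    user who is allowed to see that particular document.

    Identity comes from a server-issued session cookie that the client cannot
    forge, and the per-document owner set enforces object-level authorization,
    so even a logged-in user sees only their own documents.
    """
    session_id = _cookie_value(req.headers.get("Cookie", ""), "session")
    user = SESSIONS.get(session_id)
    if user is None:
        return False                      # not logged in
    allowed = DOCUMENT_OWNERS.get(req.path, set())
    return user in allowed                # object-level authorization


def response_headers() -> dict:
    """Headers a private document should be served with, so that caches and
    search engines do not retain a copy once the URL becomes known."""
    return {
        "Cache-Control": "private, no-store",
        "X-Robots-Tag": "noindex, nofollow",
    }


if __name__ == "__main__":
    # Anonymous request that merely claims to come from the site.
    spoofed = Request("/about/documents/contract_appendix.pdf",
                      {"Referer": "https://st.fl.ru"})
    print("referer gate:", referer_gate(spoofed))   # True  (document leaks)
    print("session gate:", session_gate(spoofed))   # False (blocked)
```

The point of the pair is that the same anonymous request passes `referer_gate` and fails `session_gate`: the Referer header is a hint the browser sends for convenience, not a credential, so it can only ever be a UI nicety layered on top of real authentication, never a substitute for it. The `response_headers` helper covers the second half of the problem the post describes: once a search engine has indexed a URL, the file must also be marked non-cacheable and non-indexable, otherwise copies keep circulating even after access control is fixed.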

UPD Friday Mar 27 2015 14:09
As of now, Fl.ru has finally closed this hole!
Thanks to everyone who took part in the discussion, reposted the information, etc.: together we still made Fl.ru pay attention to this and take action!

Source: https://habr.com/ru/post/254141/
