Worst Idea Ever
I’m not sure I can add anything to this link because it pretty much does all the talking for itself. Check this out. “Just upload one of your files and see what you get!” Wow, just… wow. Every once in a while you just see something that makes you want to smack someone around. This is one of those times. Who came up with this?



June 1st, 2007 at 12:42 pm
To answer your question, from the faq:
Responsible for contents of this site is:
Markus Renschler
Schwarzwaldstr 3
71131 Jettingen
Germany
http://markus.renschler.net/
June 1st, 2007 at 12:52 pm
Yet another easy way to upload tons of malware! It doesn’t even require some form of proof you are not a bot (like CAPTCHA). I wouldn’t download even a single JPG file from that place!
Also, I tried uploading the same file twice and it wouldn’t let me so there must be some hash indexing on the server.
Another interesting fact, it did not allow me to upload a .html file (“Forbidden Extension Error”) but was totally fine when I tried a .js file. Haha!
It would be extra interesting if we could find out more about the “randomness” of the swapping and predict which file we would get next.
Finally, I noticed that you get a static link for the file you are about to download so I am wondering, could I host a file of my own containing some code and then link to it?
June 1st, 2007 at 12:57 pm
You can download XSS
http://www.file-swap.com/view/%3Cscript%3Ealert(’XSS’)%3C/script%3E
June 1st, 2007 at 1:16 pm
So, can they do a little more analysis on the file contents and make it more granular - like, swap one keylogger for another. Swap a bot for another.
June 1st, 2007 at 2:15 pm
Woohoo! I got a bike in return for uploading a Microsoft Icon:
http://www.file-swap.com/view/img_5626-md.jpg
June 1st, 2007 at 2:49 pm
You shouldn’t even have written about that RSnake. That will only give him traffic, which is what the site was built for.
Poor man, trying to get some money through those Google Ads on the sidebar.
June 1st, 2007 at 2:51 pm
Btw. we could try to pretend a click fraud. Maybe Google blocks him then
June 1st, 2007 at 4:18 pm
“File virus.bat already exists. Please try swapping a different file.”
June 1st, 2007 at 6:04 pm
Is it just me or is he fixing these problems as they appear here? I can’t upload a .JS file and the XSS example above doesn’t work either. (hello Markus).
I think the error message for anything that isn’t allowed to be uploaded is filename.ext “already exists. Please try swapping a different file.”
But you’re right, bad idea. Who wants other people’s random crap anyway?
June 1st, 2007 at 6:28 pm
“Just what I always wanted - a default Windows startup wav file.”
June 1st, 2007 at 7:20 pm
Swap the quotes out of the URL with normal ones and it will…
Plus you can also replace view with get and it will work too…
June 1st, 2007 at 9:51 pm
Damn, I guess I need bifocals. Thanks. Still can’t get a .js file to upload.
June 1st, 2007 at 10:10 pm
Perfect XSS example
hxxp://www.file-swap.com/get/%3Cimg%20src=”%20onerror=alert(’c=b;b=a;a=c’)%3E
June 2nd, 2007 at 12:37 am
1. Go to mozilla.org
2. Print a copy of the DOM
3. Put it in a big binder
4. Smack this guy over the head repeatedly.
5. If necessary, add more binders full of various RFCs and put them in a pillowcase
June 2nd, 2007 at 4:16 am
You can’t upload a file named “root.php”, but you can upload “root.php.” Awesome!
I can’t find it again though
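An added example, not part of the original post or any comment and not the site's own code: a server-side sketch of the two checks the comments above show missing, an extension allowlist applied after canonicalising the name (so "root.php." and ".js" are both refused) and HTML-encoding of a requested file name before it is echoed into a page. The allowed extensions, the function names and the error-page markup are assumptions made for illustration.

```python
import html
import re

# Assumed policy for this sketch: an allowlist of inert media types, not a blocklist.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "wav", "txt"}
# Stem: no dots, slashes, spaces or markup characters.
SAFE_STEM = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def validate_upload_name(raw: str) -> str:
    """Return the canonical name to store, or raise ValueError."""
    # Keep only the last path component, whichever separator the client sent.
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    # Canonicalise first: Win32 file APIs drop trailing dots and spaces,
    # so "root.php." can land on disk as "root.php".
    name = name.rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        raise ValueError("missing extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    # A dot-free stem also rejects double extensions such as "root.php.jpg".
    if not SAFE_STEM.fullmatch(stem):
        raise ValueError("unsafe characters in file name")
    return f"{stem}.{ext}"


def is_accepted(raw: str) -> bool:
    """Convenience wrapper: True when the name passes validation."""
    try:
        validate_upload_name(raw)
        return True
    except ValueError:
        return False


def render_not_found(requested: str) -> str:
    """Hypothetical error page: the requested name is encoded before output."""
    return f"<p>File {html.escape(requested, quote=True)} not found.</p>"


if __name__ == "__main__":
    # Constructed sample names of the kinds mentioned in the comments.
    for sample in ["img_5626-md.jpg", "root.php.", "root.php.jpg", "test.js", "virus.bat"]:
        print(f"{sample!r:20} accepted={is_accepted(sample)}")
    print(render_not_found("<script>alert('XSS')</script>"))
```

Serving stored files with a fixed Content-Type and Content-Disposition: attachment is a separate control and is not shown here.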
June 2nd, 2007 at 6:31 am
Nice! I gave a Kalashnikov ak47 image and received a nice ferrari gif.
What about using this service to lure some guys into running xss’s.
example: I send a txt with a list of xssed sites and telling that they are very good, blah…. the guy then copies the xssed url and browses it. XSS:)
June 2nd, 2007 at 7:54 am
Markus is a friend & ex-colleague of mine and a great sysop & programmer, AFAIK he monitors all incoming files before they can be swapped. Added to that his site was inspiration for Dominik and mine http://www.sketchswap.com — arguably, it’s easier to filter a sketch for a virus than a binary (though people try to submit lots of smut to our site, and we have 10,000s of images in the approval pipeline)!
June 2nd, 2007 at 9:55 am
I think it’s cool to run one of my own from a hacker’s standpoint. Free stuff, maybe I’m gonna steal the idea.
June 2nd, 2007 at 9:57 am
@Philipp
Well, there isn’t much anyone can do if you stream it off the server instead of executing it. Simple Apache configuration can prevent any such malicious use.
June 3rd, 2007 at 1:12 am
Yeah, it may protect the server, but there’s loads that the submitter can do to the receiver, through xss and plain old executable viruses. If the guy really hand-filters it, maybe not, but I doubt he can really check files in depth- I doubt he has time to really verify every file in the first place. Just a matter of time before something slips through.
I can’t think of any actual use for such a service, besides something to do when bored, and in that case, I’d rather get my virii from other sources.
June 5th, 2007 at 12:05 am
To all what has been said this site at the end of the day is POINTLESS. If I want random pictures and sounds I’ll use a search engine.
June 8th, 2007 at 9:47 am
I actually think this is a cool idea, though it isn’t designed too well… As far as vulnerabilities go, you have bigger problems if just having a file on your computer can infect it…