web application security lab

Worst Idea Ever

I’m not sure I can add anything to this link because it pretty much does all the talking for itself. Check this out. “Just upload one of your files and see what you get!” Wow, just… wow. Every once in a while you just see something that makes you want to smack someone around. This is one of those times. Who came up with this?

22 Responses to “Worst Idea Ever”

  1. Spider Says:

    To answer your question, from the faq:

    Responsible for contents of this site is:

    Markus Renschler
    Schwarzwaldstr 3
    71131 Jettingen
    Germany

    http://markus.renschler.net/

  2. Legionnaire Says:

    Yet another easy way to upload tons of malware! It doesn’t even require some form of proof you are not a bot (like CAPTCHA). I wouldn’t download even a single JPG file from that place!

    Also, I tried uploading the same file twice and it wouldn’t let me so there must be some hash indexing on the server.

    Another interesting fact, it did not allow me to upload a .html file (“Forbidden Extension Error”) but was totally fine when I tried a .js file. Haha!

    It would be extra interesting if we could find out more about the “randomness” of the swapping and predict which file we would get next.

    Finally, I noticed that you get a static link for the file you are about to download so I am wondering, could I host a file of my own containing some code and then link to it?

  3. SethF Says:

    You can download XSS :)

    http://www.file-swap.com/view/%3Cscript%3Ealert(’XSS’)%3C/script%3E

  4. Sylvan von Stuppe Says:

    So, can they do a little more analysis on the file contents and make it more granular? Like, swap one keylogger for another, swap a bot for another.

  5. Ronald van den Heetkamp Says:

    :)

    Woohoo! I got a bike in return for uploading a Microsoft Icon:
    http://www.file-swap.com/view/img_5626-md.jpg

  6. christ1an Says:

    You shouldn’t even have written about that RSnake. That will only give him traffic, which is what the site was built for.

    Poor man, trying to get some money through those Google Ads on the sidebar.

  7. christ1an Says:

    Btw. we could try to pretend a click fraud. Maybe Google blocks him then :D

  8. stgben Says:

    “File virus.bat already exists. Please try swapping a different file.”

  9. John @ NIST.org Says:

    Is it just me or is he fixing these problems as they appear here? I can’t upload a .JS file and the XSS example above doesn’t work either. (hello Markus).

    I think the error message for anything that isn’t allowed to be uploaded is filename.ext “already exists. Please try swapping a different file.”

    But you’re right, bad idea. Who wants other people’s random crap anyway?

  10. RSnake Says:

    “Just what I always wanted - a default Windows startup wav file.”

  11. fogez Says:

    Swap the quotes out of the URL with normal ones and it will…

    Plus you can also replace view with get and it will work too…

  12. John @ NIST.org Says:

    Damn, I guess I need bifocals. Thanks. Still can’t get a .js file to upload.

  13. Kishor Says:

    Perfect XSS example

    hxxp://www.file-swap.com/get/%3Cimg%20src=”%20onerror=alert(’c=b;b=a;a=c’)%3E

  14. Mockturtle Says:

    1. Go to mozilla.org
    2. Print a copy of the DOM
    3. Put it in a big binder
    4. Smack this guy over the head repeatedly.
    5. If necessary, add more binders full of various RFCs and put them in a pillowcase

  15. STFU Says:

    you cant upload a file named “root.php”, but you can upload “root.php.” Awesome!

    I can’t find it again though :(

  16. FR3DC3RV Says:

    Nice! I gave a Kalashnikov ak47 image and received a nice ferrari gif.

    What about using this service to lure some guys into running XSS’s?
    Example: I send a txt with a list of XSSed sites, telling them that they are very good, blah… The guy then copies the XSSed URL and browses to it. XSS :)

  17. Philipp Lenssen Says:

    Markus is a friend & ex-colleague of mine and a great sysop & programmer, AFAIK he monitors all incoming files before they can be swapped. Added to that, his site was the inspiration for Dominik’s and my http://www.sketchswap.com — arguably, it’s easier to filter a sketch for a virus than a binary (though people try to submit lots of smut to our site, and we have 10,000s of images in the approval pipeline)!

  18. Ronald van den Heetkamp Says:

    I think it’s cool to run one on my own from a hacker’s standpoint. Free stuff, maybe I’m gonna steal the idea.

  19. Ronald van den Heetkamp Says:

    @Philipp

    Well, there isn’t much anyone can do if you stream it off the server instead of executing it. Simple Apache configuration can prevent any such malicious use.
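    The three defensive points raised in this thread (the reflected name in comments 3 and 13, the trailing-dot filename in comment 15, and serving files without executing them in comment 19) fit together in one upload/serve path. The code below is an added example written for this page; it is not file-swap.com’s code, and nothing is known about what language that site uses. Every name (`check_filename`, `view_page_html`, `download_headers`), the allowlist and the rejection policy are assumptions made for the example.

    ```python
    import html
    import re
    import secrets
    from urllib.parse import quote

    # Added example, not the site's own code. All policy below is assumed.

    # Extensions the service is willing to accept (constructed allowlist).
    ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "wav", "txt", "ico"}

    # Extensions some server or browser will execute or render as markup; any
    # dotted segment matching one of these is rejected, so "a.php.jpg" fails too.
    EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "js", "html", "htm",
                             "svg", "bat", "cmd", "exe", "cgi"}

    MAX_NAME_LEN = 64


    class RejectedUpload(ValueError):
        """Raised when a user-supplied filename does not pass the checks."""


    def normalize_filename(name: str) -> str:
        """Reduce the name to what the filesystem would actually use."""
        # Keep only the last path component: "../x.jpg" or "dir\\x.jpg" -> "x.jpg".
        name = name.replace("\\", "/").rsplit("/", 1)[-1]
        # NTFS silently drops trailing dots and spaces, so "root.php." is stored
        # as "root.php"; strip them before any extension check (comment 15).
        return name.rstrip(". ")


    def check_filename(name: str) -> str:
        """Return the normalized name if acceptable, else raise RejectedUpload."""
        name = normalize_filename(name)
        if not name or len(name) > MAX_NAME_LEN:
            raise RejectedUpload("empty or over-long name")
        # A strict character set means the name needs no escaping in headers
        # and cannot carry markup or path separators.
        if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
            raise RejectedUpload("characters outside [A-Za-z0-9._-]")
        segments = name.lower().split(".")
        if len(segments) < 2 or not segments[0]:
            raise RejectedUpload("missing base name or extension")
        for seg in segments[1:]:
            if seg in EXECUTABLE_EXTENSIONS:
                raise RejectedUpload(f"forbidden extension segment: {seg}")
        if segments[-1] not in ALLOWED_EXTENSIONS:
            raise RejectedUpload(f"extension not in allowlist: {segments[-1]}")
        return name


    def accepts(name: str) -> bool:
        """True if check_filename would accept the name."""
        try:
            check_filename(name)
            return True
        except RejectedUpload:
            return False


    def storage_name(original: str) -> str:
        """Name to store the file under: random, keeping only the validated extension."""
        ext = check_filename(original).rsplit(".", 1)[1].lower()
        return f"{secrets.token_hex(16)}.{ext}"


    def view_page_html(received_name: str) -> str:
        """HTML fragment for the 'you received X' page.

        The name is HTML-escaped in the text and percent-encoded in the link, so
        a path like /view/<script>... is displayed inertly instead of being
        reflected as markup (the issue in comments 3 and 13).
        """
        return (f'<p>You received: <a href="/get/{quote(received_name, safe="")}">'
                f'{html.escape(received_name)}</a></p>')


    def download_headers(validated_name: str) -> dict:
        """Response headers for serving a stored file (comment 19's 'stream it').

        A forced download with a fixed binary type and sniffing disabled means
        the browser never renders the bytes as a page, whatever they contain.
        """
        name = check_filename(validated_name)
        return {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{name}"',
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox",
        }


    if __name__ == "__main__":
        for candidate in ["bike.jpg", "root.php.", "shell.php.jpg", "notes.txt",
                          "page.html", "<script>alert(1)</script>.jpg"]:
            try:
                print(f"{candidate!r:36} -> accepted as {check_filename(candidate)!r}")
            except RejectedUpload as why:
                print(f"{candidate!r:36} -> rejected: {why}")
    ```

    The point of storing under a random name and serving with `Content-Disposition: attachment` is that the uploaded bytes are never handed to a server-side interpreter or rendered by the browser; the name the user typed only ever appears escaped in a page or inside a quoted header value whose character set was already restricted.
    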

  20. Mockturtle Says:

    Yeah, it may protect the server, but there’s loads that the submitter can do to the receiver, through XSS and plain old executable viruses. If the guy really hand-filters it, maybe not, but I doubt he can really check files in depth; I doubt he has time to really verify every file in the first place. Just a matter of time before something slips through.

    I can’t think of any actual use for such a service, besides something to do when bored, and in that case, I’d rather get my virii from other sources.

  21. missenlinx Says:

    To add to all that has been said, this site at the end of the day is POINTLESS. If I want random pictures and sounds I’ll use a search engine.

  22. Anonymous Says:

    I actually think this is a cool idea, though it isn’t designed too well… As far as vulnerabilities go, you have bigger problems if just having a file on your computer can infect it…