Closed baccccccc closed 1 day ago
This is a potential issue with pretty much all domains because of how we match URLs :/
We just match a portion of the hostname (e.g. coomer, simpcity, bunkr), which is why it detected xxxbunker as xbunker: the string "xbunker" appears inside "xxxbunker". I do plan on fixing it at some point because I see it as a potential security vulnerability. Somebody could mimic another site and upload malicious zips or other files that get downloaded because CDL mistook the website for another.
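To make the failure mode concrete, here is a minimal sketch of substring-based host matching. It is not CDL's actual code: the `SUPPORTED` tuple, the function name `match_by_substring`, and the `xxxbunker.example` URL are all made up for illustration.

```python
from urllib.parse import urlparse

# Hypothetical list of site names; the real mapping in CDL may look different.
SUPPORTED = ("bunkr", "coomer", "simpcity", "xbunker")


def match_by_substring(url):
    """Return the first supported name found anywhere inside the hostname."""
    host = urlparse(url).hostname or ""
    for name in SUPPORTED:
        if name in host:  # substring test: "xbunker" is inside "xxxbunker"
            return name
    return None


# Placeholder domain, not the URL from the report.
print(match_by_substring("https://xxxbunker.example/video/1"))
print(match_by_substring("https://xbunker.nu/threads/1"))
```

Both calls end up at the same crawler under this scheme, which is the behaviour described in the report.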
> Somebody could mimic another site and could upload malicious zips or other files that get downloaded because CDL mistook the website for another.
why would they not upload the same malicious zip to a legit supported site such as bunkr?
I think the only scenario where this becomes a security issue is if someone manages to trick CDL into executing malicious code. Say there's a way to craft the web page source so that it exploits some wicked vulnerability in the CDL parser, and parsing the page triggers code execution. You probably cannot do that on the "real" bunkr, but it might work if you set up a "fake" bunkr. That would be very bad indeed, but the likelihood is extremely low IMO.
Yeah, I don't think there are any big issues like code execution. Someone could definitely upload a malicious file to the real website, but the real websites have moderation and people who report bad content.
Someone could also upload illegal content or just spam content.
The likelihood of someone doing any of this is extremely low but it is also just a flaw with how we check website hosts. The issue with fixing it is that a lot of these websites need new domains fairly often, so we would need to stay up to date on all the active hostnames and TLDs. I do have some ideas that I want to look into at some point but it's not a very high priority because there's not a large vulnerability here.
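One possible direction, sketched under assumptions rather than taken from CDL: compare the site name against whole hostname labels instead of substrings. That keeps matching independent of the TLD, so frequent domain changes still work. The names `SUPPORTED` and `match_by_label` and the `.example` URLs are hypothetical.

```python
from urllib.parse import urlparse

# Hypothetical list of site names; not taken from CDL.
SUPPORTED = ("bunkr", "coomer", "simpcity", "xbunker")


def match_by_label(url):
    """Return a supported name only if it equals a full dot-separated label."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    for name in SUPPORTED:
        if name in labels:  # list membership: whole-label equality
            return name
    return None


print(match_by_label("https://xxxbunker.example/video/1"))  # no label equals "xbunker"
print(match_by_label("https://xbunker.nu/threads/1"))
print(match_by_label("https://cdn.bunkr.example/a/abc"))
```

This would only stop accidental collisions like xxxbunker vs. xbunker. A deliberate mimic could still register the same name under a different TLD, so it does not replace a list of known hostnames.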
this is probably the dumbest bug title ever, but nevertheless it's a thing.
here's an example URL that I encountered when scraping some forum. (NSFW.)
this site is probably unsupported by CDL and hence this URL should be logged to Unsupported_URLs.txt. however, it looks like CDL mistakes this domain for xbunker.nu and tries to apply xbunker_crawler.py there. Which, understandably, fails.