Potential vulnerability in porcore's system.

Started by jdoe5956, April 27, 2023, 05:04:35 AM

jdoe5956

Porcore uses sequential numbering for its videos. This, put simply, is a bad idea. As I make this post, the latest video is "Piper & The Stallion Part 2", video number 1504. It can be accessed through https://porcore.com/video/1504. However, users can access, for example, the 1505th video through https://porcore.com/video/1505, titled "Black Widow - Casting". In my testing, some (seemingly random) numbers are 404 not founds, some say to check back later, and some have the full video, although they do not have a description. As far as I tested, the last video was titled "Tsukushi - Molested", number 1563. https://porcore.com/video/1563. While this doesn't pose any threat per se, it does allow people to view content that wasn't meant to be viewed at that point.
I speculate that each of these videos is scheduled to show up some time in the future (e.g., search results, home page, etc.).

As for solutions, I'd suggest assigning each video a GUID that is public facing, then storing an internal list of sequential IDs. The public uses the GUIDs in the URLs, while you keep track of the videos with the sequential IDs. Also, you could set up redirects for old videos to maintain links.
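
The scheme suggested in the post above, as an added sketch that is not part of the original post and not the site's code. It goes one step beyond the suggestion by also checking the publish time on the server and answering unknown and unpublished IDs identically, since an unguessable ID alone does not enforce a schedule; `VideoCatalog`, its methods and the `/video/<id>` path layout are hypothetical names.

```python
import uuid
from datetime import datetime, timedelta, timezone

class VideoCatalog:
    """Hypothetical store: sequential IDs stay internal, GUIDs go in URLs."""

    def __init__(self):
        self._videos = {}      # internal sequential id -> record
        self._by_public = {}   # public GUID -> internal sequential id
        self._next_id = 1

    def add(self, title, publish_at):
        internal_id, self._next_id = self._next_id, self._next_id + 1
        public_id = str(uuid.uuid4())  # random, so neighbours cannot be guessed
        self._videos[internal_id] = {
            "title": title, "publish_at": publish_at, "public_id": public_id}
        self._by_public[public_id] = internal_id
        return public_id

    def _visible(self, internal_id, now):
        # Enforcement lives here: a record is served only once it is published.
        video = self._videos.get(internal_id)
        return video if video and video["publish_at"] <= now else None

    def get(self, public_id, now):
        video = self._visible(self._by_public.get(public_id), now)
        # Unknown and not-yet-published look the same to the client (plain 404),
        # so the response does not reveal that scheduled content exists.
        return (200, video["title"]) if video else (404, None)

    def legacy_redirect(self, old_numeric_id, now):
        # Old /video/<n> links keep working, but only for published videos;
        # otherwise the redirect itself would leak the new GUID.
        video = self._visible(old_numeric_id, now)
        return (301, f"/video/{video['public_id']}") if video else (404, None)

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    catalog = VideoCatalog()  # constructed sample data
    live = catalog.add("published clip", now - timedelta(days=1))
    queued = catalog.add("scheduled clip", now + timedelta(days=7))
    print(catalog.get(live, now))            # served
    print(catalog.get(queued, now))          # 404 until its publish time
    print(catalog.legacy_redirect(2, now))   # 404: sequential guess fails
```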

Gamcore Official

Thanks for the advice, we will think about how to improve porcore.