Free access is still private, financial and other confidential information of users Fl.ru

Despite the release of "a Critical vulnerability in security fl.ru", this service continues to give to everyone the information which ought to close from public access.

You can easily access the passport data, registration address, mailing address, E-mail, phone and other information about users Fl.ru, including financial! And not only about freelancers but also about customers. You do not need to use hacking techniques to hack the site Fl.ru simply follow the links indexed by Yandex with the appropriate referrer in the request header.

The first option is to use a utility like wget recommends ValdikSS your comments:
the 
wget --referer 'https://st.fl.ru' http://st.fl.ru/about/documents/имя_документа.pdf

The second option is to install the add — on to the browser to specify a specific referer for a specific site. For example, for firefox you can use this add-on: addons.mozilla.org/ru/firefox/addon/refcontrol. After installation, go to settings and RefControl add site st.fl.ru then choose "Other" and enter 
https://st.fl.ru
After clicking "Ok" the settings window should look like this:



All, now you can follow the links Annex to the OFFER FOR conclusion of a CONTRACT
 or technical specifications, as well as any other search options Yandex or Google domain Fl.ru and to access the information that needs to be closed to public access!

I think that the specific referrer in the http request is not an illegal act. Sure Fl.ru should take more serious action than checking the referrer in order to close off from public access such critical information. For example, to show these documents to authorized users only.

UPD on Friday, 27-Mar-2015 14:09
At the moment this hole Fl.ru finally closed!
Thank you to everyone who took part in the discussion, repost information, etc. — we still made Fl.ru to pay attention to it and take action!
Article based on information from habrahabr.ru

Популярные сообщения из этого блога

Approval of WSUS updates: import, export, copy

Изображение
the Backstory Until recently, I worked as edikasyon a major Russian company that has many offices throughout the country. In my jurisdiction there were eleven sites, located in different cities of the Far East (this is important). In each of these offices had its own, not connected with other network infrastructure — your domain AD own subnet, etc. Once the leadership gave me the task to organize the automatic updating of the OS and programs from MS and allowed to expand on accountable sites WSUS . Problem After WSUS was deployed, binding policy, computers to WSUS groups are configured, the directory synchronization content server MS held, etc., the question arose: who and how will approve the update? Imagine 11 cities that are so "fast" and "stable", that rare moment when latency of ICMP replies are only 800 MS, are perceived as unheard of luck. And in each you test all updates before deploying. The access to the servers at the sites was only v...
Далее...

Kaspersky Security Center — the fight for automation

oddly enough, I found habré only one article on the subject — the sandbox much unfinished actually contains a piece of the slightly redesigned the product help. Yes, and Google query klakaut silent. I'm not going to tell you how to administer the hierarchy of Kaspersky Security Center (hereinafter KSC) from the command line — I do not yet need never. Just want to share some thoughts about automation tools to those who need it and disassemble one case with which I had to face. If you, %habrauser%, this topic will be interesting — welcome under kat. Historically, the anti-virus protection on the job, I prefer products of Kaspersky Lab (hereafter LK). Causes and other Holy war of personal opinions, I'll leave behind the scenes. Naturally, I would like to centrally deploy, protect, to protect and to enforce the law to draw beautiful graphics to integrate into existing monitoring systems and to do other work shifting the blame to a healthy server. And if you deplo...
Далее...

The Hilbert curve vs. Z-order

Изображение
Repeatedly heard the opinion that of all swept curves . it the Hilbert curve the most promising for spatial indexing. The explanation given is that it does not contain discontinuities and therefore in some sense “well-arranged”. Whether so it actually and what is the spatial indexing, we will understand under the cut. The concluding article of the series: the the Why doesn't the straightforward approach to spatial indexing swept curves the Presentation the 3D and obvious optimization the 8D and perspectives OLAP the 3D field as it looks the 3D field benchmarks the How about indexing non-point objects? The Hilbert curve has the remarkable property — the distance between two successive points is always equal to one (step current of detail, to be precise). Therefore, data is not much different Hilbert curve values are close to each other (the inverse, incidentally, is wrong — adjacent points may be very different in meaning). For this property it is us...
Далее...