icase / phurl Goto Github PK

Redirect Loop from other shorteners.
Like: 

blabla -> blaba2 
blabla -> blabla.
...


Tmp recommend HTTP referrer check.

What steps will reproduce the problem?
1.  Install and configure script...everything else works
2.  navigate to whatever.com/admin

What is the expected output? What do you see instead?
results from database search.  I see nothing.

What version of the product are you using? On what operating system?
2.0.0-beta.  Linux/Apache -- shared server

Please provide any additional information below.
As a workaround, in index.php, I commented out lines 2, 11, 12, 13, 14 and 
replaced login.php with this script

<?php

# Simple password protection
#
# (c) http://www.phpbuddy.com
# Author: Ranjit Kumar
# Feel free to use this script but keep this message intact!
# 
# To protect a page include this file in your PHP pages!

session_start();

$admin_user_name = "admin";
$admin_password = "pass";
//you can change the username and password by changing the above two 
strings 

if (!isset($HTTP_SESSION_VARS['user'])) {

    if(isset($HTTP_POST_VARS['u_name'])) 
        $u_name = $HTTP_POST_VARS['u_name'];

    if(isset($HTTP_POST_VARS['u_password'])) 
        $u_password = $HTTP_POST_VARS['u_password'];

    if(!isset($u_name)) {
        ?>
        <HTML>
        <HEAD>
        <TITLE><?php echo $HTTP_SERVER_VARS['HTTP_HOST']; ?> : 
Authentication Required</TITLE>
        </HEAD>
        <BODY bgcolor=#ffffff>
        <table border=0 cellspacing=0 cellpadding=0 width=100%>
             <TR><TD>
             <font face=verdana size=2><B>(Access Restricted 
to Authorized Personnel)</b> </font></td>
             </tr></table>
        <P></P>
        <font face=verdana size=2>
        <center>
        <?php
        $form_to = "http://$HTTP_SERVER_VARS[HTTP_HOST]
$HTTP_SERVER_VARS[PHP_SELF]";

        if(isset($HTTP_SERVER_VARS["QUERY_STRING"]))
        $form_to = $form_to ."?". $HTTP_SERVER_VARS
["QUERY_STRING"];

        ?>
        <form method=post action=<?php echo $form_to; ?>>
        <table border=0 width=350>
        <TR>
        <TD><font face=verdana size=2><B>User Name</B></font></TD>
        <TD><font face=verdana size=2><input type=text name=u_name 
size=20></font></TD></TR>
        <TR>
        <TD><font face=verdana size=2><B>Password</B></font></TD>
        <TD><font face=verdana size=2><input type=password 
name=u_password size=20></font></TD>
        </TR>
        </table>
        <input type=submit value=Login></form>
        </center>
        </font>
        </BODY>
        </HTML>

        <?php
        exit;
    }
    else {

        function login_error($host,$php_self) {
            echo "<HTML><HEAD>
            <TITLE>$host :  Administration</TITLE>
            </HEAD><BODY bgcolor=#ffffff>
            <table border=0 cellspacing=0 cellpadding=0 
width=100%>
                 <TR><TD align=left>
                 <font face=verdana size=2><B> &nbsp;You 
Need to log on to access this part of the site! </b> </font></td>
                 </tr></table>
            <P></P>
            <font face=verdana size=2>
            <center>";

            echo "Error: You are not authorized to access this 
part of the site!
            <B><a href=$php_self>Click here</a></b> to login 
again.<P>
            </center>
            </font>
            </BODY>
            </HTML>";
            session_unregister("adb_password");
            session_unregister("user");
            exit;
        }

        $user_checked_passed = false;


        if(isset($HTTP_SESSION_VARS['adb_password'])) {

            $adb_session_password = $HTTP_SESSION_VARS
['adb_password'];

            if($admin_password != $adb_session_password) 
                login_error($HTTP_SERVER_VARS
['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']);
            else {
                $user_checked_passed = true;
            }
        }


        if($user_checked_passed == false) {

            if(strlen($u_name)< 2) 
                login_error($HTTP_SERVER_VARS
['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']);

            if($admin_user_name != $u_name) //if username not 
correct
                login_error($HTTP_SERVER_VARS
['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']);       

            if(isset($admin_password)) {

                if($admin_password == $u_password) {

                    session_register("adb_password");
                    session_register("user");

                    $adb_password = $admin_password;
                    $user = $u_name;
                }
                else { //password in-correct
                    login_error($HTTP_SERVER_VARS
['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']);
                }
            }
            else {
                login_error($HTTP_SERVER_VARS
['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']);
            }

            $page_location = $HTTP_SERVER_VARS['PHP_SELF'];
            if(isset($HTTP_SERVER_VARS["QUERY_STRING"]))
            $page_location = $page_location ."?". 
$HTTP_SERVER_VARS["QUERY_STRING"];

            header ("Location: ". $page_location);
        }
    }
}
?>

I have beta version 2.0.0 installed, but am having trouble shortening URLs

The first few times I tried, it was successful, but now whenever I shorten
a URL without entering a custom alias, it returns the following error:

File: /my/directory/functions.php
Line: 66
Message: Duplicate entry '' for key 3

Could you please fix this?

Thanks,
Henry

<br />

not good

Better is <p></p>

file: ./html/index_form.php

Need:

/*  -moz-outline: 0;*/

or?

What steps will reproduce the problem?
1.  wget http://phurl.googlecode.com/files/phurl-2.0.0-beta.tar.gz
2.  tar -xzf phurl-2.0.0-beta.tar.gz

What is the expected output? What do you see instead?
anything.  500 server misconfiguration error

What version of the product are you using? On what operating system?
2.0.0-beta .. linux/apache on shared server

Please provide any additional information below.
comment out first two lines in .htaccess to rememdy problem.

[deleted issue]

What steps will reproduce the problem?
1. Enter the URL to shorten, containing a ' (example
http://veekun.com/dex/pokemon/farfetch'd)
2. Shorten

What is the expected output? What do you see instead?
The expected output would be the URL I entered. Instead, the shortened
version links to http://veekun.com/dex/pokemon/farfetch\\\'d, which doesn't
work.

What version of the product are you using? On what operating system?
Phurl 2.0.0 BETA 2 (it worked with the non-beta version I had before, but I
don't remember the version number). Mac OS X.

1) You have to enter mailto://[email protected] otherwise it will put an 
http:// in front of it. This will cause problems as many people use just 
mailto:[email protected].

2) When shortening mailto links, it adds a slash to the end, so the email 
client ends up trying to send the email to [email protected]/

You need to get working on this script again.
It has been quietly forgotten about which is a shame, as if you kept up the
work it would be amazing.

Get some work done on the new features, especially an upgrade feature so I
dont lose all my urls when upgrading to a new version of the script.

Keep going!

Henry

What steps will reproduce the problem?
1. Install
2. Navigate to http://url/admin

What is the expected output? What do you see instead?

Expected: Redirect to login.php
Happened: Warning: Cannot modify header information - headers already sent by 
(output started 
at /home/go/public_html/admin/header.php:6) in 
/home/go/public_html/admin/index.php  on 
line 11

What version of the product are you using? On what operating system?

Beta V2, CentOS

Please provide any additional information below.

Looks like header.php is causing the issue. How about wrapping the html in a 
function so it can 
be called when needed. (Happens when going to index.php while logged out and 
while logging 
in)

No matter what I do I continue to get:
    * The URL you have entered is not allowed.

I just installed it with the latest version. How can I fix this?

Several vulnerabilities have been found in this script:
-------------------------------------------------------

Cross Site Scripting in URI 
Vulnerability description 
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that
allows an attacker to send malicious code (usually in the form of
Javascript) to another user. Because a browser cannot know if the script
should be trusted or not, it will execute the script in the user context
allowing the attacker to access any cookies or session tokens retained by
the browser. 

This XSS variant usually appears when a PHP script is using one of
following variables without filtering them: 
PHP_SELF 
REQUEST_URI 
SCRIPT_URL 
SCRIPT_URI 

Those variables are set either by Apache or the PHP engine. Apache is
automatically ignoring anything in the URI after the .php extension for
mapping script filename, but these variables are containing the full URI.

Affected items 
/index.php 
The impact of this vulnerability 
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash
into a vulnerable application to fool a user in order to gather data from
them. An attacker can steal the session cookie and take over the account,
impersonating the user. It is also possible to modify the content of the
page presented to the user. 

How to fix this vulnerability 
Your script should filter metacharacters from user input.

-------

Vulnerability description 
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that
allows an attacker to send malicious code (usually in the form of
Javascript) to another user. Because a browser cannot know if the script
should be trusted or not, it will execute the script in the user context
allowing the attacker to access any cookies or session tokens retained by
the browser. 

This vulnerability affects /index.php. 

The impact of this vulnerability:
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash
into a vulnerable application to fool a user in order to gather data from
them. An attacker can steal the session cookie and take over the account,
impersonating the user. It is also possible to modify the content of the
page presented to the user. 

Attack details 
The GET variable url has been set to
1<ScRiPt%20%0d%0a>alert(401200742904)%3B</ScRiPt>.

What steps will reproduce the problem?
1. Install phurl

What is the expected output? What do you see instead?

N/A

What version of the product are you using? On what operating system?

Beta 2, Cent OS w/ cPanel

Please provide any additional information below.

admin/functions.php only includes one function (is_admin_login), and all the 
admin/ files 
include the ../includes.php. 

Since all files call the 'root' functions.php anyways (db connectivity, etc) 
why not merge the one 
function to the root functions.php and remove admin/functions.php

Using the newest Beta, other URLs work, can't add an Amazon URL like
http://www.amazon.com/exec/obidos/ASIN/B001M4N956/itquotes162-20

What being used only for private purposes (see issue 37), allow to shorten
urls on the same domain.

I think it would be good if you added support for the mailto protocol, so
people can shorten their email address links, and prevent spam.

Also, there needs to be some way to stop people shortening URLs of that
site. e.g. on lopurl.us, prevent people shortening other URLs on lopurl.us.

Web based installation script. It should dynamically create .htaccess and
config.php file.

Version 1.4 and 1.5: URL generation and duplicate URL checking methods are
broken. They need to be re-written.

Hi,

I'm looking for and urlshortener. I found 4 script:
-phurl: don't have enough fonctionnality no api, no ifram, stat, etc. But works
-Kissabe: The most futur powerfull. But, Impossible to understand how to
install it. + api
-UrlShort: with Tag. Simple to install and use. No cpanel + api
-phpZlink. About 10$. But little cpanel, and iframe.

So, I want to take the best and the easiest to install and use.
The only one who works without probleme is "UrlShort".
So, if phurl become one day a really good url shortner that would be great
to have an import/export fonction or tutorial.

That was just an idea.
Good web

Hello -

My guess would be its a quick mod.. 

How would one add case sensitivity to a shortened URL? that is, making
xx5yy6 go somewhere different than Xx5yY6.

Thoughts?

Please use mysql_real_escape_string()

See:
http://php.net/manual/en/function.mysql-real-escape-string.php

You should implement a check on the backend before shortening the URL that
will run the submitted URL through spam filters such as...

http://code.google.com/apis/safebrowsing/

and

http://www.surbl.org/


This would certainly raise the click-thru rate due to the security risks of
clicking on a link that is cryptic. Many people want the security of
knowing that what they're clicking on isn't malware or spam...

[deleted issue]

Need DOCTYPE!
for browsers ;)

Are you planning on allowing users to sign up to a URL shortening service,
create user/pass so they can login and view stats etc...

Have you considered allowing collaborative authoring on this project?
Perhaps split up the workload so that you would still have creative control, 
but allow some others to hurry things along.
Some jobs might include: css, authentication, migration, install script, 
etc...

I think it would be good if you had a section in the admin panel for
adding/removing domain names. Then people could add multiple domain names,
and then on the front page there could be the option to choose a domain to
shorten with.

It would be good if redirection URLS checked against the Google Safe
Browsing API to see if they are phishing or malware sites.

I've only just put my redirector online and have already had one redirect
to a Facebook phishing site.

The API can be found at http://code.google.com/apis/safebrowsing/ and I
hope to get working on it soon. Example PHP functions are available at
http://www.madirish.net/?article=245

What steps will reproduce the problem?
1. Enter an URL to shorten containing special characters (for example
http://fr.wikibooks.org/wiki/Catégorie:Recettes)
2. Shorten (well, try to, actually)

What is the expected output? What do you see instead?
The software should allow this URL to be shortened. Instead, the output is:
“The URL you have entered is not allowed.”

What version of the product are you using? On what operating system?
Phurl 2.0.0 BETA 2 (it worked with non-beta versions). Mac OS X.

Link Tracking - the ability to see how many clicks a shortened URL received.

The admin button isn't in the screen. Also How I can use the short URL
after conversion?

Thanks!

What steps will reproduce the problem?
1.simple step by step for with a couple of examples for setup
2.
3.

What is the expected output? What do you see instead?
A user will know how to use this program

What version of the product are you using? On what operating system?
latest downloaded a couple of hours ago, tried on several different systems

Please provide any additional information below.

Please include a simple txt file with some basic instructions geared toward 
the beginning user. perhaps with links to examples and other resources and 
perhaps if time allows some install instructions to be found at 
http://code.google.com/p/phurl/
Thanks this would be very helpful and I would be very grateful.

Why can't I link to a PDF?

What steps will reproduce the problem?
1. I enter a URL in web address field
2. I enter longer custom alias like: blog_domains_vs_websites_long
3. As a result, the script does give me the "short" yet lengthy URL with no
problem.
4. When I try to use it, it goes to the main page of phurl instead of going
to the destination site.
5. When I go to /admin I notice that the "short" url was actually trimmed
at the end and didn't *really* become that large "short" url I wanted (ie.
http://shortu.rl/blog_domains_vs_websites_long) and instead became
something like a 20 char short url.

What is the expected output? What do you see instead?
I expected to see the "short" yet long url I had created.

What version of the product are you using? On what operating system?


Please provide any additional information below.

Phurl version 1.x to 2.x database converter.

Just a minor thing Hideo, but on the main form the statement "May contain 
letters, numbers, 
dashes and underlines" should actually state "May contain letters, numbers, 
dashes and 
underscores"
Regards,
Phil

Accessing the /admin/ URL fails with the message

     Warning: Cannot modify header information - headers already sent [...]

unless PHP output buffering is enabled. It is disabled by default on many 
installations.

This happens because the HTML code in the file /admin/header.php is included by 
./admin/index.php (also ./admin/login.php) BEFORE the command

    header ("Location: [...]

is issued, which is illegal in PHP unless output buffering is enabled.

A quick fix is to include the command

    ob_start ();

in ./config.php

This could also be causing Issue 8.

Best,
Chris Ferebee

How can I password project the past for posting new URL but still keep it
open to that people I give the shortened URLs to can work with them?

Will be good if there's API for this system, so we can integrate this
system with another system.

This url shortening service should not be allowed from the address bar 
because of possible exploits that could/may be found and used against the 
person running the script. one way of checking is to use a referral check 
to make sure that the "GET" came from the domain that the person is 
attempting to use..

IE http://demourl.com/index.php?url=http://exploit.address.com/fail/&alias=

There is a $true instead of true.

Suppressing the $ makes the redirection works again.

301Works.org is an independent service for archiving URL mappings. The goal
of the service is to provide protection for every day users of short URL
services by providing transparency and permanence of their mappings.

The basic idea behind it is that periodically, the owners of URL shortening
services send a CSV file to archive.org with all short URL -> log URL mappings.

It would be good for somebody to create a script to extract this
information, and possibly a simple uploading cron script to upload it to
archive.org.

I'm going to get started on this soon, so contact me at [email protected] if
you want to help out, or have any further suggestions.

The license on the Google code website says this is licensed as GPL v3 but
the LICENSE.txt has its own text, not that of GPL v3. Please can this be
cleared up?

Support for multiple url shortening please, i think its really great if
phurl have this feature :D

What steps will reproduce the problem?
1. Setup Phurl as per instructions
2. Get a TON of shortened URLs
3. Wait



What version of the product are you using? On what operating system?

Using Phurl 2 beta2 on a Linux server.



Please provide any additional information below.

I'm using Phurl on http://b2l.me and everything was working splendidly
until I started using it as the primary URL shortener for my SexyBookmarks
WordPress plugin... That created a HUGE flux in the amount of URLs being
shortened. I now have nearly 2,000,000 shortened URLs, and recently
received an email from my hosting company saying that they nearly disabled
the database due to how inefficient it was running.

Here's a snippet of the email they sent me explaining what they did to fix it:

I'm writing you about your database "b2l_shrinker".  I almost had to
disable this database due to it causing high mysql server load, using
100% CPU on 8 cores of the server, and being very inefficient.  I was
able to add the following index to drop the rows examined from 1.85
million records examined to 4.  Please make sure to properly index your
queries to avoid having databases disabled.  If you have further
questions let us know.

mysql> desc SELECT id, code, alias FROM phurl_urls WHERE url LIKE
'http://canadianfreestuff.com/best-buy-canada-coupons';
+----+-------------+------------+------+---------------+------+---------+------+
---------+-------------+
| id | select_type | table  | type | possible_keys | key  | key_len |
ref  | rows    | Extra       |
+----+-------------+------------+------+---------------+------+---------+------+
---------+-------------+
|  1 | SIMPLE      | phurl_urls | ALL  | NULL          | NULL | NULL    |
NULL | 1853739 | Using where | 
+----+-------------+------------+------+---------------+------+---------+------+
---------+-------------+
1 row in set (0.00 sec)

mysql> 
mysql> alter table phurl_urls add index url (`url` (40));
Query OK, 1853741 rows affected (1 min 50.45 sec)
Records: 1853741  Duplicates: 0  Warnings: 0

mysql> desc SELECT id, code, alias FROM phurl_urls WHERE url LIKE
'http://canadianfreestuff.com/best-buy-canada-coupons';
+----+-------------+------------+-------+---------------+------+---------+------
+------+-------------+
| id | select_type | table  | type  | possible_keys | key  | key_len
| ref  | rows | Extra       |
+----+-------------+------------+-------+---------------+------+---------+------
+------+-------------+
|  1 | SIMPLE      | phurl_urls | range | url       | url  | 122    
| NULL |    4 | Using where | 
+----+-------------+------------+-------+---------------+------+---------+------
+------+-------------+
1 row in set (0.01 sec)

Thanks!
Justin K

What steps will reproduce the problem?
1. Use this script to create a new shortened URL
2. Enter the shortened URL on http://blog.latortuefacile.fr/redirection/
3. This website shows the header is “HTTP/1.1 302 Moved Temporarily”.

What is the expected output? What do you see instead?
The header should be “HTTP/1.1 301 Moved Permanently”. “302 Moved
Temporarily” is very bad for SEO (Search Engine Optimization).

'preg_match("/\.([^\/]+)/", $hostname, $domain);', in line 93 of
function.php, takes 'com' as domain when SITE_URL is defined as 'xxx.com'.

and it makes all urls containg 'com' invalid.

Without any other method to contact you, this is the only way I can use to
contact you.

I'm just wondering why you have split the tables up into smaller tables. 
The research I have been doing suggests that with appropriate indexing,
using just one table is just as efficient performance wise.

What steps will reproduce the problem?
1. Try to load Admin index page @ http://domain.com/admin or login at
http://domain.com/admin/login.php


What is the expected output? What do you see instead?
 Instead of the Admin or a successful login, you get a "headers already
sent" error

What version of the product are you using? On what operating system?
 Phurl 2.0.0 BETA 2

Please provide any additional information below.
 The header.php file is being included before the header("Location:
index.php", true, 301) causing the error.

Should be able to fix it by moving the header require_once() to AFTER any
potential redirects.