I was bored, and i was doing some leeching attacks on my own community website, i wanted to test out the new java script and htaccess that i put in place so the divx player could not be embedded on another site and for the videos to be leeched.  Everything worked out well, even with attacks against tamper data.

But in the process i found a dangerous exploit in the community website 

by using tamper data when loading any of the songs on bebo, it should up the sub domain in which the mp3's are loading from, and just be removing a few characters from the end of the absolute url, i was able to get the mp3. I informed  (owner of) but I got no response. 

What other steps would be advisable to take?

Maybe  doesn't believe me or maybe he is just worried now that his "Music" side to has been completely compromised.

Firstly, it would have been nice to point me in the direction of an IT law that explains it. Instead of giving a lecture. I'm not a hacker black/white in any means, i'm just an I.T student who likes web security. This site is based upon ethics, isn't it not?


about a month now.

The audio is controlled by a flash object which in turns streams the mp3 from a directory within a sub domain. this call is controlled by a java script. And from what i can tell there seems to be no fault. It does what it is suppose to do. I'm not prepared to enter the script here or anywhere. I have no right to.

  If it was a misconfiguration, then the flash mp3 player wouldn't be able to be embedded on another website, but it. And from research it always was.

I was going to tell him to write the following .htaccess  But as im not to fimilar with Resin server and from what you just said. Im staying away from the topic.


RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?websiteaddresshere(.com(/)?.*$ [NC]
RewriteRule .*\.(mp3|MP3)$ [F,NC]