Back in May I wrote about the DreamHost Site of The Month Contest (DHSOTM), which lets DreamHost users submit their websites to be rated. Its a seldom used feature of DreamHost, and I decided to try and win it, which I did for May! But my site was all of a sudden disqualified even though it won by a huge margin with overwhelmingly positive votes. The reason AskApache.com was DQ'd is totally bogus, and this post is an attempt to set the record straight and also to show how a person could cheat DHSOTM. In order to prevent that from happening I have alerted several DreamHost staff who are always helpful, polite, kind, and good-looking!
Here are the stats for the rankings of AskApache.com (To achieve my goal of winning the contest I created a button for DreamHost users to click on to make it easier and more attractive to vote.)
Submitted AskApache.com (on 2007-05-30 13:38:01).# Votes: 31 Total Points: 223 Average Vote: 7.19
As you can see, even though my site wasn't even submitted till the 30th, my Vote button really worked great and I was able to win the contest in a single day! But do you see any smarmy DHOSTM champion gifs anywhere? no.
As is incredibly obvious by this screenshot, my vote link DID NOT automatically enter a vote or comments for my site, all it does is properly send the user to the correct page to vote for my site IF THEY SO CHOOSE.
So in order to get votes I would need to focus my promotion on DreamHost users like myself, because those users would likely be logged into the DreamHost Web Panel thus enabling them to vote for my site IF THEY SO CHOOSE. Besides, I think its widely known that DreamHost customers are the coolest on the net! So anyway I posted the same link that you see above into 2 different forum posts on the DreamHost discussion forum, but mostly I linked to my blog article. I also added the link and the button to my DreamHost wiki userpage.
I actually thought (and I still do) that it was a really clever idea to come up with creating a VOTE button and then going out and winning the contest in a day.. But hey some people are blind to what the rest of us see.
Since I was disqualified and accused of cheating, which is absolutely ridiculous, I decided to go ahead and figure out if what they were accusing me of doing was possible. That's right, I'm going to show YOU how I COULD have rigged the DHSOTM contest to hopefully make the statement that I absolutely did not cheat in any way and I have been unfairly mistreated. (and I'm still waiting for my smarmy gif!)
This is some sweet code, but its definately very wild so DO NOT even think about experimenting with this code or method under any circumstances with DreamHost, try it on your own server far far away from any DreamHost block. You could modify this code to work with any number of other online forms like gmail, youtube, weather.com, discussion forums, etc.
One of the oldest and most commonly used hacking techniques on the web is hacking forms. So the really simple way to rig the DHSOTM contest is to automate the form submission for your site, in this proof of exploit case I will set it up to automatically rank askapache.com a 10, with a comment of "Awesome".
Instead of using the vote link that I used, which I think is without a doubt legal, ethical, and creatively cool, a malicious contest cheater could instead just direct users to a php file.
This actually works so DO NOT use this! Who knows, a knee-jerk reaction could lead to the deletion and closing of your entire account! Because doing anything even close to this (sending any data that is for the user to decide not u) is not a cool thing to do and there will most certainly be consequences! It is however very cool code, I absolutely love CURL (php and command-line) and that is why AskApache is an official mirror of CURL at curl.askapache.com.
<?php $pv = 'tab=home&subtab=dhsotm&command=AddVote&uservote=10&comment=Awesome¤t_step=Site&next_step=Site&url=http://www.askapache.com/'; $ch = curl_init('https://panel.dreamhost.com/index.cgi?'); curl_setopt ($ch, CURLOPT_POST, 1); curl_setopt ($ch, CURLOPT_POSTFIELDS, $pv); curl_setopt($ch, CURLOPT_FOLLOWLOCATION ,0); curl_exec ($ch); curl_close ($ch); header('Location:https://panel.dreamhost.com/index.cgi?'.$pv); ?>
AskApache.com won the contest fair and square according to the rules, TOS, etc., everything.. I want what was taken given back! lol
Who wrote this? Help me out DH
DreamHost: "Rock the Vote!"
July 3rd, 2007