Do you think I could just leave this part blank and it'd be okay? We're just going to replace the whole thing with a header image anyway, right?
You are not logged in.
Pages: 1
I've done a brief audit of the FluxBB source code, and I'd be willing to help you patch up some XSRF issues that the site has, which you undoubtedly noticed when you fell for them.
Last edited by Kaslai (Jan 7 2014 4:17:25 pm)
Who fell for them? And what happened? I haven't noticed anything (undoubtedly or otherwise) happening around here, has anyone else?
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
Before I left for Disney, Meredith fell for an XSRF attack that made him/her/it post something without their consent. It was really obvious though, and they deleted it immediately. There are many more things that can be done in less obvious ways, though.
With vanilla FluxBB, I can do many things through a malicious link, such as forcing a user to post or edit something without their knowledge. Literally the second they click it, something can happen without their knowledge on the forum if they're logged in.
I am aware of the techniques used to XSRF, The only thinks you can really do are with posts, pms and probably rep. These will be fixed if they are not already.
If there is anything that can harm the forum just pm me or Atilla.
I patched the posting XSS soon afterword.
*u stinky*
Offline
I found about ten different instances of XSRF vulnerabilities in the code. I'll give you all of them if you promise to not act like a bag of ****.
Is the bag necessary?
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
According to the server logs, my VPS was DoS attacked while I was on vacation. While I won't point fingers, the timing was too coincidental to be anyone other than certain people with orange names on these forums. I consider that acting like a bag of ****. Though, this forum is only meant for expressing facts, and any subjective matters are not allowed, so I guess I shouldn't be talking like this...
Actually it was a ddos from what I hear.
How much D was in this DDoS and what did anybody gain by doing it? It seems like it was a huge waste of energy that nobody gained anything from. If it even had a point, I think it would be to get petty revenge for messing with the site a little. Messing with the site is bad, and dos-ing is bad. If nobody does anything then there's no bags of anything, no xss, and then everybody goes home. Sound good?
Last edited by Different55 (Jan 8 2014 12:20:24 pm)
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
Sounds great to me.
A DDoS is a DoS, but a DoS isn't always a DDoS. Saying DoS is more inclusive, so that's why I phrased it as I did.
Anyways, check out this link to see the fixes you should make. It would also be nice if I didn't have to TOR in to get past my 1-day IP ban that was placed on me last week.
EDIT: Are you really that scared of my links that you have to silently edit them out? There was absolutely nothing wrong with the link. 15 people clicked it and nothing bad happened.
Last edited by Kaslai (Jan 10 2014 8:56:35 am)
Removed the ban.
I poked Atilla to update FluxBB to 1.5.6. If he actually did it, there's now an 0-day in the code that will let me nuke the server on a whim :3
Gee, sounds like fun.
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
I poked Atilla to update FluxBB to 1.5.6. If he actually did it, there's now an 0-day in the code that will let me nuke the server on a whim :3
That's too bad then, because I updated the code by myself manually.
So, in that case, nice try but not good enough.
*u stinky*
Offline
Are... are you a psychic?
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
Kaslai wrote:I poked Atilla to update FluxBB to 1.5.6. If he actually did it, there's now an 0-day in the code that will let me nuke the server on a whim :3
That's too bad then, because I updated the code by myself manually.
So, in that case, nice try but not good enough.
Kaslai's bluff was not very effective...
Kaslai uses abandon forums!
Pages: 1
[ Started around 1733173626.0111 - Generated in 0.119 seconds, 12 queries executed - Memory usage: 1.5 MiB (Peak: 1.66 MiB) ]