Official Everybody Edits Forums
Do you think I could just leave this part blank and it'd be okay? We're just going to replace the whole thing with a header image anyway, right?
You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 Before February 2015
- Kaslai
- Guest
XSS Vulnerabilities
I've done a brief audit of the FluxBB source code, and I'd be willing to help you patch up some XSRF issues that the site has, which you undoubtedly noticed when you fell for them.
Last edited by Kaslai (Jan 7 2014 4:17:25 pm)
#2 Before February 2015
- Different55
- Forum Admin
- Joined: 2015-02-07
- Posts: 16,575
Re: XSS Vulnerabilities
Who fell for them? And what happened? I haven't noticed anything (undoubtedly or otherwise) happening around here, has anyone else?
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
#3 Before February 2015
- Kaslai
- Guest
Re: XSS Vulnerabilities
Before I left for Disney, Meredith fell for an XSRF attack that made him/her/it post something without their consent. It was really obvious though, and they deleted it immediately. There are many more things that can be done in less obvious ways, though.
With vanilla FluxBB, I can do many things through a malicious link, such as forcing a user to post or edit something without their knowledge. Literally the second they click it, something can happen without their knowledge on the forum if they're logged in.
#4 Before February 2015
- Cyclone or Meredith
- Guest
Re: XSS Vulnerabilities
I am aware of the techniques used to XSRF, The only thinks you can really do are with posts, pms and probably rep. These will be fixed if they are not already.
If there is anything that can harm the forum just pm me or Atilla.
#5 Before February 2015
- XxAtillaxX
- Member
- Joined: 2015-11-28
- Posts: 4,202
Re: XSS Vulnerabilities
I patched the posting XSS soon afterword.
*u stinky*
Offline
#6 Before February 2015
- Kaslai
- Guest
Re: XSS Vulnerabilities
I found about ten different instances of XSRF vulnerabilities in the code. I'll give you all of them if you promise to not act like a bag of ****.
#7 Before February 2015
- Different55
- Forum Admin
- Joined: 2015-02-07
- Posts: 16,575
Re: XSS Vulnerabilities
Is the bag necessary?
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
#8 Before February 2015
- Kaslai
- Guest
Re: XSS Vulnerabilities
According to the server logs, my VPS was DoS attacked while I was on vacation. While I won't point fingers, the timing was too coincidental to be anyone other than certain people with orange names on these forums. I consider that acting like a bag of ****. Though, this forum is only meant for expressing facts, and any subjective matters are not allowed, so I guess I shouldn't be talking like this...
#9 Before February 2015
- Cyclone or Meredith
- Guest
Re: XSS Vulnerabilities
Actually it was a ddos from what I hear.
#10 Before February 2015
- Different55
- Forum Admin
- Joined: 2015-02-07
- Posts: 16,575
Re: XSS Vulnerabilities
How much D was in this DDoS and what did anybody gain by doing it? It seems like it was a huge waste of energy that nobody gained anything from. If it even had a point, I think it would be to get petty revenge for messing with the site a little. Messing with the site is bad, and dos-ing is bad. If nobody does anything then there's no bags of anything, no xss, and then everybody goes home. Sound good?
Last edited by Different55 (Jan 8 2014 12:20:24 pm)
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
#11 Before February 2015
- Cyclone or Meredith
- Guest
Re: XSS Vulnerabilities
Sounds great to me.
#12 Before February 2015
- Kaslai
- Guest
Re: XSS Vulnerabilities
A DDoS is a DoS, but a DoS isn't always a DDoS. Saying DoS is more inclusive, so that's why I phrased it as I did.
Anyways, check out this link to see the fixes you should make. It would also be nice if I didn't have to TOR in to get past my 1-day IP ban that was placed on me last week.
EDIT: Are you really that scared of my links that you have to silently edit them out? There was absolutely nothing wrong with the link. 15 people clicked it and nothing bad happened.
Last edited by Kaslai (Jan 10 2014 8:56:35 am)
#13 Before February 2015
- Cyclone or Meredith
- Guest
Re: XSS Vulnerabilities
Removed the ban.
#14 Before February 2015
- Kaslai
- Guest
Re: XSS Vulnerabilities
I poked Atilla to update FluxBB to 1.5.6. If he actually did it, there's now an 0-day in the code that will let me nuke the server on a whim :3
#15 Before February 2015
- Different55
- Forum Admin
- Joined: 2015-02-07
- Posts: 16,575
Re: XSS Vulnerabilities
Gee, sounds like fun.
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
#16 Before February 2015
- XxAtillaxX
- Member
- Joined: 2015-11-28
- Posts: 4,202
Re: XSS Vulnerabilities
I poked Atilla to update FluxBB to 1.5.6. If he actually did it, there's now an 0-day in the code that will let me nuke the server on a whim :3
That's too bad then, because I updated the code by myself manually.
So, in that case, nice try but not good enough.
*u stinky*
Offline
#17 Before February 2015
- Different55
- Forum Admin
- Joined: 2015-02-07
- Posts: 16,575
Re: XSS Vulnerabilities
Are... are you a psychic?
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
#18 Before February 2015
- Kaslai
- Guest
Re: XSS Vulnerabilities
Kaslai wrote:I poked Atilla to update FluxBB to 1.5.6. If he actually did it, there's now an 0-day in the code that will let me nuke the server on a whim :3
That's too bad then, because I updated the code by myself manually.
So, in that case, nice try but not good enough.
Kaslai's bluff was not very effective...
Kaslai uses abandon forums!
Pages: 1
[ Started around 1733171977.7126 - Generated in 0.066 seconds, 14 queries executed - Memory usage: 1.5 MiB (Peak: 1.66 MiB) ]