User not logged in - login - register
Home Calendar Books School Tool Photo Gallery Message Boards Users Statistics Advertise Site Info
go to bottom | |
 Message Boards » » TWW hacked? Page [1]  
moron
All American
34144 Posts
user info
edit post

I don't know if this is OLD or not, but http://www.thewolfweb.com/message_topic.aspx?topic=449590 is using a javascript to hijack the session ID and post as other users. In its current form I don't think he's abusing it, but it has huge potential for abuse.

It would be nice if the website could do additional checking to protect against this.

3/9/2007 2:40:39 AM

joe_schmoe
All American
18758 Posts
user info
edit post

snitches get stitches

3/9/2007 4:37:53 AM

joe17669
All American
22728 Posts
user info
edit post

i think he's smart enough to know not to abuse it.

3/9/2007 7:01:08 AM

qntmfred
retired
40726 Posts
user info
edit post

the thread is 3 months old, i don't think anybody is that disturbed by it.

Quote :
"i think he's smart enough to know not to abuse it."

3/9/2007 8:30:10 AM

ImYoPusha
All American
6249 Posts
user info
edit post

moron is being a fucking moron again

3/9/2007 9:58:25 AM

gunzz
IS NÚMERO UNO
68205 Posts
user info
edit post

no, he has posted under other users names but he and i have spoke about and he will only use his powers for good

3/9/2007 10:37:40 AM

pwrstrkdf250
Suspended
60006 Posts
user info
edit post

lol

3/9/2007 10:46:09 AM

moron
All American
34144 Posts
user info
edit post

^^ I understand that, but it's a pretty easy trick to pull off, what's to stop other people from abusing it?

3/9/2007 11:36:21 AM

sober46an3
All American
47925 Posts
user info
edit post

jesus

3/9/2007 12:02:46 PM

qntmfred
retired
40726 Posts
user info
edit post

H4X!!1






j/k

3/9/2007 12:05:33 PM

joe17669
All American
22728 Posts
user info
edit post

i see you

3/9/2007 12:20:56 PM

moron
All American
34144 Posts
user info
edit post

Quote :
" the thread is 3 months old, i don't think anybody is that disturbed by it.
"


It's only recently you've added in the cookie stealing part, AFAIK.

3/9/2007 12:41:48 PM

qntmfred
retired
40726 Posts
user info
edit post

no, it's been the whole time (which just goes to show that i'm not in it for the evil or i would have campusblendered the place by now)

and stealing is such a harsh word

i consider it more like making a backup for people

3/9/2007 12:57:09 PM

moron
All American
34144 Posts
user info
edit post

I stated in my original post I don't think you were abusing it.

And logging out and logging back in changes the IDs too.

But anyone with HTML capability can sneak the script in anywhere they want

[Edited on March 9, 2007 at 1:03 PM. Reason : ]

3/9/2007 1:01:20 PM

qntmfred
retired
40726 Posts
user info
edit post

yeah, but the vulnerabilities have been there forever. in the few cases where it has been abused, it was dealt with pretty well and things got back to normal within a week or so. and they can't copy/paste my code like with the username change code people used to do

i hear what you're saying, but obviously they're not gonna tighten up the code without completely disabling html and that'll just cause another uproar with premies so...

3/9/2007 1:12:01 PM

moron
All American
34144 Posts
user info
edit post

Couldn't they just check the POST requests IP address to see if it matches up with the log in IP address?

3/9/2007 1:14:33 PM

qntmfred
retired
40726 Posts
user info
edit post

not sure that would help

3/9/2007 1:17:19 PM

moron
All American
34144 Posts
user info
edit post

There's a couple of ways to get at your script.

I see what you mean though, originally, I thought you were harvesting the session IDs then from another server, making the posts. But you're just using the javascript to make a post.

3/9/2007 1:21:15 PM

qntmfred
retired
40726 Posts
user info
edit post

i know there are. but anybody who can figure out how to get to it can probably do what i did in the first place anyways

3/9/2007 1:22:24 PM

moron
All American
34144 Posts
user info
edit post

Not really.

I know jacksquat about javascript, but I know enough java to decipher it, and I know enough about how the internet works to figure out how the bits works, but without having an example to look at, I wouldn't have been able to figure out how to do it too easily.

Just out of curiosity though, have your logs been getting flooded?

[Edited on March 9, 2007 at 1:25 PM. Reason : ]

3/9/2007 1:24:45 PM

qntmfred
retired
40726 Posts
user info
edit post

no, i have filters to prevent overflowing the db. but i did see the requests

3/9/2007 1:26:19 PM

amac884
All American
25609 Posts
user info
edit post

ijustclickedyourprofilename10times

3/9/2007 10:16:40 PM

qntmfred
retired
40726 Posts
user info
edit post

no, you didn't

3/9/2007 10:20:13 PM

Bakunin
Suspended
8558 Posts
user info
edit post

Quote :
"I've reinstated it, but have put some mechanisms in place to keep a close eye on it's use. Anyone found stealing security information from others will be prosecuted.

5/16/2006 1:51:51 PM"


[Edited on March 10, 2007 at 12:30 AM. Reason : "]

3/10/2007 12:30:34 AM

Str8BacardiL
************
41754 Posts
user info
edit post

^

3/10/2007 6:25:52 PM

jackleg
All American
170957 Posts
user info
edit post

yeah this has been a known vulnerability since forever ago, remember when jake took away HTML? it was cause someone wrote an exploit. but qntmfred wasnt the first and im sure he wont be the last

it just goes to show that theres no way to link any post to any person without reasonable doubt...

3/10/2007 7:09:57 PM

Beardawg61
Trauma Specialist
15492 Posts
user info
edit post

I killed Kennedy.

3/10/2007 7:53:38 PM

 Message Boards » Feedback Forum » TWW hacked? Page [1]  
go to top | |
Admin Options : move topic | lock topic

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.
Powered by CrazyWeb v2.39 - our disclaimer.