I don't know if this is OLD or not, but http://www.thewolfweb.com/message_topic.aspx?topic=449590 is using a javascript to hijack the session ID and post as other users. In its current form I don't think he's abusing it, but it has huge potential for abuse. It would be nice if the website could do additional checking to protect against this.
3/9/2007 2:40:39 AM
snitches get stitches
3/9/2007 4:37:53 AM
i think he's smart enough to know not to abuse it.
3/9/2007 7:01:08 AM
the thread is 3 months old, i don't think anybody is that disturbed by it.
3/9/2007 8:30:10 AM
moron is being a fucking moron again
3/9/2007 9:58:25 AM
no, he has posted under other users' names but he and i have spoken about it and he will only use his powers for good
3/9/2007 10:37:40 AM
lol
3/9/2007 10:46:09 AM
^^ I understand that, but it's a pretty easy trick to pull off, what's to stop other people from abusing it?
3/9/2007 11:36:21 AM
jesus
3/9/2007 12:02:46 PM
H4X!!1 j/k
3/9/2007 12:05:33 PM
i see you
3/9/2007 12:20:56 PM
3/9/2007 12:41:48 PM
no, it's been the whole time (which just goes to show that i'm not in it for the evil or i would have campusblendered the place by now) and stealing is such a harsh word. i consider it more like making a backup for people
3/9/2007 12:57:09 PM
I stated in my original post I don't think you were abusing it. And logging out and logging back in changes the IDs too. But anyone with HTML capability can sneak the script in anywhere they want [Edited on March 9, 2007 at 1:03 PM. Reason : ]
3/9/2007 1:01:20 PM
yeah, but the vulnerabilities have been there forever. in the few cases where it has been abused, it was dealt with pretty well and things got back to normal within a week or so. and they can't copy/paste my code like with the username change code people used to do. i hear what you're saying, but obviously they're not gonna tighten up the code without completely disabling html and that'll just cause another uproar with premies so...
3/9/2007 1:12:01 PM
Couldn't they just check the POST request's IP address to see if it matches up with the log in IP address?
3/9/2007 1:14:33 PM
not sure that would help
3/9/2007 1:17:19 PM
There's a couple of ways to get at your script. I see what you mean though, originally, I thought you were harvesting the session IDs then from another server, making the posts. But you're just using the javascript to make a post.
3/9/2007 1:21:15 PM
i know there are. but anybody who can figure out how to get to it can probably do what i did in the first place anyways
3/9/2007 1:22:24 PM
Not really. I know jacksquat about javascript, but I know enough java to decipher it, and I know enough about how the internet works to figure out how the bits work, but without having an example to look at, I wouldn't have been able to figure out how to do it too easily. Just out of curiosity though, have your logs been getting flooded? [Edited on March 9, 2007 at 1:25 PM. Reason : ]
3/9/2007 1:24:45 PM
no, i have filters to prevent overflowing the db. but i did see the requests
3/9/2007 1:26:19 PM
ijustclickedyourprofilename10times
3/9/2007 10:16:40 PM
no, you didn't
3/9/2007 10:20:13 PM
3/10/2007 12:30:34 AM
^
3/10/2007 6:25:52 PM
yeah this has been a known vulnerability since forever ago, remember when jake took away HTML? it was cause someone wrote an exploit. but qntmfred wasn't the first and i'm sure he won't be the last. it just goes to show that there's no way to link any post to any person without reasonable doubt...
3/10/2007 7:09:57 PM
I killed Kennedy.
3/10/2007 7:53:38 PM