Filter these

nvrspk4 · 15-08-2008, 04:54 AM

Congrats while it lasted, quite ingenious honestly. We will be implementing a simple patch, hopefully tomorrow morning. (Credit to Pyroka)

Jxhn · 15-08-2008, 07:35 AM

Originally Posted by nvrspk4

Congrats while it lasted, quite ingenious honestly. We will be implementing a simple patch, hopefully tomorrow morning. (Credit to Pyroka)

Yes, very ingenious. I wonder who started it off.

I'm pretty sure things like these are impossible to patch without adding a security token to each form.

Look up CSRF/XSRF.

nvrspk4 · 15-08-2008, 08:18 AM

Originally Posted by Unhappyness

Yes, very ingenious. I wonder who started it off.

I'm pretty sure things like these are impossible to patch without adding a security token to each form.

Look up CSRF/XSRF.

I would show you the simple patch however I feel like someone would find a workaround so we'll let them discover it without our help.

Decode · 15-08-2008, 08:46 AM

Originally Posted by nvrspk4

I would show you the simple patch however I feel like someone would find a workaround so we'll let them discover it without our help.

Im sure people will find a way arround it anyway

Originally Posted by Unhappyness

Yes, very ingenious. I wonder who started it off.

I'm pretty sure things like these are impossible to patch without adding a security token to each form.

Look up CSRF/XSRF.

You could simply change the change style form at the bottom of the page to use $_POST then it cannot be changed unless someone submits it.

Jxhn · 15-08-2008, 09:55 AM

Originally Posted by Tom743

You could simply change the change style form at the bottom of the page to use $_POST then it cannot be changed unless someone submits it.

It is still possible, just harder. I won't explain how.

Jxhn · 15-08-2008, 10:33 AM

Originally Posted by Unhappyness

It is still possible, just harder. I won't explain how.

EDIT: It's also possible to do this with Habbox's radio request system (I won't say how). I'm sure 300 of the same request from different people would piss off the DJs, although it might convince them to play some death metal.

EDIT: I pressed quote instead of edit by accident.

EDIT: I was past the edit limit anyway.

Favourtism · 15-08-2008, 10:42 AM

Originally Posted by Swaydo

yes i know smart pants, i was just agreeing

dont give me that

I didnt mean the '-.-' at you, it was directed at the noobs who are doing it.

Originally Posted by Unhappyness

EDIT: It's also possible to do this with Habbox's radio request system (I won't say how). I'm sure 300 of the same request from different people would piss off the DJs, although it might convince them to play some death metal.

EDIT: I pressed quote instead of edit by accident.

EDIT: I was past the edit limit anyway.

Yup. Me and Mecto were testingo n our forum and you can do that. its also is/was(?) possible to log users out and redirect them.

Glad to see that is has/is being patched

J0SH · 15-08-2008, 10:45 AM

Can't you just filter the styleid= or something?

~~Pyroka~~ · 15-08-2008, 10:59 AM

That's just filtering out one problem, there's many things they could do with the [IMG] tag. It's not limited to just changing styles on a forum so they needed something more generic. Either way, it's done now.

Decode · 15-08-2008, 11:05 AM

Originally Posted by Pyroka

That's just filtering out one problem, there's many things they could do with the [IMG] tag. It's not limited to just changing styles on a forum so they needed something more generic. Either way, it's done now.

What changes have been made, I can still use image tags.

Thread: Filter these

Thread Tools

Posting Permissions