ctrlcctrlv / infinity

A vichan fork permitting users to create their own boards

VERY IMPORTANT : GAPING SECURITY HOLE : XSS VULN! #551

Closed LandonPowell closed 7 years ago

LandonPowell commented 7 years ago

https://8ch.net/islamicstate/rules.html

I was messing around with the rules on one of the boards that I acquired, and figured out I can pretty easily XSS inject.

I'm too lazy to read your source so I don't know what you fucked up to make it possible, but you guys fucked up pretty hard.

If you guys aren't good at security, try using a Content-Security-Policy to make the risks not so damn bad when they're discovered.

I can't find any contact for you all other than your issues form. The front page only gives a contact for DMCA requests reporting.

Maybe your greedy overlord should use some of the ad revenue to set up a bug bounty.

ghost commented 7 years ago

i agree

bui commented 7 years ago

are you a terrorist

LandonPowell commented 7 years ago

@bui I only terrorize cute twinks. ;^))))))

ctrlcctrlv commented 7 years ago

cc: @czaks

Hello,

8chan is no longer an open source project in the sense that it was up to April 2016 when I retired. I made a board to see what you are talking about and it is using a route that I don't recognize, edit_board_rules. If I had to make a conservative estimate, I would guess that 8ch.net is over one hundred commits ahead of this repository, perhaps more. Very few commits have been ported from the 8ch.net closed source version to this repository; the only ones are in the public-site branch.

When I made the static pages feature, I imported the rules page as a static page and then disabled the edit rules route. ?/edit_board_rules is not my code, and I don't know what it does, but based on the link you shared it just uses simple concatenation...

This commit enabled "Edit pages": https://github.com/ctrlcctrlv/infinity/commit/12fa8ec3efa8bf93caee1a5a593ab867be5a502c#diff-4eb9dfb2a18c93c1c47d74c033513d64L668

In pre-March 2015 versions of the source code, new rules could be POST'd directly to ?/settings/board.

So, no repositories based on the open source code are affected, and I am closing this bug.

ctrlcctrlv commented 7 years ago

@Getindor Sorry, there's literally nothing I can do, but at least the open source code is not vulnerable.

LandonPowell commented 7 years ago

@ctrlcctrlv Man, that sucks. Do you have contact info for the guys currently in charge of infinitesimal-chan's codebase? Feel free to email it to me so the nutjobs on github don't use it to troll: landonjamespowell@gmail.com

CantStumpTheTrump commented 7 years ago

@ctrlcctrlv It's all your fault, cuck.

ctrlcctrlv commented 7 years ago

@LandonPowell I showed them this bug report and they seem to have disabled the ?/edit_board_rules mod.php route, but they didn't clean up the XSS you wrote out to /islamicstate/rules.html for some reason. I also did ask why they made the route in the first place and did not get a response.

So, at least this specific issue seems fixed, but how many other bugs there might be in the closed source code is anyone else's guess given how naive the implementation of this rules page was...
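
An added example, not part of the thread and not code from infinity or 8ch.net: a rules page built by the kind of simple concatenation described above, next to an escaped renderer, the Content-Security-Policy header suggested in the report, and a check for stored rules text that still needs regenerating after the route is fixed. All function names, the page template and the sample input are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical renderer for a board's static rules page. Names and template are
// assumptions for illustration; this is not vichan/infinity or 8ch.net code.

// "Before": board-owner text concatenated straight into the page, so any markup
// in $rules becomes part of the document every visitor loads.
function render_rules_concat(string $board, string $rules): string
{
    return "<html><body><h1>/$board/ rules</h1><div>" . $rules . "</div></body></html>";
}

// "After": every untrusted value is HTML-escaped at output time.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_rules_escaped(string $board, string $rules): string
{
    return '<html><body><h1>/' . esc($board) . '/ rules</h1><div>'
        . nl2br(esc($rules)) . '</div></body></html>';
}

// Defence in depth: with this policy, inline script and inline event handlers
// do not execute even if an escaping bug ships later.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
}

// Static pages written before the fix stay on disk. Flag stored rules text that
// contains markup so those files get regenerated through the escaped renderer.
// This may over-flag text with a literal '<', which is acceptable for a review list.
function needs_regeneration(string $storedRules): bool
{
    return $storedRules !== strip_tags($storedRules);
}

// Constructed sample input: harmless markup standing in for untrusted text.
$rules = "1. Be civil\n<b>2. Stay on topic</b>";
echo render_rules_concat('example', $rules), "\n";   // markup reaches the page intact
echo render_rules_escaped('example', $rules), "\n";  // markup shown as literal text
var_dump(needs_regeneration($rules));
```

Disabling the route alone leaves previously generated files untouched, so the regeneration check is run over stored rules text, not over new submissions.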

CantStumpTheTrump commented 7 years ago

@ctrlcctrlv U fucked everything up