[QUOTE=Willox;47619342]I'm notifying you of an abusable page that could cripple your website. What if an attacker uses this to change a user's paypal ID so that they receive money instead of the user? What if an attacker steals an administrator's cookies and bans people?
You're clueless. I'm hardly a staff member of ScriptFodder, I just have the access.[/QUOTE]
Willox pulls this sort of thing a lot, but I find it really hard to judge or think badly of him for it because he never acts maliciously. I don't think you should get angry at people for showing exploits, especially considering the OP mentions that this site isn't opening until like May.
Better for someone like Willox to bring it to light in a way that doesn't harm anyone in advance, I think. Pretty sure he's even told people how to fix these issues in the past, as well.
[QUOTE=LauScript;47619462]Someone is rather upset they were disproven? What I said about your portfolio was a complete example of how a meaningless opinion is not constructive and can be viewed as just an insult. In fact, in the original post where I mention your portfolio, right after I deliberately bring up the point that it's an example and that it is not constructive.
I'm not being irrational at all, nor am I trying to be a white knight. I'm saying it's ridiculous how so many people just want to jump the gun and give this guy shit, just because his idea is unoriginal.
I also don't see how I have a big ego; what exactly do you mean? Does mentioning that people aren't being productive with this guy inflate my ego?
Look, you can deny it all you want. You can sit here and say I have a big ego, or that I'm trying to be a white knight, or say that I'm flaming. I'm as calm as can be, not irritated at all. I don't see how I'm inflating my ego..? You admitted that it's immature, you agreed with me.[/QUOTE]
I don't know if you have some kind of issue with me or what's going on, considering again that this attack was out of nowhere. You're delusional if you think you're making any kind of point here, considering there was no point to make. As it stands I'm not going to continue posting. I've made my points and this thread needs to get back on track so the website owners can continue doing what they do.
[QUOTE=NiandraLades;47619483]Willox pulls this sort of thing a lot, but I find it really hard to judge or think badly of him for it because he never acts maliciously. I don't think you should get angry at people for showing exploits, especially considering the OP mentions that this site isn't opening until like May.
Better for someone like Willox to bring it to light in a way that doesn't harm anyone in advance, I think. Pretty sure he's even told people how to fix these issues in the past, as well.[/QUOTE]
Well, truthfully, pointing out an exploit is sort of the best form of criticism anyone can give.
[QUOTE=Willox;47619342]I'm notifying you of an abusable page that could cripple your website. What if an attacker uses this to change a user's paypal ID so that they receive money instead of the user? What if an attacker steals an administrator's cookies and bans people?
You're clueless. I'm hardly a staff member of ScriptFodder, I just have the access.[/QUOTE]
Dude, please calm down. We are not saying the webpage is 100% done, nor that it is super secure. We are aware that "stealing cookie/session" is possible and can be done pretty easily. That is why we posted this thread, not to listen to your Harlem Shake but to get some feedback. You are saying you are hardly a staff member of ScriptFodder; then behave like you are.
In light of willox's post we will now be working on the implementation of restricting urls that include things like:
.js <script? %27%3E%3C/script%3E
This should be enough as a TEMPORARY Fix until we can fully explore the other exploitation options which we will need to work on regarding use of custom links within websites.
Also, please, Lau and Nooky, stop this fighting. If you really have to have a boxing match about this, then Facepunch's private messages should be the way of doing it rather than this thread. Thank you.
[QUOTE=WalkerJetBat;47619501]You are saying you are hardly a staff member of ScriptFodder, then behave like you are.[/QUOTE]
I'll go fetch my business suit.
[QUOTE=Willox;47619509]I'll go fetch my business suit.[/QUOTE]
Take a picture for us
[QUOTE=pkminer30;47619503]In light of willox's post we will now be working on the implementation of restricting urls that include things like:
.js <script? %27%3E%3C/script%3E
This should be enough as a TEMPORARY Fix until we can fully explore the other exploitation options which we will need to work on regarding use of custom links within websites.[/QUOTE]
This is the wrong way to fix it. JavaScript files can have any extension, not just ".js". HTML tags do not need to stick to your styling: The tags could be uppercase or even part of a valid user's input.
The solution is as easy as HTML encoding the URL you output to the error page.
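To make the point above concrete, here is an added Python example (not code from the thread or from gluascripts.com, whose stack is not shown): the substring blacklist proposed earlier in the thread beside the output-encoding fix Willox describes. The sample URLs, the error-page template and the helper names are constructed for the demonstration. It shows that the case-sensitive blacklist both misses an uppercase tag and rejects a harmless `.json` path, while `html.escape` at the point of output neutralises every variant without touching legitimate URLs.

```python
import html

# Constructed sample inputs (not taken from the thread): a normal path with a
# query string, a JSON path, and the same probe tag in lowercase and uppercase.
SAMPLE_URLS = [
    "/scripts/my-addon?sort=price&order=asc",
    "/api/projects.json",
    "/<script>alert(1)</script>",
    "/<SCRIPT>alert(1)</SCRIPT>",
]

# The substrings the thread proposed to block as a temporary fix.
BLACKLIST = (".js", "<script", "%27%3E%3C/script%3E")


def blacklist_rejects(url: str) -> bool:
    """Substring blacklist: case-sensitive, so it misses uppercase tags and
    also rejects harmless URLs such as '/api/projects.json' (".js" matches)."""
    return any(token in url for token in BLACKLIST)


def render_error_page_unsafe(url: str) -> str:
    """Vulnerable pattern: the requested URL is interpolated raw into the HTML."""
    return f"<p>The page {url} could not be found.</p>"


def render_error_page(url: str) -> str:
    """Fixed pattern: HTML-encode the URL at the point it is emitted, so <, >,
    & and quotes become entities regardless of case or file extension."""
    return f"<p>The page {html.escape(url, quote=True)} could not be found.</p>"


def has_unencoded_script_tag(page: str) -> bool:
    """Check used below: does the rendered HTML still contain a live <script tag?"""
    return "<script" in page.lower()


def audit(urls=SAMPLE_URLS) -> dict:
    """For each sample URL, report what the blacklist decides and whether each
    renderer leaves a live script tag in the page it produces."""
    return {
        url: {
            "blacklist_rejects": blacklist_rejects(url),
            "unsafe_has_script": has_unencoded_script_tag(render_error_page_unsafe(url)),
            "encoded_has_script": has_unencoded_script_tag(render_error_page(url)),
        }
        for url in urls
    }


if __name__ == "__main__":
    for url, result in audit().items():
        print(url, result)
    print(render_error_page("/<SCRIPT>alert(1)</SCRIPT>"))
```

The `audit` result for `/api/projects.json` shows the blacklist's false positive, and the uppercase entry shows its false negative; the encoded renderer reports no live tag for any input because encoding is applied to the value, not matched against a list of bad strings.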
[QUOTE=Willox;47619509]I'll go fetch my business suit.[/QUOTE]
Yeah please also update your Steam Profile too. Good luck in your "career".
[IMG]http://s27.postimg.org/k9yruncrm/Ekran_Al_nt_s.jpg[/IMG]
[QUOTE=Nookyava;47619495]I don't know if you have some kind of issue with me or what's going on, considering again that this attack was out of nowhere. You're delusional if you think you're making any kind of point here, considering there was no point to make. As it stands i'm not going to continue posting. I've made my points and this thread needs to get back on track so the website owners can continue doing what they do.[/QUOTE]
Never seen you around before, definitely no issue. Not an attack.
My point is insulting/demeaning the author with opinions that are irrelevant to the actual development of his project has no purpose except to annoy him. There is absolutely nothing he can take from "Your project is unoriginal, think of something else". And posting steam chat logs and other things to discredit the author and attempt to make him lose his audience.
You agreed yourself you were shitposting.
You agreed that my statement mocking your logic behind posting opinions on a public forum is immature.
There was a point made, you agreed with it. I wouldn't say I'm delusional. Lol.
But alright, I do agree it is time to stop the derailing/bullshit. Sorry OP. And as I said in a PM with you, it's not that I singled you out and attacked you. You defended what I was posting about, so you got an argument and you got used as an example, I didn't mean to insult [i]you[/i] or anything.
[QUOTE=Willox;47619534]This is the wrong way to fix it. JavaScript files can have any extension, not just ".js". HTML tags do not need to stick to your styling: The tags could be uppercase or even part of a valid user's input.
The solution is as easy as HTML encoding the URL you output to the error page.[/QUOTE]
That is informative. However, it's still a temporary fix. It's better to stop that script from executing.
[QUOTE=WalkerJetBat;47619594]That is informative. However, it's still a temporary fix. It's better to stop that script from executing.[/QUOTE]
It's not a temporary fix. It's what every professional web developer does. It's industry standard in web dev to SQL-escape input just before passing it to the database and HTML-escape strings just before emitting it as HTML.
[QUOTE=!cake;47619755]It's not a temporary fix. It's what every professional web developer does. It's industry standard in web dev to SQL-escape input just before passing it to the database and HTML-escape strings just before emitting it as HTML.[/QUOTE]
This shit is super fucking basic to do and you have zero reason to not be doing it.
Fuck, if you're using a templated framework for the site, the framework probably provides a one call solution to escaping dangerous HTML. I've not got a single thing published at all site or code wise, but I do this shit even in coursework for my degree because it's so simple.
This is like offering a new 3rd party "facepunch", when the original facepunch is just fine.
This OP and his "team" obviously have no idea what they are doing, so there is no point flaming about it. Also, something's telling me this is another alt of serverwatch, even with the join date of 2013. I really hope not though..
is there any reason this redirects to scriptfodder now?
[url]https://gluascripts.com/users/[/url]
No longer redirects to scriptfodder, and Jamie, I would appreciate it if you would STOP exploiting the site whilst it's in development to PROMOTE Scriptfodder. Should you persist we will temporarily ban all your IPs/Steam accounts from the website until the site goes live.
[QUOTE=pkminer30;47622221]No longer redirects to scriptfodder, and Jamie, I would appreciate it if you would STOP exploiting the site whilst it's in development to PROMOTE Scriptfodder. Should you persist we will temporarily ban all your IPs/Steam accounts from the website until the site goes live.[/QUOTE]
you should probably fix it before it goes live - not ban people who help you fix it
I'm currently not working on the website as I have personal matters which I need to attend to which are more pressing on my time (my business management degree thesis), which is due in the next 24 hours. This is on the to-do list though after I have handed this in. It's not like we don't know how to fix it, as we have already applied this fix to comments; it's just a case of adding it to the OpenID data grab functions.
This seemed to start out good when you got suggestions, but now that people find exploits it's not OK? Whether you knew it or not, whatever reason you had for not preventing those when you made that part of the site, what if members here find something you didn't know/think about? If you ban them and those exploits don't come up, then it's you who'll regret it when your site starts. Suggestions were taken positively, but what is more important is the security, and that's also positive since people bring up those issues without abusing them (at least initially).
To be honest. This exploitation shit is the only thing that's going to make you learn. Obviously, the people breaking into your shit know something that you don't. How about you try to learn from them instead of threatening them? Maybe then your website can begin developing.
I had high expectations for this, but they're lowering every time I return to this thread. If you really do want a website [I]similar [/I]to SF, then you better cope with this type of drama quickly.
Some of the links on your site don't work. The notifications button leads to a non-existent page: [url]https://gluascripts.com/notifications[/url]
So much untouched default bootstrap and lightbox. At least make the borders square :v:
[QUOTE=James xX;47624749]Some of the links on your site don't work. The notifications button leads to a non-existent page: [url]https://gluascripts.com/notifications[/url][/QUOTE]
That is because we added that button yesterday. It is just an overlay, not functional yet.
[QUOTE]"Many functions may not work before the release date."[/QUOTE]
[editline]29th April 2015[/editline]
[QUOTE=Karp;47624358]To be honest. This exploitation shit is the only thing that's going to make you learn. Obviously, the people breaking into your shit know something that you don't. How about you try to learn from them instead of threatening them? Maybe then your website can begin developing.
I had high expectations for this, but they're lowering every time I return to this thread. If you really do want a website [I]similar [/I]to SF, then you better cope with this type of drama quickly.[/QUOTE]
Yeah, that is really nice of them to show me that I missed securing the SQL syntax at Steam OpenID. Done so far. I've also seen their attempts on the comment system, which were denied.
[QUOTE=WalkerJetBat;47625109]That is because we added that button yesterday. It is just an overlay, not functional yet.
[editline]29th April 2015[/editline]
Yeah, that is really nice of them to show me that I missed securing the SQL syntax at Steam OpenID. Done so far. I've also seen their attempts on the comment system, which were denied.[/QUOTE]
Your changes are causing data to be escaped more times than necessary. The issues with that are that:
a) Data you're storing may not be the data the user has actually inserted.
b) Data you're outputting is not the data the user has actually inserted.
An obvious issue that could elevate from this would be a user whose email address contains a character such as a double quote. You'll tell the paypal API the email actually contains the string """ and payments will end up going to the wrong.
You're also fucking over any users that have Unicode characters in their input.
[QUOTE=Handsome Matt;47625525]Why do you have to fix SQL syntax? Why aren't you using PDO? Why aren't you using templates? Ughhhhhh[/QUOTE]
I mean securing the variable being sent. Not the query. My bad.
[QUOTE=WalkerJetBat;47625637]I mean securing the variable being sent. Not the query. My bad.[/QUOTE]
If you were using PDO or similar thing this would be done for you automatically.
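The three points made above, that data should be escaped once at the boundary it crosses (!cake's post), that escaping before storage corrupts what users entered (Willox's double-escaping post), and that a driver with placeholders makes manual SQL-escaping unnecessary (the PDO remark), can be shown together. The following is an added Python example using the standard `sqlite3` module, not code from the thread or from the site being discussed; the table layout, the helper names and the sample user data are all constructed for the demonstration. The correct path stores the raw values with `?` placeholders and HTML-escapes only in `render_profile`; the anti-pattern path escapes on the way in, so the address later handed to the payment API has `&quot;` in it and a lookup by the user's real name no longer finds the row.

```python
import html
import sqlite3

SCHEMA = "CREATE TABLE users (name TEXT PRIMARY KEY, paypal_email TEXT NOT NULL)"
INSERT = "INSERT INTO users (name, paypal_email) VALUES (?, ?)"
SELECT = "SELECT name, paypal_email FROM users WHERE name = ?"


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def save_user(conn, name: str, paypal_email: str) -> None:
    """Correct: store exactly what the user entered. The '?' placeholders hand
    the values to the driver separately from the SQL text, so no manual
    SQL-escaping is needed and no HTML-escaping belongs here."""
    conn.execute(INSERT, (name, paypal_email))


def save_user_escaped_on_input(conn, name: str, paypal_email: str) -> None:
    """Anti-pattern from the thread: HTML-escaping before storage changes the
    stored data, so later lookups and API calls use the wrong string."""
    conn.execute(INSERT, (html.escape(name), html.escape(paypal_email)))


def load_user(conn, name: str):
    row = conn.execute(SELECT, (name,)).fetchone()
    return None if row is None else {"name": row[0], "paypal_email": row[1]}


def render_profile(user: dict) -> str:
    """Correct: HTML-escape once, at the moment the value is emitted as HTML."""
    return (
        f"<h1>{html.escape(user['name'])}</h1>"
        f'<a href="mailto:{html.escape(user["paypal_email"], quote=True)}">pay</a>'
    )


def paypal_recipient(user: dict) -> str:
    """What would be handed to the payment API: the raw stored address, not HTML."""
    return user["paypal_email"]


def demo() -> dict:
    # Constructed inputs: an apostrophe plus a non-ASCII letter in the name, a
    # double-quoted (RFC-valid) local part in the address, and a name that looks
    # like SQL but must be treated as plain data by the placeholder query.
    name = "Jörg's shop"
    email = '"quoted"@example.com'
    sql_looking_name = "x' OR '1'='1"

    good = open_db()
    save_user(good, name, email)
    save_user(good, sql_looking_name, "other@example.com")
    user = load_user(good, name)

    bad = open_db()
    save_user_escaped_on_input(bad, name, email)

    return {
        "recipient_ok": paypal_recipient(user),
        "recipient_double_escaped": paypal_recipient(load_user(bad, html.escape(name))),
        "lookup_by_real_name_in_bad_db": load_user(bad, name),
        "profile_html": render_profile(user),
        "sql_looking_name_stored_literally": load_user(good, sql_looking_name)["name"],
        "sql_looking_name_not_matching_x": load_user(good, "x"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `sql_looking_name` entries show why the placeholder approach replaces hand-written escaping: the string is stored and matched as a literal value, and a query for `x` does not match it. The non-ASCII name round-trips unchanged through the database, and `html.escape` leaves it alone, so nothing needs to be mangled to render it safely.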
Honestly, I'm not trying to actively insult the guys making this site, but the whole thing reeks of "we really don't know what we're doing". You seem to be rolling your own for a lot of the infrastructure, and whilst that is entirely valid as a method to develop something, you're now seeing why nobody worth their salt does it for a project they want to make cash from.
You put the thing up far, far too early and appear to have no testing methodology to ensure that simple things like XSS attacks and SQL injections are 100% protected against. I'm actually surprised someone who lurks here hasn't just fucked the entire site up out of sheer malice yet. Be thankful that the people pointing out your site's flaws haven't actually killed it to prove a point yet.
You should have given it more time, actually ironed out the simple bugs and done some hard testing, only then should you have considered hosting a live copy of it and asking for extra testing from the community.
Thank you for the input, Hex. Walker and I have both decided that until the bugs are ironed out we are going to put the website into maintenance mode.