What would you do if you found an exploit on FA?


root

2 hours ago, Sutekh_the_Steak said:

Ahaaaaaah I love how this thread about what we'd do if we found an FA exploit appeared literally days before someone actually found a way to use an FA exploit. 

Irony (it is irony, right?) at its best.

Nah, it'd be pretty stupid to leave a trail this obvious two days before executing your plan. Funny thing is, I did consider this happening, but I thought "meh what are the chances FA is going to get hacked right after I make this thread."

1 hour ago, Terminal7 said:

Aye.

I truly don't understand what someone would do with the code - I don't know, maybe that's why they didn't bother trying to patch up security holes.

They should really get into the process of having an overhaul of the site, but maybe too many users are relying on it for income (or something like that)

A lot of people (including me) want it out of mere curiosity. It's been reported by ex-developers for years that the code is an utter trainwreck and I'd love to feast my eyes upon its insides to see for myself. I'm too lazy to scour over all of it, but there would be certain points I would look for to see what's going on under the hood. I'm still trying to figure out how the little thing I found gives the results that it does. I'd expect PHP to prematurely exit the script after hitting too many nested functions, but I'm not sure that's what's happening...

Honestly I hope FA stays around for a long time because I love the simplistic, homemade, slapped together in a week feel to it. I also like finding random novelty names and registering my own.


Just now, root said:

Nah, it'd be pretty stupid to leave a trail this obvious two days before executing your plan. Funny thing is, I did consider this happening, but I thought "meh what are the chances FA is going to get hacked right after I make this thread."

Oh nah I was just laughing at the coincidence, not inferring some sort of trail. lol


10 minutes ago, Ricky said:

All you need to do is send one unchecked value to the DB through an un-parameterized query.

Are they even using parameterized queries? I assumed they were probably using something like mysqli_real_escape_string and preg_replace :-p


1 minute ago, root said:

Are they even using parameterized queries? I assumed they were probably using something like mysqli_real_escape_string and preg_replace :-p

No clue either, and yeah, probably not given the trends so far.

I'm not sure what someone found but if it's the User-Agent string and un-escaped quotes I'll laugh my ass off.

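The "one unchecked value through an un-parameterized query" and User-Agent points in the exchange above, as an added example that is not code from the original thread or from FA itself. It is a Python/SQLite stand-in for the PHP/MySQL pattern being discussed: the same header is written to a visits table once by pasting it into the SQL text and once as a bound parameter. The schema, the `users` row, the hash value and the header strings are all constructed for illustration, and nothing here is known about FA's real tables.

```python
"""Added example, not FA's code: a request header logged two ways.

log_visit_vulnerable() builds the INSERT by string concatenation, so quotes in
the header are parsed as SQL. log_visit_safe() binds the header as a parameter,
so it is stored as data regardless of content.
"""
import sqlite3

# Constructed sample values (assumptions for illustration only).
ADMIN_HASH = "$2y$10$constructedhashvalue"
STRAY_QUOTE_UA = "Mozilla/5.0 (it's me)"
# Closes the ua literal, supplies the ip column from a subquery, and comments
# out the rest of the original statement. This is a single statement, which is
# what old PHP mysql_query-style drivers allow; no stacked queries needed.
EVIL_UA = "x', (SELECT pw_hash FROM users WHERE name='admin')) -- "


def make_db():
    """In-memory schema standing in for the site's database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', ?)", (ADMIN_HASH,))
    db.execute("CREATE TABLE visits (ua TEXT, ip TEXT)")
    return db


def log_visit_vulnerable(db, ua, ip="203.0.113.7"):
    """Un-parameterized query: header text becomes part of the SQL grammar."""
    sql = "INSERT INTO visits (ua, ip) VALUES ('" + ua + "', '" + ip + "')"
    db.execute(sql)


def log_visit_safe(db, ua, ip="203.0.113.7"):
    """Parameterized query: the driver keeps code and data separate."""
    db.execute("INSERT INTO visits (ua, ip) VALUES (?, ?)", (ua, ip))


def stored_visits(db):
    """Return (ua, ip) rows, i.e. what a stats page would later display."""
    return db.execute("SELECT ua, ip FROM visits").fetchall()


def demo():
    """Run all three cases and return the observable outcomes."""
    results = {}

    # 1. An ordinary apostrophe in the header breaks the vulnerable query
    #    (the "un-escaped quotes" case): the request errors out.
    db = make_db()
    try:
        log_visit_vulnerable(db, STRAY_QUOTE_UA)
        results["stray_quote_errors"] = False
    except sqlite3.OperationalError:
        results["stray_quote_errors"] = True

    # 2. A crafted header makes the vulnerable INSERT copy the admin's hash
    #    into the ip column, where the attacker can read it back later.
    db = make_db()
    log_visit_vulnerable(db, EVIL_UA)
    (_, leaked_ip), = stored_visits(db)
    results["vulnerable_leaks_hash"] = leaked_ip

    # 3. The same crafted header through a bound parameter is stored verbatim.
    db = make_db()
    log_visit_safe(db, EVIL_UA)
    (stored_ua, stored_ip), = stored_visits(db)
    results["safe_stores_literal"] = stored_ua
    results["safe_ip_intact"] = stored_ip
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Escaping helpers such as mysqli_real_escape_string only defend the string-literal context they were written for; the parameterized form removes the problem instead of patching each call site, which is why the second function has no escaping logic at all.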

Guys I have a confession.... I took down FA.

I was thirsty and spilled some mountain dew on the servers. I warned Neer to help me grab some towels but him and Chase were having their hourly "diddle time" so I wasn't allowed to disturb their slumber.

I apologize to artists everywhere.


4 minutes ago, PastryOfApathy said:

Guys I have a confession.... I took down FA.

I was thirsty and spilled some mountain dew on the servers. I warned Neer to help me grab some towels but him and Chase were having their hourly "diddle time" so I wasn't allowed to disturb their slumber.

I apologize to artists everywhere.

goddammit


1 hour ago, PastryOfApathy said:

Guys I have a confession.... I took down FA.

I was thirsty and spilled some mountain dew on the servers. I warned Neer to help me grab some towels but him and Chase were having their hourly "diddle time" so I wasn't allowed to disturb their slumber.

I apologize to artists everywhere.

That's fine, the last person tripped over a cable and FA was down for several months because the person hid the cable to not get in trouble.


1 hour ago, root said:

Are they even using parameterized queries? I assumed they were probably using something like mysqli_real_escape_string and preg_replace :-p

They aren't even using mysqli.


22 minutes ago, RTDragon said:

Doesn't really matter much since the source code is out in the open.

The people who have it don't seem to be spreading it around very well.


7 hours ago, PastryOfApathy said:

Guys I have a confession.... I took down FA.

I was thirsty and spilled some mountain dew on the servers. I warned Neer to help me grab some towels but him and Chase were having their hourly "diddle time" so I wasn't allowed to disturb their slumber.

I apologize to artists everywhere.

Sue Mountain Dew xD


4 hours ago, root said:

The people who have it don't seem to be spreading it around very well.

And that's the scary and also weird thing.

The average person would think: they're gonna spread this around via the internet.
Instead we only know of it being spread around via USB.

The thing is, "they still have an ID card into the site TECHNICALLY",
meaning they could still come back unless they redo EVERYTHING.

Even when SoFurry updated its site, there was still old code. We have to HOPE FA has their supposed new code stored ELSEWHERE, or else they're gonna end up learning "yea, they have a copy of that code too..."


9 hours ago, Crazy Lee said:

Why is this thread still going when there's the other megathread....

You're right. We shoulda locked it a long time ago, since there is a thread for this sorta thing. 

