Anyone with half a brain and even a halfway decent
understanding of html can think about it for about 10 seconds
and understand what it could do..
Not when you describe it as being something totally different to
what it actually is. It makes you look like you don't understand
the code your posting when you call it HTML and say it can do
anything on any server.
What you are talking about is a very particular combination of
techniques. Once you know the combination it does indeed
appear easy and many of us have seen these techniques used
before in different situations. However without investigation of
the steps needed someone can't just spend 10 seconds looking
at the code to figure out exact what the fuck it is you are talking
about.
I'm guessing english isn't your first language.... no offence but
when you use all the wrong words and describe things totally
backwards it does kinda make it hard for anyone to agree with
you.
If i was an asshole i would just use the flaw for profit instead of
letting gfy know about it.
If you weren't an asshole you'd actually say what you mean
rather than talking all this crap about server hacking and sending
emails.
Lens.... He is right... It is exploitable.
You need to block a few event handlers such as onstart, onclick, etc.
-Ben
Cyberwurx Hosting
After trying 5 different hosts, I found the best.
Since 1997 I've had 2 hours of downtime.
Fast support, great techs, no hype, no gimmicks.
<- I in no way endorse whatever just got stuck on the left of my post.
It's just the guy mixes in so much bullshit with his facts that it
makes him appear like he has no idea what he's talking about.
Nice camouflage job... However I think I'd rather appear smart
then dumb.
Did it take you 2 seconds to come up with?
Stop trying to make ppl feel bad for not understanding your
backwards and simply wrong comments.
-Ben
Cyberwurx Hosting
After trying 5 different hosts, I found the best.
Since 1997 I've had 2 hours of downtime.
Fast support, great techs, no hype, no gimmicks.
<- I in no way endorse whatever just got stuck on the left of my post.
as i explained if i gave exact details on it it would also explain to every little punk with a copy and paste how to do it , so thats why i was vague.. sorry if you couldnt figure that out..
I can see how what you mentioned can be used to make popups and other stuff in j a v a s c r i p t that could cause trouble on GFY. What you found is a good find. But you really made it more than it really is. It can't do most of the stuff you mentioned.
Being able to change the password by having the cookie sent to you cannot be done. At least without asking the client permission before it is actually sent. It could be done with old browsers (I'm talking about the really old ones on Win 95 machines). But most newer browsers won't let emails be sent via j a v a s c r i p twithout permission from the client first.
Sending out emails via j a v a s c r i p tused to be a big problem in the early days. That's how emails were harvested. That has since been fixed for some years now.
People still think you're talking about hacking servers or sending
emails from client machines.
It's not the fact that you hid the method....
I do think that was quite good of you.....
It's that you were talking about totally different things which
were quite simply wrong. You can not for example do anything to
any server with the method you're using.
You really can't blame someone for thinking you're barking up the
wrong tree when you say that jav-as-cript can do anything you want to the server.
Hide the actual code sure..... but why make yourself look stupid
by saying things that are so wrong.
Lens it does need fixing..... He may look stupid but he has found
an exploit that someone will probably soon use and could upset
some ppl.
-Ben
Cyberwurx Hosting
After trying 5 different hosts, I found the best.
Since 1997 I've had 2 hours of downtime.
Fast support, great techs, no hype, no gimmicks.
<- I in no way endorse whatever just got stuck on the left of my post.
You dont need to use email just add the cookie to a string and pop it in a window example, yoururl.com/logged.cgi?+document . cookie
to change passwrod just make a hidden form with a replica of the profile form ( but with your own info ) now the email is whatever you changed it to , now just reset the password and have it sent to the new email , shebang.
Without actual testing I'm still not sure you'd fit in everything you
want to do into the character limit. However yes it is a worry.
-Ben
Cyberwurx Hosting
After trying 5 different hosts, I found the best.
Since 1997 I've had 2 hours of downtime.
Fast support, great techs, no hype, no gimmicks.
<- I in no way endorse whatever just got stuck on the left of my post.
no shit asshole -- like I said, for somebody who is so good at 'hacking' you sure do suck at reading and UNDERSTANDING the sig rules:
2. Signature rules. Maximum 120x60 button and no more than 3 text lines of default size and color.
New as of 1/1/2003: if your sig is for a GFY top banner sponsor, you may use a 468x60 instead of a 120x60. Yes there is a reason this is so big. Also putting your text in a cell and making it look like a button is against the rules. Let me repeat... A 120 x 60 button and no more that 3 lines of DEFAULT SIZE AND COLOR text.
First, your sig banner is 645 x 120 -- that is ABOVE THE ALLOWED 468x60 for top banner sponsor.
Second, your text is NOT the default size OR color.
So eat a dick buttmunch --- go google for more GFY hacks
like i said i have already tested it , it fits under the character limit just fine besides you can hide an unlimited amount of characters in a hahahahahahahahahaha ;) with a document write ....
To the moron complaining about my sig.. my sig fits gfy see the top 10 posters on this board... my sig is the same. quit crying because you cant say anything usefull
To the moron complaining about my sig.. my sig fits gfy see the top 10 posters on this board... my sig is the same. quit crying because you cant say anything usefull
"Mommy, mommy - the other kids are doing it, so that means its ok right mommy?"
like I said, you sure do have a hard time reading and understanding the sig rules.
Cyberwurx Hosting
After trying 5 different hosts, I found the best.
Since 1997 I've had 2 hours of downtime.
Fast support, great techs, no hype, no gimmicks.
<- I in no way endorse whatever just got stuck on the left of my post.
You could run any new IE, ActiveX, Java, or Flash exploit on a
great deal of GFY members before the admins saw it.
This combined with other exploits or some yet to be discovered
could allow an attacker to gain complete control of your home
system via your browser.
-Ben
Cyberwurx Hosting
After trying 5 different hosts, I found the best.
Since 1997 I've had 2 hours of downtime.
Fast support, great techs, no hype, no gimmicks.
<- I in no way endorse whatever just got stuck on the left of my post.
Cyberwurx Hosting
After trying 5 different hosts, I found the best.
Since 1997 I've had 2 hours of downtime.
Fast support, great techs, no hype, no gimmicks.
<- I in no way endorse whatever just got stuck on the left of my post.
Cyberwurx Hosting
After trying 5 different hosts, I found the best.
Since 1997 I've had 2 hours of downtime.
Fast support, great techs, no hype, no gimmicks.
<- I in no way endorse whatever just got stuck on the left of my post.
Comment