GoFuckYourself.com - Adult Webmaster Forum


Smokey The Bear 10-14-2003 09:44 PM

Security Risk In Gfy
 
THERES A SECURITY RISK ON GFY

There are several clever ways of doing much worse than this silently.



<embed src="http://bestpornhost.com/gfy/gfwhy.swf" width="1" height="1">

Makingcoin 10-14-2003 09:46 PM

Cookie Monster :)

nofx 10-14-2003 09:46 PM

put out any fires today?

Smokey The Bear 10-14-2003 09:47 PM

A good solution would be to actually parse the flash animation and filter malicious parameters in getURL(). This addresses the case when a Web application allows SWF files to be uploaded to the server. Webmasters are highly encouraged to parse and filter Flash content if they allow users to upload. Webmasters may choose to block any Flash content which contains getURL() actions that do not specifically point towards an HTTP site. Another solution would be to change all getURL() actions to point to a new window. This can be achieved by specifying the target window as "_blank". By making the described changes, hahahahahahahahahaha URLs will not execute under the hosting domain's privileges. This solution is not consistent due to the fact that ActionScript is a complex scripting language and provides the eval() function. This function allows more sophisticated hackers to even bypass protection against parsing of ActionScript.
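
The parse-and-filter check described in the post above, as an added Python example (not part of the thread or of the quoted paper): it walks the top-level DoAction tags of an uploaded SWF, blocks static getURL() targets that are not HTTP(S), and flags ActionGetURL2, whose URL is built at run time and cannot be checked statically. The function names and the constructed sample input are assumptions; actions inside sprites and buttons are not covered.

```python
import struct
import zlib

DO_ACTION = 12           # SWF tag code carrying ActionScript bytecode
GET_URL, GET_URL2 = 0x83, 0x9A   # static URL vs. URL built on the stack at run time
ALLOWED = ("http://", "https://")

def _tags(swf: bytes):
    """Yield (tag_code, payload) for each top-level tag of an SWF file."""
    if swf[:3] == b"CWS":                      # zlib-compressed after byte 8
        swf = b"FWS" + swf[3:8] + zlib.decompress(swf[8:])
    elif swf[:3] != b"FWS":
        raise ValueError("not an SWF file")
    rect_len = (5 + 4 * (swf[8] >> 3) + 7) // 8   # RECT: 5-bit width + 4 fields
    pos = 8 + rect_len + 4                        # skip frame rate and frame count
    while pos + 2 <= len(swf):
        (head,) = struct.unpack_from("<H", swf, pos)
        code, length = head >> 6, head & 0x3F
        pos += 2
        if length == 0x3F:                        # long form: 32-bit length follows
            (length,) = struct.unpack_from("<I", swf, pos)
            pos += 4
        yield code, swf[pos:pos + length]
        pos += length

def audit_swf(swf: bytes):
    """Return a list of (verdict, detail); an empty list means nothing was flagged."""
    findings = []
    for code, payload in _tags(swf):
        pos = 0
        while code == DO_ACTION and pos < len(payload) and payload[pos] != 0:
            action, pos = payload[pos], pos + 1
            if action < 0x80:                     # actions below 0x80 carry no arguments
                continue
            (alen,) = struct.unpack_from("<H", payload, pos)
            args, pos = payload[pos + 2:pos + 2 + alen], pos + 2 + alen
            if action == GET_URL:
                url = args.split(b"\0")[0].decode("latin-1")
                if not url.lower().startswith(ALLOWED):
                    findings.append(("block", url))
            elif action == GET_URL2:
                findings.append(("review", "GetURL2: URL is computed at run time"))
    return findings

def get_url(url: bytes, target: bytes = b"_self") -> bytes:
    """Constructed test input: one ActionGetURL record."""
    args = url + b"\0" + target + b"\0"
    return bytes([GET_URL]) + struct.pack("<H", len(args)) + args

def sample_swf(actions: bytes) -> bytes:
    """Constructed test input: minimal SWF with a single DoAction tag."""
    tag = struct.pack("<HI", (DO_ACTION << 6) | 0x3F, len(actions) + 1) + actions + b"\0"
    body = b"\0" + struct.pack("<HH", 12 << 8, 1) + tag + b"\0\0"
    return b"FWS\x05" + struct.pack("<I", 8 + len(body)) + body
```

A malformed or truncated file raises `ValueError` or `struct.error`; an upload handler should treat either as a rejection.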

cluck 10-14-2003 09:48 PM

I sale big player GFY cookie. $5.

Smokey The Bear 10-14-2003 09:48 PM

The conclusion is flash files arent very safe

Why 10-14-2003 09:50 PM

Quote:

Originally posted by Smokey The Bear
The conclusion is flash files arent very safe
yeap, and it has been brought up many times, but no one listens.

Swanks 10-14-2003 09:54 PM

Thats not good, we dont need any hacker problems.

nofx 10-14-2003 09:57 PM

swank, do you have a huge enough sig?

Swanks 10-14-2003 09:58 PM

Thats not how the signature is supposed to display.. Im trying to get it to work correctly and its not, pretty sure there is nothing wrong with the code.. Seems to be something with the boards.

Smokey The Bear 10-14-2003 10:04 PM

Quote:

Originally posted by swank
Thats not how the signature is supposed to display.. Im trying to get it to work correctly and its not, pretty sure there is nothing wrong with the code.. Seems to be something with the boards.
Take out all your br's and it should show up fine , and set your table area

View source you will see what its adding that screws it up

Adult Site Traffic 10-14-2003 10:05 PM

Quote:

Originally posted by swank
Thats not how the signature is supposed to display.. Im trying to get it to work correctly and its not, pretty sure there is nothing wrong with the code.. Seems to be something with the boards.
Put it in notepad. Back it all up to be on "one line" (sorta) It might not all fit on "one line" but you get the idea.

Then repaste it in your sig space, and stop stealing sigs if you don't know how to make them work right ;)

Adult Site Traffic 10-14-2003 10:07 PM

Quote:

Originally posted by Smokey The Bear


Take out all your br's and it should show up fine , and set your table area

View source you will see what its adding that screws it up

It's not the br's.

Bladewire 10-14-2003 10:08 PM

Quote:

Originally posted by Smokey The Bear
A good solution would be to actually parse the flash animation and filter malicious parameters in getURL(). This addresses the case when a Web application allows SWF files to be uploaded to the server. Webmasters are highly encouraged to parse and filter Flash content if they allow users to upload. Webmasters may choose to block any Flash content which contains getURL() actions that do not specifically point towards an HTTP site. Another solution would be to change all getURL() actions to point to a new window. This can be achieved by specifying the target window as "_blank". By making the described changes, hahahahahahahahahaha URLs will not execute under the hosting domain's privileges. This solution is not consistent due to the fact that ActionScript is a complex scripting language and provides the eval() function. This function allows more sophisticated hackers to even bypass protection against parsing of ActionScript.
You're awesome and thanks for looking out for us! I appreciate your information and hope the right person hears it to fix these issues. :thumbsup

Swanks 10-14-2003 10:08 PM

Ill try that smokey.

I didnt steal any sig... I did this in both frontpage and notepad.. Still nothing but this garbage displays.

Smokey The Bear 10-14-2003 10:10 PM

Quote:

Originally posted by Adult Site Traffic


It's not the br's.

Kind of .

Your first advice was good.

Take out all the spaces you dont need and thats about as close as you will get it

Swanks 10-14-2003 10:12 PM

Quote:

Originally posted by Adult Site Traffic


Put it in notepad. Back it all up to be on "one line" (sorta) It might not all fit on "one line" but you get the idea.

Then repaste it in your sig space, and stop stealing sigs if you don't know how to make them work right ;)

Thanks Much. :thumbsup

Adult Site Traffic 10-14-2003 10:13 PM

Quote:

Originally posted by swank
Ill try that smokey.

I didnt steal any sig... I did this in both frontpage and notepad.. Still nothing but this garbage displays.

Ah ! You got it :)

Chris 10-14-2003 10:43 PM

Yeah good like decrypting md5 hash's buddy ... this is old news .... wow your such a haxxah now you read some old ass exploits that really isnt even an exploit... i doubt you are able to decrypt an md5 hash encryption to get a gfy password lol

come on geek

ryph 10-14-2003 11:27 PM

got your sig all fixed i see swank;-)

Smokey The Bear 10-14-2003 11:38 PM

Quote:

Originally posted by JupZChris
Yeah good like decrypting md5 hash's buddy ... this is old news .... wow your such a haxxah now you read some old ass exploits that really isnt even an exploit... i doubt you are able to decrypt an md5 hash encryption to get a gfy password lol

come on geek


That wasnt really the point retard.


Try reading the thread next time.

Chris 10-14-2003 11:42 PM

Quote:

Originally posted by Smokey The Bear



That wasnt really the point retard.


Try reading the thread next time.

uhh okay tell me your point then ...... ooo steal my cookies who gives a fuck ? you CANT do anything with them....

Chris 10-14-2003 11:44 PM

here is proof that this kid is a fucking moron

he is just copy and pasting from another site

i know he doesnt own eyeonsecurity :)

http://eyeonsecurity.org/papers/flash-xss.htm

Smokey The Bear 10-14-2003 11:45 PM

The point is that flash files arent safe .

Did you read the thread ??? :1orglaugh

and to the other retard , i never claimed i wrote that.

So go take your google search and kiss my ass :)

ytcracker 10-14-2003 11:48 PM

my name is ytcracker and my story is a simple one

fiveyes 10-15-2003 12:00 AM

Quote:

Originally posted by Smokey The Bear
Remember: Only YOU can prevent forum fires!
sorry, couldn't resist!

50 Cent 10-15-2003 12:03 AM

Lensman got this shit covered I doubt there is any risk, you're just an ideot go buy a short uin number:321GFY

Chris 10-15-2003 12:04 AM

Quote:

Originally posted by ytcracker
my name is ytcracker and my story is a simple one
ytcracker is a mad haxxah

Chris 10-15-2003 12:04 AM

Quote:

Originally posted by Smokey The Bear


and to the other retard , i never claimed i wrote that.

So go take your google search and kiss my ass :)

umm isnt it illegal to just blatantly copy someone else without giving credit where credit is due ? could of at least quoted it and gave a proper link to it

now go hax another message board

Smokey The Bear 10-15-2003 12:05 AM

Quote:

Originally posted by 50 Cent
Lensman got this shit covered I doubt there is any risk, you're just an ideot go buy a short uin number:321GFY
I love it when people typo insults . hahaha

Smokey The Bear 10-15-2003 12:09 AM

Quote:

Originally posted by JupZChris


umm isnt it illegal to just blatantly copy someone else without giving credit where credit is due ? could of at least quoted it and gave a proper link to it

now go hax another message board

No it isnt.

The page that was quoted from was also quoting it from another page :) look in the reference table at the bottom and you will find it.

If anyone was confused and thought, that i wrote that great little part, then nope i quoted it from someone who said it better than i could, If it was important i wouldnt have Not said i para-quoted it. If anyone was offended , my deepest condolences.

lol

Chris 10-15-2003 12:16 AM

Quote:

Originally posted by Smokey The Bear


No it isnt.

The page that was quoted from was also quoting it from another page :) look in the reference table at the bottom and you will find it.

If anyone was confused and thought, that i wrote that great little part, then nope i quoted it from someone who said it better than i could, If it was important i wouldnt have Not said i para-quoted it. If anyone was offended , my deepest condolences.

lol


here is direct quote from their site

Quote:

Copyright © 2001,2002 EyeonSecurity,
Redistribution of this document is permitted as long as the contents

are not changed and this copyright notice is included.


Chris 10-15-2003 12:32 AM

wheres our friend smokey the bear to haxx up our forum some more? :(

Smokey The Bear 10-15-2003 12:32 AM

He means the part of the website that he actually owns the rights to. He doesnt own paraquotes from another person just as gfy doesnt own the legal right to what you say. Perhaps you didnt notice i explained that in the last post.

If you dont even know the legality of it then dont bother trying to spout it dipshit. :1orglaugh

Smokey The Bear 10-15-2003 12:37 AM

Quote:

Originally posted by JupZChris
wheres our friend smokey the bear to haxx up our forum some more? :(
Dude , do you ever stop whining ?

If i had wanted to "haxx" up the forum i would have done so , instead i made "1" count it "1" alert with your cookie, i didnt write it to a server i just popped it thats all. There was no exploit other than those already known, just in how its deployed so before you start crying again little boy, maybe you better just zip it.

Chris 10-15-2003 12:38 AM

Quote:

Originally posted by Smokey The Bear
He means the part of the website that he actually owns the rights to. He doesnt own paraquotes from another person just as gfy doesnt own the legal right to what you say. Perhaps you didnt notice i explained that in the last post.

If you dont even know the legality of it then dont bother trying to spout it dipshit. :1orglaugh

uhh it says right there that paper

kthnx go copy more shit now

i love you.

Chris 10-15-2003 12:40 AM

Quote:

Originally posted by Smokey The Bear


Dude , do you ever stop whining ?

If i had wanted to "haxx" up the forum i would have done so , instead i made "1" count it "1" alert with your cookie, i didnt write it to a server i just popped it thats all. There was no exploit other than those already known, just in how its deployed so before you start crying again little boy, maybe you better just zip it.

No i dont stop whining ... and if you just wanted to ' alert ' us of some useless cookie information you could of just posted the code instead of using it on the forum to show us what it did .... or you could of emailed lens directly and he would of taking care of it instead of us getting flash taken away from us because of something extremely stupid.

hope your happy

now go haxx another forum

Smokey The Bear 10-15-2003 12:44 AM

Quote:

Originally posted by JupZChris


No i dont stop whining ... and if you just wanted to ' alert ' us of some useless cookie information you could of just posted the code instead of using it on the forum to show us what it did .... or you could of emailed lens directly and he would of taking care of it instead of us getting flash taken away from us because of something extremely stupid.

hope your happy

now go haxx another forum

I already did that yet lensman kept flash files , even though i suggested moderated flash files.

So i had to show it. People like you dont understand unless they see things. Theory never works.

I tried numerous other ways including changing peoples sigs , but nobody really paid much attention.

Chris 10-15-2003 12:47 AM

Quote:

Originally posted by Smokey The Bear


I already did that yet lensman kept flash files , even though i suggested moderated flash files.

So i had to show it. People like you dont understand unless they see things. Theory never works.

I tried numerous other ways including changing peoples sigs , but nobody really paid much attention.

ahh so your an attention whore who didnt get what they wanted so you just ' exploited ' (if you can even call that an exploit ) it on the forums to get your point across right ?

and what do you mean " People like you dont understand unless they see things. " Oh come on cookie session hijacking has been around for years. Nothing new. Old news. Let me guess your going to warn everyone about dcom now right ?!?!? My god go away already you have no friends.

AlienQ - BANNED FOR LIFE 10-15-2003 12:51 AM

Smokey Bear=Mitnick?

:1orglaugh :1orglaugh

Smokey The Bear 10-15-2003 12:52 AM

Quote:

Originally posted by JupZChris


ahh so your an attention whore who didnt get what they wanted so you just ' exploited ' (if you can even call that an exploit ) it on the forums to get your point across right ?

and what do you mean " People like you dont understand unless they see things. " Oh come on cookie session hijacking has been around for years. Nothing new. Old news. Let me guess your going to warn everyone about dcom now right ?!?!? My god go away already you have no friends.

Ok you little inbred twathair i will explain it for you one more time.

First off who cares how long an exploit has been around , if it works and people are vulnerable then hmmmmm. Gee robbing banks has been around for years , so i guess nobody will think of robbing my bank .. Are you seriously that stupid..

This doesnt really have much to do with gfy , if i was a criminal i would already be having my way with loads of money , if you cant figure out how then your in the wrong biz son ...

Go get a life instead of chasing shadows.

Chris 10-15-2003 12:56 AM

Quote:

Originally posted by Smokey The Bear


Ok you little inbred twathair i will explain it for you one more time.

First off who cares how long an exploit has been around , if it works and people are vulnerable then hmmmmm. Gee robbing banks has been around for years , so i guess nobody will think of robbing my bank .. Are you seriously that stupid..

This doesnt really have much to do with gfy , if i was a criminal i would already be having my way with loads of money , if you cant figure out how then your in the wrong biz son ...

Go get a life instead of chasing shadows.


lol you already admitted in this thread there was nothing you could do with the exploit ....

go post on your real name now instead of making characters :)
i love you.

Smokey The Bear 10-15-2003 12:57 AM

Quote:

Originally posted by AlienQ
Smokey Bear=Mitnick?

:1orglaugh :1orglaugh

lol no mitnicks servers are to butter as gfy servers are to " i cant believe its not butter " hehehe

Smokey The Bear 10-15-2003 01:02 AM

Quote:

Originally posted by JupZChris



lol you already admitted in this thread there was nothing you could do with the exploit ....

go post on your real name now instead of making characters :)
i love you.


HAHA there are literally thousands of things you could do with it :)
dont be so daft retard.

AlienQ - BANNED FOR LIFE 10-15-2003 01:09 AM

Well my :2 cents: to hacking is simply this.

If ya gonna beat your head looking for exploits the energy is seriously in vain when the energy can be making ya money.

For example.
Looking at all directions of possible flash exploits will

A: lead to trouble.
B: Cheat you out of time from making honest money on the web.

Essentially the skill to hack is simply not economical unless ya intend to make money with it by compromising a system that will eventually catch you.

Time = Money.

Hacking = Exposure - Time - Money/ Federal Investigation.

Stop wasting time looking for exploits when clearly ya could be making money with programming talents with the time.

Smokey The Bear 10-15-2003 01:23 AM

Quote:

Originally posted by AlienQ
Well my :2 cents: to hacking is simply this.

If ya gonna beat your head looking for exploits the energy is seriously in vain when the energy can be making ya money.

For example.
Looking at all directions of possible flash exploits will

A: lead to trouble.
B: Cheat you out of time from making honest money on the web.

Essentially the skill to hack is simply not economical unless ya intend to make money with it by compromising a system that will eventually catch you.

Time = Money.

Hacking = Exposure - Time - Money/ Federal Investigation.

Stop wasting time looking for exploits when clearly ya could be making money with programming talents with the time.

That sums it up pretty good.

But theres a good reason why i pointed it out . There are lots of bad people out there. :)

Its better to fix things than just assume nobody will ever mess with you.

That being said some people dont understand until you donate their paypal accounts to cancer research :) ( thats always good for a laugh ) , of course i would never do anything like this, and would never recommend anyone to do such an evil thing


All times are GMT -7.