Herschel Yamamoto
Agent-Orange Nabaal Syndicate
|
Posted - 2011.04.12 01:54:00 -
[1]
I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.
|
Herschel Yamamoto
Agent-Orange Nabaal Syndicate
|
Posted - 2011.04.12 06:16:00 -
[2]
Originally by: Misanth
Originally by: Dacil Arandur of all people Akita T has the most to lose!
No. The playerbase as a whole, has, if that monster of a forum comes back.
Better than this stinky old turd. Not nearly as much better as it ought to be, but better nonetheless.
Originally by: Bargealta McSpacebuxx So are you going to post how the exploit worked after it's fixed for the curious, or no?
It was ******ed simple. Basically, there were two completely unrelated problems. One was HTML injection via signatures - basically, HTML was blocked for the post body, but you could put whatever you wanted in your sig via a fairly simple workaround. It started when people wanted to use font colours and images in their sigs (functionality not yet implemented on the new forum), and then they realized it wasn't limited to making sigs colourful.
The second problem was even dumber. The forum's method of telling what character you're posting as was a simple cleartext string in the cookie, of the type "lastSelectedCharacter=1840703239". Fair enough - it's a non-crazy way to remember which of your three toons to post as - except that the server just took the character ID and trusted it completely, with no checking. If I set my last ID to CCP Sreegs (which is the ID number I used above - they're easy to look up), then I could post as Sreegs, edit Sreegs' posts, and have access to all mod tools and hidden forums Sreegs can see...without ever having to actually log in to Sreegs' account. Just set your ID in the cookie, the server takes it as gospel without checking, and you're in as anyone you like.
Seriously, I can't overstate just how ******ed this was. "Derp" is far too weak a word.
|
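The first problem in the post above (arbitrary HTML reaching the page through signatures) is the kind of thing an allowlist renderer prevents. The following is an added example, not CCP's forum code and not anything posted in this thread: it assumes signatures are stored as plain text with a small made-up BBCode-style markup ([color=...] and [img]...[/img], the two features people wanted) and that this function is the only path from stored signature to page. Everything outside those two constructs is HTML-escaped, so a tag or event handler smuggled into a signature is rendered as inert text rather than executed.

```python
import html
import re

# Added illustration of an allowlist-based signature renderer. The markup
# ([color=...] and [img]) is an assumed mini-syntax, not the real forum's.
COLOR_RE = re.compile(r'^#[0-9a-fA-F]{6}$|^[a-zA-Z]{1,20}$')
TAG_RE = re.compile(
    r'\[color=([^\]]*)\](.*?)\[/color\]|\[img\](.*?)\[/img\]', re.DOTALL)
IMG_URL_RE = re.compile(r'^https?://[^\s"\'<>]+$')


def safe_image_url(url):
    """Return the URL if it is a plain absolute http(s) URL, else None.

    Rejects javascript:, data:, and anything carrying quotes or angle
    brackets that could break out of the src attribute.
    """
    u = url.strip()
    return u if IMG_URL_RE.match(u) else None


def render_signature(sig):
    """Render a stored signature to HTML, escaping everything not on the allowlist.

    Tags do not nest: the text inside [color] is escaped, so an [img] placed
    inside a [color] block is shown literally. That is a deliberate limitation
    that keeps the renderer easy to reason about.
    """
    out = []
    pos = 0
    for m in TAG_RE.finditer(sig):
        out.append(html.escape(sig[pos:m.start()]))   # text between tags
        if m.group(1) is not None:                    # [color=...]...[/color]
            colour, inner = m.group(1), m.group(2)
            if COLOR_RE.match(colour):
                out.append('<span style="color:%s">%s</span>'
                           % (colour, html.escape(inner)))
            else:
                # Bad colour value (e.g. an attribute injection attempt):
                # drop the styling, keep the escaped text.
                out.append(html.escape(inner))
        else:                                         # [img]...[/img]
            url = safe_image_url(m.group(3))
            if url:
                out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
            else:
                # Unsafe URL: show the raw markup, escaped, instead of an <img>.
                out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(sig[pos:]))
    return ''.join(out)
```

The point is the shape, not the regexes: the only way to get a tag into the output is through a branch that builds that tag itself from validated pieces, so the stored signature never touches the HTML directly.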
Herschel Yamamoto
Agent-Orange Nabaal Syndicate
|
Posted - 2011.04.12 16:34:00 -
[3]
Originally by: Super Whopper Sreegs, thank you very much for engaging the community like this. While I am usually (rightly) negative about CCP, I'd like to commend you for taking the time to respond to all these concerns. Also you are to be commended for trying to explain, albeit in basic details, how the flaw worked and the security of the new forums.
I would like to know whether the new forums allow the scaling of frames to fit all resolutions or whether they've been designed to fit 1280x1024 only.
I read forums on a 1280x1024 monitor, and I can say with confidence that they're actually designed for 1024x768.
Originally by: Qordel Having the server verify it isn't enough, either. That would still be a sloppy solution. The real solution that they should have deployed (and which is pretty much Cookies/sessions-101) would be that the cookie should have contained NOTHING except a single salted hash key, so that even someone looking at the cookie would have no idea what data it contains. Not even the username or UID that it is regarding.
Then it's dead simple to match that hash key against the database of non-expired sessions and get any data you could possibly require on the server side.
I could see someone like myself who doesn't do webdev for a living making a mistake like that. Ignorance and all, you know (though almost any reference to how to handle sessions on the internet should explain it to a newbie). Professional web developers, however, should never ever make that mistake. That shouldn't be an after-release "oops". That should be a fundamental flaw that doesn't make it past the rough white-board sketch.
Webdev isn't my thing either, so I don't know what really good security looks like. But I'm pretty sure that if the lastSelectedCharacter thing was limited to picking between the characters on the account you're logged in as, it wouldn't be a serious vulnerability, even if it was suboptimal.
Originally by: mazzilliu the fact that i'm not banned does say something.
That CCP is deaf, dumb, and blind?
|
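To put the second problem from post [2] and the session design Qordel and Herschel argue about in post [3] side by side, here is an added example that is not CCP's code and not anything posted in the thread. It models the vulnerable design (a cleartext lastSelectedCharacter cookie that the server trusts) next to a hardened one in which the cookie holds only an opaque random session token, the account and selected character live server-side, and selecting a character is checked against the logged-in account, which is Herschel's point about limiting the selection to your own toons. The account names and character IDs are made-up sample data; the opaque token is a random value rather than the salted hash Qordel describes, which serves the same purpose here.

```python
import secrets
import time

# Added illustration, not the real forum code. Sample accounts and character
# IDs below are constructed for the example.
ACCOUNTS = {
    "alice": {"characters": {1001: "Alice Prime", 1002: "Alice Alt"}},
    "mod":   {"characters": {2001: "Forum Mod"}},
}
CHARACTER_OWNER = {cid: acct for acct, a in ACCOUNTS.items()
                   for cid in a["characters"]}


# --- Vulnerable design: the character ID is in the cookie and trusted as-is.
def vulnerable_posting_character(cookies):
    """Return (account, character) the forum would post as. No ownership check:
    whoever edits the cookie picks any character on the site."""
    cid = int(cookies["lastSelectedCharacter"])
    return CHARACTER_OWNER[cid], cid


# --- Hardened design: the cookie carries only an opaque session token.
SESSIONS = {}          # token -> {"account", "character", "expires"}
SESSION_TTL = 3600     # seconds


def login(account, now=None):
    """Create a server-side session; the only thing the client stores is the token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 random bits, unguessable
    SESSIONS[token] = {"account": account, "character": None,
                       "expires": now + SESSION_TTL}
    return {"session": token}


def _session(cookies, now=None):
    now = time.time() if now is None else now
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None or sess["expires"] < now:
        raise PermissionError("not logged in")
    return sess


def select_character(cookies, cid):
    """Remember which toon to post as, but only one the session's account owns."""
    sess = _session(cookies)
    if cid not in ACCOUNTS[sess["account"]]["characters"]:
        raise PermissionError("character %d does not belong to %s"
                              % (cid, sess["account"]))
    sess["character"] = cid


def hardened_posting_character(cookies):
    """Return (account, character) from server-side state only."""
    sess = _session(cookies)
    if sess["character"] is None:
        raise PermissionError("no character selected")
    return sess["account"], sess["character"]


def is_denied(fn, *args):
    """True if the call raises PermissionError; used to show the attack failing."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo():
    """Same attacker, both designs: forge the mod's character ID (2001)."""
    forged = {"lastSelectedCharacter": "2001"}
    vuln = vulnerable_posting_character(forged)          # ('mod', 2001): impersonation
    cookie = login("alice")
    hard = "denied" if is_denied(select_character, cookie, 2001) else "allowed"
    select_character(cookie, 1002)                       # own alt: fine
    return vuln, hard, hardened_posting_character(cookie)
```

Note that the hardened version still keeps a per-session "selected character" field, so the user-facing feature is unchanged; what moves is where the value lives and who is allowed to set it.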
Herschel Yamamoto
Agent-Orange Nabaal Syndicate
|
Posted - 2011.04.12 19:00:00 -
[4]
Originally by: JitaPriceChecker2 We didn't want new forums anyway !!!
Seriously they sucked.
But not as much as these ones. Srsly CCP, just buy a vBulletin license.
|
Herschel Yamamoto
Agent-Orange Nabaal Syndicate
|
Posted - 2011.04.12 22:35:00 -
[5]
Originally by: Kern Hotha CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.
You know he used to run Goonswarm, right? Having to deal with the Eve playerbase as a whole is his reward.
|
Herschel Yamamoto
Agent-Orange Nabaal Syndicate
|
Posted - 2011.04.13 04:40:00 -
[6]
Originally by: Ebbytingizotay
Originally by: Herschel Yamamoto
Originally by: Kern Hotha CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.
You know he used to run Goonswarm, right? Having to deal with the Eve playerbase as a whole is his reward.
Annndddd.... that little fact does not worry anyone?
Why would it? He's got experience at organizing a group of highly-educated professionals who act pants-on-head all the time into a cohesive and effective group. Sounds like he's better-qualified to work at CCP than half of the management.
|