bright-shadows.net Click me :) [TBS]

::[Home]

::[News]

::[Challenges]

::[Ranking]

::[My Account]

::[Forum]

::[Chat]

::[Private Messages]

::[Vulnerable Code]

::[Tutorials]

::[Downloads/Scripts]

::[Support]

::[Links]

::[Contact/FAQ]

::[Login]

0 anonymous

Views:	1088973	Challenges:	342
Users:	12689	Online:	11

Page 1 of 3

bright-shadows.net Click me :) – 24 Posts

bright-shadows.net Click me :)
01/21/2008 11:52

noother 150
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

Oops [image]http://www.bright-shadows.net/logout.php[/image] Edit: yeah, it is annoying

Edited by noother 01/21/2008 12:38 ago

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

quangntenemy 7120
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

Yeah that's an old CSRF bug that hasn't been fixed. <a href="%5C"><img alt="\"link\"" src="%5C">http://www.bright-shadows.net/forum/forum_showtopic.php?topicid=2329</a>

Edited by quangntenemy 01/21/2008 12:05 ago

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

noother 150
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

Then let's try to fix it. The most simple way would be a little form at the logout.php which asks \"Do you really want to logout?\" or something with a POST-Button i guess.

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

quangntenemy 7120
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

Yeah but the admins are quite busy/lazy for now <img alt="\":P\"" src="%5C"> PS. did u get urself logged out too? <img alt="\":P\"" src="%5C">

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

noother 150
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

Well, i turned off loading images to bypass it. But that screws the layout up, so i just edited it <img alt="\":)\"" src="%5C">

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

noother 150
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

ok, i played around with this a while and noticed the fact that a POST-Form is worthless. You can't just do an <img src="for" alt="for"> Example: <div class="\"tbscode_standard_quote_headline\""><img alt="\"Quote\"" src="%5C">Quote:</div><div class="\"tbscode_standard_quote\""> <form id=\"test\" method=\"POST\" action=\"http://www.bright-shadows.net/logout.php\"> <input type=\"hidden\" name=\"submit\" value=\"ya, log me out\"> </form> <body onload=\"test.submit()\"></body> </div> assuming the logout.php checks for $_POST['submit'] == \"ya, log me out\" With this you could of course do other funny things, like giving admin-rights to yourself, adding news etc. All you need is an admin clicking your link. I don't think everyone here is surfing with javascript turned off and checks the source of every page before visiting <img alt="\";)\"" src="%5C"> A secure way would be to add an

Edited by noother 01/21/2008 15:03 ago

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

UnknownUser 2,7290
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

this is pretty old news, 

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

noother 150
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

Oh well, maybe you overlooked the \"With this you could of course do other funny things, like giving admin-rights to yourself, adding news etc.\"-line. The logout-thing is just a very simplified example. The same way you can post forum-posts with the corresponding nick automatically for example, open topics, or if an admin clicks the link: delete topics. Or if an admin is logged into the adminzone/ (htaccess) do nasty things. (assumed you know the field-names for the different actions.)

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

UnknownUser 2,7290
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

I didn't miss anything, It's just old news. 

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

quangntenemy 7120
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

So there's no other way than using random/secret code? Imagine we have to secure 100 pages like that... It'll be a tedious and error-prone job. I wonder what the www's evolving into...

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

noother 150
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

<div class="\"tbscode_standard_quote_headline\""><img alt="\"Quote\"" src="%5C">Quote from rhican:</div><div class="\"tbscode_standard_quote\""> The fact that it isn't fixed is because it isn't considered to big of a deal to log people out, you will see that this works on nearly all challenge sites. </div> Looks to me like you say it's generally only possible to log people out, nothing else. And no, i can't write anything that gives me admin rights without knowing the form-fields for everything. But that's not the point, it's the idea itself - If I can make you write forum topics by clicking on a link, i can do other (and worse) stuff as well. Btw: I really don't care where you throw your bones at, I didn't ask you to reply to this topic, did I?

Edited by noother 01/23/2008 18:08 ago

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

UnknownUser 2,7290
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

.

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

Towley 1790
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

Some probably wonder why the csrf logouts dont work for them. It is because some of them use the url <a href="%5C"><img alt="\"link\"" src="%5C">http://bright-shadows.net</a> where others use <a href="%5C"><img alt="\"link\"" src="%5C">http://www.bright-shadows.net</a> (notice the www) It seems like at least some browsers distinguish between these domains, and wont send the phpsessid's if the domain wont match. So rhican, if you want to delete some thread, be sure to use your victims choices <img alt="\";)\"" src="%5C"> 

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

UnknownUser 2,7290
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

.

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

UnknownUser 2,7290
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

cba either.

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

noother 150
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

<a href="%5C"><img alt="\"link\"" src="%5C">Proof of concept</a> Happy now? <img alt="\":P\"" src="%5C">

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

UnknownUser 2,7290
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

.

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

noother 150
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

Oh well, I see you don't get it. Your last post is just ridiculous. And to be honest, I don't wanna waste my time with you anymore.

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

UnknownUser 2,7290
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

cba. ps: you are for the loose.

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

noother 150
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

It's funny how you edit all your posts, so people don't see that everything you put in question had been already answered in my previous posts. Over & out.

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

UnknownUser 2,7290
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

.

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

aceldama 4340
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

yep, <a href="%5C"><img alt="\"link\"" src="%5C">content</a> i tried to make the admins see none the less. <img alt="\"LOL\"" src="%5C">

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

noother 150
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

Another stupid comment by you, rhican. You should really read all posts in this topic which were made, not only the first one and ignore the rest. But yeah, I know, you're too busy with devising plans to annoy other people. And no, i didn't know about the topic by quangntenemy before.

Edit

Reply

Quote

0 Likes
01/21/2008 11:52

UnknownUser 2,7290
Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

<div class="\"tbscode_standard_quote_headline\""><img alt="\"Quote\"" src="%5C">Quote from <a href="%5C">noother</a>:</div><div class="\"tbscode_standard_quote\""> i didn't know</div> that really seems to be the theme of this thread. facts: - Quang posted about this in 2006 - aceldama had stated only 3 days before your thread that it was still around, and active - and then you \"\"discovered\"\" it all on your \"own\". Hurray! - And after all those people, annoyed with noother's tone. It was still my experience that got Inferno to disable all user generated images. Because unlike the people above, I could exploit it in a way that is harmful. And that's what security is all about. Convincing the people in charge that it is worth spending money on, and as this csrf issue illustrated you do not do that with Theory. Not even when the admins are ex-security geeks, which in turn motivates my in your face attitude. 

Edit

Reply

Quote

0 Likes

Page 1 of 3

Impressum Privacy Contact