11-02-05 12:59 PM
Acmlm's Board - I2 Archive - - Posts by Jesper
User Post
Jesper
Busy, busy, busy.
Level: 69

Posts: 2155/2390
EXP: 2856000
For next: 13743

Since: 03-15-04
From: Sweden.

Since last post: 176 days
Last activity: 79 days
Posted on 03-04-05 06:43 PM, in Apple announces display iPods that... SOME people can afford; photo iPods not thicker than yo mama. Link
You've got your mother's wits - it seems hers are gone, so it's only logical.
Jesper
Posted on 03-04-05 06:45 PM, in Mozilla/Firebird and File Association problems Link
Originally posted by HyperHacker
Jesper: I need to get around to that sometime. Is there a way to fix the existing profile though?
No way that's not a pain in the ass. You don't even know what happened in the first place, you just know that it's something in your profile, which is like trying to perform medical surgery on yourself with the complete journal content being "it hurts".
Jesper
Posted on 03-04-05 06:56 PM, in Firefox tabbed browsing extension that doesn't suck. Link
I used to use Tabbrowser Extensions which was great and provided a metric assload of configurability. The downside was that it's a bit of a memory hog - a result of the author literally rewriting the entire tabbed browsing part - "tabbrowser". But now, someone has thought hard and come up with the fact that "hey, we have these fifty small-purpose tabbed browsing extensions, but wouldn't it be neat if we just made one extension with most of the features in TBE instead?", and so they did.

Tab Mix is a kick-ass extension that makes tabbed browsing more flexible. It can help spawn multiple rows when the tabs overflow (like TBE), it can do drag and drop reordering of tabs (like TBE), even combine these (UNlike TBE) and it also has lots of settings to tweak like how to behave in the way of spawning new tabs or windows depending on what link or bookmark you click or URL you enter - less than TBE, but I find that I don't miss the extra options because it behaves the same way now as when I had TBE installed. And since it doesn't have to rewrite the tab component, it's lighter and Firefox, while not exactly slow before, is definitely snappier now.

The home page of the extension warns that it may be unstable, but I've been using it for a few days now and it hasn't crashed once. I highly recommend this extension. If you are using Firefox, install this extension now. It's that good.
Jesper
Posted on 03-04-05 07:04 PM, in Happy birthday Ziff Link
Originally posted by NSNick
On your birthday, you should let the Necrowizard free all day.
Is that a euphemism for "don't put on any underwear"?

I'm late, late, late! Belated happy birthday.
Jesper
Posted on 03-05-05 01:27 PM, in Firefox tabbed browsing extension that doesn't suck. Link
Originally posted by Xkeeper
Yet I bet you still can't move the location of the tabs around to different areas of the screen.
(restricted)
Jesper
Posted on 03-05-05 03:28 PM, in Chocolate Bars Link
Uh. If you only like chocolate bars with coffee in them, then you like coffee and not chocolate.
Jesper
Posted on 03-05-05 03:41 PM, in SMI unfinished: Get it here Link
He's not releasing his hack, he's just putting it on the sidewalk with a post-it note saying "take it if you want to". Screenshots aren't required.
Jesper
Posted on 03-05-05 06:01 PM, in Fuckhead Link
What makes a Fuckhead?

The Fuckhead will defend his or her inflexibility by saying, "I have every right to my opinion," and "I have every right to participate in this discussion." And, in the egalitarian world of IRC and Usenet, the Fuckhead is correct. But the Fuckhead will find that other participants, who do not appreciate the Fuckhead's presence or contributions, will make use of tools such as "Ignore" commands or killfiles. These tools would not exist if it weren't for the Fuckheads.

You can count on the Fuckhead to shriek "Censorship!" when you tune out their input. You can count on the Fuckhead saying rude things about you when he/she is sure you're no longer listening. But it will never occur to the Fuckhead to approach topics and people differently, and never, ever occur to the Fuckhead to avoid venues where the atmosphere is unfriendly. This inability to exit gracefully is a distinguishing mark of a Fuckhead.


I know I've been a part-time Fuckhead. I know others are or have been. It's the permanent Fuckheads I have problems with.
Jesper
Posted on 03-05-05 07:32 PM, in Acmlm's Board: 2020. Link
Originally posted by Banedon
Originally posted by Jarukoth
- AcmlmBoard 2.0 will probably be out by then.


Nah, they'll probably go all the way up to Acmlmboard 1.Z9 and then use ASCII symbols to avoid reaching 2.0.
1.FF is the max version under the new system. We're using Hex for both numbers, and for the integer part as well.

That said, even though it's impossible to predict, I tried anyway, but I can't even decide on a coherent theory myself. There's just too many ways every little detail can change.
(restricted)
Jesper
Posted on 03-05-05 10:17 PM, in Let's talk about exploits. OR "Please Jesper, can you fix my exploits?" Link
The last few months exploits have been (re-)discovered and used on this board and, primarily, on other, old or relatively new, AcmlmBoards. During this period, ||bass and I have been basically buried under "oh my fucking god, someone has admin and I didn't give him admin, plz help" requests.

The good news is that exploits have been fixed in this board version, and that we're planning to put out a new dist before March ends. The good news ends here.

To put it simply, AcmlmBoard was *not* designed to be safe from exploits. Not in the slightest. It has basic protection in some cases, but for the most part it's an open wound. By far, SQL injections are the most common tricks, so I'll be detailing here how to fix those.

Imagine a typical SQL query. SELECT * FROM table1 WHERE id=$id. Pretty basic. What if $id is "0; UPDATE table2 SET admin=1 WHERE id=insertmyidhere"? Not good. So what can one do to prevent this? Here's what you can do:

$id = intval($id); This uses the intval PHP function, which basically says "here's this variable, take whatever integer value - number without decimals - you can find, if any, return that value, and shove the rest of it". This protects you against these kinds of attack.

Why are queries like the following not affected? SELECT * FROM table1 WHERE name="$name". Because you have already run - or won't need to run, depending on server configuration - addslashes, another PHP function, on $name. What that does is escape every occurrence of " and \ so that content in $name can't 'break out' of the SQL query by containing something like "; UPDATE table2 SET admin=1 WHERE id=insertmyidhere; SELECT * FROM table1 WHERE " (the quotes are INCLUDED in the variable value). The quotes would be escaped to \", and conversely you couldn't even break the query by just entering \, which would be converted to \\.

If you have no idea what I just said through any of this - learn PHP, or get someone who knows to either help you or teach you enough PHP so you'll be able to fix things like this. If you're running or caring for an AcmlmBoard without knowing how to fix it, it's like flying a plane knowing how to steer but not much else. When that gas runs out (those exploits hit you) you're going to wish you knew a little more about flying a plane (use PHP).

I'll end on this note: I told you that a new distributable version of AcmlmBoard will be out before the end of March. However, listen closely. There are basically very few copies of AcmlmBoard in circulation that are untouched - that haven't been 'hacked' in one way or another, and I'll wager that that number is zero for those of us who read this forum.

You will need to leave your old AcmlmBoard setup, however magnificent, hacks and all, if you want the security that this new version will offer. Either that, or you'll need to close these exploits by yourself.

The fact is that I would have preferred a set of patches for closing the most common exploits. But things have moved around a lot in the latest versions and so we'd basically need different patches for different versions of AcmlmBoard, which are at least 1.65, 1.8, 1.9 beta and 1.92, and let's not even get into Acmlm+Erk. (We don't support any of the versions beyond doing it as a courtesy, but Acmlm+Erk is a dist built upon a lot of hacks, which makes it all the more painful to upgrade from or to and which we conversely support even less, if you can believe that.)

For those of you that remember which places you changed and what changes you did, I encourage you to make new threads in here with instructions on how to patch what on which version. Oh, and if you're going to patch it on your own? Trust me, you'll want to do this in *every file*, near *every SQL query*, with *everything featured in every SQL query*. Do it, or sit back, moan, and be hit by the exploits. It's not easy.

And I'd like it if you ran *here* instead of to me and ||bass regarding fixing exploits on your boards. I'll be spending most of my time regarding these things on working on the development board, and occasionally go in here and set things straight if they need be - but I'll still accept reports of existing exploits via PM. ||bass won't be spending any time on this, because he's no longer on the development team.


(edited by Jesper on 03-05-05 01:24 PM)
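The two fixes from the post above - intval() for numeric parameters and addslashes() for strings - as an added example written for this page, not code from AcmlmBoard or from the post. Each fix sits beside the "before" version it replaces, and the attack strings are the post's own plus a lone backslash. Table names, function names and the PHP 7.1+ syntax are assumptions. Two caveats a practitioner should know before patching: the classic mysql_query() sends a single statement per call, so the driver would refuse the stacked "0; UPDATE ..." payload on its own, but an input like "0 OR 1=1" or a stray closing quote needs no second statement to change what the one query returns, which is why the intval() and addslashes() steps matter; and addslashes() knows nothing about the connection charset, so where the server offers them, mysql_real_escape_string() or, better, a prepared statement is the stronger form of the same fix. The block assumes magic_quotes_gpc is off; with it on, the input already arrives escaped and must not be escaped a second time.

```php
<?php
// Added example for this page, not code from AcmlmBoard. Table and function
// names are assumptions. Requires PHP 7.1 or later.

// Before: the value is dropped straight into the SQL text.
function vulnerable_id_query(string $raw_id): string
{
    return "SELECT * FROM table1 WHERE id=$raw_id";
}
function vulnerable_name_query(string $raw_name): string
{
    return "SELECT * FROM table1 WHERE name=\"$raw_name\"";
}

// After, numeric parameter: intval() keeps the leading integer and discards the
// rest. Note that intval('') === 0, so call it only once the variable has
// actually been assigned, or an unset value silently turns into id 0.
function safe_id_query(string $raw_id): string
{
    $id = intval($raw_id);                  // "0; UPDATE ..." -> 0, "42abc" -> 42
    return "SELECT * FROM table1 WHERE id=$id";
}

// After, string parameter: addslashes() puts a backslash before ' " \ and NUL,
// so the value cannot close the quoted literal it sits in. Assumes the input
// is not already escaped (magic_quotes_gpc off); escaping twice stores
// literal backslashes in the database.
function safe_name_query(string $raw_name): string
{
    $name = addslashes($raw_name);
    return "SELECT * FROM table1 WHERE name=\"$name\"";
}

// Stronger form of the same fix: the driver sends the value separately from
// the SQL text, so there is no literal to break out of. Not run below, since
// it needs a live mysqli connection (assumed).
function safe_name_lookup(mysqli $db, string $raw_name): ?array
{
    $stmt = $db->prepare('SELECT * FROM table1 WHERE name=?');
    $stmt->bind_param('s', $raw_name);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Check used below: after dropping escaped characters, every double-quoted
// literal must be closed and no ';' may remain outside a literal. It catches
// stacked statements and broken literals, not boolean tampering such as
// "0 OR 1=1"; for numeric fields the proof is the "id=0" that intval() yields.
function no_breakout(string $sql): bool
{
    $s = preg_replace('/\\\\./', '', $sql);         // remove \" \\ and friends
    if (substr_count($s, '"') % 2 !== 0) {
        return false;                                // a literal was left open
    }
    $s = preg_replace('/"[^"]*"/', '', $s);          // remove closed literals
    return strpos($s, ';') === false;
}

// Constructed attack inputs.
$id_attack   = '0; UPDATE table2 SET admin=1 WHERE id=123';
$name_attack = '"; UPDATE table2 SET admin=1 WHERE id=123; SELECT * FROM table1 WHERE "';
$backslash   = '\\';                 // alone, it would escape the closing quote

foreach ([
    ['id   before', vulnerable_id_query($id_attack)],
    ['id   after ', safe_id_query($id_attack)],
    ['id   after ', safe_id_query('0 OR 1=1')],       // becomes id=0
    ['name before', vulnerable_name_query($name_attack)],
    ['name after ', safe_name_query($name_attack)],
    ['bs   before', vulnerable_name_query($backslash)],
    ['bs   after ', safe_name_query($backslash)],
] as [$label, $sql]) {
    printf("%s  [%s]  %s\n", $label, no_breakout($sql) ? 'ok' : 'BAD', $sql);
}
```

Run it with the PHP CLI; the three "before" rows come out BAD and every "after" row ok. The "bs before" row is the one people miss: a single backslash does not add a statement, it just swallows the closing quote, and whatever the attacker appends next is then inside the SQL rather than inside the string.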
Jesper
Posted on 03-05-05 10:21 PM, in Hey motherfucker Link
Read this, if you haven't already. It covers ground on how to fix the most serious exploits - as a general method rather than specific places, because specific places are *everywhere* - and what the dev team (which is currently just me, yes, but that might expand) is doing in terms of putting out a new dist.
Jesper
Posted on 03-05-05 10:59 PM, in Acmlm's Board: 2020. Link
Originally posted by Banedon
Yeah, but you didn't decide on using hex version numbers until you would have called the next version 2.0...so maybe after 1.F, you'll say "Screw this, let's make it base 36. The next version is 1.G."
Uh. No. We were at 1.93 and still had 1.94 thru 1.99 to go, we just felt that some of the versions added more than some of the versions that jumped 0.2 steps before them and we wanted to make that more clear.
Jesper
Posted on 03-06-05 12:58 AM, in For people working in electrics and electronics Link
I used Electronic Workbench for the electronic classes I had, plus a few (mostly) half-assed microprocessor programming simulators/editors. This was three years ago, though, and I only used it during those classes.
Jesper
Posted on 03-06-05 01:09 AM, in PHP: mime_content_type return Link
If you're just dealing with images, which it seems you are, and you use PHP 4.3.0 or higher, why not use image_type_to_mime_type()? It has no extension dependencies (just the version dependency as mentioned above) but I don't know what it does when passed, say, a text file or something. Try and see, and just check that the mime type is not that (or better yet, confine it to jpegs, pngs and gifs to start with) to achieve valid data.

PHP extensions on Windows have the uncanny ability to fail at the drop of a hat, and I'm not going to swear by it, but the two times I've experienced the most problems were with Apache 2. The EXIF extension even gave me some flak because I didn't have a Japanese text handling extension enabled, and when I turned that on it just crashed on me.
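An added example of the approach suggested above, written for this page rather than taken from the thread: decide the image type from the bytes in the file, map it through image_type_to_mime_type(), and refuse anything outside a jpeg/png/gif whitelist. It uses getimagesize(), which lives in PHP core (no GD and no EXIF extension, so the Windows extension trouble described above does not apply) and reports an IMAGETYPE_* constant; for a non-image it returns false, which is the answer to the "what happens with a text file" question. The sample files are constructed inline, and the function and constant names are assumptions. One caveat the post does not cover: a file that passes this check can still carry PHP code after a valid image header, so the stored filename's extension must come from the detected type, never from the uploaded name, and uploads are best kept where the web server will not execute scripts.

```php
<?php
// Added example for this page, not the original poster's code. Requires PHP 7.1+.

// Accepted types, keyed by the IMAGETYPE_* constant that getimagesize() reports.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

// Returns mime, extension and dimensions for an accepted image, or null.
// The decision is made on the file's bytes only: the client-supplied filename
// and Content-Type header are never consulted.
function classify_upload(string $path): ?array
{
    $info = @getimagesize($path);           // false for anything that is not an image
    if ($info === false) {
        return null;
    }
    $type = $info[2];                       // IMAGETYPE_* constant
    if (!isset(ALLOWED_IMAGE_TYPES[$type])) {
        return null;                        // BMP, SWF, ICO etc.: real images, still rejected
    }
    return [
        'mime'   => image_type_to_mime_type($type),
        'ext'    => ALLOWED_IMAGE_TYPES[$type],
        'width'  => $info[0],
        'height' => $info[1],
    ];
}

// Constructed samples: a 1x1 GIF, a text file, and a "polyglot" that begins with a
// valid GIF and continues with PHP code (why the extension must be ours, not the uploader's).
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
     . "\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
     . "\x02\x02\x44\x01\x00\x3b";
$samples = [
    'avatar.gif' => $gif,
    'notes.txt'  => "just some text\n",
    'sneaky.php' => $gif . "<?php echo 'not an image'; ?>",   // passes as a GIF
];

$dir = sys_get_temp_dir();
foreach ($samples as $name => $bytes) {
    $path = $dir . '/' . uniqid('upload_', true);
    file_put_contents($path, $bytes);
    $result = classify_upload($path);
    unlink($path);
    if ($result === null) {
        echo "$name: rejected\n";
        continue;
    }
    // Store as <random>.<ext from content>: "sneaky.php" becomes xxxx.gif and is
    // served as an image, never run as PHP, even though its bytes passed the check.
    $stored = bin2hex(random_bytes(8)) . '.' . $result['ext'];
    echo "$name: {$result['mime']} {$result['width']}x{$result['height']} -> stored as $stored\n";
}
```

Expect avatar.gif and sneaky.php to be classified as image/gif and notes.txt to be rejected; the point of the third sample is that the content check and the renaming step are both needed, neither alone is enough.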
Jesper
Posted on 03-06-05 01:36 AM, in Connection problems Link
akron.oh.us.irc.acmlm.org.
Jesper
Posted on 03-06-05 01:43 AM, in If you had a clone... Link
You're asking the wrong question. If you had sex with the clone, would it be masturbation?
Jesper
Posted on 03-06-05 02:07 AM, in Let's talk about exploits. OR "Please Jesper, can you fix my exploits?" Link
People don't read stickies.
Jesper
Posted on 03-06-05 04:23 AM, in Let's talk about exploits. OR "Please Jesper, can you fix my exploits?" Link
Originally posted by Xeogred
I thank you Jesper, for posting this, and passing up some folks' ignorance.

I do have a question though, originally in a PM (or maybe when I talked with you over AIM) you told me to even put Useranks through intval.

Well that just turned out to mess things up. Whenever users would edit their profile, ranks would be set to 'off' for that user.

But ... keep in mind I use Acmlm+Erk ...
It seems you just used the intval function before the variable was correctly set in the first place, so it'd be empty, which would translate into 0 which might very well be Rank set. Solution: move the intval-line to after the line where it's being set for real. (If you're uncertain, always "intval" as soon as possible!)

This is something right out of the proverbial manual, by the way. You should be able to debug and deduce these kinds of things, or you should strongly consider getting another board. AcmlmBoard is very easily hackable, but the downside is that you *should* be able to go into every nook and cranny when things go wrong and fix them! Thankfully we have a helpful few in here that *do* have this sort of knowledge and are willing to share. This is worth very much.

To re-iterate my point, if it hasn't been driven home already, I'll always enjoy doing code work on AcmlmBoard to develop it. That's the fun part. Fixing bugs is still productive if it's done at the core and these fixes will benefit other people... but fixing bugs or exploits for others where the code might even vary (and thus be based on code that I or Acmlm didn't even write and that I am thusly not familiar with) is - relatively speaking - a chore. I try to help out where I can, but between other personal projects and jobs where actual money is offered, I can't help everyone, and I can't even guarantee that I won't be tired as hell and just want to rest.

I don't want to come off as greedy, but I make my money by working, and I can't do good work eight hours per day, go home and work on the development version of the board and then spend even another hour or so helping others fix bugs. It's just not tenable. In a large percentage of the cases, you can get competent help here too. So I ask of you at least during this period to please consider posting about your worries here instead of bugging me first thing you do.
AcmlmBoard vl.ol (11-01-05)
© 2000-2005 Acmlm, Emuz, et al