Acmlm's Board - I3 Archive - Help, Suggestions, Bug Reports - HTML on the reply page
emcee
Posted on 11-06-06 03:40 AM
Even with the filters it's still very easy to steal passwords. There are several ways in IE, and at least one that I tested that works on lololol. And they're all just one simple line of code.

There's even a way of doing it that doesn't involve javascript at all. Although it's a bit more complicated.

Simple solution: Disable html in the overview of the thread shown on the reply page.
HyperHacker
Posted on 11-06-06 07:08 PM
I imagine some of these methods would be exploitable on pretty much any page to grab cookies. Unless you're thinking of one particular method I just thought of that would be nearly impossible to actually pull off.
Xkeeper
Posted on 11-06-06 07:10 PM
I have an even simpler solution. Actually doing it is another matter entirely.
pikaguy900
Posted on 11-06-06 09:34 PM
Ummm... It's easy to steal them while replying? *shudders* Why not just take away that part that has your username and password inputted to post? You could have that page simply check to see who is logged in when you post, and whoever you're logged in as, that's the username that'll appear. I know they never ask for your username when posting on any other board, even if you're logged in.
Metal Man88
Posted on 11-06-06 10:58 PM
Eh, I can't see it happening any time soon. Most people prefer to register en masse and post garbage... hijacked accounts, I think, are a rarity.
emcee
Posted on 11-07-06 03:46 AM
Yeah, HyperHacker is right. I could actually steal cookies right from the main page. But unlike the password on the reply page, the password in the cookie appears to be encrypted to some extent. I tried decrypting it using the function shdec from functions.php, but it didn't seem to work, maybe it's outdated.

Of course, it's not really necessary to decrypt it, all you have to do is use the cookie like it's your own. But it still wouldn't help to steal on the main page or from a post, since it would be kind of hard to determine whose cookies are whose. Instead, you could just put the code in a pm and wait for them to read it.

Maybe the best solution is to store the password in the cookie and HTML with one-way encryption (I don't know how this is done in PHP, but in Perl it's just crypt(password,salt)). Then, to validate it, encrypt the password on the server the same way and compare. Then, just check the referrer to make sure it's coming from the right site. That would completely solve the problem.
HyperHacker
Posted on 11-07-06 03:52 AM
I think the best solution is to not store passwords in the cookie at all, but rather session IDs. Cookies store user IDs and decrypting the password is pretty easy.
emcee
Posted on 11-08-06 10:18 PM
Wouldn't that make it so you would have to constantly re-login? How would the server start a new session after the last one expired without the password?
Xkeeper
Posted on 11-09-06 12:23 PM
Or I could just filter < to &lt;.

Seriously, your solutions are all crap.
emcee
Posted on 11-10-06 04:13 AM
Even in layouts?
HyperHacker
Posted on 11-12-06 03:57 AM
Originally posted by emcee
Wouldn't that make it so you would have to constantly re-login? How would the server start a new session after the last one expired without the password?

It wouldn't. You'd just make them last a long time, or however long the user chooses on the login page. Despite their name, session IDs can span multiple sessions.
emcee
Posted on 11-12-06 09:25 PM
Then how does that prevent people from stealing cookies and using them as their own?
HyperHacker
Posted on 11-14-06 01:10 AM
Hm, you're right. Come to think of it, there's really no way to prevent having to log in every session without people being able to do just that, except locking the session ID to an IP address which is no good for dynamic IPs. :-/ I figured that's what things like vBulletin and phpBB did, but looks like they just store a user ID and password hash.
Xkeeper
Posted on 11-14-06 06:04 AM
Originally posted by HyperHacker
Hm, you're right. Come to think of it, there's really no way to prevent having to log in every session without people being able to do just that, except locking the session ID to an IP address which is no good for dynamic IPs. :-/ I figured that's what things like vBulletin and phpBB did, but looks like they just store a user ID and password hash.

I was considering adding some salt to the MD5 hash the cookie stores, but I ran into that same problem -- it has to be unique to each user.

IPs would work, but then you have the dynamic IP problem.
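
An added example, not part of the thread and not Acmlmboard's code: one way to build the long-lived session-ID cookie discussed above, where the cookie holds a random token instead of anything derived from the password, so the per-user salt question does not arise and a stolen token can be revoked without a password change. The class and function names, the cookie name `sid`, the in-memory array standing in for a sessions table, and an HTTPS-served board (for the `secure` flag) are all assumptions.

```php
<?php
// Added example. In-memory stand-in for a sessions table (hypothetical schema).
final class SessionStore
{
    private array $rows = [];   // sha256(token) => ['uid' => int, 'expires' => int]

    // Issue a random token for $uid. Only its hash is kept server-side, so a
    // leaked sessions table cannot be replayed as cookies.
    public function issue(int $uid, int $ttl, int $now): string
    {
        $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
        $this->rows[hash('sha256', $token)] = ['uid' => $uid, 'expires' => $now + $ttl];
        return $token;
    }

    // Map a cookie value back to a user id, or null if unknown or expired.
    public function resolve(string $token, int $now): ?int
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        if ($row === null) { return null; }
        if ($row['expires'] <= $now) { unset($this->rows[$key]); return null; }
        return $row['uid'];
    }

    // Log out everywhere: every token for this user stops working at once.
    public function revokeUser(int $uid): void
    {
        $this->rows = array_filter($this->rows, fn($r) => $r['uid'] !== $uid);
    }
}

// Cookie attributes. HttpOnly keeps the token out of document.cookie, so
// markup injected into a post or layout cannot read it from script.
function sessionCookieOptions(int $expires): array
{
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Constructed demo values: user id 42, 30-day lifetime, fixed clock.
$store = new SessionStore();
$now   = 1163000000;
$tok   = $store->issue(42, 30 * 86400, $now);
var_dump($store->resolve($tok, $now + 60));           // lookup inside the lifetime
var_dump($store->resolve($tok, $now + 31 * 86400));   // lookup after expiry
$tok2 = $store->issue(42, 30 * 86400, $now);
$store->revokeUser(42);
var_dump($store->resolve($tok2, $now + 60));          // lookup after revocation
// In a request handler: setcookie('sid', $tok, sessionCookieOptions($now + 30 * 86400));
```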
Acmlmboard 1.92.999, 9/17/2006
©2000-2006 Acmlm, Emuz, Blades, Xkeeper

Page rendered in 0.017 seconds; used 415.34 kB (max 520.41 kB)