MegaApuTurkUltra wrote:

@thisandagain pls fix

comp09 wrote:

MegaApuTurkUltra wrote:

@thisandagain pls fix

indeed.

Superdoggy wrote:

Welp. About a year ago I pointed out a glitch where scripts could run in image tags. I didn't actually know how to use it, I just noticed that the scripts would run when I pressed preview. I see comp09 has figured out how to run them by redirect links - clever.

But it's still not fixed. *dies*

comp09 wrote:

MegaApuTurkUltra wrote:

@thisandagain pls fix

indeed.

scratchyone wrote:

Just testing if anything like this will work:

https://blog.library.si.edu/redir.php?URL=http://scratchyone.com/1o1/image.png
Nope. Trying to send a 401 authentication error

Jonathan50 wrote:

scratchyone wrote:

Just testing if anything like this will work:


Nope. Trying to send a 401 authentication error

Woah. Cool. It displays the authentication dialog in Firefox/IceCat

hiccup01 wrote:

Jonathan50 wrote:

scratchyone wrote:

Just testing if anything like this will work:

https://blog.library.si.edu/redir.php?URL=http://scratchyone.com/1o1/image.png
Nope. Trying to send a 401 authentication error

Woah. Cool. It displays the authentication dialog in Firefox/IceCat

Isn't it IceWeasel? Auth box also shows in Mobile safari for iOS 9.2.

thisandagain wrote:

Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain
-

thisandagain wrote:

Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain
- DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.
- DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.
- Users who were using some of these exploits in their signatures have had their signature reset

As always please let me know if you see things like this in the future. Thank you to everyone who was proactive in bringing this to my attention. I really do appreciate it.

[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/%252B1.png%26size=20[/img]
[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/-1.png%26size=20[/img]
[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/poop.png%26size=20[/img]

thisandagain wrote:

Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain

thisandagain wrote:

- DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.

thisandagain wrote:

- DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.

thisandagain wrote:

- Users who were using some of these exploits in their signatures have had their signature reset

MegaApuTurkUltra wrote:

Does that include me?

thisandagain wrote:

MegaApuTurkUltra wrote:

Does that include me?

Gah. Looks like our clean-up query caught you too. Sorry about that.