Discuss Scratch
- Discussion Forums
- » Bugs and Glitches
- » This is how comp09's unreply-able topic works
- NoMod-Programming
- Scratcher
1000+ posts
It includes a link to a PHP page located here: https://andrewsun.com/meowinator.php inside an image tag.
That way the Scratch page loads the PHP page as well, which can do a multitude of things (such as deleting your post as soon as you post it).
[img]https: //blog.library.si.edu/redir.php?URL=https: //andrewsun.com/meowinator.php[/img]
Last edited by NoMod-Programming (Jan. 8, 2016 04:13:58)
Long-since moved on from Scratch, if you need to find all my posts, search this in google: 3499447a51c01fc4dc1e8c3b8182b41cb0e88c67
- MegaApuTurkUltra
- Scratcher
1000+ posts
@thisandagain pls fix
$(".box-head")[0].textContent = "committing AT crimes since $whenever"
- comp09
- Scratcher
1000+ posts
Indeed. @thisandagain pls fix
- DrKat123
- Scratcher
1000+ posts
> comp09 wrote:
> indeed. @thisandagain pls fix

What the heck are you doing, btw?
Moving from Scratch? Don't learn C or Java, try Snap!
it haz OOP
DrKat McKatFace
First of all I'm 100% human and humans does not have a cat face
and second, the Boaty McBoatFace/Parsey McParseFace madness has just begun
λ
Sharp, my new Scratch mod
Is my post/siggy worthy for an internet?
- MegaApuTurkUltra
- Scratcher
1000+ posts
Comp09 did not discover the Smithsonian redirect link. He didn't even discover the bug behind this exploit. Welp. About a year ago I pointed out a glitch where scripts could run in image tags. I didn't actually know how to use it, I just noticed that the scripts would run when I pressed preview. I see comp09 has figured out how to run them by redirect links - clever.
But it's still not fixed. *dies*
- thisandagain
- Forum Moderator
500+ posts
Fix for this and a bunch of other `djangobb` issues is on its way. Just testing in our staging environment right now. Thanks for reporting.
- scratchyone
- Scratcher
100+ posts
> comp09 wrote:
> indeed. @thisandagain pls fix

Never mind.
Last edited by scratchyone (Jan. 10, 2016 00:41:44)
- scratchyone
- Scratcher
100+ posts
Just testing if anything like this will work:
Nope. Trying to send a 401 authentication error
EDIT: Removed to prevent annoyance. I will make a topic about it.
https://scratch.mit.edu/discuss/topic/177365/
Last edited by scratchyone (Jan. 8, 2016 20:45:30)
- Jonathan50
- Scratcher
1000+ posts
> scratchyone wrote:
> Just testing if anything like this will work:
> https://blog.library.si.edu/redir.php?URL=http://scratchyone.com/1o1/image.png
> Nope. Trying to send a 401 authentication error

Woah. Cool. It displays the authentication dialog in Firefox/IceCat.
Last edited by Jonathan50 (Jan. 8, 2016 20:57:35)
Not yet a Knight of the Mu Calculus.
- hiccup01
- Scratcher
100+ posts
> Jonathan50 wrote:
> > scratchyone wrote:
> > Just testing if anything like this will work:
> > Nope. Trying to send a 401 authentication error
> Woah. Cool. It displays the authentication dialog in Firefox/IceCat

Isn't it IceWeasel? Auth box also shows in Mobile Safari for iOS 9.2.
- Jonathan50
- Scratcher
1000+ posts
> hiccup01 wrote:
> > Jonathan50 wrote:
> > > scratchyone wrote:
> > > Just testing if anything like this will work:
> > > https://blog.library.si.edu/redir.php?URL=http://scratchyone.com/1o1/image.png
> > > Nope. Trying to send a 401 authentication error
> > Woah. Cool. It displays the authentication dialog in Firefox/IceCat
> Isn't it IceWeasel? Auth box also shows in Mobile Safari for iOS 9.2.

Nope, IceCat and Iceweasel are different (but similar).
[/offtopic]
Last edited by Jonathan50 (Jan. 8, 2016 20:57:18)
- scratchyone
- Scratcher
100+ posts
Can you guys please remove the image in your quotes to prevent annoying people? I am making a topic about it.
https://scratch.mit.edu/discuss/topic/177365/
Last edited by scratchyone (Jan. 8, 2016 20:45:13)
- thisandagain
- Forum Moderator
500+ posts
Alright. Patch is landed. A few changes:
- We no longer accept images from any .edu domain
- DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.
- DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.
- Users who were using some of these exploits in their signatures have had their signature reset
As always please let me know if you see things like this in the future. Thank you to everyone who was proactive in bringing this to my attention. I really do appreciate it.
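The chain NoMod-Programming describes earlier in the thread (an [img] tag pointing at an open redirector on an allowed .edu host, which bounces the reader's browser on to a page that fires a GET at a state-changing DjangoBB endpoint, carrying the reader's own session cookie) and the fix thisandagain describes just above (state-changing endpoints accept POST only, behind CSRF protection, plus a tighter image allowlist), modelled in Python as an added example. This is not Scratch's or DjangoBB's code: forum.example, attacker.example, the .edu redirector URL, the cookie and token values and the whole redirect chain are constructed stand-ins. The hardened allowlist also covers the 401-challenge image scratchyone and Jonathan50 tested, because it only accepts a direct 200 response with an image content type.

```python
"""Added example (not Scratch's or DjangoBB's code): a model of the [img]-tag
chain described in this thread and of the two fixes in the patch post.
Hosts, paths, cookie values and the redirect chain are constructed stand-ins."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

FORUM_HOST = "forum.example"
EVIL = "https://blog.library.example.edu/redir.php?URL=https://attacker.example/act.php"
DENIED = "https://cdn.example.edu/protected.png"   # answers 401, pops an auth box
GOOD = "https://cdn.example.edu/logo.png"

# Constructed stand-in web: URL -> (status, headers). The .edu host is an open
# redirector; the attacker page bounces the browser on to a forum admin URL.
WEB = {
    EVIL: (302, {"Location": "https://attacker.example/act.php"}),
    "https://attacker.example/act.php":
        (302, {"Location": f"https://{FORUM_HOST}/admin/delete/?post=42"}),
    DENIED: (401, {"WWW-Authenticate": 'Basic realm="staff"'}),
    GOOD: (200, {"Content-Type": "image/png"}),
}


@dataclass
class Forum:
    """Toy DjangoBB-like admin endpoint. post_only=False is the default the
    patch post complains about: a state change accepted over GET."""
    posts: dict = field(default_factory=lambda: {42: "a post"})
    post_only: bool = False
    csrf_token: str = "t0k3n"   # assumed per-session token

    def handle(self, method, url, cookies, form=None):
        parts = urlsplit(url)
        if parts.path != "/admin/delete/":
            return 404
        if cookies.get("sessionid") != "admin-session":
            return 403
        if self.post_only:
            if method != "POST":
                return 405
            if (form or {}).get("csrfmiddlewaretoken") != self.csrf_token:
                return 403
        self.posts.pop(int(parse_qs(parts.query)["post"][0]), None)
        return 200


def browser_load_image(url, cookies, forum, max_hops=5):
    """What a browser does with <img src=url>: a GET, redirects followed,
    the cookies it holds for each host attached, and never a CSRF token."""
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        if host == FORUM_HOST:
            return forum.handle("GET", url, cookies.get(host, {}))
        status, headers = WEB.get(url, (404, {}))
        if status in (301, 302, 303, 307, 308):
            url = headers["Location"]
            continue
        return status
    return 508   # redirect loop


def allow_image_suffix(url):
    """Policy the thread describes: any host under .edu is trusted."""
    return (urlsplit(url).hostname or "").endswith(".edu")


def allow_image_hardened(url, allowed_hosts=("cdn.example.edu",)):
    """Exact-host allowlist plus a server-side check of the response itself:
    only a direct 200 with an image content type is accepted, so neither an
    open redirector on a trusted host nor a 401 challenge gets through."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return False
    status, headers = WEB.get(url, (404, {}))   # stand-in for a real HEAD/GET
    return status == 200 and headers.get("Content-Type", "").startswith("image/")


def run_chain(post_only):
    """Load EVIL as an image with an admin session; report the final status
    and whether post 42 survived."""
    forum = Forum(post_only=post_only)
    cookies = {FORUM_HOST: {"sessionid": "admin-session"}}
    status = browser_load_image(EVIL, cookies, forum)
    return status, 42 in forum.posts


if __name__ == "__main__":
    print("suffix allowlist accepts EVIL:", allow_image_suffix(EVIL))   # True
    print("GET-accepting endpoint:", run_chain(post_only=False))        # (200, False)
    print("POST-only endpoint:", run_chain(post_only=True))             # (405, True)
    print("hardened allowlist:",
          [allow_image_hardened(u) for u in (EVIL, DENIED, GOOD)])      # [False, False, True]
```

In a real Django deployment the 405 branch corresponds to decorating the view with `django.views.decorators.http.require_POST` and leaving `CsrfViewMiddleware` enabled; the server-side image check would be an actual HEAD or GET with redirects disabled and a size and time limit, since the point is that the server, not the reader's browser with its cookies, is the one that follows the URL.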
- WooHooBoy
- Scratcher
1000+ posts
> thisandagain wrote:
> Alright. Patch is landed. A few changes:
> - We no longer accept images from any .edu domain

Nooooo!
Anyways thank you for actually fixing this bug. Last time the api url was just blacklisted.
considered harmful
- -Io-
- Scratcher
1000+ posts
> thisandagain wrote:
> Alright. Patch is landed. A few changes:
> - We no longer accept images from any .edu domain
> - DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.
> - DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.
> - Users who were using some of these exploits in their signatures have had their signature reset
> As always please let me know if you see things like this in the future. Thank you to everyone who was proactive in bringing this to my attention. I really do appreciate it.

Awww. I'll miss you, custom emojis.
[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/%252B1.png%26size=20[/img]
[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/-1.png%26size=20[/img]
[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/poop.png%26size=20[/img]
- MegaApuTurkUltra
- Scratcher
1000+ posts
> thisandagain wrote:
> Alright. Patch is landed. A few changes:
> - We no longer accept images from any .edu domain

Noooo, how am I going to display random projects in my signature now???

> - DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.

Yay

> - DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.

Yay

> - Users who were using some of these exploits in their signatures have had their signature reset

Does that include me? Apparently it does. Welp
I don't wanna make a bot to change my signature all the time though…
Last edited by MegaApuTurkUltra (Jan. 8, 2016 22:38:39)
- thisandagain
- Forum Moderator
500+ posts
> MegaApuTurkUltra wrote:
> Does that include me?

Gah. Looks like our clean-up query caught you too. Sorry about that.
- NoMod-Programming
- Scratcher
1000+ posts
> thisandagain wrote:
> > MegaApuTurkUltra wrote:
> > Does that include me?
> Gah. Looks like our clean-up query caught you too. Sorry about that.

Me too. No more extra smilies (until we find another bug).