This is how comp09's unreply-able topic works

NoMod-Programming

It includes a link to a php page located here: https://andrewsun.com/meowinator.php inside an image tag

[img]https: //blog.library.si.edu/redir.php?URL=https: //andrewsun.com/meowinator.php[/img]

That way the scratch page loads the php page as well, which can do a multitide of things (such as deleting your post as soon as you post it).

Last edited by NoMod-Programming (Jan. 8, 2016 04:13:58)

Long-since moved on from Scratch, if you need to find all my posts, search this in google: 3499447a51c01fc4dc1e8c3b8182b41cb0e88c67

MegaApuTurkUltra

@thisandagain pls fix

$(".box-head")[0].textContent = "committing AT crimes since $whenever"

comp09

MegaApuTurkUltra wrote:
@thisandagain pls fix

indeed.

Visit the website of Andrew Sun!

DrKat123

comp09 wrote:
MegaApuTurkUltra wrote:
@thisandagain pls fix
indeed.

Wat the heck ar u duin btw?

Moving from Scratch? Don't learn C or Java, try Snap!
it haz OOP
DrKat McKatFace
First of all I'm 100% human and humans does not have a cat face
and second, the Boaty McBoatFace/Parsey McParseFace madness has just begun
λ
Sharp, my new Scratch mod
Is my post/siggy worthy for an internet?

Superdoggy

Welp. About a year ago I pointed out a glitch where scripts could run in image tags. I didn't actually know how to use it, I just noticed that the scripts would run when I pressed preview. I see comp09 has figured out how to run them by redirect links - clever.

But it's still not fixed. *dies*

MegaApuTurkUltra

Superdoggy wrote:
Welp. About a year ago I pointed out a glitch where scripts could run in image tags. I didn't actually know how to use it, I just noticed that the scripts would run when I pressed preview. I see comp09 has figured out how to run them by redirect links - clever.

But it's still not fixed. *dies*

Comp09 did not discover the Smithsonian redirect link. He didn't even discover the bug behind this exploit.

$(".box-head")[0].textContent = "committing AT crimes since $whenever"

thisandagain

Fix for this and a bunch of other `djangobb` issues is on it's way. Just testing in our staging environment right now. Thanks for reporting.

scratchyone

comp09 wrote:
MegaApuTurkUltra wrote:
@thisandagain pls fix
indeed.

Nevermind

Last edited by scratchyone (Jan. 10, 2016 00:41:44)

Give me an internet

-Io-

lemme check if it's possible now

EDIT: nope, it seems like it doesn't work now. thx thisandagain

Last edited by -Io- (Jan. 8, 2016 19:50:59)

scratchyone

Just testing if anything like this will work:
Nope. Trying to send a 401 authentication error
EDIT: Removed to prevent annoyance. I will make a topic about it.
https://scratch.mit.edu/discuss/topic/177365/

Last edited by scratchyone (Jan. 8, 2016 20:45:30)

Give me an internet

Jonathan50

scratchyone wrote:
Just testing if anything like this will work:

https://blog.library.si.edu/redir.php?URL=http://scratchyone.com/1o1/image.png
Nope. Trying to send a 401 authentication error

Woah. Cool. It displays the authentication dialog in Firefox/IceCat

Last edited by Jonathan50 (Jan. 8, 2016 20:57:35)

Not yet a Knight of the Mu Calculus.

hiccup01

Jonathan50 wrote:
scratchyone wrote:
Just testing if anything like this will work:

Nope. Trying to send a 401 authentication error
Woah. Cool. It displays the authentication dialog in Firefox/IceCat

Isn't it IceWeasel? Auth box also shows in Mobile safari for iOS 9.2.

I'm a veteran Scratcher who likes to challenge themself with Scratch's limited toolset.
website | github

Jonathan50

hiccup01 wrote:
Jonathan50 wrote:
scratchyone wrote:
Just testing if anything like this will work:

https://blog.library.si.edu/redir.php?URL=http://scratchyone.com/1o1/image.png
Nope. Trying to send a 401 authentication error
Woah. Cool. It displays the authentication dialog in Firefox/IceCat
Isn't it IceWeasel? Auth box also shows in Mobile safari for iOS 9.2.

Nope, IceCat and Iceweasel are different (but similar)
[/offtopic]

Last edited by Jonathan50 (Jan. 8, 2016 20:57:18)

Not yet a Knight of the Mu Calculus.

scratchyone

Can you guys please remove the image in your quotes to prevent annoying people? I am making a topic about it.
https://scratch.mit.edu/discuss/topic/177365/

Last edited by scratchyone (Jan. 8, 2016 20:45:13)

Give me an internet

thisandagain

Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain
- DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.
- DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.

- Users who were using some of these exploits in their signatures have had their signature reset

As always please let me know if you see things like this in the future. Thank you to everyone who was proactive in bringing this to my attention. I really do appreciate it.

WooHooBoy

thisandagain wrote:
Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain
-

Nooooo!

Anyways thank you for actually fixing this bug. Last time the api url was just blacklisted.

considered harmful

-Io-

thisandagain wrote:
Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain
- DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.
- DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.
- Users who were using some of these exploits in their signatures have had their signature reset

As always please let me know if you see things like this in the future. Thank you to everyone who was proactive in bringing this to my attention. I really do appreciate it.

Awww. I'll miss you custom emojis

[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/%252B1.png%26size=20[/img]
[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/-1.png%26size=20[/img]
[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/poop.png%26size=20[/img]

MegaApuTurkUltra

thisandagain wrote:
Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain

Noooo, how am I going to display random projects in my signature now???

thisandagain wrote:
- DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.

Yay

thisandagain wrote:
- DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.

Yay

thisandagain wrote:
- Users who were using some of these exploits in their signatures have had their signature reset

Does that include me? Apparently it does. Welp

I don't wanna make a bot to change my signature all the time though…

Last edited by MegaApuTurkUltra (Jan. 8, 2016 22:38:39)

$(".box-head")[0].textContent = "committing AT crimes since $whenever"

thisandagain

MegaApuTurkUltra wrote:
Does that include me?

Gah. Looks like our clean-up query caught you too. Sorry about that.

NoMod-Programming

thisandagain wrote:
MegaApuTurkUltra wrote:
Does that include me?

Gah. Looks like our clean-up query caught you too. Sorry about that.

Me too

No more extra smilies (until we find another bug)

Long-since moved on from Scratch, if you need to find all my posts, search this in google: 3499447a51c01fc4dc1e8c3b8182b41cb0e88c67

Discuss Scratch