NoMod-Programming
Scratcher
1000+ posts

This is how comp09's unreply-able topic works

It includes a link to a php page located here: https://andrewsun.com/meowinator.php inside an image tag
[img]https: //blog.library.si.edu/redir.php?URL=https: //andrewsun.com/meowinator.php[/img]
That way the scratch page loads the php page as well, which can do a multitude of things (such as deleting your post as soon as you post it).

Last edited by NoMod-Programming (Jan. 8, 2016 04:13:58)

MegaApuTurkUltra
Scratcher
1000+ posts

@thisandagain pls fix

cute cute cute cute cute

rip in pizza ATs
comp09
Scratcher
1000+ posts

MegaApuTurkUltra wrote:

@thisandagain pls fix
indeed.



Visit the website of Andrew Sun!


DrKat123
Scratcher
1000+ posts

comp09 wrote:

MegaApuTurkUltra wrote:

@thisandagain pls fix
indeed.
Wat the heck ar u duin btw?

Moving from Scratch? Don't learn C or Java, try Snap!
it haz OOP
DrKat McKatFace
First of all I'm 100% human and humans does not have a cat face
and second, the Boaty McBoatFace/Parsey McParseFace madness has just begun

λ
Sharp, my new Scratch mod
Is my post/siggy worthy for an internet?
Superdoggy
Scratcher
1000+ posts

Welp. About a year ago I pointed out a glitch where scripts could run in image tags. I didn't actually know how to use it, I just noticed that the scripts would run when I pressed preview. I see comp09 has figured out how to run them by redirect links - clever.

But it's still not fixed. *dies*

MegaApuTurkUltra
Scratcher
1000+ posts

Superdoggy wrote:

Welp. About a year ago I pointed out a glitch where scripts could run in image tags. I didn't actually know how to use it, I just noticed that the scripts would run when I pressed preview. I see comp09 has figured out how to run them by redirect links - clever.

But it's still not fixed. *dies*
Comp09 did not discover the Smithsonian redirect link. He didn't even discover the bug behind this exploit.

thisandagain
Scratch Team
500+ posts

Fix for this and a bunch of other `djangobb` issues is on its way. Just testing in our staging environment right now. Thanks for reporting.
scratchyone
Scratcher
100+ posts

comp09 wrote:

MegaApuTurkUltra wrote:

@thisandagain pls fix
indeed.
Nevermind

Last edited by scratchyone (Jan. 10, 2016 00:41:44)

-Io-
Scratcher
1000+ posts

lemme check if it's possible now

EDIT: nope, it seems like it doesn't work now. thx thisandagain

Last edited by -Io- (Jan. 8, 2016 19:50:59)


scratchyone
Scratcher
100+ posts

Just testing if anything like this will work:
Nope. Trying to send a 401 authentication error
EDIT: Removed to prevent annoyance. I will make a topic about it.
https://scratch.mit.edu/discuss/topic/177365/

Last edited by scratchyone (Jan. 8, 2016 20:45:30)

Jonathan50
Scratcher
1000+ posts

scratchyone wrote:

Just testing if anything like this will work:

https://blog.library.si.edu/redir.php?URL=http://scratchyone.com/1o1/image.png
Nope. Trying to send a 401 authentication error
Woah. Cool. It displays the authentication dialog in Firefox/IceCat

Last edited by Jonathan50 (Jan. 8, 2016 20:57:35)

hiccup01
Scratcher
100+ posts

Jonathan50 wrote:

scratchyone wrote:

Just testing if anything like this will work:


Nope. Trying to send a 401 authentication error
Woah. Cool. It displays the authentication dialog in Firefox/IceCat
Isn't it IceWeasel? Auth box also shows in Mobile Safari for iOS 9.2.

| git | kybs | I | Jag lära sig svenska.
Floorball is a fast indoor rink sport played with lightweight sticks with a strong plastic blade. On the rink there are 5 players + goalie (Me). Even though it requires fast reactions and quick thinking it's great for anybody wanting to have fun. Still want to get a taste for floorball? Watch this!
Jonathan50
Scratcher
1000+ posts

hiccup01 wrote:

Jonathan50 wrote:

scratchyone wrote:

Just testing if anything like this will work:

https://blog.library.si.edu/redir.php?URL=http://scratchyone.com/1o1/image.png
Nope. Trying to send a 401 authentication error
Woah. Cool. It displays the authentication dialog in Firefox/IceCat
Isn't it IceWeasel? Auth box also shows in Mobile safari for iOS 9.2.
Nope, IceCat and Iceweasel are different (but similar)
[/offtopic]

Last edited by Jonathan50 (Jan. 8, 2016 20:57:18)

scratchyone
Scratcher
100+ posts

Can you guys please remove the image in your quotes to prevent annoying people? I am making a topic about it.
https://scratch.mit.edu/discuss/topic/177365/

Last edited by scratchyone (Jan. 8, 2016 20:45:13)

thisandagain
Scratch Team
500+ posts

Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain
- DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.
- DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.
- Users who were using some of these exploits in their signatures have had their signature reset

As always please let me know if you see things like this in the future. Thank you to everyone who was proactive in bringing this to my attention. I really do appreciate it.
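An added example (not DjangoBB's or the Scratch Team's code) of the two controls the patch above describes, and whose absence the first post's [img] trick depended on: an image-host check that rejects .edu hosts and URLs carrying a second URL in their query string, and a post-deletion handler that refuses GET and checks a CSRF token. The allowlisted hosts, the request shape and the token handling are assumptions.

```python
import hmac
from urllib.parse import urlparse, parse_qs, unquote

# Constructed allowlist standing in for the forum's image-host policy; the
# thread only says .edu was dropped from it, so these hosts are an assumption.
ALLOWED_IMAGE_HOSTS = {"i.imgur.com", "cdn.example-images.invalid"}


def image_url_allowed(url: str) -> bool:
    """Accept an [img] URL only if it is http(s), its host is allowlisted
    (never a .edu host), and its query string does not carry another URL,
    which is the open-redirector pattern used in this thread."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if host.endswith(".edu") or host not in ALLOWED_IMAGE_HOSTS:
        return False
    for values in parse_qs(parts.query).values():
        if any(unquote(v).lower().startswith(("http://", "https://")) for v in values):
            return False
    return True


def handle_delete_post(request: dict, session_csrf_token: str) -> tuple:
    """Hardened admin action: an <img> load is always a GET without a form
    token, so requiring POST plus a matching CSRF token stops it cold.
    `request` is a constructed stand-in for a framework request object."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    token = request.get("csrf_token", "")
    if not hmac.compare_digest(token, session_csrf_token):
        return 403, "csrf check failed"
    return 200, "deleted post %d" % request["post_id"]


if __name__ == "__main__":
    # What the browser actually sends when it renders an [img] tag: a GET.
    print(handle_delete_post({"method": "GET", "post_id": 42}, "s3cret"))
    # A redirector on an .edu host pointing at a script elsewhere (constructed URL).
    print(image_url_allowed("https://redir.example-university.edu/redir.php?URL=https://evil.invalid/x.php"))
```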
WooHooBoy
Scratcher
1000+ posts

thisandagain wrote:

Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain
-
Nooooo!

Anyways thank you for actually fixing this bug. Last time the api url was just blacklisted.

considered harmful
-Io-
Scratcher
1000+ posts

thisandagain wrote:

Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain
- DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.
- DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.
- Users who were using some of these exploits in their signatures have had their signature reset

As always please let me know if you see things like this in the future. Thank you to everyone who was proactive in bringing this to my attention. I really do appreciate it.
Awww. I'll miss you, custom emojis
[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/%252B1.png%26size=20[/img]
[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/-1.png%26size=20[/img]
[img]https://blog.library.si.edu/redir.php?URL=http://io.gwiddle.co.uk/tools/resizer.php%3Fimage=https://assets-cdn.github.com/images/icons/emoji/poop.png%26size=20[/img]

MegaApuTurkUltra
Scratcher
1000+ posts

thisandagain wrote:

Alright. Patch is landed. A few changes:

- We no longer accept images from any .edu domain
Noooo, how am I going to display random projects in my signature now???

thisandagain wrote:

- DjangoBB by default allows for multiple admin commands to be done over HTTP GET. This causes problems because it bypasses our CSRF protection and is just generally kinda gross. These endpoints now only accept HTTP POSTs.
Yay

thisandagain wrote:

- DjangoBB by default allows users to do all sorts of crazy things like look at lists of deleted posts. We did an audit of these and locked down a whole bunch of them.
Yay

thisandagain wrote:

- Users who were using some of these exploits in their signatures have had their signature reset
Does that include me? Apparently it does. Welp

I don't wanna make a bot to change my signature all the time though…

Last edited by MegaApuTurkUltra (Jan. 8, 2016 22:38:39)


thisandagain
Scratch Team
500+ posts

MegaApuTurkUltra wrote:

Does that include me?

Gah. Looks like our clean-up query caught you too. Sorry about that.
NoMod-Programming
Scratcher
1000+ posts

thisandagain wrote:

MegaApuTurkUltra wrote:

Does that include me?

Gah. Looks like our clean-up query caught you too. Sorry about that.
Me too. No more extra smilies (until we find another bug)
