miscellaneous

bigsteve [24]
2019-03-12 07:24:19

Looks like a self-proclaimed white hat hacker cross site scripted ed's old site Bots Unauthorized.


Luthrin [101]
2019-03-12 09:27:07

lol petty hacks don't merit exposure.


bigsteve [25]
2019-03-12 16:08:37

lol not worth turning into a moral issue. I'd presume others here have really old memories associated with that site and thought some folks might want to know.


Ender [1]
Administrator
2019-03-14 01:26:04

Yeah, I'm unfortunately aware of this. I wrote most of BU ~15 years ago when I knew a lot less about web security and SQL injection, so there are a number of vulnerabilities. I don't want to have to take the site offline because it still has some useful information for bots4 and it's an otherwise interesting historical artifact of the bots world, but I do need to clean up the defacement and patch the security holes.

The good news is that bots4 is thankfully not subject to the same basic vulnerabilities (and is obviously more actively maintained). For instance, prepared statements are used for all SQL queries, so SQL injection is (in theory) impossible. The most serious security incidents with bots4 IMO have been a reflected XSS attack (theoretical attack, never actually abused AFAIK - it was possible for someone to steal your account if they could get you to click a link) and a bmail title leak bug (also theoretical, discovered myself and never actually abused AFAIK).
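An added illustration of the prepared-statement point above, not code from bots4 or BU: a constructed in-memory SQLite login lookup written the old string-splicing way beside the bound-parameter way, with a hypothetical `users` table, showing why the query text has to stay fixed for injection to become impossible.

```python
import sqlite3


def make_db():
    """Constructed sample data: a toy users table (not a real game's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn, name, password):
    """Old-style lookup: untrusted values are spliced into the SQL text,
    so a quote in the input changes the shape of the query itself."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (
        name, password)
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    """Prepared statement: the SQL text is constant and the values are
    bound separately, so whatever they contain is only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def run_demo():
    """Run both lookups with a normal password and with a textbook
    quote-breaking string, and return the rows each version matched."""
    conn = make_db()
    quote_breaker = "' OR '1'='1"  # classic example string, here as test input
    return {
        "concat_normal": login_concat(conn, "alice", "s3cret"),
        "concat_broken": login_concat(conn, "alice", quote_breaker),
        "prepared_normal": login_prepared(conn, "alice", "s3cret"),
        "prepared_broken": login_prepared(conn, "alice", quote_breaker),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label}: {rows}")
```

With concatenation the quote-breaking input turns the WHERE clause into `... AND password = '' OR '1'='1'`, which matches every row; the prepared version compares the same characters literally and matches nothing.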