- Portals
- The Current Year
- ED in the News
- Admins
- Help ED Rebuild
- Archive
- ED Bookmarklet
- Donate Bitcoin
Contact an admin on Discord or EDF if you want an account. Also fuck bots.
FimFiction: Difference between revisions
imported>Meepsheep |
imported>Meepsheep |
||
| Line 7: | Line 7: | ||
==Exploits== | ==Exploits== | ||
[[File:Knightyascii.png|thumb|right|ASCII representation of Knighty]] | |||
*On January 27, 2012, the [[NCF]] and [[GNAA]] came together to take advantage of a [[XSS]] vulnerability in FimFiction. It was then discovered that Knighty, being the genius he is, was storing password hashes in cookies. The result: Knighty's cookie stolen, the website defaced, and hundreds of hased passwords taken. | *On January 27, 2012, the [[NCF]] and [[GNAA]] came together to take advantage of a [[XSS]] vulnerability in FimFiction. It was then discovered that Knighty, being the genius he is, was storing password hashes in cookies. The result: Knighty's cookie stolen, the website defaced, and hundreds of hased passwords taken. | ||
**'''The Practical Solution:''' Mass logout, stop storing password hashes in cookies. | **'''The Practical Solution:''' Mass logout, stop storing password hashes in cookies. | ||
Revision as of 16:50, 6 December 2012
FimFiction is the largest internet database for fanfiction of or relating to the My Little Pony fandom. While that fact alone makes this site a hell-hole of itself, the incompetent Graeme Pollard (aka Knighty) is the head admin, who, with a lack of basic knowledge of web security, tries his hardest to manage the site. Unfortunately, a number of trolls have chosen to target FimFiction, ultimately ruining the LOVE AND TOLERANCE experience for every user, especially by maliciously exploiting Knighty's failure of a web framework.
Exploits
- On January 27, 2012, the NCF and GNAA came together to take advantage of a XSS vulnerability in FimFiction. It was then discovered that Knighty, being the genius he is, was storing password hashes in cookies. The result: Knighty's cookie stolen, the website defaced, and hundreds of hased passwords taken.
- The Practical Solution: Mass logout, stop storing password hashes in cookies.
- Knighty's solution: Unknowing what to do, Knighty disconnected the DB, effectively shutting the site down. He later binded cookies to ip addresses to prevent such an incident from reoccurring, but forgot to fix the vulnerability.
- On December 4, 2012, a CSRF vulnerability was utilized to join almost 1000 users to a group titled "FAGGOT HORSEFUCKER AUTISTS". In addition, a similar exploit was used to delete users journals without their consent.
- The Practical Solution: Fix the problem by using an authentication key with every request.
- Knighty's solution: Remove the deletion feature, delete troll groups as they are created.
IRC
In addition to a horrific site, FimFiction has an irc channel on the grossly incompetent network irchighway (that is vulnerable to the Firefox XPS IRC Attack). #fimfiction has historically been such a prime trolling target that for months +R (registered users only) has been forced to prevent the massive bot spam they had grown accustom to.