FimFiction: Difference between revisions
Both revisions by imported>Meepsheep (no edit summary).
[Image: Fimfictionhack.png, caption: "A normal day on FimFiction"]
Revision as of 16:42, 6 December 2012
FimFiction is the largest internet database for fanfiction of or relating to the My Little Pony fandom. While that fact alone makes this site a hell-hole of itself, the incompetent Graeme Pollard (aka Knighty) is the head admin, who, with a lack of basic knowledge of web security, tries his hardest to manage the site. Unfortunately, a number of trolls have chosen to target FimFiction, ultimately ruining the LOVE AND TOLERANCE experience for every user, especially by maliciously exploiting Knighty's failure of a web framework.
Exploits
- On January 27, 2012, the NCF and GNAA came together to take advantage of an XSS vulnerability in FimFiction. It was then discovered that Knighty, being the genius he is, was storing password hashes in cookies. The result: Knighty's cookie stolen, the website defaced, and hundreds of hashed passwords taken.
  - The Practical Solution: Mass logout, stop storing password hashes in cookies.
  - Knighty's solution: Not knowing what to do, Knighty disconnected the DB, effectively shutting the site down. He later bound cookies to IP addresses to prevent such an incident from reoccurring, but forgot to fix the vulnerability.
- On December 4, 2012, a CSRF vulnerability was utilized to join almost 1000 users to a group titled "FAGGOT HORSEFUCKER AUTISTS". In addition, a similar exploit was used to delete users' journals without their consent.
  - The Practical Solution: Fix the problem by using an authentication key with every request.
  - Knighty's solution: Remove the deletion feature, delete troll groups as they are created.
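The two "Practical Solution" bullets above, as an added example in Python (not FimFiction's code, whose framework is not shown here): the session cookie is an opaque random id rather than a password hash, every state-changing request must carry a per-session CSRF token that a cross-site page cannot read, and a mass logout revokes any stolen cookies. The in-memory session and group tables are constructed stand-ins for the site's database.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the site's session and group tables.
SESSIONS = {}        # session_id -> {"user": str, "csrf": str}
GROUP_MEMBERS = {}   # group name -> set of usernames


def login(username):
    """Issue a session: an opaque random id (never a password hash) plus a CSRF token.

    Returns the cookie value and the token the site embeds in its own forms.
    """
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "csrf": csrf_token}
    return session_id, csrf_token


def join_group(cookie_session_id, form_csrf_token, group):
    """State-changing handler: requires the session cookie AND a matching form token.

    A request forged from another origin carries the cookie automatically but
    cannot read the token, so it is rejected instead of joining the user.
    """
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        return False, "no session"
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(session["csrf"], form_csrf_token or ""):
        return False, "csrf token mismatch"
    GROUP_MEMBERS.setdefault(group, set()).add(session["user"])
    return True, "joined"


def logout_all():
    """Mass logout: invalidating every session id revokes cookies that were stolen."""
    count = len(SESSIONS)
    SESSIONS.clear()
    return count
```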