Don't enter!

Last edited by sanddbox on Wed Dec 16, 2009 11:41 pm, edited 2 times in total.

Dammit, you entered. Just testing something.

Yep, time for a bug report.

EDIT: Image replaced with something less malicious (if you can call it that) because I hate having to log in after visiting this thread.

Haha, awesome, it works! Probably the only way to disable this is for them to explicitly ban that url with image inclusion. Even at that, im sure there would still be a way to get around it. But some pretty annoying stuff could be done with this, like logging out of the forums on viewing or something, and some other much more annoying things I can think of. But, basically, it doesn't seem to me like much can be done.

To be honest, I hit 'preview' and knew it worked right then, but posted it anyway because I'm an egotistical bastard.

They just need to have the logout based on the session id like the forum.

I wish I would've seen this before you took it down hehe.. I know what it did though. yay for CSRF.

myhexhax wrote:I wish I would've seen this before you took it down hehe.. I know what it did though. yay for CSRF.

Wish granted.

Merry Christmas!

s are awesome.

I know, its awesome. I even thought of another creative use for this on saturday. I can just include a 1x1 transparent png (

) in any post or signature, and I can log all the infoz in the request header, etc (date/time, ip, user agent, referer) to a special, secret file. Wonderful, wonderful stuffs! Firefox seems to be the most common browser, and windows the most common OS. Mwahahahaha.....

faazshift wrote:I know, its awesome. I even thought of another creative use for this on saturday. I can just include a 1x1 transparent png () in any post or signature, and I can log all the infoz in the request header, etc (date/time, ip, user agent, referer) to a special, secret file. Wonderful, wonderful stuffs! Firefox seems to be the most common browser, and windows the most common OS. Mwahahahaha.....

yep. it's very evil

by **tgoe** on Tue Dec 22, 2009 8:22 pm ([msg=31766]see Re: Don't enter![/msg])

faazshift wrote:I know, its awesome. I even thought of another creative use for this on saturday. I can just include a 1x1 transparent png () in any post or signature, and I can log all the infoz in the request header, etc (date/time, ip, user agent, referer) to a special, secret file. Wonderful, wonderful stuffs! Firefox seems to be the most common browser, and windows the most common OS. Mwahahahaha.....

This is actually how I collected most of the data for the map in
http://www.hackthissite.org/forums/viewtopic.php?f=33&t=2639

Which was inspired by
http://www.hackthissite.org/forums/viewtopic.php?f=9&t=1662&start=0

I didn't think of trying to force a logout the other way... d'oh
Good job :mrgreen:

tgoe wrote:This is actually how I collected most of the data for the map in
http://www.hackthissite.org/forums/viewtopic.php?f=33&t=2639

Which was inspired by
http://www.hackthissite.org/forums/viewtopic.php?f=9&t=1662&start=0

I didn't think of trying to force a logout the other way... d'oh
Good job

Nice. My log is already up at nearing 250 unique ip's (almost 700 lines in total). I seem to be about the only Gentoo Linux user (so far).

faazshift wrote:
tgoe wrote:This is actually how I collected most of the data for the map in
http://www.hackthissite.org/forums/viewtopic.php?f=33&t=2639

Which was inspired by
http://www.hackthissite.org/forums/viewtopic.php?f=9&t=1662&start=0

I didn't think of trying to force a logout the other way... d'oh
Good job

Nice. My log is already up at nearing 250 unique ip's (almost 700 lines in total). I seem to be about the only Gentoo Linux user (so far).

Careful, your you-know-what is showing...

And here too...

I'm not exactly comfortable with my session id being publicly displayed...
ADBLOCK PLUS TIME!