[RESOLVED] Cookie Thievery -- Successful account hijacking.
Done with the same exploit in another location, I managed to take over this account, with permission:
coolguy
The bad news is that I was able to do it. The good news is that I have limited access. I can't change someone's password because I'd need their password to do it in the control panel. Plus, nowadays passwords aren't stored in cookies-- only the session ID and user ID. Meaning, if someone hijacks your account, all they can really do is post as you.
The exploit was done through the commissions page, but with the contact information fields, which weren't filtered to escape HTML on the commissions page itself. Which, unfortunately, implies that escaping is only done server-side, and not on the database level. In my opinion, it should be done on the database level, but maybe that's why I'm a hacker and not a coder here. :)
This is still bad, but it's not as bad as you think it'd be. It's kind of like being covered in dog shit as opposed to elephant shit-- regardless, you're covered in shit, but the type is what matters here.
ok, i had enough of partial fixes so i sat down and completely rewrote from scratch the code responsible for userpage and commission info page generation
yes, now i'm thrashing the CPU, but escaping everything that gets displayed.
*sigh* yes, i completely agree that the filtering of any text should be done prior to putting it in the database. alas, we already have a DB full of data that wasn't filtered. so i guess i should schedule a "filtering" maintenance some time in the future. :)
thanks again for poking around the security fence!
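An added example, not code from this thread or from the site itself, of the fix the reply above describes: the same contact-info template rendered as it was before (stored values dropped straight into the page) and after (every displayed value escaped at render time, so rows that were stored unfiltered are still shown as text), plus the cookie flags that keep a page script from reading the session ID. The rows, user names, template and `hijack()` marker are all constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample rows standing in for the commissions "contact info"
# fields: stored exactly as typed, never filtered (the situation in the thread).
CONTACT_ROWS = {
    "coolguy": {"email": "coolguy@example.invalid",
                "website": "https://example.invalid/coolguy"},
    "mallory": {"email": "<script>hijack()</script>",      # constructed marker
                "website": "javascript:hijack()"},         # constructed marker
}

TEMPLATE = ('<p>Email: {email}</p>'
            '<p>Site: <a href="{website}">{website}</a></p>')


def render_unescaped(user: str) -> str:
    """Pre-fix behaviour: stored values are interpolated into the page as-is."""
    return TEMPLATE.format(**CONTACT_ROWS[user])


def safe_url(value: str) -> str:
    """Escaping alone does not make an href safe: only http(s) URLs are kept."""
    scheme = urlsplit(value).scheme.lower()
    return value if scheme in ("http", "https") else "#"


def render_escaped(user: str) -> str:
    """Post-fix behaviour: every displayed value is escaped when the page is
    built, so data that sits unfiltered in the DB is shown as text, not markup."""
    row = CONTACT_ROWS[user]
    return TEMPLATE.format(
        email=html.escape(row["email"], quote=True),
        website=html.escape(safe_url(row["website"]), quote=True),
    )


def session_cookie_header(session_id: str) -> str:
    """Session cookie flags: HttpOnly keeps page scripts from reading the
    session ID even if an escaping bug slips through; Secure keeps it off
    plain HTTP."""
    return f"Set-Cookie: session_id={session_id}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    print(render_unescaped("mallory"))
    print(render_escaped("mallory"))
    print(session_cookie_header("CONSTRUCTED-SESSION-ID"))
```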