You are currently looking at Flamebate, our community forums. Players can discuss the game here, strategize, and role play as their characters.
You need to be logged in to post and to see the uncensored versions of these forums.
Possible Vuln: Community Ad's
|
|||||||
|---|---|---|---|---|---|---|---|
|
So after posting some very special community ad’s (one of which I wanted deleted) I’ve come to realize a possible exploit.
Scenario is as follows.
1: I submit an ad cleverly worded, that links to something safe on my server 2: The ad gets approved by one of the mods 3: The ad goes public 4: I change the content on my server to redirect to either a fake log in page, a known exploit in common browsers, etc or worse set the content type of the file being linked (through php/etc) to an executable/download thus making it look like a file comes directly from the ad and trojan/etc **** up. 5: The acting mods go insane as they can’t change content in the ad’s. To quote ”... there is no feature in place to modify an existing ad. Yes, ...”
Besides that problem, the mods as far as I know should have the power to edit community ad’s already (dead links 404/403’s, content that gets changed etc) in case this sort of **** happens anyways. |
|||||||
| Posted On: 02/07/2009 9:34PM |
Rate this Post: 0
View rush68's Profile
|
#
  |
||||||
|
Good thinking…but would’ve been way better to use the private bug report message to suggest your scenario to CZ. |
||||||
| Posted On: 02/08/2009 3:03AM |
Rate this Post: 0
View Hackmeister's Profile
|
#
|
||||||
|
If you had sent it as a bug report you could have gotten the haxplotation e-peen |
||||||
| Posted On: 02/08/2009 3:05AM |
Rate this Post: 0
View pieyum's Profile
|
#
|
||||||
|
It could work but I suppose only new players would fall for that and you’ll get banned soon enough. Still it would make sense to allow the mods to edit such thing. |
||||||
| Posted On: 02/08/2009 3:37AM |
Rate this Post: 0
View quangntenemy's Profile
|
#
|
||||||
|
You would be banned and ET would pull down the ad.
Is this actually the first time somebody has thought of this and told people? |
||||||
| Posted On: 02/08/2009 3:55AM |
Rate this Post: 0
View TUBSWEETIE's Profile
|
#
|
||||||
|
i am reminded of falconfour |
||||||
| Posted On: 02/08/2009 4:06AM |
Rate this Post: -1
View Inertia's Profile
|
#
|
||||||
Hackmeister Posted:
“Start a thread in game discussion, AND submit a bug report. I’ll link the report to the thread and ET will then decide what, if anything, he wants to do about it.” -MCB
Too late, Hambanner suggested that I do the cross posting |
|||||||
| Posted On: 02/08/2009 4:11AM |
Rate this Post: 0
View rush68's Profile
|
#
|
||||||
|
rush68 Posted:
I suggested that because I thought you were going to report it as a problem (an ad which became irrelevant because it was advertising an expired auction or contest), not as an exploit. If I thought you’d be reporting it as an exploit I would’ve told you to do the bug report and keep it to yourself, for the peen. |
||||||
| Posted On: 02/08/2009 1:52PM |
Rate this Post: 0
View MC Banhammer's Profile
|
#
|
||||||
MC Banhammer Posted:
Peen is irrelevant to me. Just wanted to get it out of the way in hopes it would speed up you mods having more power. |
|||||||
| Posted On: 02/08/2009 7:06PM |
Rate this Post: 0
View rush68's Profile
|
#
|
||||||
