Author Topic: And the winner is.......  (Read 8637 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: And the winner is.......
« Reply #15 on: December 04, 2005, 11:02:36 pm »
Nono, you misunderstand. 

www.javaop.com/~iago/test.php.anything

Nevermind the warning, I used my Rabbit-friendly program to test :)

Oh, hahaha.

That's actually pretty nice to know.  Upload scripts should always have a list of allowed extensions, not a list of banned ones.

http://sidoh.org/test.php.iz3nything

A list of allowed extensions can be circumvented in this case.  For example, if programming languages were allowed, they could have uploaded:
http://www.javaop.com/~iago/test.php.c
http://www.javaop.com/~iago/test.php.java
http://www.javaop.com/~iago/test.php.cpp

That would not have been cool.  You have to either:
a) rename the file complete
b) remove php from the inside, which leaves me wondering what else can be run like that..

I wonder if this is widely known, or if I should bring this up on a mailing list...

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: And the winner is.......
« Reply #16 on: December 04, 2005, 11:09:03 pm »
A list of allowed extensions can be circumvented in this case.  For example, if programming languages were allowed, they could have uploaded:
http://www.javaop.com/~iago/test.php.c
http://www.javaop.com/~iago/test.php.java
http://www.javaop.com/~iago/test.php.cpp

That would not have been cool.  You have to either:
a) rename the file complete
b) remove php from the inside, which leaves me wondering what else can be run like that..

I wonder if this is widely known, or if I should bring this up on a mailing list...

I don't know, but that should not be the default setting of Apache by any means.

I found another one:

.sql

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: And the winner is.......
« Reply #17 on: December 04, 2005, 11:18:38 pm »
A list of allowed extensions can be circumvented in this case.  For example, if programming languages were allowed, they could have uploaded:
http://www.javaop.com/~iago/test.php.c
http://www.javaop.com/~iago/test.php.java
http://www.javaop.com/~iago/test.php.cpp

That would not have been cool.  You have to either:
a) rename the file complete
b) remove php from the inside, which leaves me wondering what else can be run like that..

I wonder if this is widely known, or if I should bring this up on a mailing list...

I don't know, but that should not be the default setting of Apache by any means.

I found another one:

.sql

.rar, too.  There's a lot of them...

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: And the winner is.......
« Reply #18 on: December 04, 2005, 11:25:59 pm »
.rar, too.  There's a lot of them...

I guess the safest thing to do is to determine the real extension of the file, then rename it accordingly.  That's what my upload script does.  I bypassed an exploit without even knowing it!

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: And the winner is.......
« Reply #19 on: December 04, 2005, 11:29:08 pm »
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)

I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.

Sounds like you missed it, so here it is again: Hitman cannot gain unauthorized access to any remote computers. He never had a part in this except being used as a scapegoat and playing along.
Ok, so technically by what you're saying, he took part in it, however, didn't actually hack the forum. (?)

There was no hacking of the forum, and Hitmen didn't take part in it. It was a joke (see the current news) and Hitmen was just informed, he didn't do anything except watch.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Hitmen

  • B&
  • Moderator
  • Hero Member
  • *****
  • Posts: 1913
    • View Profile
Re: And the winner is.......
« Reply #20 on: December 04, 2005, 11:41:06 pm »
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)

I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.

Sounds like you missed it, so here it is again: Hitman cannot gain unauthorized access to any remote computers. He never had a part in this except being used as a scapegoat and playing along.
Ok, so technically by what you're saying, he took part in it, however, didn't actually hack the forum. (?)

There was no hacking of the forum, and Hitmen didn't take part in it. It was a joke (see the current news) and Hitmen was just informed, he didn't do anything except watch.
I wasn't 'informed', I just happened to figure it out and people didn't want me ruining it.  I'm rather good at analyzing people's writing and can usually tell when someone who I've talked to a lot online isn't telling the truth, because the writing just doesn't look like how the person normally writes. iago in particular I picked up on easy and he could tell I did and made me shut up so I didn't ruin it. Newby's was also easy to tell, but I don't really know myndfyre so couldn't tell there or not. And lies!!!! I did take part. Blaming it on me was my idea, since I knew I was the only one who knew, other than the leader people.
Quote
(22:15:39) Newby: it hurts to swallow

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: And the winner is.......
« Reply #21 on: December 05, 2005, 12:02:33 am »
I wasn't 'informed', I just happened to figure it out and people didn't want me ruining it.  I'm rather good at analyzing people's writing and can usually tell when someone who I've talked to a lot online isn't telling the truth, because the writing just doesn't look like how the person normally writes. iago in particular I picked up on easy and he could tell I did and made me shut up so I didn't ruin it. Newby's was also easy to tell, but I don't really know myndfyre so couldn't tell there or not. And lies!!!! I did take part. Blaming it on me was my idea, since I knew I was the only one who knew, other than the leader people.

Hitmen has no problem seeing through any of my lies, me and him BS together too much :)

Offline Furious

  • Hero Member
  • *****
  • Posts: 1833
  • I hate rabbits
    • View Profile
Re: And the winner is.......
« Reply #22 on: December 05, 2005, 12:26:12 pm »
What do I win? Yeah, I was the first one, shows how much of a life I LACK.
Quote
[23:04:34] <deadly7[x86]> Newby[x86]
[23:04:35] <deadly7[x86]> YOU ARE AN EMO
[23:04:39] <Newby[x86]> shush it woman

Quote
[17:53:31] InsaneJoey[e2] was banned by x86 (GO EAT A BAG OF FUCK ASSHOLE (randomban)).

Quote from: Ergot
Put it this way Joe... you're on my Buddy List... if there's no one else on an you're the only one, I'd rather talk to myself.

Offline rabbit

  • x86
  • Hero Member
  • *****
  • Posts: 8092
  • I speak for the entire clan (except Joe)
    • View Profile
Re: And the winner is.......
« Reply #23 on: December 05, 2005, 05:00:43 pm »
Notice: Use of undefined constant friendly - assumed 'friendly' in /www/hosts/iago.no-ip.com/web/test.php.anything on line 2

I told you, iago.  It had to assume that the friendly constant had a value of "friendly".

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: And the winner is.......
« Reply #24 on: December 05, 2005, 05:43:37 pm »
Notice: Use of undefined constant friendly - assumed 'friendly' in /www/hosts/iago.no-ip.com/web/test.php.anything on line 2

I told you, iago.  It had to assume that the friendly constant had a value of "friendly".

No, it assumed that it was a string instead. :]

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: And the winner is.......
« Reply #25 on: December 05, 2005, 05:44:01 pm »
Notice: Use of undefined constant friendly - assumed 'friendly' in /www/hosts/iago.no-ip.com/web/test.php.anything on line 2

I told you, iago.  It had to assume that the friendly constant had a value of "friendly".

Notice the next line, the one about iago being right?