Posted August 25, 2017
Snolus
Registered: Oct 2012
From Germany
WinterSnowfall
Bastard Lunatic
Registered: Apr 2012
From Other
Posted August 25, 2017
> tinyE: The OP once claimed that I was a severe threat and claimed that I had ordered a group of people to intentionally spam delete any post I disagreed with, via a script, in an attempt to take over the forum.
Oh, please... everyone knows your true identity by now, Keyser Söze! He does have a point now though. I tend to log out and back in frequently though, so I'm not too worried.
Breja
You're in my spot
Registered: Apr 2012
From Poland
Posted August 25, 2017
Maybe if he first informed GOG, waited for them to take action, and only did this as a last resort after they obviously ignored his warning. But as plan A this just sucks.
Snolus
Registered: Oct 2012
From Germany
Lin545
May. 24, 2022
Registered: Jun 2011
From Russian Federation
Posted August 25, 2017
Let me guess.
You can attach JS code?
Alaric.us
Slava Ukraini
Registered: Feb 2010
From United States
Posted August 25, 2017
high rated
> Have you reported the issue to GOG staff?
I have. In the past. Many times. Nothing was ever done.
This time around I also don't expect any action on their part. My goal is to warn the users. I just decided to look into this issue today (prompted by the "91" debacle) and found it right away. If someone was looking for vulnerabilities on purpose and with a malicious goal in mind, they'd have found this a looooong time ago.
So yea, informing GOG is useless. I'd much rather let you know.
Post edited August 25, 2017 by Alaric.us
Frozen
Snake Eater
Registered: Sep 2008
From Poland
Posted August 25, 2017
Scary...
I assume copying text and putting it in the "quote_x" "/quote" brackets while using the "new post" option is safe, right?
Alaric.us
Slava Ukraini
Registered: Feb 2010
From United States
Posted August 25, 2017
> I assume copying text and putting it in the "quote_x" "/quote" brackets while using the "new post" option is safe, right?
Should be safe. If you use {quote}{/quote} but with square brackets you probably won't get the name of the person you are quoting. If you note the number of their post and do {quote_22}{/quote} you'll get the regular quote with their avatar.
ZFR
I love gold!
Registered: Jan 2010
From Ireland
Posted August 25, 2017
Alaric.us
Slava Ukraini
Registered: Feb 2010
From United States
Posted August 25, 2017
> It's only the buttons that can be dangerous
Incorrect. The very act of clicking on the reply button will execute code. The fake buttons are just to demonstrate what can be done. Notice that if you hit reply to my original post, an alert message will be displayed before you ever see the buttons.
ZFR
I love gold!
Registered: Jan 2010
From Ireland
Posted August 25, 2017
Yes. By "buttons" I meant Reply button as well.
WinterSnowfall
Bastard Lunatic
Registered: Apr 2012
From Other
Posted August 25, 2017
A quick and easy partial fix which breaks OP's exploit would be to disallow any post that contains </textarea>. Just like they did for +91. Just saying.
But to be honest they really should properly escape everything, I'm quite surprised that's currently not the case.
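The two fixes discussed in the post above, side by side, as an added example that is not part of the original thread and not GOG's code: a literal `</textarea>` denylist versus escaping the quoted text when the reply box is rendered. The function names, the `[quote_N]` rendering and the sample posts are assumptions constructed for illustration.

```javascript
// Added example; every name and sample below is constructed, not forum code.

// Partial fix from the post: reject posts containing the literal "</textarea>".
function denylistAllows(post) {
  return !post.includes("</textarea>");
}

// Proper fix: escape HTML metacharacters when the text is written into the page.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical reply-box renderer: the quoted post becomes textarea content.
function renderReplyBox(postNumber, quotedText) {
  const n = Number.parseInt(postNumber, 10);
  if (!Number.isInteger(n) || n < 0) throw new RangeError("bad post number");
  return `<textarea name="reply">[quote_${n}]${escapeHtml(quotedText)}[/quote]</textarea>`;
}

// Number of textarea end tags an HTML parser would recognise
// (tag names are case-insensitive and may carry trailing whitespace).
function closingTags(html) {
  return (html.match(/<\/textarea\s*>/gi) || []).length;
}

// Constructed sample posts: harmless markup only.
const samples = [
  "Plain text with 1 < 2 & 3 > 2",
  "</textarea><b>markup outside the box</b>",
  "</TEXTAREA ><b>same tag, different spelling</b>",
];

// For each sample: does the denylist accept it, and how many end tags
// appear when it is embedded raw versus through renderReplyBox()?
function report() {
  return samples.map((s) => ({
    denylistAllows: denylistAllows(s),
    closingTagsRaw: closingTags(`<textarea>${s}</textarea>`),
    closingTagsEscaped: closingTags(renderReplyBox(22, s)),
  }));
}

console.log(report());
```

A raw count above 1 means the quoted text ended the textarea early; the escaped rendering always contains exactly one end tag, including for the sample the denylist lets through.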
Breja
You're in my spot
Registered: Apr 2012
From Poland
Posted August 25, 2017
low rated
ZFR
I love gold!
Registered: Jan 2010
From Ireland
richlind33
bong hits for beelzebub
Registered: Jan 2016
From United States
Posted August 25, 2017
Munchausen by proxy? lol