CodeWalrus

Featured Member Projects => Completed and Inactive Projects => [Completed] CodeWalrus Tools (Web/Android/PC) => Topic started by: Dream of Omnimaga on April 11, 2015, 04:41:45 PM

Title: WalrusIRC disabled until further notice
Post by: Dream of Omnimaga on April 11, 2015, 04:41:45 PM
Due to a security exploit, WalrusIRC has been disabled until further notice. Please use OmnomIRC for the time being instead (go to profile->Group Membership then join the "OmnomIRC mode" usergroup).

WalrusIRC will be re-enabled once the bug has been fixed and anything that can disrupt your CodeWalrus browsing experience has been deleted from the OIRC/WIRC logs.
Title: Re: WalrusIRC disabled until further notice
Post by: novenary on April 11, 2015, 04:42:34 PM
Juju disabled the exploitable code for now. Re-enabling.
Title: Re: WalrusIRC disabled until further notice
Post by: DarkestEx on April 11, 2015, 04:43:00 PM
Quote from: DJ Omnimaga on April 11, 2015, 04:41:45 PM
Due to a security exploit, WalrusIRC has been disabled until further notice. Please use OmnomIRC for the time being instead (go to profile->Group Membership then join the "OmnomIRC mode" usergroup).

WalrusIRC will be re-enabled once the bug has been fixed and anything that can disrupt your CodeWalrus browsing experience has been deleted from the OIRC/WIRC logs.
Sorry, @DJ Omnimaga, for finding that JavaScript exploit. I just wanted to let you know :(
Hopefully I don't get banned for that or anything...
Title: Re: WalrusIRC disabled until further notice
Post by: Yuki on April 11, 2015, 04:46:05 PM
Yeah, please don't abuse security issues next time, told ya to not use alert()...

EDIT: Nope you're not getting banned :P
Title: Re: WalrusIRC disabled until further notice
Post by: Dream of Omnimaga on April 11, 2015, 04:47:31 PM
Quote from: DarkestEx on April 11, 2015, 04:43:00 PM
Quote from: DJ Omnimaga on April 11, 2015, 04:41:45 PM
Due to a security exploit, WalrusIRC has been disabled until further notice. Please use OmnomIRC for the time being instead (go to profile->Group Membership then join the "OmnomIRC mode" usergroup).

WalrusIRC will be re-enabled once the bug has been fixed and anything that can disrupt your CodeWalrus browsing experience has been deleted from the OIRC/WIRC logs.
Sorry, @DJ Omnimaga, for finding that JavaScript exploit. I just wanted to let you know :(
Hopefully I don't get banned for that or anything...
It's ok, thanks for letting us know at least :). Just make sure to not actually use the exploit next time unless it's not harmful or anything :P (in the current case, it was more annoying than harmful, with random alerts popping up, but that could have scared some users away)
Title: Re: WalrusIRC disabled until further notice
Post by: DarkestEx on April 11, 2015, 05:21:31 PM
This issue becomes its own logo:
(http://img.codewalr.us/rainbowwalrii3.gif)

Let's call it the Derpywalrus exploit.
Title: Re: WalrusIRC disabled until further notice
Post by: Yuki on April 11, 2015, 05:29:52 PM
The linkifier has been disabled until further notice until we have a fix (which should be quite simple). The exploit is also on OmnomIRC.
Title: Re: WalrusIRC disabled until further notice
Post by: DarkestEx on April 11, 2015, 05:33:11 PM
I wonder if the chat software could have problems as well.

EDIT: It seems fine to me.
Title: Re: WalrusIRC disabled until further notice
Post by: Yuki on April 11, 2015, 06:03:54 PM
It's been fixed on both WalrusIRC and OmnomIRC, on both CodeWalrus and Omnimaga, as of OmnomIRC version 2.9.0.5 and WalrusIRC version 0.0.3.
Title: Re: WalrusIRC disabled until further notice
Post by: DarkestEx on April 11, 2015, 06:10:25 PM
Sounds great!

For everybody who missed the thing, this was basically a way to sneak JavaScript into links, like this:
(http://media.muessigb.net/Images/Misc/js_exploit_cw.png)

Mouse-hovering over them executed (possibly malicious) JavaScript.
Title: Re: WalrusIRC disabled until further notice
Post by: Yuki on April 11, 2015, 06:13:53 PM
Yep. On WalrusIRC, it also worked with image tags, which also support onload, which could lead to even more disastrous results.
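The two posts above describe the bug class: message text (and the URL itself) is dropped straight into markup, so quotes and tags in a chat line become attributes and event handlers. The following is an added, constructed example, not the OmnomIRC/WalrusIRC linkifier: a naive string linkifier of that shape next to a hardened one that escapes text and only emits parser-validated http(s) hrefs. It runs in Node on plain strings; the message contents and the `beep()` handler name are constructed for the test.

```javascript
// Constructed example, not the OmnomIRC/WalrusIRC code: two string-based
// linkifiers for chat messages, run in Node (no DOM). The naive one shows the
// class of bug the thread describes; the safe one is the shape of the fix.

// Naive: grab anything that looks like a URL and drop it straight into markup.
// Text outside the URL is emitted raw, and the URL itself may contain a quote,
// so both message text and the href attribute can turn into tags and handlers.
const NAIVE_URL_RE = /https?:\/\/\S+/g;
function linkifyNaive(message) {
  return message.replace(NAIVE_URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Safe: escape every character that has meaning in HTML text or attribute
// values, and only emit an href that the URL parser accepts as http(s).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Quotes and angle brackets can never be part of a matched URL, so they are
// always escaped as ordinary text instead of landing inside the attribute.
const SAFE_URL_RE = /https?:\/\/[^\s<>"']+/g;

function safeHref(url) {
  try {
    const u = new URL(url); // throws on malformed input, e.g. "http://["
    // Scheme check is redundant with the regex but cheap defence in depth.
    // Note: u.href is the re-serialised form (it may add a trailing slash).
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null;
  }
}

function linkifySafe(message) {
  let out = '';
  let last = 0;
  for (const m of message.matchAll(SAFE_URL_RE)) {
    out += escapeHtml(message.slice(last, m.index));
    const href = safeHref(m[0]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[0])}</a>`
      : escapeHtml(m[0]); // unparsable URL: show it as text, do not link it
    last = m.index + m[0].length;
  }
  return out + escapeHtml(message.slice(last));
}
```

A regex that excludes quotes is only half the fix; the escaping of the surrounding text is what keeps an `<img ... onload>` in a message from ever becoming an element.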
Title: Re: WalrusIRC disabled until further notice
Post by: Dream of Omnimaga on April 11, 2015, 06:34:26 PM
Hopefully you can fix the bug soon, since being able to click links in WIRC is very convenient, especially from new post notifications. On Cemetech we can't (anymore), so I always have to copy/paste them.
Title: Re: WalrusIRC disabled until further notice
Post by: Yuki on April 12, 2015, 06:00:12 AM
Come to think of it, this bug's been there since at least 2013 (https://github.com/Sorunome/OmnomIRC2/blob/efdb7b8c335ea1cc535de6d4e3083007db1d446f/omnomirc_www/Omnom_Parser.js#L499), maybe even since 2010-2011. Omnimaga (and also CodeWalrus and a bunch of other sites) has been vulnerable all this time, kind of weird when you think about it. If we were a big company such as Google or Facebook, we would have given @DarkestEx something like $5000 (http://www.google.com/about/appsecurity/reward-program/index.html), but sadly we are not a big company. Please accept 5000 internet points instead. Oh well, it was fun while it lasted.
Title: Re: WalrusIRC disabled until further notice
Post by: Snektron on April 12, 2015, 09:29:10 AM
Maybe give him "the Honor of finding a bug" :P
Title: Re: WalrusIRC disabled until further notice
Post by: Duke "Tape" Eiyeron on April 12, 2015, 11:13:03 AM
Quote from: Cumred_Snektron on April 12, 2015, 09:29:10 AM
Maybe give him "the Honor of finding a bug" :P

Bug-tracker rank? ;)
Title: Re: WalrusIRC disabled until further notice
Post by: Snektron on April 12, 2015, 11:38:48 AM
Somebody make a pixel art trophy with some bugs crawling over it as a badge :P
Title: Re: WalrusIRC disabled until further notice
Post by: Dream of Omnimaga on April 12, 2015, 03:03:09 PM
Quote from: Juju on April 12, 2015, 06:00:12 AM
Come to think of it, this bug's been there since at least 2013 (https://github.com/Sorunome/OmnomIRC2/blob/efdb7b8c335ea1cc535de6d4e3083007db1d446f/omnomirc_www/Omnom_Parser.js#L499), maybe even since 2010-2011. Omnimaga (and also CodeWalrus and a bunch of other sites) has been vulnerable all this time, kind of weird when you think about it. If we were a big company such as Google or Facebook, we would have given @DarkestEx something like $5000 (http://www.google.com/about/appsecurity/reward-program/index.html), but sadly we are not a big company. Please accept 5000 internet points instead. Oh well, it was fun while it lasted.
Wow, I didn't know the bug had been there for that long. That said, I kinda doubt it could have allowed people to execute PHP, right? But yeah, they could have linked to anything off-site that is annoying or malicious. That said, I don't know if it has been present since 2010, because back then OmnomIRC was completely different code. It was rewritten from scratch in 2011.