Due to a security exploit, WalrusIRC has been disabled until further notice. Please use OmnomIRC for the time being instead (go to profile->Group Membership then join the "OmnomIRC mode" usergroup).
WalrusIRC will be re-enabled once the bug has been fixed and anything that can disrupt your CodeWalrus browsing experience has been deleted from the OIRC/WIRC logs.
Juju disabled the exploitable code for now. Re-enabling.
Quote from: DJ Omnimaga on April 11, 2015, 04:41:45 PM
Due to a security exploit, WalrusIRC has been disabled until further notice. Please use OmnomIRC for the time being instead (go to profile->Group Membership then join the "OmnomIRC mode" usergroup).
WalrusIRC will be re-enabled once the bug has been fixed and anything that can disrupt your CodeWalrus browsing experience has been deleted from the OIRC/WIRC logs.
Sorry, @DJ Omnimaga for finding, that javascript exploit. I just wanted to let you know :(
Hopefully I don't get banned for that or anything...
Yeah, please don't abuse security issues next time, told ya to not use alert()...
EDIT: Nope you're not getting banned :P
Quote from: DarkestEx on April 11, 2015, 04:43:00 PM
Quote from: DJ Omnimaga on April 11, 2015, 04:41:45 PM
Due to a security exploit, WalrusIRC has been disabled until further notice. Please use OmnomIRC for the time being instead (go to profile->Group Membership then join the "OmnomIRC mode" usergroup).
WalrusIRC will be re-enabled once the bug has been fixed and anything that can disrupt your CodeWalrus browsing experience has been deleted from the OIRC/WIRC logs.
Sorry, @DJ Omnimaga for finding, that javascript exploit. I just wanted to let you know :(
Hopefully I don't get banned for that or anything...
It's ok, thanks for letting us know at least :). Just make sure to not actually use the exploit next time unless it's not harmful or anything :P (in the current case, it was more annoying than harmful, with random alerts popping up, but that could have scared some users away)
This issue becomes its own logo:
(http://img.codewalr.us/rainbowwalrii3.gif)
Let's call it Derpywalrus exploit
The linkifier has been disabled until further notice until we have a fix (which should be quite simple). The exploit is also on OmnomIRC.
I wonder if the chat software could have problems as well.
EDIT: It seems fine to me.
It's been fixed on both WalrusIRC and OmnomIRC, on both CodeWalrus and Omnimaga, as of OmnomIRC version 2.9.0.5 and WalrusIRC version 0.0.3.
Sounds great!
For everybody who missed the thing, this was basically a way to sneak in javascript into links, like this:
(http://media.muessigb.net/Images/Misc/js_exploit_cw.png)
Mouse-hovering over them executed (possibly malicious) javascript.
Yep. On WalrusIRC, it also worked with image tags, which also support onload, which could lead to even more disastrous results.
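Added example, not part of the thread and not OmnomIRC or WalrusIRC code: a constructed naive linkifier of the kind described above, next to a hardened one that escapes every piece of message text and only links URLs that parse as http or https. All function names here are hypothetical.

```javascript
// Constructed example; not taken from OmnomIRC or WalrusIRC.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);

// Naive linkifier: the matched text goes into the href attribute unescaped,
// so a double quote in the message ends the attribute value early and the
// rest of the "URL" is parsed by the browser as further attributes.
function linkifyNaive(msg) {
  return msg.replace(/https?:\/\/\S+/g, (u) => `<a href="${u}">${u}</a>`);
}

// Hardened linkifier: split on URL candidates, escape everything, and only
// emit an anchor for a candidate that parses and uses http or https.
function linkifySafe(msg) {
  return msg.split(/(https?:\/\/\S+)/g).map((part, i) => {
    if (i % 2 === 0) return escapeHtml(part);            // plain text between URLs
    let url;
    try { url = new URL(part); } catch { return escapeHtml(part); }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return escapeHtml(part);
    const href = escapeHtml(url.href);                   // normalised, then attribute-escaped
    return `<a href="${href}" rel="noopener noreferrer nofollow">${escapeHtml(part)}</a>`;
  }).join('');
}

// Check for log audits and regression tests: true if any tag in the markup
// carries an on* event-handler attribute (onmouseover, onload, ...).
function hasEventHandlerAttr(html) {
  return /<[^>]*["'\s]on\w+\s*=/i.test(html);
}
```

The same rule applies to any attribute built from message text, such as an image `src`: escape the value for the attribute context and never let chat input supply markup.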
Hopefully you can fix the bug soon since being able to click links in WIRC is very convenient, especially from New post notifications. On Cemetech we can't (anymore) so I always have to copy/paste them.
Come to think, this bug's been there since at least 2013 (https://github.com/Sorunome/OmnomIRC2/blob/efdb7b8c335ea1cc535de6d4e3083007db1d446f/omnomirc_www/Omnom_Parser.js#L499), maybe even since 2010-2011. Omnimaga's (and also CodeWalrus and a bunch of other sites) been vulnerable since all this time, kind of weird when you think about it. If we were a big company such as Google or Facebook, we would have given @DarkestEx something like $5000 (http://www.google.com/about/appsecurity/reward-program/index.html), but sadly we are not a big company. Please accept 5000 internet points instead. Oh well, it was fun while it lasted.
Maybe give him "the Honor of finding a bug" :P
Quote from: Cumred_Snektron on April 12, 2015, 09:29:10 AM
Maybe give him "the Honor of finding a bug" :P
Bug-tracker rank? ;)
Somebody make a pixel art trophy with some bugs crawling over it as a badge :P
Quote from: Juju on April 12, 2015, 06:00:12 AM
Come to think, this bug's been there since at least 2013 (https://github.com/Sorunome/OmnomIRC2/blob/efdb7b8c335ea1cc535de6d4e3083007db1d446f/omnomirc_www/Omnom_Parser.js#L499), maybe even since 2010-2011. Omnimaga's (and also CodeWalrus and a bunch of other sites) been vulnerable since all this time, kind of weird when you think about it. If we were a big company such as Google or Facebook, we would have given @DarkestEx something like $5000 (http://www.google.com/about/appsecurity/reward-program/index.html), but sadly we are not a big company. Please accept 5000 internet points instead. Oh well, it was fun while it lasted.
Wow I didn't know the bug was there since that long. That said, I kinda doubt it could have allowed people to execute PHP, right? But yeah they could have linked to anything off-site that is annoying or malicious. That said, I don't know if it has been present since 2010 because back then OmnomIRC was completely different code. It was rewritten from scratch in 2011.