CodeWalrus

Featured Member Projects => CodeWalrus Tools (Web/Android/PC) => Topic started by: DJ Omnimaga on April 11, 2015, 04:41:45 pm

Title: WalrusIRC disabled until further notice
Post by: DJ Omnimaga on April 11, 2015, 04:41:45 pm
Due to a security exploit, WalrusIRC has been disabled until further notice. Please use OmnomIRC for the time being instead (go to profile->Group Membership then join the "OmnomIRC mode" usergroup).

WalrusIRC will be re-enabled once the bug has been fixed and anything that could disrupt your CodeWalrus browsing experience has been deleted from the OIRC/WIRC logs.
Title: Re: WalrusIRC disabled until further notice
Post by: Streetwalrus on April 11, 2015, 04:42:34 pm
Juju disabled the exploitable code for now. Re-enabling.
Title: Re: WalrusIRC disabled until further notice
Post by: DarkestEx on April 11, 2015, 04:43:00 pm
Quote from: DJ Omnimaga on April 11, 2015, 04:41:45 pm
Due to a security exploit, WalrusIRC has been disabled until further notice. Please use OmnomIRC for the time being instead (go to profile->Group Membership then join the "OmnomIRC mode" usergroup).

WalrusIRC will be re-enabled once the bug has been fixed and anything that could disrupt your CodeWalrus browsing experience has been deleted from the OIRC/WIRC logs.

Sorry, @DJ Omnimaga, for finding that javascript exploit. I just wanted to let you know :(
Hopefully I don't get banned for that or anything...
Title: Re: WalrusIRC disabled until further notice
Post by: Juju on April 11, 2015, 04:46:05 pm
Yeah, please don't abuse security issues next time, told ya to not use alert()...

EDIT: Nope you're not getting banned :P
Title: Re: WalrusIRC disabled until further notice
Post by: DJ Omnimaga on April 11, 2015, 04:47:31 pm
Quote from: DarkestEx on April 11, 2015, 04:43:00 pm
Quote from: DJ Omnimaga on April 11, 2015, 04:41:45 pm
Due to a security exploit, WalrusIRC has been disabled until further notice. Please use OmnomIRC for the time being instead (go to profile->Group Membership then join the "OmnomIRC mode" usergroup).

WalrusIRC will be re-enabled once the bug has been fixed and anything that could disrupt your CodeWalrus browsing experience has been deleted from the OIRC/WIRC logs.

Sorry, @DJ Omnimaga, for finding that javascript exploit. I just wanted to let you know :(
Hopefully I don't get banned for that or anything...
It's ok, thanks for letting us know at least :). Just make sure to not actually use the exploit next time unless it's not harmful or anything :P (in the current case, it was more annoying than harmful, with random alerts popping up, but that could have scared some users away)
Title: Re: WalrusIRC disabled until further notice
Post by: DarkestEx on April 11, 2015, 05:21:31 pm
This issue becomes its own logo:
(https://codewalr.us/proxy.php?request=http%3A%2F%2Fimg.codewalr.us%2Frainbowwalrii3.gif&hash=d0ab190c2618b6d814a0c578f55e1e27)

Let's call it the Derpywalrus exploit.
Title: Re: WalrusIRC disabled until further notice
Post by: Juju on April 11, 2015, 05:29:52 pm
The linkifier has been disabled until further notice until we have a fix (which should be quite simple). The exploit is also on OmnomIRC.
Title: Re: WalrusIRC disabled until further notice
Post by: DarkestEx on April 11, 2015, 05:33:11 pm
I wonder if the chat software could have problems as well.

EDIT: It seems fine to me.
Title: Re: WalrusIRC disabled until further notice
Post by: Juju on April 11, 2015, 06:03:54 pm
It's been fixed on both WalrusIRC and OmnomIRC, on both CodeWalrus and Omnimaga, as of OmnomIRC version 2.9.0.5 and WalrusIRC version 0.0.3.
Title: Re: WalrusIRC disabled until further notice
Post by: DarkestEx on April 11, 2015, 06:10:25 pm
Sounds great!

For everybody who missed the thing, this was basically a way to sneak in javascript into links, like this:
(https://codewalr.us/proxy.php?request=http%3A%2F%2Fmedia.muessigb.net%2FImages%2FMisc%2Fjs_exploit_cw.png&hash=b876061f374db15df8a0f42da7d3954b)

Mouse-hovering over them executed (possibly malicious) javascript.
Title: Re: WalrusIRC disabled until further notice
Post by: Juju on April 11, 2015, 06:13:53 pm
Yep. On WalrusIRC, it also worked with image tags, which also support onload, which could lead to even more disastrous results.
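The bug class described in the last two posts is a linkifier that copies URL text straight into HTML, so attribute and tag characters in a message become markup (an href that closes early, an onmouseover, an img onload). Below is an added example of how a linkifier can be written defensively; it is not code from OmnomIRC or WalrusIRC, and the regex, helper names and the http/https whitelist are my assumptions: every URL is treated as untrusted data, only http(s) schemes become anchors, and all output text is HTML-escaped.

```javascript
// Added example, not OmnomIRC/WalrusIRC code: a linkifier that treats every
// URL found in chat text as untrusted data. Only http(s) URLs become anchors,
// and every character written to the page is HTML-escaped, so nothing in a
// message can close the href attribute or add an event-handler attribute.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Candidate URLs stop at whitespace, angle brackets and quotes; the scheme is
// validated separately so javascript:, data: etc. are never turned into links.
const URL_RE = /\b([a-z][a-z0-9+.-]*):\/\/[^\s<>"']+/gi;
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Returns a normalised href for an allowed absolute URL, otherwise null.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null; // not a parseable absolute URL
  }
  const scheme = parsed.protocol.replace(/:$/, "").toLowerCase();
  return ALLOWED_SCHEMES.has(scheme) ? parsed.href : null;
}

// Converts a plain-text chat message into HTML with safe anchors.
function linkify(message) {
  let out = "";
  let last = 0;
  for (const m of message.matchAll(URL_RE)) {
    out += escapeHtml(message.slice(last, m.index));
    const href = safeHref(m[0]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[0])}</a>`
      : escapeHtml(m[0]); // disallowed scheme: shown as text, not a link
    last = m.index + m[0].length;
  }
  return out + escapeHtml(message.slice(last));
}
```

The same escaping rule applies to image embeds: the src value goes through the scheme check and escapeHtml, and no other attribute is ever built from message text.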
Title: Re: WalrusIRC disabled until further notice
Post by: DJ Omnimaga on April 11, 2015, 06:34:26 pm
Hopefully you can fix the bug soon since being able to click links in WIRC is very convenient, especially from New post notifications. On Cemetech we can't (anymore) so I always have to copy/paste them.
Title: Re: WalrusIRC disabled until further notice
Post by: Juju on April 12, 2015, 06:00:12 am
Come to think of it, this bug's been there since at least 2013 (https://github.com/Sorunome/OmnomIRC2/blob/efdb7b8c335ea1cc535de6d4e3083007db1d446f/omnomirc_www/Omnom_Parser.js#L499), maybe even since 2010-2011. Omnimaga (and also CodeWalrus and a bunch of other sites) has been vulnerable all this time, kind of weird when you think about it. If we were a big company such as Google or Facebook, we would have given @DarkestEx something like $5000 (http://www.google.com/about/appsecurity/reward-program/index.html), but sadly we are not a big company. Please accept 5000 internet points instead. Oh well, it was fun while it lasted.
Title: Re: WalrusIRC disabled until further notice
Post by: Snektron on April 12, 2015, 09:29:10 am
Maybe give him "the Honor of finding a bug" :P
Title: Re: WalrusIRC disabled until further notice
Post by: Duke "Tape" Eiyeron on April 12, 2015, 11:13:03 am
Quote from: Cumred_Snektron on April 12, 2015, 09:29:10 am
Maybe give him "the Honor of finding a bug" :P
Bug-tracker rank? ;)
Title: Re: WalrusIRC disabled until further notice
Post by: Snektron on April 12, 2015, 11:38:48 am
Somebody make a pixel art trophy with some bugs crawling over it as a badge :P
Title: Re: WalrusIRC disabled until further notice
Post by: DJ Omnimaga on April 12, 2015, 03:03:09 pm
Quote from: Juju on April 12, 2015, 06:00:12 am
Come to think of it, this bug's been there since at least 2013 (https://github.com/Sorunome/OmnomIRC2/blob/efdb7b8c335ea1cc535de6d4e3083007db1d446f/omnomirc_www/Omnom_Parser.js#L499), maybe even since 2010-2011. Omnimaga (and also CodeWalrus and a bunch of other sites) has been vulnerable all this time, kind of weird when you think about it. If we were a big company such as Google or Facebook, we would have given @DarkestEx something like $5000 (http://www.google.com/about/appsecurity/reward-program/index.html), but sadly we are not a big company. Please accept 5000 internet points instead. Oh well, it was fun while it lasted.
Wow, I didn't know the bug had been there for that long. That said, I kinda doubt it could have allowed people to execute PHP, right? But yeah, they could have linked to anything off-site that is annoying or malicious. That said, I don't know if it has been present since 2010, because back then OmnomIRC was completely different code. It was rewritten from scratch in 2011.