GoFuckYourself.com - Adult Webmaster Forum

-   -   GFY Code Exploitable (https://gfy.com/showthread.php?t=249540)

Road Rash 03-09-2004 09:17 PM

Blah blah blah, in other words you're wrong and can't admit it, either that or you don't know html very well.

Go look up how many threads are named I Love Smokey

mryellow 03-09-2004 09:29 PM

Ok now you're actually starting to communicate rather than make
ridiculous statements relating to completely different methods of
doing something like this. Now it actually sounds like you
understand the code. Before you sounded silly because you were
saying the code could do things, which it certainly can not.

What you are describing doesn't allow you to do "anything they
want with the server".

It does not give you a way to shutdown the server. Sure you
could make a mess but it wouldn't hurt much and wouldn't take
down anything.

Quote:

make the form button attach to the reply button

There would be no form button instead you'd use an onstart like
above to do a form submit. If you decided to include a form
button you'd have little hope of "attaching" it to the reply button.
Instead you'd want to use one of the events that would be fired
as a user navigates.

From the example given I'm guessing everything has to be
contained in the Poll section, as I'm sure the post section would
strip any form tags. The poll section would also need to not have
limits on length.

Let's see.....

http://www.gofuckyourself.com/showth...hreadid=249969

gee what do u know......

form is a banned word even in the polls and there is a character limit.

-Ben

mryellow 03-09-2004 10:22 PM

There is another way to do it....

However once again it's nothing like what you've described.

-Ben

Road Rash 03-09-2004 10:25 PM

Again this shows your complete lack of understanding how html works.. I can get around ANY BANNED WORD..

Don't believe me, Want proof ? tell me any html command and i will show you :)

Think that injecting code into your posts can't affect the gfy server ?? smoking crack again ??

Doctor Dre 03-09-2004 10:32 PM

If you're going to make some dumb ass moronic post, don't bother, i don't care - This is for the mods to take care of

If this was so important GFY would already be down

icedemon 03-09-2004 10:37 PM

Quote:

You sir are a complete moron who doesn't know html yet. go back to sleep.

ITS AN EXAMPLE YOU FUCKING DIPSHIT !!!!

So show the code that you would use to do this big thing of being able to change other people's passwords and such. I gotta see this code that you have. I'm pretty sure Lensman and others would believe what you have to say if you showed the code that would do all this damage you're talking about.

You haven't shown shit, so nobody believes what you say is true. All you can do is spew out crap and nonsense. Prove to me what can be done and stop being a drama queen.

Road Rash 03-09-2004 10:40 PM

You would think so, but i suppose there isn't that many people who don't like gfy.

Why would anyone want to shut down gfy ?? other than maybe a few board owners.

The code is very important..

Anyone with half a brain and even a halfway decent understanding of html can think about it for about 10 seconds and understand what it could do..

There are already a few people using the code to hit pages ( slowing down gfy )

If i was an asshole i would just use the flaw for profit instead of letting gfy know about it.

Road Rash 03-09-2004 10:43 PM

If lensman gives me permission i will show it, other than that you can wait.

Would it be a good idea to show every moron how to take down boards left and right . NO !!!

I will give you hints so anyone who KNOWS HTML can figure it out without actually showing how..


Hint #1 "SPACES"

Hint #2 " DOCUMENT WRITE "

Hint #3 "+"

icedemon 03-09-2004 10:48 PM

First of all it sounds like you're talking about j a v a s c r i p t and not html. Do you even know what the difference is between html and j a v a s c r i p t? Second, if you post what the code is, Lensman would have to fix the problem and he would have to take you seriously.

Email me this code to
roadrash AT axx DOT net
If it looks like something to be concerned about, I'll take you seriously. I won't post the code on the board either.

Road Rash 03-09-2004 10:57 PM

email sent .

You can post your reply in the room :)

when i posted the flaws before everyone freaked out..

gfy used to allow flash sigs until i pointed out the flaws in allowing them. ever since then i have become the gfy flaw scapegoat..

SomeCreep 03-09-2004 11:01 PM

50 GFY codes Exploitable :glugglug

RainMailer 03-09-2004 11:05 PM

Hehe nice job Road Rash do you have ICQ!

dirtyone 03-09-2004 11:08 PM

If you weren't such a pompous ass and obvious attention whore people might think you were actually trying to help.

Road Rash 03-09-2004 11:12 PM

Quote:

Originally posted by dirtyone


If you weren't such a pompous ass and obvious attention whore people might think you were actually trying to help.

heh :angel

RainMailer 03-09-2004 11:14 PM

Road Rash I would also like to see how this code works and how it can be fixed if you can email me the code to harbinc at cox.net

mryellow 03-09-2004 11:21 PM

Quote:

Anyone with half a brain and even a halfway decent
understanding of html can think about it for about 10 seconds
and understand what it could do..

Not when you describe it as being something totally different to
what it actually is. It makes you look like you don't understand
the code you're posting when you call it HTML and say it can do
anything on any server.

What you are talking about is a very particular combination of
techniques. Once you know the combination it does indeed
appear easy and many of us have seen these techniques used
before in different situations. However without investigation of
the steps needed someone can't just spend 10 seconds looking
at the code to figure out exactly what the fuck it is you are talking
about.

I'm guessing english isn't your first language.... no offence but
when you use all the wrong words and describe things totally
backwards it does kinda make it hard for anyone to agree with
you.

Quote:

If i was an asshole i would just use the flaw for profit instead of
letting gfy know about it.

If you weren't an asshole you'd actually say what you mean
rather than talking all this crap about server hacking and sending
emails.

Lens.... He is right... It is exploitable.

You need to block a few event handlers such as onstart, onclick, etc.

-Ben

- Jesus Christ - 03-09-2004 11:21 PM

You know no one gives a shit when....

Road Rash 23
mryellow 7
icedemon 4

You have three times as many posts as the second person in the thread (who successfully tore you down, might I add)

No I will not grab a brain and no I'm not your son.

http://www.polarhome.com/~plasticlsd/4smokey.MP3

nobody

Road Rash 03-09-2004 11:24 PM

jc so far everyone who doubted me has admitted after thinking about it for 2 seconds they were wrong .. Go back to bed jc. :)

mryellow 03-09-2004 11:24 PM

It's just the guy mixes in so much bullshit with his facts that it
makes him appear like he has no idea what he's talking about.
Nice camouflage job... However I think I'd rather appear smart
than dumb.

Did it take you 2 seconds to come up with?

Stop trying to make ppl feel bad for not understanding your
backwards and simply wrong comments.

-Ben

- Jesus Christ - 03-09-2004 11:27 PM

Go back to the security forum.... where people give a fuck.

You're nothing but an exploit baby.

Produce one piece of useful software you have written.



FEEL THE NOBODIES, WANNA BE SOMEBODIES.....

<img src="http://www.gofuckyourself.com/images/smilies/1orglaugh.gif" width=360 height=360>

Road Rash 03-09-2004 11:28 PM

mryellowsnow.

as i explained if i gave exact details on it it would also explain to every little punk with a copy and paste how to do it, so that's why i was vague.. sorry if you couldn't figure that out..

icedemon 03-09-2004 11:28 PM

I can see how what you mentioned can be used to make popups and other stuff in j a v a s c r i p t that could cause trouble on GFY. What you found is a good find. But you really made it more than it really is. It can't do most of the stuff you mentioned.

Being able to change the password by having the cookie sent to you cannot be done. At least without asking the client permission before it is actually sent. It could be done with old browsers (I'm talking about the really old ones on Win 95 machines). But most newer browsers won't let emails be sent via j a v a s c r i p t without permission from the client first.

Sending out emails via j a v a s c r i p t used to be a big problem in the early days. That's how emails were harvested. That has since been fixed for some years now.

mryellow 03-09-2004 11:33 PM

See the problem?

People still think you're talking about hacking servers or sending
emails from client machines.

It's not the fact that you hid the method....
I do think that was quite good of you.....

It's that you were talking about totally different things which
were quite simply wrong. You can not for example do anything to
any server with the method you're using.

You really can't blame someone for thinking you're barking up the
wrong tree when you say that jav-as-cript can do anything you want to the server.

Hide the actual code sure..... but why make yourself look stupid
by saying things that are so wrong.

Lens it does need fixing..... He may look stupid but he has found
an exploit that someone will probably soon use and could upset
some ppl.

-Ben

Road Rash 03-09-2004 11:34 PM

You don't need to use email just add the cookie to a string and pop it in a window example, yoururl.com/logged.cgi?+document . cookie

to change password just make a hidden form with a replica of the profile form ( but with your own info ) now the email is whatever you changed it to, now just reset the password and have it sent to the new email, shebang.

foolio 03-09-2004 11:34 PM

For somebody that is so good at 'hacking' you sure do suck at reading and understanding the sig rules.

:glugglug

Road Rash 03-09-2004 11:36 PM

duocash is a top banner sponsor moron

mryellow 03-09-2004 11:37 PM

Without actual testing I'm still not sure you'd fit in everything you
want to do into the character limit. However yes it is a worry.

-Ben

foolio 03-09-2004 11:43 PM

Quote:

duocash is a top banner sponsor moron

no shit asshole -- like I said, for somebody who is so good at 'hacking' you sure do suck at reading and UNDERSTANDING the sig rules:

2. Signature rules. Maximum 120x60 button and no more than 3 text lines of default size and color.
New as of 1/1/2003: if your sig is for a GFY top banner sponsor, you may use a 468x60 instead of a 120x60. Yes there is a reason this is so big. Also putting your text in a cell and making it look like a button is against the rules. Let me repeat... A 120 x 60 button and no more than 3 lines of DEFAULT SIZE AND COLOR text.

First, your sig banner is 645 x 120 -- that is ABOVE THE ALLOWED 468x60 for top banner sponsor.

Second, your text is NOT the default size OR color.


So eat a dick buttmunch --- go google for more GFY hacks

:thefinger

Road Rash 03-09-2004 11:46 PM

like i said i have already tested it , it fits under the character limit just fine besides you can hide an unlimited amount of characters in a hahahahahahahahahaha ;) with a document write ....

To the moron complaining about my sig.. my sig fits gfy see the top 10 posters on this board... my sig is the same. quit crying because you can't say anything useful

foolio 03-09-2004 11:50 PM

Quote:

To the moron complaining about my sig.. my sig fits gfy see the top 10 posters on this board... my sig is the same. quit crying because you can't say anything useful

"Mommy, mommy - the other kids are doing it, so that means its ok right mommy?"

:1orglaugh :1orglaugh :1orglaugh


like I said, you sure do have a hard time reading and understanding the sig rules.

Road Rash 03-09-2004 11:55 PM

I don't bend over, you do.. big difference.

Why would i use an undersized sig when the mods allow people to use oversized sigs if they are using a top sponsor.

Maybe if you sent one of the mods an angry email about it or cried to them via icq they might change all the sigs just for you..

Whoops i must have been dreaming there for a second :1orglaugh

mryellow 03-09-2004 11:59 PM

ext jv.... yeah got ya.

-Ben

Road Rash 03-10-2004 12:07 AM

Something close to this..

<img src="http://216.130.172.224/haha1.jpg">
<img src="http://216.130.172.224/haha2.jpg">
<img src="http://216.130.172.224/haha3.jpg">

mryellow 03-10-2004 12:41 AM

No no.... much more dangerous.

You could run any new IE, ActiveX, Java, or Flash exploit on a
great deal of GFY members before the admins saw it.

This combined with other exploits or some yet to be discovered
could allow an attacker to gain complete control of your home
system via your browser.

-Ben

foolio 03-10-2004 12:44 AM

Quote:

Whoops i must have been dreaming there for a second

lol

mryellow 03-10-2004 12:48 AM

GFY needs to block the following words:

onload
onunload
onchange
onsubmit
onreset
onselect
onblur
onfocus
onkeydown
onkeypress
onkeyup
onclick
ondblclick
hahahahahahahadown
hahahahahahahamove
hahahahahahahaout
hahahahahahahaover
hahahahahahahaup

-Ben

foolio 03-10-2004 12:51 AM

Quote:

Originally posted by mryellow
GFY needs to block the following words:

hahahahahahahadown
hahahahahahahamove
hahahahahahahaout
hahahahahahahaover
hahahahahahahaup

-Ben


yes, those hahaha's will fuck you up every time

sorry, it was funny...

Road Rash 03-10-2004 01:08 AM

Quote:

Originally posted by mryellow
No no.... much more dangerous.

You could run any new IE, ActiveX, Java, or Flash exploit on a
great deal of GFY members before the admins saw it.

This combined with other exploits or some yet to be discovered
could allow an attacker to gain complete control of your home
system via your browser.

-Ben

Now you're catching on..


BTW you missed a few event handlers ;) and several other things..

mryellow 03-11-2004 12:06 AM

Yeah can't be bothered hunting everything, leave that to GFY.

Just posting again to see if they are blocked......
Lens.... It's actually quite serious.

onload
onunload
onchange
onsubmit
onreset
onselect
onblur
onfocus
onkeydown
onkeypress
onkeyup
onclick
ondblclick

-Ben
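
As an added example (not code from the thread or from vBulletin): the word list above, applied as a substring blocklist, accepts a post that uses `onstart`, a handler named earlier in the thread but absent from the list, while an allowlist sanitizer drops every attribute it does not recognise. The tag policy, the function names and the sample post are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Word list posted in the thread, applied as a substring blocklist.
BLOCKED_WORDS = ("onload onunload onchange onsubmit onreset onselect onblur "
                 "onfocus onkeydown onkeypress onkeyup onclick ondblclick").split()
# Assumed policy for this example: tags a post may keep, with their attributes.
ALLOWED = {"b": set(), "i": set(), "br": set(), "a": {"href"}, "img": {"src"}}
VOID = {"br", "img"}
# Constructed sample post; onstart is named in the thread but is not on the list.
SAMPLE = '<marquee onstart="placeholder()">hi</marquee>'

def blocklist_allows(post):
    lowered = post.lower()
    return not any(word in lowered for word in BLOCKED_WORDS)

def safe_url(value):
    try:  # accept only absolute http(s) URLs
        return urlsplit(value.strip()).scheme.lower() in ("http", "https")
    except ValueError:
        return False

class PostSanitizer(HTMLParser):
    """Re-emit only allowlisted tags and attributes; escape all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag dropped; its text is still emitted, escaped
        kept = ""
        for name, value in attrs:
            value = value or ""
            # Attributes outside the policy are dropped, so every event
            # handler goes without having to be listed by name.
            if name in ALLOWED[tag] and (name not in ("href", "src") or safe_url(value)):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(post):
    parser = PostSanitizer()
    parser.feed(post)
    parser.close()
    return "".join(parser.out)
```
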


All times are GMT -7. The time now is 02:31 AM.
