KUSABA VULNERABILITY (72)

1 Name: serv : 2008-10-09 20:42 ID:p0Jgjy3k [Del]

A SERIOUS SECURITY VULNERABILITY HAS BEEN DISCOVERED AND HAS BEEN USED TO CRIPPLE 711CHAN, 99CHAN, ASSCHAN, AMONG OTHERS.

ALLOWS REMOTE LINUX COMMAND EXECUTION

http://pastebin.com/m13fd6ab0

DELETE OR RENAME AFFECTED FILES IMMEDIATELY!!!!!!!!

23 Name: Anonymous : 2008-10-11 08:23 ID:PJ6QT3L/ [Del]

>>22

Looks like he made good on our wishes

http://img.pushthenet.com/

24 Name: Anonymous : 2008-10-11 08:32 ID:Heaven [Del]

>>23
Awesome

25 Name: Anonymous : 2008-10-11 08:36 ID:Heaven [Del]

>>23
Can still access the boards at
http://img.pushthenet.com/nm/

26 Name: Anonymous : 2008-10-11 12:15 ID:PJ6QT3L/ [Del]

>>25

Just had to spoil the moment, didn't you. Prick.

27 Name: Hitler!Jews.8snwU : 2008-10-11 12:27 ID:QCB5YaiK [Del]

Kusaba X just released a patch that fixes the security vulnerabilities in Kusaba; this patch will not require you to convert to Kusaba X but will just add onto the Kusaba files.

It seems that Serissa's and PushTheNet's "fixes" for the exploits are the exact same, and both still seem to be vulnerable.

The files are at http://kusabax.org

28 Name: Anonymous : 2008-10-11 12:29 ID:vuPgLzji [Del]

>>25
Why would you want to though?

29 Name: Sausage : 2008-10-11 17:38 ID:XBx6F1+0 [Del]

Shame I can't force someone to not fix their websites :(

30 Name: Sausage : 2008-10-11 17:40 ID:XBx6F1+0 [Del]

Also, I'm surprised everyone has these 10,000-line fixes to paint_save.php, when all it requires is one cast.

31 Name: Anonymous : 2008-10-11 18:55 ID:vuPgLzji [Del]

>>30
The file would still be uploaded though.

32 Name: oh : 2008-10-11 19:12 ID:CrzzQsZy [Del]

>>27
You basically took the fix from Serissa 1.0.4 and added some other unnecessary crap. Nice job.

33 Name: Anonymous : 2008-10-11 19:15 ID:vuPgLzji [Del]

>>32
And you either took the fix from Tahko, or vice versa.

34 Name: Harrison!cocKS/hVJM : 2008-10-11 20:02 ID:vuPgLzji [Del]

>>30
D'oh, you're right. Just fixed the Kusaba X patch with this new way of doing it.

35 Post deleted by user.

36 Name: Sausage : 2008-10-11 20:13 ID:XBx6F1+0 [Del]

>>31
Yes, but the entire point of that script is to upload files.

The real correct way would be to store the filenames outside of the reach of users. I think you can overwrite other people's animations still with all of the current fixes, and have some temporary image hosting through "image.jpg".

Not that anyone cares but I'm writing my own PHP based imageboard now. :3
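Added illustration of the three positions argued over in >>30, >>31 and >>36 (this is not Kusaba's paint_save.php and not any of the patches mentioned in the thread). It models a "save the drawing in progress" handler three ways: the client naming the file, the "one cast" fix, and a name that never leaves the server. The directory, the `id` parameter, the `$session` array standing in for `$_SESSION`, and the sample request are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not Kusaba's paint_save.php nor any of the patches discussed.
// Three versions of a "save the drawing in progress" handler, following the thread:
//   save_unsafe   - the client chooses the filename (the bug class being argued about)
//   save_cast     - the "one cast" fix from >>30
//   save_session  - the filename never reaches the client, as >>36 suggests
// TMP_DIR, the `id` parameter and the session key are assumptions.

const TMP_DIR = '/tmp/oekaki_demo';

// 1. Unsafe: $get['id'] goes straight into the path, so "../x" leaves TMP_DIR.
function save_unsafe(array $get, string $data): string
{
    $dest = TMP_DIR . '/' . $get['id'] . '.png';
    file_put_contents($dest, $data);
    return $dest;
}

// 2. "One cast": (int) reduces any input to digits, so the path is always
//    TMP_DIR/<n>.png. Traversal is gone, but as >>31 and >>36 note the file is
//    still written, and any client can pick any <n> and clobber someone else's.
function save_cast(array $get, string $data): string
{
    $id   = (int) $get['id'];
    $dest = TMP_DIR . '/' . $id . '.png';
    file_put_contents($dest, $data);
    return $dest;
}

// 3. Server-chosen name: an id is minted when the drawing session starts and kept
//    in the session; the save request carries no filename at all.
function start_drawing(array &$session): int
{
    $session['oekaki_id'] = random_int(1, PHP_INT_MAX);
    return $session['oekaki_id'];
}

function save_session(array $session, string $data): string
{
    if (!isset($session['oekaki_id'])) {
        throw new RuntimeException('no drawing in progress for this session');
    }
    $dest = TMP_DIR . '/' . $session['oekaki_id'] . '.png';
    file_put_contents($dest, $data);
    return $dest;
}

// Helper: true when $path resolves to a file inside $dir.
function inside(string $dir, string $path): bool
{
    $real = realpath($path);
    $base = realpath($dir);
    return $real !== false && $base !== false && str_starts_with($real, $base . '/');
}

// --- demo with constructed input -------------------------------------------
@mkdir(TMP_DIR, 0700, true);
$png     = "\x89PNG constructed sample bytes";       // stand-in for the drawing
$hostile = ['id' => '../escaped'];                   // constructed hostile request

$p1 = save_unsafe($hostile, $png);
printf("unsafe : %s (inside tmp dir: %s)\n", $p1, inside(TMP_DIR, $p1) ? 'yes' : 'no');

$p2 = save_cast($hostile, $png);
printf("cast   : %s (inside tmp dir: %s)\n", $p2, inside(TMP_DIR, $p2) ? 'yes' : 'no');

$session = [];
start_drawing($session);
$p3 = save_session($session, $png);
printf("session: %s (inside tmp dir: %s)\n", $p3, inside(TMP_DIR, $p3) ? 'yes' : 'no');

// tidy up the demo files
foreach ([$p1, $p2, $p3] as $f) { @unlink($f); }
```

Run it with `php demo.php` (PHP 8 for `str_starts_with`). The cast stops the path from leaving the directory but leaves the id under the client's control, which is the overwrite >>36 is worried about; only the third version takes the name away from the request entirely.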

37 Name: Harrison!cocKS/hVJM : 2008-10-11 20:17 ID:Ma0bN2U9 [Del]

>>36
The thing about it is that folder shouldn't have anything in it for a long period of time anyways. Unless the person is typing out an essay, that folder shouldn't have crap in it for really more than 5 minutes at the most, and that's giving them leeway.

38 Name: Harrison!cocKS/hVJM : 2008-10-11 20:18 ID:8sGKvZT4 [Del]

>>36
Also, inb4 PHP BAWWWWWWWWWW shitstorm.

39 Name: Sausage : 2008-10-11 20:22 ID:cRDNTDqB [Del]

Well I've combed through Kusaba enough times now to say it's probably safe if you remove the entire oekaki and load balancing system.

>>38
Heh, no matter what anyone says, PHP is too popular among things like free hosts to not use. (which is probably another reason people would cry)

40 Name: Harrison!cocKS/hVJM : 2008-10-11 20:27 ID:8sGKvZT4 [Del]

>>39
While that would be a good idea on the security side, it would be a bit of a drawback to everyone who actually uses Oekaki.

Load balancer seems like it was a bit of a joke though.

41 Name: Makoto!!QPpGvuVX : 2008-10-11 20:59 ID:Heaven [Del]

>>39

PHP is also insecure from its core functions because its dev team shuns proper security practices.

Anyways, anybody running a serious imageboard off a free host has yet to learn the horrors of bandwidth and CPU load restrictions. Even so, there are a lot of free hosts with perl installed on the machines in their datacenter, even some running python, making the whole "well some people have to use PHP" argument void.

I really implore you not to continue this project, but if you decide you're going to, just don't add stickies. We don't need another kusaba clone on the net.

42 Name: Harrison!cocKS/hVJM : 2008-10-11 21:40 ID:5NAsiEEi [Del]

>>41
Not to be an ass, but really, you all say 'the dev team shuns proper security practices.' Where is your source of that? Kusaba had been out for over 2 years, and Sausage's exploit has been the first (that was publicly released).

43 Name: Anonymous : 2008-10-12 01:02 ID:Heaven [Del]

44 Name: Makoto!!QPpGvuVX : 2008-10-12 02:22 ID:Heaven [Del]

>>42

Sausage's wasn't the first to be publicly released, though. There were a few exploits that were found and released before the 1.00 release, but they didn't really have that big an impact and were all patched by Trevor.

Don't get me wrong, I don't completely hate PHP. It was, in fact, the first programming language that I learned, but it is certainly not my most preferred language to work with.

Let me get one thing straight though. I'm sick and tired of every single person on the planet who's made any sort of modification to the kusaba source at all releasing it as a "continuation of" or as completely new software "based off kusaba." Yeah, we get it. Instead of plain text, your stylesheet switcher is a dropdown menu! Holy crap how did you learn such mad skills?

To serv, the primary coder(s) of serissa, Tahko, whoever's coding Kusaba X, and anybody else working on shitty forks (it's kind of sad how long that list extends), shut up. You're doing a disservice to the entire community by continuing a failed project that played in the creation of >9000 imageboards nobody will ever use, ever, and your bitching about who stole what patch for Sausage's load balancer and oekaki module exploits is funny, yet annoying as all hell at the same time.

tl;dr: do the impossible see the invisible row row fight the powah

45 Name: Anonymous : 2008-10-12 02:35 ID:OU45w4EV [Del]

hay guys, here is some juicy gossip - i found the load receiver thing a few months ago - i informed a few admins about it and then reported it to trevor, whereby many lulz were had:

>Very nice work. Also, plus points for using Python. I'm planning on replacing kusaba with my own Python project I'm working on, you can take a look at http://code.google.com/p/pyib-standalone/
>I'm thinking about writing a PHP version of your Python code, and then sending the PHP version in Python's 64'd code. Sort of a "proxy" if you will. Then the remote site will be exploiting other remote sites, and if you set it up properly you could make it a star network of the chans executing malicious code on each other. As soon as they look up the logs they would start calling each other out on operating it. This would cause epic confusion.
>Something which comes to mind for being malicious would be to have it try and download a large file as many times as it can under new file names, causing tons of bandwidth usage and filling up the hard drive at the same time. Do you have any ideas?

sorry tj9991 D:

46 Name: Makoto!!QPpGvuVX : 2008-10-12 02:39 ID:Heaven [Del]

Did he tell you to DELETE OR RENAME AFFECTED FILES IMMEDIATELY!!!!!!!!?

47 Name: Anonymous : 2008-10-12 02:53 ID:OU45w4EV [Del]

do you EVER STOP WHINING!!!!?

48 Name: Makoto!!QPpGvuVX : 2008-10-12 03:04 ID:Heaven [Del]

>>47

I'm just keeping it real.

49 Name: Anonymous : 2008-10-14 13:20 ID:PJ6QT3L/ [Del]

Lol, Tahko thinks that it was /soc/ that hacked his shitty board.

http://img.pushthenet.com/nm/res/11419.html#i11447

50 Post deleted by user.

51 Name: saged : 2008-10-14 18:36 ID:Heaven [Del]

>>49
He probably wasn't even hacked, he's probably just attention whoring, and you're buying right into it.

52 Name: Anonymous : 2008-10-14 21:43 ID:d+CHv7H9 [Del]

I got in thru vulns and just fucked stuff up for about an hour.

53 Name: Tahko : 2008-10-15 15:24 ID:bthlZjl+ [Del]

62.141.52.224 is the IP of the person that was using the exploit on IMG and Konatachan.

IMG has patched but Konatachan didn't and they are working on it.

Please ban this IP and don't let him see the board. At least it shows that you guys were not partially involved.

Thank You.

54 Name: Anonymous : 2008-10-15 15:39 ID:Heaven [Del]

>>53
What are you talking about?

55 Name: Anonymous : 2008-10-15 15:39 ID:Heaven [Del]

>>53
What are you talking about?

56 Name: Anonymous : 2008-10-15 18:17 ID:Heaven [Del]

>>53
Why ban them, they have a worthy cause.

57 Name: Anonymous : 2008-10-15 19:58 ID:Heaven [Del]

>>55
he thinks we're some sort of secret cabal and that we hacked his shitty site. the fact that just about everyone who has anything to do with imageboards, including trevor, knows that kusaba is shit couldn't have anything to do with it. i say we should encourage him in his crazy conspiracy theories, it might be somewhat amusing.

58 Post deleted by user.

59 Post deleted by moderator.

60 Name: Anonymous : 2008-10-16 08:15 ID:Heaven [Del]

>>59
no u.

61 Name: !WAHa.06x36 : 2008-10-19 13:38 ID:Heaven [Del]

That IP has never posted on this board.

Of course, we would say that, wouldn't we?

62 Name: ekvin : 2008-10-21 13:12 ID:GgzRmVg8 [Del]

>>57 There is no cabal, right?

63 Name: Anonymous : 2008-10-21 14:17 ID:iaCmM02y [Del]

Kusaba is shit anyway, hope all KusaTravor sites bite the big weeny.

64 Name: Anonymous : 2008-10-22 06:46 ID:Heaven [Del]

>>53 Very very very likely not their real IP, probably 7th one in the chain. My Poirot-genes tell me so. Also why make a confusing name like IMG when it's standard on imageboards. Please don't tell me you just took it from that without really thinking anything at the time.

65 Name: Piyoko!Hy2U2pAndA : 2008-10-22 23:40 ID:Heaven [Del]

They did it for bandwagoning weenysuckery.

66 Name: heh man!fi.Jek4HW6!!CLcXMLmO : 2008-11-12 19:53 ID:yPiTEn9M [Del]

>>63

THOSE WORDS ARE BLASPHEMY

67 Name: Anonymous : 2008-11-12 19:58 ID:Heaven [Del]

>>66
did you really need to bump the thread for that?

68 Name: Anonymous : 2008-11-12 20:06 ID:Heaven [Del]

>>66
Too bad it's true.

69 Name: heh man!fi.Jek4HW6!!CLcXMLmO : 2008-12-31 18:47 ID:Heaven [Del]

>>68
no u

70 Name: Anonymous : 2009-01-02 11:08 ID:Heaven [Del]

http://kusabax.org/dev/ SECURITY EXPERTS!

71 Name: Louis Vuitton Outlet : 2012-08-03 05:49 ID:yTfWgGGX [Del]

72 Name: Bottega Veneta Clutch : 2012-08-20 01:42 ID:EBT8vPJw [Del]
