
Twitter Crosspost 

RT @OscarVReuenthal
I used to look at KiwiFarms just to see what it was about, and this is why I created a separate email account under a fake name in order to access it. twitter.com/litdogger/status/1

Twitter Crosspost 

RT @dardartYT
i think teen titans go is a great example of great animators having to make dog shit for the majority of the series

Twitter Crosspost 

RT @IMakeCowboysGay
first game of the season and it's a win with the oomfie

Twitter Crosspost 

never forget the time that someone featured in a 3kliksphilip video had cropped furry porn as their avatar

Twitter Crosspost 

RT @JARG_7
I went to the zoo and the highlight was watching a giant grasshopper take a dump.

Twitter Crosspost 

These are the kinds of people who support Keffals. Hurting the security of thousands of innocent people in order to retaliate against one that they don't like.

@josh iirc
Content-Security-Policy: script-src <source> <source>;
means either of the sources is allowed, not that you need both to apply
so troonshine.opus would be loaded just fine with 'self'
from there it's https://book.hacktricks.xyz/pentesting-web/content-security-policy-csp-bypass#file-upload-+-self
as for how you'd put it there, i'd reckon one of the many .innerHTML = userinput; since all of them seem unsanitized
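The reply above hinges on how a CSP source list is evaluated. Below is an added example, not code from anyone in this thread: a small evaluator for the `script-src` directive (with the `default-src` fallback) that implements a subset of the CSP3 source-expression matching rules. It shows that a source list is a disjunction, that `'self'` is satisfied by any same-origin URL including a user-uploaded file, and what changes under a nonce plus `'strict-dynamic'` policy or when uploads are served from a separate origin. The hosts `forum.example`, `cdn.example`, `uploads.forum-cdn.example` and the `/attachments/` path are hypothetical; `'self'` is simplified to plain origin equality.

```javascript
// Added example: simplified CSP script-src evaluator (not the thread's code).
// Hosts and paths below are hypothetical.

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Source expressions governing scripts: script-src, else default-src, else
// null (no directive applies, so nothing is restricted).
function scriptSources(policy) {
  const directives = policy.split(';').map(d => d.trim()).filter(Boolean);
  for (const name of ['script-src', 'default-src']) {
    const d = directives.find(x => x.split(/\s+/)[0].toLowerCase() === name);
    if (d) return d.split(/\s+/).slice(1);
  }
  return null;
}

// host-source: [scheme://] host [:port] [path]; host may be * or *.example
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*\s]+|\*)(?::(\d+|\*))?(\/\S*)?$/i;

function hostSourceMatches(expr, url) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const h = url.hostname.toLowerCase();
  if (host === '*') {
    // bare * matches any host
  } else if (wildcard) {
    if (!h.endsWith('.' + host.toLowerCase())) return false;
  } else if (h !== host.toLowerCase()) {
    return false;
  }
  const urlPort = url.port || defaultPort(url.protocol);
  if (port && port !== '*' && port !== urlPort) return false;
  if (path) {
    // trailing slash = this directory and below; otherwise an exact file
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin; // simplification of the spec rule
  if (expr === "'none'") return false;
  if (expr.startsWith("'")) return false; // 'nonce-…', 'sha256-…', 'unsafe-inline', 'strict-dynamic' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source, e.g. https:
  return hostSourceMatches(expr, url);
}

// May a script at scriptUrl load on a page at pageOrigin under policy?
// The source list is a disjunction: one matching expression is enough.
function scriptAllowed(policy, scriptUrl, pageOrigin) {
  let sources = scriptSources(policy);
  if (sources === null) return true;
  // 'strict-dynamic' makes host, scheme and 'self' sources ignored: only
  // nonces/hashes count, and a bare URL can never carry one.
  if (sources.includes("'strict-dynamic'")) {
    sources = sources.filter(s => /^'(nonce|sha(256|384|512))-/.test(s));
  }
  const url = new URL(scriptUrl);
  const origin = new URL(pageOrigin).origin;
  return sources.some(expr => sourceMatches(expr, url, origin));
}

const PAGE = 'https://forum.example';
const UPLOADED = 'https://forum.example/attachments/troonshine.opus'; // attacker-controlled bytes, same origin
const LAX = "default-src 'self'; script-src 'self' https://cdn.example";
const HARDENED = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'";

for (const [policy, url] of [
  [LAX, UPLOADED],                                       // true: 'self' alone suffices
  [LAX, 'https://cdn.example/lib.js'],                   // true: the other source suffices
  [LAX, 'https://evil.example/x.js'],                    // false
  [HARDENED, UPLOADED],                                  // false: no nonce on a plain URL
  ["script-src 'self'", 'https://uploads.forum-cdn.example/troonshine.opus'], // false: uploads moved off-origin
]) {
  console.log(`${policy}\n  ${url} -> ${scriptAllowed(policy, url, PAGE)}`);
}
```

Two caveats a practitioner would add: a URL matching the policy only means the fetch is permitted, the browser must also accept the response as script (a `nosniff` header with an audio or image `Content-Type` blocks it), and `innerHTML` never executes `<script>` elements it inserts, so the script element has to reach the document some other way.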
Challenge for security experts: explanation of the XenForo scripting vulnerability.
t.me/kiwifarms/50
Yesterday, Vsys, a host we used as a forward-proxy, was compromised.

Today, the site was hacked to change everyone's avatars to logos of Poast.

Then, each node on the forum index was deleted one at a time.

There are backups of the site so no information is permanently lost but I have not diagnosed what the attack vector was yet or the extent of the breach.
This statement regards user impact.

- Assume your password for the Kiwi Farms has been stolen.
- Assume your email has been leaked.
- Assume any IP you've used on your Kiwi Farms account in the last month has been leaked.

The attacker had access to my admin account, probably through session hijacking (bypassing password and 2fa). He would have been able to access user data, and XenForo provides a way to export user lists with information that is precisely: email, username, last activity, register date, user state (banned/unverified), post count, and if they are staff.

However,
```
2a03:e600:100::31 - - [18/Sep/2022:08:16:13 +0000] "GET /admin.php?users/list-export&export=1 HTTP/2.0" 500 0 "https://kiwifarms.st/admin.php?users/list" "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
```
In this access.log entry for the only attempt made to export this information, he tried to export 120k+ users at once. This caused it to crash and respond Error 500. No other attempt was made to export the user list. It's unclear if he obtained any user information.

I am still deducing the attack vector. I currently have two theories that I will explain later.
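The statement rests on one access-log line and the claim that it was the only export attempt. Below is an added example, not part of the statement or of XenForo: a parser for combined-format access-log lines that picks out requests to the XenForo admin user-list export route and reports whether each one actually returned a body, plus a per-IP view of all admin-panel requests for context. Only the first sample line is the one quoted above; the other three are constructed for illustration and use documentation IP ranges, and a successful export is included so the success test has something to flag.

```javascript
// Added example: access-log triage for admin user-list export attempts
// (not code from the statement or from XenForo). Line 1 is the quoted entry;
// the remaining lines are constructed.

const SAMPLE_LOG = [
  '2a03:e600:100::31 - - [18/Sep/2022:08:16:13 +0000] "GET /admin.php?users/list-export&export=1 HTTP/2.0" 500 0 "https://kiwifarms.st/admin.php?users/list" "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"',
  // constructed: ordinary member reading a thread
  '198.51.100.4 - - [18/Sep/2022:08:16:20 +0000] "GET /threads/example-thread.1/ HTTP/2.0" 200 51230 "-" "Mozilla/5.0"',
  // constructed: admin list page view, not an export
  '203.0.113.7 - - [18/Sep/2022:09:01:02 +0000] "GET /admin.php?users/list HTTP/2.0" 200 18432 "-" "Mozilla/5.0"',
  // constructed: what a completed bulk export would look like
  '2001:db8::9 - - [18/Sep/2022:09:03:44 +0000] "GET /admin.php?users/list-export&export=1 HTTP/1.1" 200 6291456 "-" "Mozilla/5.0"',
].join('\n');

// combined format: ip ident user [time] "method target proto" status bytes "referer" "ua"
const LINE_RE = /^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable lines are skipped, not guessed at
  const [, ip, , , time, method, target, proto, status, bytes, referer, ua] = m;
  return {
    ip, time, method, target, proto, referer, ua,
    status: Number(status),
    bytes: bytes === '-' ? 0 : Number(bytes),
  };
}

function parseLog(text) {
  return text.split('\n').map(parseLine).filter(Boolean);
}

// XenForo routes admin actions as admin.php?<controller>/<action>&params;
// the bulk user export is users/list-export.
function isExportRequest(rec) {
  return /^\/admin\.php\?users\/list-export(?:&|$)/.test(rec.target);
}

function findExportAttempts(text) {
  return parseLog(text).filter(isExportRequest).map(r => ({
    ip: r.ip,
    time: r.time,
    status: r.status,
    bytes: r.bytes,
    // Only a 2xx with a non-empty body shows data leaving via this endpoint.
    // A 500 with 0 bytes is an empty response; it says nothing about other paths.
    succeeded: r.status >= 200 && r.status < 300 && r.bytes > 0,
  }));
}

// All admin-panel requests grouped by client IP: the context around an attempt.
function adminRequestsByIp(text) {
  const out = {};
  for (const r of parseLog(text)) {
    if (!r.target.startsWith('/admin.php')) continue;
    out[r.ip] = out[r.ip] || [];
    out[r.ip].push(`${r.time} ${r.method} ${r.target} ${r.status} ${r.bytes}`);
  }
  return out;
}

for (const a of findExportAttempts(SAMPLE_LOG)) {
  console.log(`${a.time} ${a.ip} export -> ${a.status} ${a.bytes} bytes ${a.succeeded ? 'SUCCEEDED' : 'no body'}`);
}
console.log(adminRequestsByIp(SAMPLE_LOG));
```

On a real log the same two functions would be run over the full retention window, not a single day, and a hit from any IP other than the known attacker's should be investigated the same way.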

Twitter Crosspost 

RT @taizou_hori
Turned on the TV expecting wall to wall Queen coverage only to see Mr Chips ripping a massive fart

Twitter Crosspost 

RT @_Ninji
This BBC iPlayer error message is very unfortunate when superimposed over a picture of the queen

>install arch
>can't connect to the internet
>can't get an ipv4 address
>can eventually autoinstall
>go to set up Brave
>requires yay
>yay takes 2 and a half fucking hours to download and build 30 gigabytes of dependencies to compile Brave from fucking source
>throws an error at the very end and uninstalls everything
>fonts break because it installed a font package that got uninstalled
>go to install obs
>no version with fucking streaming browser support
>go to install flatpak to install obs 28 with browser
>cinnamon not supported

>try fedora for the first time
>beautiful installer
>beautiful de out of the box
>sudo dnf brave-browser
>works
>flatpak installed by default
>obs 28 works and has browser support

archsisters... you lose
Extremely frustrating that OBS Custom CSS only does not work on Google Chat specifically for some reason. What the fuck could be causing that?

Twitter Crosspost 

here's what else i found:
- the setup takes place entirely in the browser and not in the oculus app
- even the slightest bit of browser anti-fingerprinting will cause the setup to WSOD
- the setup will give a generic, unhelpful error message if your name has swear words in it

Game Liberty Mastodon

Mainly gaming/nerd instance for people who value free speech. Everyone is welcome.