Twitter Crosspost 

RT @TurboJehtt
Trust me and we will escape from federal prison (ft. @izziibel)

Twitter Crosspost 

RT @LumLotus
No they think everyone on there is exactly the type of assholes they are being. (Hope everyone used a VPN and an alternative email like they were already supposed to be doing.) twitter.com/litdogger/status/1

Twitter Crosspost 

RT @MutantDogz
OMG i forgot about this world pic i took while on a world exploration!

Twitter Crosspost 

RT @OscarVReuenthal
I used to look at KiwiFarms just to see what it was about, and this is why I created a separate email account under a fake name in order to access it. twitter.com/litdogger/status/1

Twitter Crosspost 

RT @dardartYT
i think teen titans go is a great example of great animators having to make dog shit for the majority of the series

Twitter Crosspost 

RT @IMakeCowboysGay
first game of the season and it's a win with the oomfie

Twitter Crosspost 

never forget the time that someone featured in a 3kliksphilip video had cropped furry porn as their avatar

Twitter Crosspost 

RT @JARG_7
I went to the zoo and the highlight was watching a giant grasshopper take a dump.

Twitter Crosspost 

These are the kinds of people who support Keffals. Hurting the security of thousands of innocent people in order to retaliate against one that they don't like.

@josh iirc
Content-Security-Policy: script-src <source> <source>;
means either of the sources is allowed, not that you need both to apply
so troonshine.opus would be loaded just fine with 'self'
from there it's https://book.hacktricks.xyz/pentesting-web/content-security-policy-csp-bypass#file-upload-+-self
as for how you'd put it there, i'd reckon one of the many .innerHTML = userinput; since all of them seem unsanitized
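To make the point in the comment above concrete, here is a small evaluator, added here and not code from anyone in this thread, that parses a `Content-Security-Policy` header and decides whether a given script URL may load. It shows that the sources in `script-src <source> <source>` are alternatives (any one match is enough), and it includes a defender's check for the weak pattern the comment describes: `'self'` in `script-src` while user-uploaded files are served from the same origin. The origin `https://forum.example`, the CDN host and the upload path are constructed for the example; nonces, hashes and `'strict-dynamic'` are deliberately not modelled.

```python
"""Evaluate a CSP script-src source list (added example, not from the thread)."""
from urllib.parse import urlparse


def parse_csp(header: str) -> dict:
    """Split "a b; c d" into {"a": ["b"], "c": ["d"]}; a repeated directive is ignored, as in CSP."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _effective_port(u) -> int:
    return u.port or (443 if u.scheme == "https" else 80)


def _same_origin(a, b) -> bool:
    return (a.scheme, a.hostname, _effective_port(a)) == (b.scheme, b.hostname, _effective_port(b))


def _host_source_matches(source: str, script, page) -> bool:
    """Match one host-source expression (e.g. cdn.example.net, *.example.net, https:) against a URL."""
    if source.endswith(":") and "/" not in source:          # scheme-source such as "https:"
        return script.scheme == source[:-1].lower()
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != script.scheme:
        return False
    if not src.scheme and script.scheme not in (page.scheme, "https"):
        return False
    host, script_host = src.hostname or "", script.hostname or ""
    if host.startswith("*."):
        if not script_host.endswith(host[1:]):
            return False
    elif host != "*" and host != script_host:
        return False
    if src.port is not None and src.port != _effective_port(script):
        return False
    return True


def script_allowed(policy: dict, script_url: str, page_origin: str) -> bool:
    """True if ANY source in script-src (falling back to default-src) permits the script URL."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if not sources or "'none'" in sources:
        return False
    script, page = urlparse(script_url), urlparse(page_origin)
    for source in sources:
        if source == "'self'":
            if _same_origin(script, page):
                return True
        elif source.startswith("'"):      # 'unsafe-inline', nonces, hashes: not host sources
            continue
        elif _host_source_matches(source, script, page):
            return True
    return False


def same_origin_upload_risk(policy: dict, page_origin: str, upload_urls: list) -> list:
    """Defender's check: which of the given user-upload URLs would this policy still let a <script> load?

    A non-empty result means the CSP does not stop scripts fetched from user-controlled files and the
    upload pipeline (extension allowlist, Content-Type, a separate upload origin) has to carry the load.
    """
    return [u for u in upload_urls if script_allowed(policy, u, page_origin)]


# Constructed policy and origin; the second source alone is enough to allow the CDN script.
PAGE = "https://forum.example"
POLICY = parse_csp("default-src 'none'; script-src 'self' https://cdn.example.net 'unsafe-inline'; img-src *")
HARDENED = parse_csp("default-src 'none'; script-src https://static.forum.example")
UPLOADS = ["https://forum.example/data/attachments/1/upload.bin"]   # constructed upload path

if __name__ == "__main__":
    for url in ("https://forum.example/js/app.js", "https://cdn.example.net/lib.js", "https://evil.example/x.js"):
        print(url, "->", script_allowed(POLICY, url, PAGE))
    print("uploads still loadable as scripts:", same_origin_upload_risk(POLICY, PAGE, UPLOADS))
    print("with hardened policy:", same_origin_upload_risk(HARDENED, PAGE, UPLOADS))
```

Serving attachments from a dedicated origin that never appears in `script-src` (the `HARDENED` policy above) is what makes the `'self'` source safe again; tightening upload validation helps, but it is the origin split that the CSP itself can enforce.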
Challenge for security experts: explanation of the XenForo scripting vulnerability.
t.me/kiwifarms/50
Yesterday, Vsys, a host we used as a forward-proxy, was compromised.

Today, the site was hacked to change everyone's avatars to logos of Poast.

Then, each node on the forum index was deleted one at a time.

There are backups of the site so no information is permanently lost but I have not diagnosed what the attack vector was yet or the extent of the breach.
This statement regards user impact.

- Assume your password for the Kiwi Farms has been stolen.
- Assume your email has been leaked.
- Assume any IP you've used on your Kiwi Farms account in the last month has been leaked.

The attacker had access to my admin account, probably through session hijacking (bypassing password and 2fa). He would have been able to access user data, and XenForo provides a way to export user lists with information that is precisely: email, username, last activity, register date, user state (banned/unverified), post count, and if they are staff.

However,
```
2a03:e600:100::31 - - [18/Sep/2022:08:16:13 +0000] "GET /admin.php?users/list-export&export=1 HTTP/2.0" 500 0 "https://kiwifarms.st/admin.php?users/list" "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
```
In this access.log entry for the only attempt made to export this information, he tried to export 120k+ users at once. This caused it to crash and respond with Error 500. No other attempt was made to export the user list. It's unclear if he obtained any user information.

I am still deducing the attack vector. I currently have two theories that I will explain later.
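The statement above reaches its conclusion about the user export by reading one access.log line. The following is an added example, not code from the site operator or from XenForo, of how a defender would run that same check over a whole log: parse combined-format lines, flag every hit on the `/admin.php?users/list-export` endpoint, and summarise admin-panel activity per client address. The log lines are constructed (documentation-prefix IPv6 addresses, `forum.example`, placeholder user agents); the export URL pattern is the one shown in the log entry above.

```python
"""Flag admin user-export requests in a web access log (added example, constructed data)."""
import re
from collections import defaultdict

# Combined log format: client ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sensitive paths, most specific first. The export pattern is the endpoint from the log line above;
# the bare admin.php match counts any admin-panel request.
SENSITIVE = [
    ("user_export", re.compile(r"^/admin\.php\?users/list-export")),
    ("admin", re.compile(r"^/admin\.php")),
]


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify(path: str):
    """Label a request path as "user_export", "admin" or None (not sensitive)."""
    for label, pattern in SENSITIVE:
        if pattern.match(path):
            return label
    return None


def audit(lines):
    """Return (findings, per_client).

    findings: one (ip, time, status, size) tuple per user-export request.
    per_client: admin-panel request, export-attempt and export-error counts keyed by client address.
    A 5xx with a zero-byte body (as in the entry above) is strong evidence the export did not complete,
    but it is the absence of any further 2xx export hit that supports the conclusion, so every attempt
    is recorded, not only the failed ones.
    """
    per_client = defaultdict(lambda: {"admin_requests": 0, "export_attempts": 0, "export_errors": 0})
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue
        stats = per_client[rec["ip"]]
        stats["admin_requests"] += 1
        if kind == "user_export":
            stats["export_attempts"] += 1
            if rec["status"] >= 500:
                stats["export_errors"] += 1
            findings.append((rec["ip"], rec["time"], rec["status"], rec["size"]))
    return findings, dict(per_client)


# Constructed sample log: one admin client that lists users and then attempts the export, one
# ordinary visitor, and a second admin client that only opens the user list.
SAMPLE_LOG = [
    '2001:db8::1 - - [18/Sep/2022:08:15:02 +0000] "GET /admin.php?users/list HTTP/2.0" 200 4312 "-" "Mozilla/5.0 (constructed)"',
    '2001:db8::1 - - [18/Sep/2022:08:16:13 +0000] "GET /admin.php?users/list-export&export=1 HTTP/2.0" 500 0 "https://forum.example/admin.php?users/list" "Mozilla/5.0 (constructed)"',
    '2001:db8::2 - - [18/Sep/2022:08:17:40 +0000] "GET /threads/example.1/ HTTP/2.0" 200 8811 "-" "Mozilla/5.0 (constructed)"',
    '2001:db8::3 - - [18/Sep/2022:09:01:00 +0000] "GET /admin.php?users/list HTTP/2.0" 200 4290 "-" "Mozilla/5.0 (constructed)"',
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    found, clients = audit(SAMPLE_LOG)
    for ip, when, status, size in found:
        print(f"user export by {ip} at {when}: HTTP {status}, {size} bytes")
    for ip, stats in clients.items():
        print(ip, stats)
```

Run as a script it reads the embedded sample; in practice `audit()` would be fed the real file line by line, and the per-client table is the quick way to see which admin sessions need to be tied back to a known staff login before the account is reset.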

Twitter Crosspost 

RT @taizou_hori
Turned on the TV expecting wall to wall Queen coverage only to see Mr Chips ripping a massive fart

Game Liberty Mastodon

Mainly gaming/nerd instance for people who value free speech. Everyone is welcome.