Messages - Badspot

106
General Discussion / Master server maintenance
« on: October 15, 2018, 06:17:48 PM »
I'm messing with the master server, might break for a bit.

107
General Discussion / Re: Steam Users BTFO
« on: October 05, 2018, 02:07:13 AM »
Some back end reorganization caused the publisher API key to be deactivated, should be fixed now.

108
Some back end reorganization caused the publisher API key to be deactivated, should be fixed now.

109
Drama / Re: GreenBH - Total idiot, big ego cunt
« on: August 02, 2018, 08:34:39 PM »
Here's the big picture you insignificant, absent minded, weak excuses for argument starters. why are you still posting millennial age wordplay to this godforsaken forum? In which coincides with a game that's 11 years old. So please if you'd like to continue your toxic rambling i suggest going to a more firm standing ground, lest you like getting shot to the dirt for being here complaining like a bachelor's many interlopes collapsing on him while he spits in all of their drinks. Might i suggest Reddit, steam group or chat, or make your own website full of neat nit picks from website formulas. It's easy just say blockland is garbage and let the hate spark for 3 years. Or bash some actually popular game. I think iv'e been polite enough to say that i don't want this as the top result when i look for fun modifications for my gameplay. If you think your so high and mighty complaining about someone's hissy fit on a server and banned you you haven't played video games long enough to see the big picture. Oh by the way i wont be responding to what you reply with unless its more creative than your mental capacities form of a "comeback". See you never!

This is amazing.  The quality of the grammatical errors is top notch.  Misusing the word "coincides", then trying to use "interlopes" as a noun and some kind of metaphor that is "collapsing" but also as a literal term meaning "female prospects" (?) so that the metaphorical bachelor can spit in their drinks?  If you were tasked with making up something this stupid you wouldn't be able to.  It almost looks like the product of a Markov chain.  I really hope this is a true Blockland original.

110
Old accounts are 'deactivated' and if you send an activation letter, you get this
https://i.imgur.com/Go1ZdIm.png

Welp, the activation codes don't work the same way as the password recovery codes, even though they use the same field in the database.  Trying again.

111
i cant change my password because i lost the privilege to edit my profile.

How about now?

112
Damn, does it really not salt hashed passwords? SMF is worse than I thought.

To be fair, it sort of does.  There is a password_salt field which is not used for salting the password, but is used as part of the login cookie and changes every time you log in.  The passwd field itself is sha1(username + password).  Why they did not at least switch to the built in password_hash php function for smf 2.x remains a mystery. 

Of course talk of secure hashing is academic when you can just walk up to the server and brute force any password using the un-logged, un-rate-limited, ssi_checkPassword function which existed for years as part of smf 1.1
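
An added example, not part of the original post and not SMF's own code: one way a login path can accept the legacy `sha1(username + password)` value described above and replace it with a `password_hash` value on the next successful login. The function names, the `member_name` column name, and the sample row are assumptions made for illustration.

```php
<?php
// Added example, not SMF source. The array keys (member_name, passwd) and the
// in-memory $row stand in for a members table row and are assumptions.

// Legacy scheme as described in the post: unsalted SHA-1 over username + password.
function legacy_hash(string $username, string $password): string
{
    return sha1($username . $password);
}

// Check a login against either storage format. Returns the hash that should be
// stored afterwards, or null if the password is wrong.
function verify_and_upgrade(array $row, string $password): ?string
{
    $stored = $row['passwd'];

    // password_get_info() reports an empty 'algo' for strings that
    // password_hash() did not produce, such as a 40-character SHA-1 hex digest.
    $isModern = !empty(password_get_info($stored)['algo']);

    if ($isModern) {
        if (!password_verify($password, $stored)) {
            return null;
        }
        // Re-hash if the default algorithm or cost changed since this was stored.
        return password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($password, PASSWORD_DEFAULT)
            : $stored;
    }

    // Legacy row: constant-time comparison, then replace the SHA-1 value with
    // a per-user salted hash while the plaintext is still available.
    if (!hash_equals($stored, legacy_hash($row['member_name'], $password))) {
        return null;
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample row, as it would look before migration.
$row = ['member_name' => 'exampleuser', 'passwd' => legacy_hash('exampleuser', 'correct horse')];

$new = verify_and_upgrade($row, 'correct horse');
var_dump($new !== null && password_verify('correct horse', $new)); // legacy row upgraded
var_dump(verify_and_upgrade($row, 'wrong guess'));                  // failed login
$row['passwd'] = $new;
var_dump(verify_and_upgrade($row, 'correct horse') === $new);       // modern row left as is
```

Rows for accounts that never log in again keep the legacy value, so upgrade-on-login does not by itself protect dormant accounts.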

113
Everyone should change their password if they have not done so since the update.  You should use a unique password just for this website.  If you used the same password for other sites, you should change your password on those other sites as well. 

SMF does not have a way to force everyone to reset their password.  It also does not hash passwords correctly or understand the concept of a salt.  To mitigate the problem of old accounts being compromised, I have reset the email activation status of every account that has not made a post within the past 6 months. 

114
General Discussion / Re: SMF Login vulnerability
« on: July 12, 2018, 04:44:19 PM »
Do the admins have a special log in window, or do they log in normally just like the rest of us? That might explain why they haven't attacked the admin accounts yet.

To log in and post it's normal, to do some admin stuff you have to enter your password again.  But I also have a long password that I only use on this site, so I would be immune from most external data leaks and resistant to offline cracking of a dumped hash.

115
General Discussion / Re: SMF Login vulnerability
« on: July 12, 2018, 03:01:35 PM »
I remember they posted a topic along the lines of "LOL this guy's password is mondayjew" or something so I'm gonna guess #3 since they were able to see somebody's password in plaintext. Also maybe 'mondayjew' is a common password so who knows.
This also goes along with them being unable to log into Rotondo's account since it kept saying "username does not exist" for them.

It would be kind of a weird vulnerability to be able to dump the password and account id fields of the user table but not the username field.  I'm leaning towards #1 or #4.

116
General Discussion / Re: SMF Login vulnerability
« on: July 12, 2018, 02:53:15 AM »
I just discovered a few accounts with suspicious log ins.  There are likely more. 

Here are the possibilities:

1. A data leak from another site provided attacker with exact passwords for these accounts.  Phishing is unlikely due to age of the accounts, but data dumps like this happen all the time and people don't always use different passwords for each site like they should.

2. Accounts were compromised more than two months ago (the age of the user table backup that I restored after the forum upgrade), passwords were changed, and the attacker is very patient

3. A vulnerability at some point allowed an attacker to dump the crappily hashed smf password table for offline cracking.  Easy passwords get cracked first, hence the target-of-opportunity style attacks. 

4. An unknown login vulnerability on the forum still exists, but requires some special conditions so they can't just log into my account and wreck the place (else they would do it).


117
General Discussion / Re: SMF Login vulnerability
« on: July 10, 2018, 09:51:00 PM »
how come this happens when i search

https://i.imgur.com/ci0t8Ao.png

It's debug info I added to track down errors with the default theme.  It was supposed to go to the php error log but I did it wrong.  Anyway it was because the code was trying to set the active button to a button that didn't exist, should be fixed now.

never had that issue wtf

Only happened when you did quick search when not logged in.

118
General Discussion / Re: SMF Login vulnerability
« on: July 09, 2018, 11:09:41 PM »
Assuming that has finished by now, it doesn't look like it's solved. Here is a good example topic that is missing from its board index: https://forum.blockland.us/index.php?topic=319701.0

Given the timestamps of other topics currently on that board, it should be visible on the first page of add-ons, but it is not.

I think I have fixed it now.

119
Games / Re: Pokémon VG Megathread
« on: July 09, 2018, 11:07:52 PM »
Is this fixed now?

120
General Discussion / Re: SMF Login vulnerability
« on: July 09, 2018, 12:59:26 PM »
Fyi a lot of threads seem to have gone 'missing' without much explanation, but are still perfectly accessible if you have a link directly to them. The board indexing probably got screwed up somehow during the migration, bumping the topic makes it reappear. These 'missing' topics seem to also get missed by the search function, so you have to get the link from your posting history or find the topic with google.

I am running the repair function, we'll see what happens.
