would it make your richard hard hearing about how lub/ephi made a mistake or something?
it's not even something you can waggle over their heads; they simply forgot to call a function they had already defined elsewhere.
I'd love it if you could tell me about this incident.
unauthenticated users could inject html and js and, well, anything, into the webpage of administrators viewing the webchat and/or server console.
saying <script>alert(1);</script> or whatever in game would make exactly that pop out the other end into webchat. literally the only requirement was that the victim was viewing the webchat page, or had opened the console viewer (opened, not "had it open." Just clicking on it made you vulnerable for as long as you were on the page) - the vulnerability literally affected every single page in the server's administration backend.
ephi promptly released a fix that patched the problem in the webchat, and then, the next day I think, fixed the console.
Ephi pmed me saying "thanks for reporting that vulnerability," so I then asked him if they had a bounty program or anything and he asked what exactly that was, so I told him and linked him to facebook and google's bounty program info pages, and told him that I didn't really want money, but they have a server hosting service. one of those for a while would be cool. he said that "we're not some big corporation or even a small business that makes a profit - no I am not paying or rewarding someone for doing the responsible thing, sorry."
I didn't respond, but I should've responded with a link to these people, who gave me a free lifetime subscription for discovering a persistent xss vulnerability that only affected the user who triggered it themselves. in other words, not even a loving vulnerability, but they still gave me stuff. I also inspired them to create this page.
I'll admit, I get where he's coming from. roll20 did give me a lifetime subscription, but that subscription means less to them (computational resource wise) than a lifetime subscription of hosting a blockland server would mean to RTB hosting, but I still think he made the wrong move for two reasons:
1: if he had done it, I can't say I would've been completely swayed to their side, permanently against the tyranny that is the kalphiter, cause I wouldn't be, but I still would've posted a favorable review in their topic - "guys, ephi is pretty chill, maybe not around kalphiter, but at least when it comes to this kind of serious stuff"
2: he would've placated me. even if he had given me only a month of subscription or something, and I never used it, it would be better than nothing. as it stands, I'm still convinced ephi is a richard - and this practically proves it:
There have been several cases in the past where RTB has provided people who have a worthwhile cause free hosting for as long as they want.
like I said, apparently I didn't have a worthwhile cause. you know, not royally loving them over.
additionally, he's setting a precedent that rtb hosting uses the reports from white hats, then tosses them away with nothing but a thanks. I'm positive I could've gone behind Tor, an alt key, an alt account, and then pmed certain individuals who view rtb less favorably, and turned a profit selling the vulnerability. this one in particular - all you have to do is convince the target to view webchat, and be in their server when they do it. not even hard. I didn't though, because I'm a good person who isn't particularly interested in being arrested for computer crimes/blackmail, but someone else longer along the line might not be, and they might not handle it the same way.
whatever, that was like 2 months ago, and it's been fixed for a while now, so I think I'm in the clear to post it.
edit: sorry kalphiter, forgot which topic this was. didn't mean to fill your topic with this stuff
edit 2: just got a pm from ephi about this topic, he made some good points and pointed out that I'm being a touch immature about this.
I want to clarify something in particular - I don't like how ephi handled this, and since I've never actually run a hosting service before, this bit:
I'll admit, I get where he's coming from. roll20 did give me a lifetime subscription, but that subscription means less to them (computational resource wise) than a lifetime subscription of hosting a blockland server would mean to RTB hosting
might be a little more potent than I thought. on the other hand, ephi has been an administrator for this community for a forgetload of time, and while I don't actually believe his tales of gore, I do believe he's had to ban people for stuff like research and other assorted nasty stuff. he's also run RTB for free and stuff without ads, and I thank him for that too. But from my point of view, I feel he handled this wrong. Given a greater perspective, he probably handled it pretty well.
I wish he had clarified that in his pm though - "we don't have the resources to give out free servers, sorry" - that would've been nice.
I just want to clarify that
A: I didn't like how he handled this, but he probably had good reason for his decision
B: I don't like how he and lub did their raids of kalphiter's topic prior to their own service starting
C: I'm not a fan of this loving flame war going between lub/ephi/kalphiter/every other loving person involved. it's stupid and childish as well
D: ephi does a pretty good job as an admin aside from those things
E: RTB (the add-on) is pretty nifty too.
and no, he didn't pay me or anything to say all that.
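An added example, not code from RTB hosting or its webchat (I have not seen that code): it reconstructs the class of bug the post describes, a chat renderer that already has an escaping helper but forgets to call it on one output path, so in-game chat lands unescaped in the admin page. The renderer names, the two-path "after the first fix" state and the probe messages are assumptions built from the post; the only payload used is the one quoted in it.

```javascript
// Added example, not code from RTB hosting or its webchat. It reconstructs
// the bug class in the post: untrusted chat rendered into an admin page
// without calling the escaping helper the project already had.

// Escaping helper. Every character that can start markup or break out of an
// attribute becomes its entity form, so the browser shows it as text.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The bug: the template is fine, but the untrusted fields are dropped in raw.
// Whatever a player types in game, including <script>, reaches the admin's DOM.
function renderChatLineVulnerable(player, message) {
  return `<div class="chat"><b>${player}</b>: ${message}</div>`;
}

// The fix is one call per untrusted field, at the point of output.
function renderChatLineFixed(player, message) {
  return `<div class="chat"><b>${escapeHtml(player)}</b>: ${escapeHtml(message)}</div>`;
}

// A renderer leaks markup if an input containing markup characters appears in
// its output verbatim; the browser would then parse that input as HTML.
function rendererLeaksMarkup(render, player, message) {
  const out = render(player, message);
  return [player, message].some((field) => /[<>"']/.test(field) && out.includes(field));
}

// Audit every rendering path with the same probes. The post mentions two paths
// (webchat and the console viewer) fixed on different days; running one check
// over all paths catches the one that still skips the helper.
function auditRenderers(renderers, probes) {
  const leaking = [];
  for (const [name, render] of Object.entries(renderers)) {
    if (probes.some(({ player, message }) => rendererLeaksMarkup(render, player, message))) {
      leaking.push(name);
    }
  }
  return leaking;
}

// Constructed probes: the payload quoted in the post, sent once as the message
// and once as the player name (the name is untrusted input too).
const PROBES = [
  { player: 'Guest', message: '<script>alert(1);</script>' },
  { player: '<script>alert(1);</script>', message: 'hi' },
];

// Hypothetical state of the backend between the two fixes: webchat escapes,
// the console viewer still does not.
const RENDERERS_AFTER_FIRST_FIX = {
  webchat: renderChatLineFixed,
  console: renderChatLineVulnerable,
};

function main() {
  console.log(renderChatLineVulnerable('Guest', PROBES[0].message));
  console.log(renderChatLineFixed('Guest', PROBES[0].message));
  console.log('paths still leaking markup:', auditRenderers(RENDERERS_AFTER_FIRST_FIX, PROBES));
}
main();
```

The point of the audit function is the one the post makes implicitly: the escaping helper existed, so the defect was not a missing function but a missing call on one of several rendering paths, and a check that enumerates every path is what catches the second one (the console viewer) at the same time as the first.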