Post ANhMRpsVLRhGZY4cHg by POASTAL@poa.st
 (DIR) Post #ANhHCqMwjnGnyrLPDE by josh@poa.st
       2022-09-18T18:26:28.995784Z
       
       18 likes, 10 repeats
       
       Challenge for security experts: explanation of the XenForo scripting vulnerability. t.me/kiwifarms/50
       
 (DIR) Post #ANhHg4hqVme8qP3gMC by n3f_X@nicecrew.digital
       2022-09-18T18:31:45.657390Z
       
       0 likes, 0 repeats
       
       lol its an xss attack im pretty sure ... eh idk ill look into it
       
 (DIR) Post #ANhHvPNVw4RzIjrNCK by Anton_Sturm@chudbuds.lol
       2022-09-18T18:32:35.653703Z
       
       0 likes, 0 repeats
       
       If I got promoted to be an admin I will reign with iron fist and ban everyone with anime pfp.
       
 (DIR) Post #ANhHvPqEDJQ2jnIIxE by Sigh@poa.st
       2022-09-18T18:34:32.500764Z
       
       1 likes, 0 repeats
       
       @Anton_Sturm @josh The world before anime was a mistake. :ablobhyper:
       
 (DIR) Post #ANhI7aSaYk7L972aQa by PunishedD@poa.st
       2022-09-18T18:36:44.724510Z
       
       7 likes, 0 repeats
       
       @josh Once again, Javascript and its consequences have been a disaster for the World Wide Web.
       
 (DIR) Post #ANhM25IrN8rwsp7c92 by cope@eeeeeeeee.eu
       2022-09-18T19:20:34.070251Z
       
       0 likes, 0 repeats
       
       @josh iirc
       Content-Security-Policy: script-src <source> <source>;
       means either of the sources is allowed, not that you need both to apply
       so troonshine.opus would be loaded just fine with 'self'
       from there it's https://book.hacktricks.xyz/pentesting-web/content-security-policy-csp-bypass#file-upload-+-self
       as for how you'd put it there, i'd reckon one of the many .innerHTML = userinput; since all of them seem unsanitized
       
 (DIR) Post #ANhMP25FVaVHYghKzY by sowbooz@poa.st
       2022-09-18T18:34:30.392243Z
       
       1 likes, 0 repeats
       
       @josh problem: XSS injection
       solution to problem: don't use javashit
       
 (DIR) Post #ANhMQ3z5vXblk8JKHg by sowbooz@poa.st
       2022-09-18T18:47:34.449006Z
       
       1 likes, 0 repeats
       
       @PunishedD @josh this, kill yourself josh moon for ruining the web
       
 (DIR) Post #ANhMQcQDtBViY7GTI0 by samlowry@poa.st
       2022-09-18T18:42:11.252648Z
       
       2 likes, 0 repeats
       
       @josh I know Josh already knows this but the Kiwi Farms needs Sneedforo more than ever.
       
 (DIR) Post #ANhMROp1wFsIexExcW by GorillaRapeFantasy@poa.st
       2022-09-18T19:02:05.671431Z
       
       3 likes, 0 repeats
       
       @josh Just remove the fucking chat. I block that shit in Ublock Origin anyways.
       
 (DIR) Post #ANhMRpsVLRhGZY4cHg by POASTAL@poa.st
       2022-09-18T19:21:30.140926Z
       
       3 likes, 1 repeats
       
       @GorillaRapeFantasy @josh >just remove the only remotely interesting aspects of the siteYou need to overdose on the nearest bottle of pain meds, faggot.
       
 (DIR) Post #ANhMSjQ4qKEQpbChkW by Pugulus@poa.st
       2022-09-18T19:06:49.610369Z
       
       1 likes, 0 repeats
       
       @josh I blame Javascript.
       
 (DIR) Post #ANhONZRwgPfAN2kEb2 by ezdiy@poa.st
       2022-09-18T19:04:05.249068Z
       
       1 likes, 0 repeats
       
       @josh 1. XenForo has a lot of places it can pop an iframe. This is why you don't CSP via meta-equiv, but force it in server headers.
       2. I find it hilarious that now an entire domain registrar performs an actively hostile act against KF. You truly are the public enemy #1.
       I won't tell you which registrar, it's trivial to find via breadcrumbs.
       
 (DIR) Post #ANhTBpMKCqn20aKrAW by Patrick_S_Tomlinson@poa.st
       2022-09-18T19:25:18.566580Z
       
       1 likes, 0 repeats
       
       @josh Have you tried rerouting the Tachyon grid through the main deflector dish, stalker?
       
 (DIR) Post #ANhgGdRnDiiZutW2uu by DumpsterDivedWaifu@poa.st
       2022-09-18T21:24:22.312619Z
       
       0 likes, 0 repeats
       
       @josh I don't know fuck all about rust, or what tools you have available to you, but it may be a good idea to just find an open source library that sniffs files to check if they are considered safe or not.
       
 (DIR) Post #ANhgGkOVOLFPSj21GS by Special_Needs_Tiger@poa.st
       2022-09-18T21:25:13.807521Z
       
       1 likes, 0 repeats
       
       @DumpsterDivedWaifu @josh All I know about Rust is that it has a lot of naked men beating each other over the head with rocks.
       
 (DIR) Post #ANi9Yydu3K4xXIHKtc by eriner@noagendasocial.com
       2022-09-19T04:35:33Z
       
       0 likes, 0 repeats
       
       @josh If the file is uploaded to the same origin as the site (with the path /data/audio/whatever.opus), it won't violate CORS. The CSP allows 'self'.
       The question is, what is the value of the Content-Type header that the OPUS file is served with? If it serves it as text/html or some other bullshit, then yeah easymode XSS. OPUS should be served as "audio/opus" or similar and should probably have a "Content-Disposition: attachment" header.
       
 (DIR) Post #ANiAiha6ROMvTHhas4 by eriner@noagendasocial.com
       2022-09-19T04:48:30Z
       
       0 likes, 0 repeats
       
       @josh To clarify, CORS has nothing to do with the CSP (which you called CORS in the post you linked). Additionally, the presence of the 'self' directive in the CSP means any script can run from the origin's domain, including that "opus" file which may have been rendered as inline HTML due to an incorrect Content-Type header and the lack of a Content-Disposition header.
       But IDK though this is just a guess based on what you posted. I haven't looked beyond that.
       PS: CORS is for cross-origin reqs.
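
Added example, not part of any post in this thread: a JavaScript audit of the two conditions cope and eriner describe above, namely whether the page's script-src admits same-origin files (sources are alternatives, so 'self' alone suffices) and whether an upload such as /data/audio/whatever.opus is served with a safe Content-Type and Content-Disposition. The function names, the type allowlist, the sample headers and the X-Content-Type-Options check are assumptions added here, not taken from the thread.

```javascript
// Added example; names, allowlist and sample headers are constructed here.
const EXPECTED_TYPES = { ".opus": "audio/opus", ".ogg": "audio/ogg", ".mp3": "audio/mpeg" };

// Parse a CSP value into { directive: [sources] }; the first duplicate wins.
function parseCsp(value) {
  const policy = Object.create(null);
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Sources in script-src are alternatives: one match is enough, so 'self'
// alone lets any same-origin URL (uploads included) load as script.
function sameOriginScriptsAllowed(cspValue) {
  const policy = parseCsp(cspValue || "");
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true; // no applicable directive, nothing is restricted
  return sources.some((s) => ["'self'", "*"].includes(s.toLowerCase()));
}

// Return findings for one upload response plus the CSP of the embedding page.
function auditUpload(path, headers, pageCsp) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const ext = path.slice(path.lastIndexOf(".")).toLowerCase();
  const type = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (!EXPECTED_TYPES[ext]) findings.push("extension-not-allowlisted");
  else if (type !== EXPECTED_TYPES[ext]) findings.push("content-type-mismatch");
  if ((h["x-content-type-options"] || "").trim().toLowerCase() !== "nosniff")
    findings.push("missing-nosniff");
  if (!/^\s*attachment\b/i.test(h["content-disposition"] || ""))
    findings.push("not-served-as-attachment");
  if (sameOriginScriptsAllowed(pageCsp)) findings.push("same-origin-script-allowed");
  return findings;
}

// Constructed sample responses, not captured from any real site.
const weak = { "Content-Type": "text/html; charset=utf-8" };
const hardened = {
  "Content-Type": "audio/opus",
  "X-Content-Type-Options": "nosniff",
  "Content-Disposition": 'attachment; filename="whatever.opus"',
};
console.log(auditUpload("/data/audio/whatever.opus", weak, "script-src 'self' https://cdn.example"));
console.log(auditUpload("/data/audio/whatever.opus", hardened, "script-src 'none'"));
```

An empty findings list means the upload response and the page policy both hold; the audit reads real response headers, so a policy delivered only through a meta tag has to be passed in separately.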
       
 (DIR) Post #ANiDNCVT53jEsMyP7g by sowbooz@poa.st
       2022-09-18T18:30:33.957861Z
       
       1 likes, 0 repeats
       
       @josh >bug bountyeat ass faggot
       
 (DIR) Post #ANiDhIuMzO00WQCsvQ by ehhh@poa.st
       2022-09-19T05:21:52.999513Z
       
       1 likes, 0 repeats
       
       @POASTAL @GorillaRapeFantasy @josh "people don't visit kiwifarms for the forums, the topics, the lolcow documentations, they only go for the chat at the top of the website."
       wut bro
       
 (DIR) Post #ANiDloPtmbzpP06VIu by RabbiChaimNosenberg@poa.st
       2022-09-18T20:07:37.583748Z
       
       1 likes, 0 repeats
       
       @josh Please kill off SneedChat until this blows over.
       
 (DIR) Post #ANiIZR5jBDJLM7aSHY by POASTAL@poa.st
       2022-09-19T06:14:07.449321Z
       
       0 likes, 0 repeats
       
       @ehhh @GorillaRapeFantasy @josh People do, but the different chats is what ties it all together in a more social sense and creates a decent amount of cohesion.
       I couldn't really imagine only posting in threads at this point.
       It's just not that interesting to me (and plenty of others) without that part of it tying everything together.
       
 (DIR) Post #ANiIZRbHHuY2vyLeSW by ehhh@poa.st
       2022-09-19T06:16:29.082507Z
       
       1 likes, 0 repeats
       
       @POASTAL @GorillaRapeFantasy @josh there's already the telegram channel and a matrix... i don't know why there needs to be a chat, specifically on the site. it's kinda just bloat, if there's a way for me to turn that off (not that it matters anymore) i would've.
       
 (DIR) Post #ANiJWPS8unZXMMByng by POASTAL@poa.st
       2022-09-19T06:20:52.663217Z
       
       1 likes, 0 repeats
       
       @ehhh @GorillaRapeFantasy @josh Anything off-site ends up being utterly retarded and will inevitably turn into a shitshow, because Josh isn't as involved in it or has control over it to the same extent.
       There's been quite a few times where he's had to disavow something like that, most recently "@kiwifarmschat".
       It all just turns into gayops and filled with banned users plotting and seething.
       
 (DIR) Post #ANisaDqHWQQCu62K1Y by GorillaRapeFantasy@poa.st
       2022-09-19T09:02:27.400826Z
       
       1 likes, 0 repeats
       
       @POASTAL @ehhh @josh At least segregate it to its own page on KF, so it's not wasting resources on users who don't use it or care about it.
       
 (DIR) Post #ANkCQp0OgiBNVbWTBo by MadAtTheInternetFish@poa.st
       2022-09-18T20:58:30.679639Z
       
       1 likes, 0 repeats
       
       @ezdiy @josh Would be nice to know for those of us who would not want to use this registrar
       
 (DIR) Post #AP5LfSLmk20Q2JFAWW by anechoicmedia@poa.st
       2022-09-18T22:06:17.619100Z
       
       1 likes, 0 repeats
       
       @josh Putting user-controlled message data into the document via innerHTML is inviting injection unless I'm missing some context here.
       Would not require much sophistication when combined with the previously mentioned misconfigured security policy.