IPB is open to right-to-left unicode injection, which allows you to obfuscate file names, links, and more. That's not all: because you can inject RTLO while registering, you can copy any user name you like! Go to any IPBoard and try to register "& #82 38;nimdA" without the quotes and spaces; you will see when you log in it displays you as Admin! Now you can go on the forums and run wild as the Admin or any other user you like. No, you don't get admin privs or anything, and if anyone looks closely at a "spoofed" account it's not too hard to spot, but it's good for a few lulz and I'm sure you can get more than one n00b to dl a payload you posted as admin >:) OK, that's all I got, laters.
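For forum operators, a registration-time check that catches the name described above. This is an added example, not IPB's code or part of the original post. The function names and sample names are constructed for illustration, and it assumes the submitted name may arrive as a raw character or as an HTML numeric entity.

```python
import html
import unicodedata

# Characters that change display direction without being visible themselves.
BIDI_CONTROLS = frozenset(
    "\u061c"                          # ARABIC LETTER MARK
    "\u200e\u200f"                    # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)

def decode_fully(raw, max_rounds=5):
    """Unescape HTML entities until the value stops changing, so a
    double-encoded '&amp;#8238;' is treated the same as '&#8238;'."""
    for _ in range(max_rounds):
        decoded = html.unescape(raw)
        if decoded == raw:
            return decoded
        raw = decoded
    raise ValueError("too many nested entity encodings")

def find_bidi_controls(raw_name):
    """Return (index, code point, Unicode name) for each bidi control
    character present in the decoded user name."""
    name = decode_fully(raw_name)
    return [
        (i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]

def is_username_allowed(raw_name):
    """Reject names carrying bidi controls; ordinary RTL letters pass."""
    try:
        return not find_bidi_controls(raw_name)
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample submissions.
    samples = ["Admin", "&#8238;nimdA", "&amp;#8238;nimdA",
               "\u202enimdA", "\u05e9\u05dc\u05d5\u05dd"]
    for s in samples:
        print(ascii(s), is_username_allowed(s), find_bidi_controls(s))
```

The same check belongs on any field rendered to other users (file names, link text), and on existing accounts as a one-off audit.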
Tuesday, May 25, 2010
Sunday, May 23, 2010
Well, HH is dead, which sucks all on its own, but due to one fucked up person, Raze, I can't get any of my shit off the servers HH was hosted on :( Yeah, I kept backups, but it wasn't nightly nor automated, so I lost a lot of shit. I could have had time to get everything off the server, but Raze, who was paying for the server, somehow forgot to tell me he had stopped paying, so I got ripped off like $50 on top of losing everything else!! See, it was a German hosting company that hosted HH, and Raze lived close by and he set everything up; I sent him $100 to pay for everything. So I figure he used about 25-50 dollars of it and I guess ran off with the rest :( Anyway, blogger is my hangout once again.