Topic: Is ATBBS still being developed?

Anonymous A started this discussion 9.2 years ago #27     

is it?
Whoreos joined in and replied with this 9.2 years ago, 1 day later#152     

Yes it is! We've been pretty quiet because I want to fix the CSRF vulnerability before I release the new version. Besides that, things are pretty much ready.
Also, I'm going to be omitting the styles which use images, so the new package will be considerably more compact than previous ones.

Anonymous C joined in and replied with this 9.2 years ago, 4 days later, 6 days after the original post#153     

I would like to know more about this CSRF vulnerability.

Whoreos replied with this 9.2 years ago, 1 day later, 1 week after the original post#154     

Unfortunately, the original post explaining it was on t4c, which is gone now, and the other one on the tinybbs dev site has been removed.
To the best of my knowledge, it works something like this:
*troll creates a web page which performs a valid ATBBS function
*troll posts a link to the page on the target site
*someone clicks the link, and the action is executed on the target database, even though the script belongs to a different site
It seems to be exploiting the fact that the software apparently doesn't check the url executing the command, only the url which triggered the execution.
For the end user, this is fairly harmless, as they have relatively few actions available to them (namely "drop ID"). However, if a mod or admin were to click one of these traps, it could potentially be used to ban a user (even themselves?), or possibly delete the entire database.
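An added illustration (not code from this thread or from ATBBS itself) of the flaw described above and the usual fix: a ban action that runs on any request that reaches it with a moderator session, beside one that requires a per-session secret token a third-party page cannot read and rejects requests whose Origin header names another site. The board origin, the Session and Request classes and the ban table are hypothetical stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE_ORIGIN = "https://board.example"  # hypothetical origin of the board itself
banned = set()  # stand-in for the board's ban table

@dataclass
class Session:
    """Server-side session; the secret token lives here, never in a URL."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

@dataclass
class Request:
    """Constructed stand-in for an HTTP request: session, form fields, Origin header."""
    session: Session
    form: dict
    origin: Optional[str] = None  # browsers send Origin on cross-site POSTs

def ban_vulnerable(req: Request) -> bool:
    """The flaw from the thread: whichever site's page triggered the request,
    the action runs as long as the victim's session belongs to a mod/admin."""
    if req.session.user != "admin":
        return False
    banned.add(req.form["target"])
    return True

def ban_hardened(req: Request) -> bool:
    """Demands a per-session token (compared in constant time) and rejects
    requests whose Origin header names a site other than the board."""
    if req.session.user != "admin":
        return False
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    if not hmac.compare_digest(req.form.get("csrf_token", ""), req.session.csrf_token):
        return False
    banned.add(req.form["target"])
    return True

def demo() -> dict:
    banned.clear()
    admin = Session(user="admin")
    # Moderation form rendered by the board itself: carries the token.
    genuine = Request(admin, {"target": "spammer", "csrf_token": admin.csrf_token}, SITE_ORIGIN)
    # Trap page on another site: the browser attaches the session, not the token.
    forged = Request(admin, {"target": "victim"}, "https://troll.example")
    return {"vuln_genuine": ban_vulnerable(genuine), "vuln_forged": ban_vulnerable(forged),
            "hard_genuine": ban_hardened(genuine), "hard_forged": ban_hardened(forged)}
```

The vulnerable handler bans "victim" from the trap page; the hardened one only accepts the board's own form, which is the behaviour a fix for the report above would need.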

