http://kusabax.cultnet.net/c Live RSS feed for http://kusabax.cultnet.net/c en'; http://kusabax.cultnet.net/c/res/6093.html#6099 >>>/sup/59442

]]> http://kusabax.cultnet.net/c/res/6093.html#6098

>>6095

]]> http://kusabax.cultnet.net/c/res/6096.html#6097
Most have old, outdated versions of php, and might have unpatched exploits as a result, and shared hosts with shared sessions are more vulnerable to hacking, cookie theft and spreading of malware. Though this can be sort of mitigated by using custom session handlers and https if it's available.

tl;dr they're fine as long as you don't care if one day you wake up and find your site taken over by chechens.

]]> http://kusabax.cultnet.net/c/res/6096.html

What's your opinion on free hosts?

]]> http://kusabax.cultnet.net/c/res/6093.html#6095 >>6094
i am working on one, "hold on to your butts"

]]> http://kusabax.cultnet.net/c/res/6093.html#6094 >>6093
There are some small projects out there, but none seem to be very popular.

]]> http://kusabax.cultnet.net/c/res/6093.html

So, seeing that anonsaba and kusaba have been abandoned, is there any imageboard software that is still updating?

]]> http://kusabax.cultnet.net/c/res/6058.html#6092 >>6090
The problem isn't that it's php.. because obviously there are php frameworks much better designed, the problem is that kusaba's old and only really being supported by a couple of people, in their spare time, and it was never really designed with expandability in mind. They just recently addressed the fact that split() was still in there.

A lot of what you're suggesting is supposedly being added to the next version and I believe Jmyeom's redo of version 9. I know they're switching to Twig, don't know if they're auto-escaping by default but if they're not and not using the sandbox, function whitelists, etc they should, and they're planning to use a PDO driver.

But who knows when they'll even be done. It seems to be hobbyist code that took off, and you're probably right about there being a ton of bugs in it, just due to its complexity and age. If you can do better, go get a proper framework and do better.

]]> http://kusabax.cultnet.net/c/res/6080.html#6091 >>6080
>>6080
>2013
>ponies

]]> http://kusabax.cultnet.net/c/res/6058.html#6090 >>6085
Was bored and decided to look through a few parts of the codebase I didn't look at last time: found another persistent XSS, a very powerful one, just a few minutes ago. It does require certain conditions, however.

>>6087
Sorry, not really interested. Already have more than enough of my own cheap VPSs. Still willing to accept other offers. Not trying to be a dick here, I just want to have at least a half-decent incentive to divulge these.

Honestly, there are probably plenty more bugs hiding somewhere. I get lots of bad "vibes" when looking through this code. You guys need to revamp your entire coding style. Use a templating system that auto-escapes all markup output, and use an ORM or at least some kind of abstraction that utilizes SQL query paramaterization by default.

It's really hard to believe large, popular web projects like this one are still clinging to coding styles of 2003, when it's 2013. Then again, it is a PHP project, so I guess I can't expect very much.

]]> http://kusabax.cultnet.net/c/res/6089.html

Someone having problems to download latest kusaba?

]]> http://kusabax.cultnet.net/c/res/6053.html#6088
]]> http://kusabax.cultnet.net/c/res/6058.html#6087 >>6085
Jmyeom, Using public PC.

i do web hosting?...

i can offer webspace?

]]> http://kusabax.cultnet.net/c/res/6058.html#6086
]]> http://kusabax.cultnet.net/c/res/6058.html#6085 >>6074
>>6075

>>6073 here.

The persistent XSS bug was one I personally found in a code audit. I haven't disclosed it to anyone, not even friends. It's possible to exploit on most (but not all) public and popular boards, but takes a small amount of effort. I confirmed it is possible, and easy, to steal a staff cookie with it on a vulnerable board.

I also found a second persistent XSS, but it's user-specific-ish so it acts as a reflected XSS. It is easy to exploit, but no one really cares about reflected XSS.

Both are still in the most up-to-date version. I have no desire to exploit them in the wild, though.

I found absolutely no SQL injection vectors, which is good I guess. Also, I didn't check for other flaws very carefully but I did not seem to notice any.

I could give you the information on the two XSSs in exchange for like 0.5 - 1 BTC, if you want, I guess. Or if you have something else to offer.

]]>