# F5 Exploit - Resolved



## CinoxFellpyre (Sep 5, 2011)

http://img685.imageshack.us/img685/9332/screenshot12p.png

As explained in the shout my mouse is over, there has been an exploit on my page, from some furry who thought it'd be nice to plaster 90 "FUCK YOU" shouts on my page.

Is there a possible fix for this?


----------



## Draconas (Sep 5, 2011)

*Re: F5 Exploit*

Looks like an awesome way to piss off someone.

EDIT: tested it on my own page, seems to do as claimed.


----------



## Lobar (Sep 5, 2011)

*Re: F5 Exploit*

so I guess you like tits


----------



## Xaevo (Sep 5, 2011)

*Re: F5 Exploit*

I've warned the admins back in 2010 about this..


----------



## Gavrill (Sep 5, 2011)

*Re: F5 Exploit*

What a dick move :1

Edit:



Lobar said:


> so I guess you like tits


I don't think that's his page


----------



## Volkodav (Sep 5, 2011)

*Re: F5 Exploit*

that's awesome

i will tell my troll brethren about this



i'm just kidding. admins, fix this shit please.


----------



## Qoph (Sep 5, 2011)

*Re: F5 Exploit*

Moved to prevent people from abusing this.  Tech staff should look at it.


----------



## SquiRoFL (Sep 19, 2011)

*Re: F5 Exploit*

Wow, just tried it. That's a pretty bad bug. How exactly does it work so they can fix it? Is the code that is executed to make the shout ON the confirmation page? To fix, I'd assume they'd have to make the page the shout code is executed and the shout confirmation on different pages... or something to that effect.


----------



## Ozriel (Sep 19, 2011)

*Re: F5 Exploit*

Hahahahahaha--

I mean...that's awful and should be fixed.


----------



## Corto (Sep 19, 2011)

*Re: F5 Exploit*

I'll proceed NOT to abuse this on Xaerun's page. Excuse me.


----------



## Arshes Nei (Sep 21, 2011)

*Re: F5 Exploit*

Was this exploit fixed?


----------



## dinosaurdammit (Sep 21, 2011)

*Re: F5 Exploit*

No I raped corto's page


----------



## Corto (Sep 21, 2011)

*Re: F5 Exploit*

GOD DAMMIT


----------



## Xaerun (Sep 21, 2011)

*Re: F5 Exploit*



Corto said:


> I'll proceed NOT to abuse this on Xaerun's page. Excuse me.


Guys he totally abused it on my page
Guuuuuuuuuys


----------



## dinosaurdammit (Sep 22, 2011)

*Re: F5 Exploit*

For the record I only did the f5 once to see if it really worked. It did sadly :C


----------



## Ozriel (Sep 22, 2011)

*Re: F5 Exploit*

Still needs to be fixed.


----------



## ArielMT (Sep 22, 2011)

*Re: F5 Exploit*

When I tried it last night (about 10 hours ago), I tried it on my own user page because that's easiest to clean up.  It worked.  Firefox warned me that it was resubmitting form information, which means it was repeating the HTTP POST request that made the shout instead of an HTTP GET request that, ideally, should be the confirmation page.


----------



## net-cat (Sep 22, 2011)

*Re: F5 Exploit*

Fixed.



> 11:04 <@net-cat> This is something really, really simple I can do to fix this.
> 11:04 <@net-cat> DON'T LAND ON A FUCKING POST REQUEST
> 11:05  * net-cat has been raging against this for years.
> 11:05 <@net-cat> 302 REDIRECTS EXIST FOR A FUCKING REASON


----------



## ArielMT (Sep 22, 2011)

*Re: F5 Exploit*

This bug is squashed.

The cause was the confirmation page was a landing page on an HTTP POST request, and this should never, ever be the case on any Web site handling form information.  That form information is cached in the browser because it's the only way the browser knows how to fetch the same page from the server when the user hits reload/refresh.

The fix was to simply remove the confirmation page entirely and use the HTTP 302 status code to redirect the browser back to the shouted-at user's profile page.  This is the intended purpose of that status code, and most if not all Web browsers recognize it as such.  This page is fetched by an HTTP GET request, which doesn't require submitting any form information, thus no repeated shouts.

Credit for this fix goes entirely to net-cat.


----------



## net-cat (Sep 22, 2011)

*Re: F5 Exploit*

Well, there is a time when it's acceptable to land on a POST page. That's when there's an input error that you want the user to fix. (It's okay since resubmitting the form will just generate the same error.)

This, however, is obviously not the case here.


----------
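The cause and fix described in the last three posts, as an added example that is not part of the thread or the site's own code: a model of a shout handler before and after the 302 redirect, with a simulated browser whose reload replays the request that produced the current page. The routes, the `text` field, the in-memory list and the 400 status for the input-error case are assumptions made for illustration.

```python
# Added example: routes, field names and the in-memory store are assumptions.
from urllib.parse import parse_qs

def handle_vulnerable(method, path, body, shouts):
    """'Before': the confirmation page is the response to the POST itself."""
    if method == "POST" and path.startswith("/shout/"):
        shouts.append((path.split("/")[2], parse_qs(body).get("text", [""])[0]))
        return 200, {}, "Shout posted!"
    return 200, {}, f"{len(shouts)} shouts"

def handle_fixed(method, path, body, shouts):
    """'After': a successful POST answers 302 to the profile (fetched by GET)."""
    if method == "POST" and path.startswith("/shout/"):
        user = path.split("/")[2]
        text = parse_qs(body).get("text", [""])[0].strip()
        if not text:
            # Input error: landing on the POST is fine, a resubmit only
            # reproduces the same error and stores nothing.
            return 400, {}, "Shout text is required"
        shouts.append((user, text))
        return 302, {"Location": f"/user/{user}"}, ""
    return 200, {}, f"{len(shouts)} shouts"

class Browser:
    """Remembers the request that produced the current page; F5 replays it."""
    def __init__(self, handler, shouts):
        self.handler, self.shouts, self.last = handler, shouts, None

    def request(self, method, path, body=""):
        status, headers, page = self.handler(method, path, body, self.shouts)
        if status == 302:  # browsers follow a 302 with a GET, dropping the form data
            return self.request("GET", headers["Location"])
        self.last = (method, path, body)
        return status, page

    def reload(self):
        return self.request(*self.last)

def shouts_after_reloads(handler, body="text=hi", reloads=90):
    shouts = []
    browser = Browser(handler, shouts)
    browser.request("POST", "/shout/alice", body)
    for _ in range(reloads):
        browser.reload()
    return len(shouts)

if __name__ == "__main__":
    print(shouts_after_reloads(handle_vulnerable))  # 91
    print(shouts_after_reloads(handle_fixed))       # 1
```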

