Attempt to fix the thank plugin.
I lurk at LET every day but I don't post very often because I'm the silent type of guy and English is not my first nor second language. Thanking was a very good way for me to 'interact' with other members. Since no one seems to be working on a fix, I figured I'd try to fix it myself.
I was aware for quite a while now that there's a CSRF exploit on the thank plugin that enables you to make others thank you without them having to click the thank you button. I never thought of reporting it so I don't know if it's the same thing that @gsrdgrdghd found and reported to @Chief
Anyway here's my attempt at fixing it:
https://github.com/macr/ThankfulPeople
I've only modified a few lines, I basically added the check for the TransientKey before adding the "thank".
See what I've changed:
https://github.com/macr/ThankfulPeople/commit/3ae895b8ab738868a88a8b05bed8ebd73e43fa79
@gsrdgrdghd
Can you confirm if it's the same exploit you found?
@Chief
Any chance you can test and implement it if it solved the exploit?
Comments
Why was this disabled because of this exploit? Were we scared people were going to get some extra thanks?
Possibly more dangerous than that @Corey
Is your way of checking the TransKey the recommended/standard way in Vanilla? This appears to fix the bug. I think you should also submit it to the plugin maintainer so that everyone can profit from it.
@gsrdgrdghd
From what I read here http://vanillaforums.org/docs/singlesignon it is the recommended/standard way. It is also used by vanilla to prevent CSRF on the logout button.
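To show the shape of the fix being discussed (a TransientKey check before the thank is recorded), here is an added example written in Vanilla 2.0-era PHP; it is not dnom's commit or the ThankfulPeople plugin's code. The controller method name, the plugin class name and the `ThankModel()->Save()` helper are assumptions; the `Gdn::Session()` TransientKey calls are Vanilla's own session API. It also goes one step beyond the fix described above by refusing non-POST requests.

```php
<?php
// Added example, not code from the ThankfulPeople plugin. The method names,
// class name and ThankModel helper are assumptions; only the Gdn::Session(),
// Gdn_Request and PermissionException() calls are Vanilla's own API.
class ThankfulPeopleExamplePlugin extends Gdn_Plugin {

    // BEFORE (the bug): any request to /discussion/thank/<CommentID> records
    // a "thank" for whoever is logged in. The browser attaches the session
    // cookie automatically, so a page on another site that embeds that URL
    // makes the visitor "thank" a comment without ever clicking the button.
    public function DiscussionController_Thank_Create_Vulnerable($Sender) {
        $Session = Gdn::Session();
        if (!$Session->IsValid()) throw PermissionException();
        $CommentID = (int) GetValue(0, $Sender->RequestArgs, 0);
        $this->ThankModel()->Save($CommentID, $Session->UserID); // assumed helper
        $Sender->Render();
    }

    // AFTER: require the per-session TransientKey. It is stored server-side
    // in the session (not in the cookie), so a third-party page cannot know
    // it and the forged request fails the check. Requiring POST is an extra
    // hardening on top of the key check: a bare <img src=...> cannot POST.
    public function DiscussionController_Thank_Create($Sender) {
        $Session = Gdn::Session();
        if (!$Session->IsValid()) throw PermissionException();

        $TransientKey = $Sender->Request->Get('TransientKey');
        if (!$Sender->Request->IsPostBack()
            || !$Session->ValidateTransientKey($TransientKey)) {
            // Wrong or missing key: treat it exactly like a permission error.
            throw PermissionException();
        }

        $CommentID = (int) GetValue(0, $Sender->RequestArgs, 0);
        $this->ThankModel()->Save($CommentID, $Session->UserID); // assumed helper
        $Sender->Render();
    }
}

// The legitimate thank link/form must now carry the key, e.g.
//   Url('/discussion/thank/' . $CommentID . '?TransientKey=' . Gdn::Session()->TransientKey())
// which is the same pattern Vanilla uses for its own logout link.
```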
Thanks. I hope to see it return, because I often read something that is noteworthy or helpful, but lack having anything to really say in return for that acknowledgement. I miss being able to just 'thank someone' without actually having to waste time saying, "Oh hey, that was helpful or interesting piece of information."
I hope it comes back. Even now after it's been gone for so long, I still instinctively mouse over to where the thanks link would be when I see a good post =(
@dnom
I already kind of forgot about the thank button, I think that it's very loyal and respectful of you to take your time to fix this.
If I was a VPS provider I would have given you a free yearly VPS for your great community effort, however, I'm not
Good job again, you deserve something for the time you spent! (it's about the idea/effort, not about how hard it was)
I just noticed you got something like that (for a different reason though) from @anthonysmith
@BronzeByte
LOL yeah really unexpected. It's like you have some kind of magical power.
Let's tag @Liam too. So he can look into it perhaps.
dnom, hope your efforts get some results.
I refuse to thank you for your work until the button returns so that I may do it properly. So until then, no thanks for you!
+1
Hi dnom,
I actually have a patched version as of a week ago, just haven't had time to scratch myself at the moment. I'll take a look at your forked version over the weekend, and put one or the other online over the weekend.
TY for your efforts anyway, appreciated.
Don't have a time for prisoners and chimps? ) lol
Thanks! I'm glad to know it's coming back soon.
Don't have a time for english? ) lol
@Chief GREAT news!
Best Christmas Gift evar.
+1
Yes
@dnom @Chief - 2013 is looking good! :-)
Bring back the thankfulness in the new year!
Thank god!
@Chief I'd thank you but....
Will we not get this in 2012? :S
I bet someone a 256mb VPS that it'll be deployed after 2012 ends!
@HalfEatenPie
Give it to me if that's not the case :P
Hopefully not from my own company >_>
@Ishaq
I think a bet can be arranged.
LowEndCirclejerk is coming back? (it never left)
This weekend maybe?