Attempt to fix the thank plugin.

dnomdnom Member
edited December 2012 in General

I lurk at LET every day but I don't post very often because I'm the silent type of guy and English is not my first nor second language. Thanking was a very good way for me to 'interact' with other members. Since no one seems to be working on a fix, I figured I'd try to fix it myself.

I have been aware for quite a while now that there's a CSRF exploit on the thank plugin that enables you to make others thank you without them having to click the thank you button. I never thought of reporting it, so I don't know if it's the same thing that @gsrdgrdghd found and reported to @Chief.
Anyway here's my attempt at fixing it:
https://github.com/macr/ThankfulPeople

I've only modified a few lines, I basically added the check for the TransientKey before adding the "thank".

See what I've changed:
https://github.com/macr/ThankfulPeople/commit/3ae895b8ab738868a88a8b05bed8ebd73e43fa79

@gsrdgrdghd
Can you confirm if it's the same exploit you found?

@Chief
Any chance you can test and implement it if it solved the exploit?

Comments

  • @dnom said: I lurk at LET every day but I don't post very often because I'm the silent type of guy and English is not my first nor second language. Thanking was a very good way for me to 'interact' with other members. Since no one seems to be working on a fix, I figured I'd try to fix it myself.

    I have been aware for quite a while now that there's a CSRF exploit on the thank plugin that enables you to make others thank you without them having to click the thank you button. I never thought of reporting it, so I don't know if it's the same thing that @gsrdgrdghd found and reported to @Chief.

    Anyway here's my attempt at fixing it:
    https://github.com/macr/ThankfulPeople

    I've only modified a few lines, I basically added the check for the TransientKey before adding the "thank".

    See what I've changed:

    https://github.com/macr/ThankfulPeople/commit/3ae895b8ab738868a88a8b05bed8ebd73e43fa79

    Can you confirm if it's the same exploit you found?

    Any chance you can test and implement it if it solved the exploit?

    Why was this disabled because of this exploit? Were we scared people were going to get some extra thanks?

  • Possibly more dangerous than that @Corey

  • Is your way of checking the TransKey the recommended/standard way in Vanilla? This appears to fix the bug; I think you should also submit it to the plugin maintainer so that everyone can profit from it :)

  • @gsrdgrdghd

    From what I read here http://vanillaforums.org/docs/singlesignon it is the recommended/standard way. It is also used by vanilla to prevent CSRF on the logout button.
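As an added illustration of the transient-key check discussed in the posts above (this is not the ThankfulPeople plugin's code and does not reproduce Vanilla's own helpers; the function and array names are assumptions), here is the shape of the fix in plain PHP: the handler that records a thank refuses unless the request carries the caller's per-session key, which a page on another site cannot read.

```php
<?php
// Illustrative model of the per-session "transient key" CSRF defence.
// Names (issueTransientKey, thankVulnerable, thankHardened) are hypothetical.

// Generate a random per-session token once at login and keep it server-side.
function issueTransientKey(array &$session): string {
    $session['TransientKey'] = bin2hex(random_bytes(16));
    return $session['TransientKey'];
}

// Vulnerable shape: any request naming a comment records a thank, so a page
// on another site can trigger it on behalf of a logged-in user.
function thankVulnerable(array $session, array $request, array &$thanks): bool {
    $thanks[] = [$session['UserID'], (int)$request['CommentID']];
    return true;
}

// Hardened shape: refuse unless the submitted key matches the session's key.
// hash_equals() compares in constant time.
function thankHardened(array $session, array $request, array &$thanks): bool {
    $submitted = (string)($request['TransientKey'] ?? '');
    if (!isset($session['TransientKey']) || !hash_equals($session['TransientKey'], $submitted)) {
        return false; // cross-site request: the other origin never saw this key
    }
    $thanks[] = [$session['UserID'], (int)$request['CommentID']];
    return true;
}

// Constructed scenario: one logged-in user, one forged and one genuine request.
$session = ['UserID' => 42];
$key     = issueTransientKey($session);
$thanks  = [];

$forged = ['CommentID' => 7];                         // no key: attacker doesn't know it
$legit  = ['CommentID' => 7, 'TransientKey' => $key]; // key embedded by the real page

var_dump(thankVulnerable($session, $forged, $thanks)); // bool(true)  forgery recorded
var_dump(thankHardened($session, $forged, $thanks));   // bool(false) forgery rejected
var_dump(thankHardened($session, $legit, $thanks));    // bool(true)  real click recorded
```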

  • Thanks. I hope to see it return, because I often read something that is noteworthy or helpful, but lack having anything to really say in return for that acknowledgement. I miss being able to just 'thank someone' without actually having to waste time saying, "Oh hey, that was helpful or interesting piece of information."

  • I hope it comes back. Even now after it's been gone for so long, I still instinctively mouse over to where the thanks link would be when I see a good post =(

  • @dnom

    I already kind of forgot about the thank button, I think that it's very loyal and respectful of you to take your time to fix this.
    If I were a VPS provider I would have given you a free yearly VPS for your great community effort, however, I'm not :)

    Good job again, you deserve something for the time you spent! (it's about the idea/effort, not about how hard it was)

  • I just noticed you got something like that (for a different reason though) from @anthonysmith

  • @BronzeByte
    LOL yeah really unexpected. It's like you have some kind of magical power. :)

  • Let's tag @Liam too, so he can look into it perhaps.

  • dnom, hope your efforts get some results.

  • jarjar Patron Provider, Top Host, Veteran

    I refuse to thank you for your work until the button returns so that I may do it properly. So until then, no thanks for you!

    ;)

  • +1
    :)

  • Any chance you can test and implement it if it solved the exploit?

    Hi dnom,

    I actually have a patched version as of a week ago, just haven't had time to scratch myself at the moment. I'll take a look at your forked version over the weekend, and put one or the other online over the weekend.

    TY for your efforts anyway, appreciated.

  • DewlanceVPS Member, Patron Provider

    Don't have a time for prisoners and chimps? :)) lol

  • @Chief said: I'll take a look at your forked version over the weekend, and put one or the other online over the weekend.

    Thanks! I'm glad to know it's coming back soon. :)

  • @DewlanceVPS said: Don't have a time for prisoners and chimps? :)) lol

    Don't have a time for English? :)) lol

  • @Chief GREAT news!

    Best Christmas Gift evar.

  • MikeIn Member
    edited December 2012

    @dnom said: @Chief said: I'll take a look at your forked version over the weekend, and put one or the other online over the weekend.

    Thanks! I'm glad to know it's coming back soon. :)

    +1

  • DewlanceVPS Member, Patron Provider
    edited December 2012

    @lbft said: Don't have a time for English? :)) lol

    Yes :)

  • @dnom @Chief - 2013 is looking good! :-)

  • Bring back the thankfulness in the new year!

  • Maounique Host Rep, Veteran

    @pubcrawler said: Bring back the thankfulness in the new year!

    Thank god !

  • @Chief I'd thank you but.... :)

  • rm_ IPv6 Advocate, Veteran

    Will we not get this in 2012? :S

  • I bet someone a 256mb VPS that it'll be deployed after 2012 ends!

  • @HalfEatenPie

    Give it to me if that's not the case :P

    Hopefully not from my own company >_>

  • @Ishaq

    I think a bet can be arranged.

  • LowEndCirclejerk is coming back? (it never left)

  • @Chief said: Hi dnom,

    I actually have a patched version as of a week ago, just haven't had time to scratch myself at the moment. I'll take a look at your forked version over the weekend, and put one or the other online over the weekend.

    TY for your efforts anyway, appreciated.

    This weekend maybe?
