I'm not going to test it and tell you what happens.
FAIL happens.
I love you.
I'm not going to test it and tell you what happens.
FAIL happens.
I love you.
First this won't work on the wow forums.
Second if you have the knowledge to fix his code you could have done it yourself anyway.
ummm.... right.....
Ok I looked at the code and read what Moskva said.
Moska is wrong on one thing:
What allows you to post are session variables (else you are considered as not logged). If you leave the forums, (by clicking on the link for example), session variables are lost.
When you come back to wow forums, wow forums cookie is included and auto log you (session variables are regenerated).
BUT WHEN YOU SUBMIT AN EXTERNAL FORM (like the one that would be stored on our site) SESSION COOKIE WON'T BE INCLUDED (and there's no way to include it), so your form submit will be rejected by wow forums cause you will be considered as not logged.
SORRY if what i wrote is hard to understand, english is not my mother tongue
Last edited by Ultrapowa; 07-04-2008 at 03:49 PM.
dubt its gonna work
Epic thread is epic.
![]()
Ultrapowa Said it more bluntly and clearly than me. "SESSION COOKIE WON'T BE INCLUDED" Your script would have to pass the headers and session info. Yes you can have you script pass this but as you said "That's only true if the form action is stored on your server." I highly doubt something as big as wow is gonna have unauthenticated forum posts. My reference to DDoS (Distributed denial of service so it's not just one person flooding the server) was just saying that this is a more realistic way to accomplish this. Also I'm sure loading a worm onto WoW's forums is just as illegal as DDoS. Just my thoughts on the matter.
edit: from what I understand he is doing this
forum browser clicks a link unwittingly which navigates them from the main wow site. (Session variables are scrapped)
The link takes them to his script that generates a post on wow's site with the same link as above.
It's just a MIM attack but the thing is you can pass the form info just fine but WOW's serverside script has no user name or session ID's to verify that it's a real post.
Last edited by shadesdude; 07-04-2008 at 08:22 PM.
Try using the [php*][/php*] tags (without star) another time, will you?
[16:15:41] Cypher: caus the CPU is a dick
[16:16:07] kynox: CPU is mad
[16:16:15] Cypher: CPU is all like
[16:16:16] Cypher: whatever, i do what i want
There's one flaw in that logic.
When you navigate away from a page, session variables are not destroyed. Session variables go away when you close your browser, not navigate away from a page.
And posting a worm would break some terms of use and whatnot, but it's not explicitly illegal - you aren't causing actual damage. DDoS, OTOH, if it succeeds, causes very real usage damage that is representable in a very real world form.
Ahhh you got me there I set my variables to go away after I navigate from the page forgot it wasn't standard. Giving you +rep for making me think.
Last edited by shadesdude; 07-04-2008 at 08:38 PM.
Im pretty sure...thats pretty damn illegal
wow, incredible worm haha
Nice one, would be cool to see.