Create a worm that will infect the official forums

**~~trancehax~~** · 07-04-2008

I'm not going to test it and tell you what happens.
FAIL happens.
I love you.

**glo** · 07-04-2008

First this won't work on the wow forums.
Second if you have the knowledge to fix his code you could have done it yourself anyway.

**Kyle94481** · 07-04-2008

ummm.... right.....

**imtel** · 07-04-2008

Originally Posted by Hasbro

LOL I DID READ UR WALL'O TEXT

SO DID I.!

**Ultrapowa** · 07-04-2008

Ok I looked at the code and read what Moskva said.
Moska is wrong on one thing:

What allows you to post are session variables (else you are considered as not logged). If you leave the forums, (by clicking on the link for example), session variables are lost.

When you come back to wow forums, wow forums cookie is included and auto log you (session variables are regenerated).
BUT WHEN YOU SUBMIT AN EXTERNAL FORM (like the one that would be stored on our site) SESSION COOKIE WON'T BE INCLUDED (and there's no way to include it), so your form submit will be rejected by wow forums cause you will be considered as not logged.

SORRY if what i wrote is hard to understand, english is not my mother tongue

**Moskva** · 07-04-2008

Originally Posted by Ultrapowa

Ok I looked at the code and read what Moskva said.
Moska is wrong on one thing:

What allows you to post are session variables (else you are considered as not logged). If you leave the forums, (by clicking on the link for example), session variables are lost.

When you come back to wow forums, wow forums cookie is included and auto log you (session variables are regenerated).
BUT WHEN YOU SUBMIT AN EXTERNAL FORM (like the one that would be stored on our site) SESSION COOKIE WON'T BE INCLUDED (and there's no way to include it), so your form submit will be rejected by wow forums cause you will be considered as not logged.

SORRY if what i wrote is hard to understand, english is not my mother tongue

That's only true if the form action is stored on your server. In this case, though, it's still using the wow-europe script; wow-europe server is requesting the cookies, not your own.

Worst case scenario: modify headers to show referrer as wow-europe.

**ghetzu** · 07-04-2008

dubt its gonna work

**Sylvor** · 07-04-2008

Epic thread is epic.

**shadesdude** · 07-04-2008

Ultrapowa Said it more bluntly and clearly than me. "SESSION COOKIE WON'T BE INCLUDED" Your script would have to pass the headers and session info. Yes you can have you script pass this but as you said "That's only true if the form action is stored on your server." I highly doubt something as big as wow is gonna have unauthenticated forum posts. My reference to DDoS (Distributed denial of service so it's not just one person flooding the server) was just saying that this is a more realistic way to accomplish this. Also I'm sure loading a worm onto WoW's forums is just as illegal as DDoS. Just my thoughts on the matter.

edit: from what I understand he is doing this
forum browser clicks a link unwittingly which navigates them from the main wow site. (Session variables are scrapped)
The link takes them to his script that generates a post on wow's site with the same link as above.
It's just a MIM attack but the thing is you can pass the form info just fine but WOW's serverside script has no user name or session ID's to verify that it's a real post.

**MaiN** · 07-04-2008

Try using the [php*][/php*] tags (without star) another time, will you?

**Moskva** · 07-04-2008

Originally Posted by shadesdude

Ultrapowa Said it more bluntly and clearly than me. "SESSION COOKIE WON'T BE INCLUDED" Your script would have to pass the headers and session info. Yes you can have you script pass this but as you said "That's only true if the form action is stored on your server." I highly doubt something as big as wow is gonna have unauthenticated forum posts. My reference to DDoS (Distributed denial of service so it's not just one person flooding the server) was just saying that this is a more realistic way to accomplish this. Also I'm sure loading a worm onto WoW's forums is just as illegal as DDoS. Just my thoughts on the matter.

edit: from what I understand he is doing this
forum browser clicks a link unwittingly which navigates them from the main wow site. (Session variables are scrapped)
The link takes them to his script that generates a post on wow's site with the same link as above.
It's just a MIM attack but the thing is you can pass the form info just fine but WOW's serverside script has no user name or session ID's to verify that it's a real post.

There's one flaw in that logic.

When you navigate away from a page, session variables are not destroyed. Session variables go away when you close your browser, not navigate away from a page.

And posting a worm would break some terms of use and whatnot, but it's not explicitly illegal - you aren't causing actual damage. DDoS, OTOH, if it succeeds, causes very real usage damage that is representable in a very real world form.

**shadesdude** · 07-04-2008

Ahhh you got me there I set my variables to go away after I navigate from the page forgot it wasn't standard. Giving you +rep for making me think.

**lothlogan** · 07-04-2008

Im pretty sure...thats pretty damn illegal

**~~Purple Sprite~~** · 07-04-2008

wow, incredible worm haha

**thaer** · 07-05-2008

Nice one, would be cool to see.

Shout-Out

User Tag List

Thread: Create a worm that will infect the official forums

Thread Tools

Search Thread

Similar Threads

I need something that will get me permanently banned, working with the current patch

[Misc] I need a website that will work with the Skyfire core.

[REQUEST]The model edit that doesn't exist or most likely will in the near future

How to create an item that will teleport!

[REQUEST]New Mall vendors that will work with the lastest NCDB

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino