Discussion in 'Photo.net Site Help' started by bens, Feb 3, 2005.
is this for real? if it is, what's the point of it?
That's just excellent...!
<chuckling, tips hat to moderators, impressed>
actually, it smells fishy to me. there's only one photo in there, by someone who joined yesterday, and the photo cannot actually be rated. what's the deal, site administrators? real or fake? tongue in cheek? early april fools? has someone hacked into the site's setup?
What's the point if you can't even rate the damned thing! Clifford worked because he's highly visible for future generations.
but carl, don't you find the new category a little strange?
Has the site been hacked? Look at the top photo for the last 3 days or all the pics with perfect scores (all nudes) for the last week. Can't rate any of them; the rate option has been removed. Combine this with the mate raters critique category and it looks like the administrators will have their hands full. Too bad this sort of thing happens.
Does this have something to do with the strange "??" category that recently showed up? At first I thought it was a buffer overflow bug, but maybe it's a result of a site hack. What's even odder is that the sole picture in the "??" category seems to be a legitimate one. The poster is Chinese, so it's possible he entered a title in a Chinese character set and that somehow confused the database.
oh, this is very strange, cuz i looked at jim adams' portfolio yesterday and i am almost certain that some of his photos now in the top rating as described by ed did not have unqualified 7's. (i am not suggesting at all that jim has anything to do with anything.)
sorry, meant as described by jay above.
delighted to observe people with a creative sense of humor to share about some of the absurdity that goes on around here.
at the possibility that the site may be being hacked, particularly in light of the recent bot attacks. hope the administrators can provide clarification.
If the "mate raters" was indeed a hack I think I see how it was done. Admins contact me as I would rather aid copy-cat hackers by posting it here.
I mean "rather NOT help copy cats". Dr Freud, was that a slip?
It's a mini hack. Someone with HTML skills can modify the form that is used to enter the category to make it anything they want.
Sometimes you see a related problem where suddenly a new category appears with some kind of strange character in it. This is not caused by a hacked form -- just some kind of corruption of the category field on the way to the server. I have it on my list to fix this problem at some point, but the corruption thing rarely happens and is quickly fixed, so it isn't a very high priority.
As for someone taking advantage of the current design to hack, well that hasn't happened before. Someone just discovered a not-so-rapid "Ban Me!" technique. If your goal is to be banned, there are plenty of ways to do it faster. But this method works too for the time being.
thanks brian, appreciate the information.
but brian, your mini-hack does not explain how the hacker changed the ratings on jim atkins' photos. i distinctly recall looking at his portfolio yesterday, and at least a couple of the photos that now have 10 ratings of perfect 7's, i could swear had ratings in the 5s. you don't need to explain here, but please take a look at this too, as it looks like someone is actually finding a way to CHANGE ratings if my memory is correct, and i am 99% sure that it is.
Drat. I was all excited that they'd maybe flock there, or even better, get slid there by site admins.
You could fix it with an extra level of indirection in the database.
so you don't have a separate table for categories, with associated abstraction (e.g. categoryID CHAR(8) used in HTML form, corresponding to record in SELECT categoryName, categoryID FROM categories WHERE topicID=1481)? someone made a boo-boo a long time ago!
brian, sorry, moving too fast and made a mistake -- it's "jim adams." poor jim has posted numerous photos that have somehow been hacked so that they are showing up in the top photos of the week as rated 7/7. if you click on the photos, they show no ratings. i remember looking at some of them yesterday and they had real ratings, so something strange IS going on, i think, worth investigating. sorry to be the bearer of bad news . . .
It's a mini hack.
Brian, I guess that to modify the HTML code it is necessary to modify and save the code on the server. Now, if someone has been able to modify the code on the server I guess they should be able to modify almost everything. I hope this is not the situation but the question (that I am very sorry to ask) is ... what's the situation about security out there?
No, Michele. Nobody has hacked the server. It is a trivial matter to send any data to a web server that you want to send. You don't have to use the form that the server sends you to format the data you send. It is a programming mistake on the server side to assume that the data you are receiving is coming from the forms that you sent and to assume that it is valid. This particular script assumes that the category coming in on photo critique request is one of the categories that is in the selection list on the form. That is a mistake because someone doesn't have to use the form and can send any category string at all.
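Added illustration, not code from photo.net or from anyone in this thread: the server-side mistake Brian describes (storing whatever category string arrives, on the assumption it came from the site's own select list) next to the fix Chris suggests (a separate categories table keyed by a server-assigned ID, with the submitted ID checked against that table). The table contents, IDs, field names and request bodies below are constructed for the example; the real site's schema is not on this page.

```python
"""Added example: validate a form-submitted category against a
server-side table instead of trusting the client-supplied string."""
from urllib.parse import parse_qs

# Constructed stand-in for a categories table keyed by a server-assigned ID.
# Storing the ID rather than the free-text name is the "extra level of
# indirection" suggested in the thread. The IDs and names are hypothetical.
CATEGORIES = {
    "LANDSCP": "Landscape",
    "PORTRAIT": "Portrait",
    "NUDE": "Nude",
    "STREET": "Street",
}

# Constructed stand-in for the table of critique requests.
CRITIQUE_REQUESTS = []


class InvalidCategory(ValueError):
    """Raised when a submitted category ID is not in the server-side table."""


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into a flat dict.
    Anything at all can arrive here; the sender never has to use our form."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def handle_critique_unchecked(body: str) -> dict:
    """The mistake described above: store whatever category string arrived,
    assuming it is one of the options in the <select> list we sent out."""
    form = parse_form(body)
    record = {"photo_id": form.get("photo_id"), "category": form.get("category")}
    CRITIQUE_REQUESTS.append(record)
    return record


def handle_critique_validated(body: str) -> dict:
    """Hardened version: accept only a category_id present in CATEGORIES and
    store the ID, so the displayed name always comes from our own table."""
    form = parse_form(body)
    category_id = form.get("category_id", "")
    if category_id not in CATEGORIES:
        # Rejects both a hand-built request and a corrupted field such as the
        # "??" category mentioned earlier; neither reaches the database.
        raise InvalidCategory(f"unknown category_id {category_id!r}")
    photo_id = form.get("photo_id", "")
    if not photo_id.isdigit():
        raise ValueError("photo_id must be numeric")
    record = {"photo_id": int(photo_id), "category_id": category_id}
    CRITIQUE_REQUESTS.append(record)
    return record


def category_name(record: dict) -> str:
    """Resolve a stored category ID back to its display name via the table."""
    return CATEGORIES[record["category_id"]]


if __name__ == "__main__":
    legit = "photo_id=12345&category_id=LANDSCP"
    crafted = "photo_id=12345&category=Mate+Raters"  # not in any select list
    print(handle_critique_unchecked(crafted))          # stored verbatim
    print(category_name(handle_critique_validated(legit)))
    try:
        handle_critique_validated("photo_id=12345&category_id=Mate+Raters")
    except InvalidCategory as e:
        print("rejected:", e)
```

The point of the validated handler is that the server's list of acceptable values lives on the server; the select list in the HTML form is only a convenience for the browser, never the source of truth.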
The person who did this, by the way, is probably the same person who is running the rating scripts. At some point, he is going to find that he isn't just writing "Ban Me!" scripts. He is going to discover that he is writing "I'd like a visit from the FBI" scripts.
Chris, yes it is a boo boo. photo.net has reasonable enough security but a lot of features would be different if the system were being coded today. For one thing, we would not have a system that allows anyone to submit HTML posts. That makes it fairly trivial to deface pages. The ease with which some parts of photo.net can be defaced may be a form of protection in itself. Since it isn't a challenge, all you prove by doing it is that you didn't deserve to be trusted. With the number of visitors that we have, it is amazing that we have so few problems. I guess that just shows that most people everywhere in the world are pretty decent. Apparently some kid thinks he is proving he is some kind of HTML/Web god with his antics. That isn't what he is proving at all.