Author Topic: FA admin account compromised (yet again)  (Read 17401 times)

ProvincialTwit

  • Abuse Dept.
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 774
  • E-points: +72/-33
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #200 on: December 30, 2010, 10:45:21 am »
Along with the issue with multiple POST requests mentioned earlier, is there maybe an issue (judging by how many times you see "I meant to reply to the above poster") with posting replies being processed first-in, first-out, instead of properly linking to the parent post?

I cannot even imagine how poorly the whole thing would have to be written for that to happen.  Seriously, it's such a no-brainer to write something like that, that I am unable to conjure up a way to do it -that- wrong.

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #201 on: December 30, 2010, 11:47:11 am »
Quote
Along with the issue with multiple POST requests mentioned earlier, is there maybe an issue (judging by how many times you see "I meant to reply to the above poster") with posting replies being processed first-in, first-out, instead of properly linking to the parent post?

I cannot even imagine how poorly the whole thing would have to be written for that to happen.  Seriously, it's such a no-brainer to write something like that, that I am unable to conjure up a way to do it -that- wrong.

Pretty sure that's an issue on the client-side, because FA's style and presentation HTML still uses tables, the cutting edge technology of 1995. So instead of collapsing deeply-nested threads à la LiveJournal, or whatever, the HTML sent to the browser just offsets a child reply table cell a little more to the right than its parent. At some point this scheme quits working (you run out of screen space) and even though (as far as I know) the replies are properly structured in the DB, you simply can't tell from the client-side HTML that is sent, either visually or (IIRC) in the HTML source.

This, incidentally, makes Greasemonkey-style DOM manipulation of FurAffinity more or less impossible in most cases, which is how I know the above.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #202 on: December 30, 2010, 12:34:07 pm »
Quote
according to WikiFur

Yes, well, we all know how that scene works: if you're popular and/or liked by the furry royalty, you can write (or remove) whatever you want there and it will be accepted as WikiTruth. But otherwise, expect to have your page kept around (despite your wishes to the contrary) and filled with sections like "Criticism" and "Controversy".

(cue GreenReaper in 3...2...)

True, but I always find it reliable for their hardware specs, mostly because Dragoneer edits those in himself, and we all know how he likes to throw around hardware specs. I have noticed inconsistency in the server's descriptions, though. Like how "Novastorm" went from being the web front-end server to being the database server (and "Figment" became the front-end server), and the old database server ("Tiamat") went to having no use listed. I guess we can just chalk that one up as another unused server then, bringing their total of unused servers to 5 (4 if you're counting the graphing server as being "used").

Eevee

  • VAPOREONWARE
  • Cabalistic Fuckhead
  • *
  • Posts: 48
  • E-points: +8/-0
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #203 on: December 30, 2010, 12:41:04 pm »
Quote
Pretty sure that's an issue on the client-side, because FA's style and presentation HTML still uses tables, the cutting edge technology of 1995. So instead of collapsing deeply-nested threads à la LiveJournal, or whatever, the HTML sent to the browser just offsets a child reply table cell a little more to the right than its parent. At some point this scheme quits working (you run out of screen space) and even though (as far as I know) the replies are properly structured in the DB, you simply can't tell from the client-side HTML that is sent, either visually or (IIRC) in the HTML source.

Actually, the problem is...  well, see for yourself.

Code:
function _nest($newnestid,$nestswitch,$rowid,$table="df_comments") {
    Global $sql;

    //echo "GO_TO_NEST => ('$newnestid','$nestswitch','$rowid','$table')<br/>";

    if($table != "df_comments") $column = "journal"; else $column = "submissionid";

    switch ($nestswitch) {
        case 0:
            $nimax = $newnestid + 999000000000000000000000000;
            $nimin = $newnestid + 1000000000000000000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) +1;
            $newnestid = $newnestid + (1000000000000000000000000 * $multiplier);
            break;
        case 1:
            $nimax = $newnestid + 999000000000000000000000;
            $nimin = $newnestid + 1000000000000000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) +1;
            $newnestid = $newnestid + (1000000000000000000000 * $multiplier);
            break;
        case 2:
            $nimax = $newnestid + 999000000000000000000;
            $nimin = $newnestid + 1000000000000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) +1;
            $newnestid = $newnestid + (1000000000000000000 * $multiplier);
            break;
        case 3:
            $nimax = $newnestid + 999000000000000000;
            $nimin = $newnestid + 1000000000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) +1;
            $newnestid = $newnestid + (1000000000000000 * $multiplier);
            break;
        case 4:
            $nimax = $newnestid + 999000000000000;
            $nimin = $newnestid + 1000000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) +1;
            $newnestid = $newnestid + (1000000000000 * $multiplier);
            break;
        case 5:
            $nimax = $newnestid + 999000000000;
            $nimin = $newnestid + 1000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) +1;
            $newnestid = $newnestid + (1000000000 * $multiplier);
            break;
        case 6:
            $nimax = $newnestid + 999000000;
            $nimin = $newnestid + 1000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) +1;
            $newnestid = $newnestid + (1000000 * $multiplier);
            break;
        case 7:
            $nimax = $newnestid + 999000;
            $nimin = $newnestid + 1000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) +1;
            $newnestid = $newnestid + (1000 * $multiplier);
            break;
        case 8:
            $nimax = $newnestid + 999;
            $nimin = $newnestid + 1;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) +1;
            $newnestid = $newnestid + (1 * $multiplier);
            break;
    }

    return $newnestid;
}

Commenting fucks up after a certain depth merely because this horrifying algorithm runs out of digits.

The db does store parent comment ids, but they seem to be decorative at best.  I managed to use them to retroactively fix all comment nesting for Ferrox, but alas that code has never been used either.
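
To make the "runs out of digits" failure concrete, here is a Python model of the _nest() scheme above. This is an added example, not FA's code and not anything Eevee posted: the df_comments rows are replaced by a constructed in-memory list, and the helper names (unit_for, nest, first_colliding_level, literal_overflows_php_int) are this example's own. Each nesting level gets a three-digit slot inside one integer, so two distinct failures fall out: the switch has cases 0..8 and no default, so a level-9 reply simply inherits its parent's nestid; and the 999... literals at levels 0 to 2 exceed a 64-bit signed integer, so on 64-bit PHP (and even more so on 32-bit) the arithmetic silently happens in IEEE doubles, which cannot carry 24 significant digits, and the small per-level increments vanish well before level 9. Running the same function with int and with float shows both. The original also interpolates $rowid straight into its SQL; the model drops the query entirely, so that point is noted in a comment only.

```python
"""Model of the leaked _nest() scheme (added example, not FA's code).

Level 0 is counted in multiples of 10**24, level 1 in multiples of 10**21,
and so on down to level 8 in multiples of 1. The rows list stands in for the
df_comments table and is constructed by the caller.
"""
from typing import Callable, List, Optional

UNIT_DIGITS = 24          # level-0 unit is 10**24, matching the PHP literals
MAX_LEVEL = 8             # highest `case` label in the switch; there is no default
PHP_INT_MAX = 2**63 - 1   # 64-bit PHP; larger literals become floats


def unit_for(level: int) -> int:
    """Size of one slot at this nesting level: 10**24, 10**21, ..., 1."""
    return 10 ** (UNIT_DIGITS - 3 * level)


def literal_overflows_php_int(level: int) -> bool:
    """True when the `999...` upper bound used at this level cannot be a PHP int."""
    return 999 * unit_for(level) > PHP_INT_MAX


def nest(parent_nestid, level: int, rows: List):
    """Reproduction of _nest(): count rows already inside the parent's slot at
    this level, then take the next slot.

    `rows` replaces the SQL query. (The original builds that query by string
    interpolation of $rowid; a bound parameter belongs there, but that is a
    separate defect from the one modelled here.) The arithmetic happens in
    whatever numeric type `parent_nestid` carries: pass an int to model exact
    arithmetic, a float to model what 64-bit PHP actually computes.
    """
    if level > MAX_LEVEL:
        # No case matches: control falls out of the switch and the parent's
        # nestid is returned unchanged, so the reply can never be ordered.
        return parent_nestid
    unit = unit_for(level)
    nimin = parent_nestid + unit
    nimax = parent_nestid + 999 * unit
    multiplier = sum(1 for n in rows if nimin <= n <= nimax) + 1
    return parent_nestid + unit * multiplier


def first_colliding_level(cast: Callable) -> Optional[int]:
    """Walk a reply chain one level deeper per step. At each level post two
    replies to the same parent and report the first level at which both get
    the same nestid, i.e. where sort order is lost. `cast` is int or float."""
    rows: List = []
    parent = cast(0)
    for level in range(0, MAX_LEVEL + 4):
        first = nest(parent, level, rows)
        rows.append(first)
        second = nest(parent, level, rows)
        rows.append(second)
        if first == second:
            return level
        parent = first
    return None


if __name__ == "__main__":
    print("exact integers collide at level:", first_colliding_level(int))
    print("IEEE doubles collide at level:  ", first_colliding_level(float))
    print("level-0 bound exceeds PHP_INT_MAX:", literal_overflows_php_int(0))
```

With exact integers the scheme survives until level 9, where the missing default case hands the reply its parent's id. With doubles the unit of 10**6 at level 6 is already smaller than half the spacing between representable values near 10**24, so siblings at that depth get identical ids; that is the depth at which the thread above says commenting breaks.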

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #204 on: December 30, 2010, 01:00:29 pm »
Wow, that code is awesome(ly hilarious). That is the code of someone who failed a PHP course at their local community college and doesn't have the good sense to never write another line of code ever again.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
    • View Profile
    • Clan Spum userpage
Re: FA admin account compromised (yet again)
« Reply #205 on: December 30, 2010, 01:11:46 pm »
Back to the original topic (though that particular piece of code always makes me laugh, seriously):

Sean Piche, have we learned the lesson that when your site is clearly being actively compromised, you PULL THE FUCKING PLUG? This way, you avoid having to pull shit like this: fatfingering a DB restore, dealing with the unknown effects of an attacker running amok, having to post another "oops we fucked up" notice, and the corresponding need to save face

No? You haven't learned that lesson? Welp
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Fiz

  • nice
  • Cabalistic Fuckhead
  • *
  • Posts: 94
  • E-points: +13/-1
  • no stop
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #206 on: December 30, 2010, 04:49:37 pm »
Haha, I showed that code to my boyfriend (a professional programmer); he just sat there and said "This makes me physically ill." and "If I wrote code like this, I'd be fired."

It's sad that Eevee's fix for that was never implemented.

And the fact that they fucked up the comment tables while trying to do a db restore is just fucking retarded.

Quote
Sean Piche, have we learned the lesson that when your site is clearly being actively compromised, you PULL THE FUCKING PLUG?

Naw. He'll live by his decision and say it was the proper thing to do! With furries, there are no mistakes, because you'll always get someone telling you that it wasn't your fault.
pee

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #207 on: December 30, 2010, 07:59:42 pm »
So someone on Lulz is now reporting they're getting notifications for replies to comments they never made and don't exist.

I'm guessing Yak didn't go ahead and delete any data that was related to the data he erased?

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #208 on: December 31, 2010, 07:00:31 am »
Maybe IDs are somehow getting reused? Eevee? What would happen in this situation that would explain this?
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

GreenReaper

  • transphobic shitheel raccoon puppetmaster
  • **
  • Posts: 124
  • E-points: +12/-23
  • Rambling norn
    • View Profile
    • GreenReaper Studios
Re: FA admin account compromised (yet again)
« Reply #209 on: December 31, 2010, 08:16:46 am »
If the comment ID is a foreign key in the messages table, and the old comments were deleted but the messages referring to them weren't, then yes - they should show up as people start making comments again.

It might be fixed by figuring out the datetimes affected and then wiping those comment entries, assuming that information is recorded in the messages table.

If it's not . . . hmm. You could be kinda screwed because people have also been making valid comments that should show up with those IDs. Maybe check whether they have any involvement whatsoever?

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
    • View Profile
    • Clan Spum userpage
Re: FA admin account compromised (yet again)
« Reply #210 on: December 31, 2010, 10:39:39 am »
Quote
If the comment ID is a foreign key

AFAIK they don't have those. The code was originally targeting MySQL 3, which didn't have relational support. If they added them to the schema, I would be surprised.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #211 on: December 31, 2010, 12:26:19 pm »
Quote
If the comment ID is a foreign key
AFAIK they don't have those. The code was originally targeting MySQL 3, which didn't have relational support. If they added them to the schema, I would be surprised.

hahaohwow.gif
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

loki

  • **
  • Posts: 125
  • E-points: +2/-2
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #212 on: December 31, 2010, 02:24:29 pm »
Quote
So someone on Lulz is now reporting they're getting notifications for replies to comments they never made and don't exist.

I'm guessing Yak didn't go ahead and delete any data that was related to the data he erased?

Most likely they're doing joins on the two tables together somehow and a sequence number has been reset somewhere (related to journals) while the actual comments probably still exist in some sort of relational table. That's just pure speculation but I'm sure it's something retarded like that.

Eevee: I really, really, really liked that piece of PHP code. Also, you (possibly?) exposed one of the DB tables they have - so now some wacko can probably find somewhere to run SQL injection and delete the shit out of df_comments - assuming that's the real table name... :D

Eevee

  • VAPOREONWARE
  • Cabalistic Fuckhead
  • *
  • Posts: 48
  • E-points: +8/-0
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #213 on: December 31, 2010, 02:42:29 pm »
Quote
Maybe IDs are somehow getting reused? Eevee? What would happen in this situation that would explain this?

Comments table had its auto_increment rolled back by the restore (remember, this is MySQL, where autoinc is a table property and not just "max of this column" or a first-class sequence), comment notification table still has its old data, new comments start being made with the ids that already had notifications sent.  "This comment has been deleted" suddenly turns into "oh this comment DOES exist".

Quote
AFAIK they don't have those. The code was originally targeting MySQL 3, which didn't have relational support. If they added them to the schema, I would be surprised.

I'm almost positive the various "this thing is deleted" errors, and the occasional comment made by nobody, are all due to rows pointing to other rows that don't exist.  (See above etc.)  Adding foreign keys would break the site's "functionality".

Quote
Eevee: I really, really, really liked that piece of PHP code. Also, you (possibly?) exposed one of the DB tables they have - so now some wacko can probably find somewhere to run SQL injection and delete the shit out of df_comments - assuming that's the real table name... :D

The tables have all been renamed at least once since this code was leaked.  And it doesn't matter anyway; I have a Ferrox importer script that quite clearly documents almost all of the schema, and Pi has it available publicly.
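
The id-reuse mechanism Eevee describes (auto_increment rolled back by the restore, notification rows left in place, new comments landing on ids that already had notifications) and the datetime-based cleanup GreenReaper suggests can both be reproduced in a few lines. The following is an added example, not FA's schema or anyone's posted code: table and column names, the three users and the timestamps are all constructed. SQLite is used because an INTEGER PRIMARY KEY without AUTOINCREMENT is assigned max(id)+1, which after deleting the newest rows reissues their ids exactly the way a rolled-back MySQL counter does. The same run shows two defences: a foreign key with ON DELETE CASCADE, which drops notifications together with the comment they point at (switched on with PRAGMA foreign_keys), and a check that flags any notification older than the comment it references, which a correct notification can never be.

```python
"""Simulation of notification rows outliving the comments they reference
(added example; schema, names and rows are constructed, not FA's).
"""
import sqlite3
from typing import Dict, List


def build_db(enforce_fk: bool) -> sqlite3.Connection:
    """Two tables. The REFERENCES clause is only enforced when the pragma is on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript("""
        CREATE TABLE comments (
            id      INTEGER PRIMARY KEY,   -- no AUTOINCREMENT: next id is max(id)+1
            author  TEXT    NOT NULL,
            body    TEXT    NOT NULL,
            created INTEGER NOT NULL       -- constructed timestamps, monotonic
        );
        CREATE TABLE notifications (
            id         INTEGER PRIMARY KEY,
            recipient  TEXT    NOT NULL,
            comment_id INTEGER NOT NULL REFERENCES comments(id) ON DELETE CASCADE,
            created    INTEGER NOT NULL
        );
    """)
    return conn


def stale_notifications(conn: sqlite3.Connection) -> List[int]:
    """A notification cannot predate the comment it is about; one that does is
    pointing at a recycled id. This is the datetime-based cleanup candidate list."""
    rows = conn.execute("""
        SELECT n.id FROM notifications n
        JOIN comments c ON c.id = n.comment_id
        WHERE n.created < c.created
        ORDER BY n.id
    """).fetchall()
    return [r[0] for r in rows]


def run_scenario(enforce_fk: bool) -> Dict[str, object]:
    """Replay the incident once; enforce_fk selects the schema with or without
    an enforced foreign key."""
    conn = build_db(enforce_fk)
    # Before the incident: three comments, the newest (id 3) by alice.
    conn.executemany(
        "INSERT INTO comments(author, body, created) VALUES (?, ?, ?)",
        [("alice", "first", 100), ("bob", "second", 101), ("alice", "third", 102)],
    )
    # Someone replies to comment 3, so alice gets a notification about it.
    conn.execute(
        "INSERT INTO notifications(recipient, comment_id, created) VALUES (?, ?, ?)",
        ("alice", 3, 103),
    )
    # Botched restore: comments come back from an older dump that lacks id 3;
    # the notifications table is not touched.
    conn.execute("DELETE FROM comments WHERE id = 3")
    # Site reopens and carol posts. Her comment receives the recycled id 3.
    cur = conn.execute(
        "INSERT INTO comments(author, body, created) VALUES (?, ?, ?)",
        ("carol", "unrelated", 200),
    )
    recycled_id = cur.lastrowid
    # Notifications that tell alice about a comment that is not hers.
    misdirected = conn.execute("""
        SELECT COUNT(*) FROM notifications n
        JOIN comments c ON c.id = n.comment_id
        WHERE n.recipient = 'alice' AND c.author <> 'alice'
    """).fetchone()[0]
    result = {
        "recycled_id": recycled_id,
        "misdirected": misdirected,
        "stale": stale_notifications(conn),
    }
    conn.close()
    return result


if __name__ == "__main__":
    print("no foreign keys:", run_scenario(enforce_fk=False))
    print("with ON DELETE CASCADE:", run_scenario(enforce_fk=True))
```

Without the foreign key the recycled id 3 turns alice's old notification into "a reply to a comment you never made"; with the cascade the notification disappears at restore time, and the timestamp query has nothing left to flag. The timestamp check only works if the notifications table records when each row was created, which is the assumption GreenReaper's suggestion rests on.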

xax

  • Posts: 1
  • E-points: +0/-0
  • Stupid Newbie
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #214 on: January 01, 2011, 01:01:07 pm »
re: that wonderful piece of code, that was (IIRC) Arcturus' "fix" of Jheryn's code. I have no clue what was wrong with Jheryn's original code that this was considered an improvement.

From April 1st 2005, over a few days, presented without comment:
Quote

Arcturus has ChannelCat offering 'help'. Hmm. A ploy to destroy FA, maybe?
<Arcturus> He offered to fix the comments, if I sent him the comment script.
<Xax> On the one hand, Sheezy's comment script sucks too. On the other hand, FA's is really broken.
<Laios> shivers at hearing about anonymous help.
Lunch_Wolf changes nick to Schizo_Wolf
<CBee> Seems to be a fair request.
<Arcturus> Maybe, but he's not getting his hands on FA's comment code. Nope.
<CBee> Why for?
<Arcturus> Probably for the same reason that SheezyArt isn't giving out copies of it's code?
<CBee> Fair enough.
<Xax> Because everyone hates the open-source movement?
<Xax> I mean, server integrity etc, but I fail to see how something as small as the comment code could cause havoc if leaked.
<CBee> Aren't the comments handled using DevoyBB?

<Nitro> Arcturus, do you have any idea when correct comment-ordering will be implemented?
<Arcturus> Soon, alright. Jeez.
<Nitro> XD
<Arcturus> just found out her little brother is really sick, nearly had to go to hospital, so right now, fixing comments isn't a priority.

<Arcturus> bounces.
<Lt_Havoc> What now?
<Arcturus> I just fixed comment sorting ^_^
<Arcturus> is happy.

<Arcturus> ponders working through the actual buglist now.

<Arcturus> grumbles and finds that the sorting isn't going as well as she hoped and has a glitch, says fuck it and goes to eat dinner and play a game, before working on anything more.
Arcturus changes nick to Arcturus[AFK]

(Sadly, I can't find the time Arcturus posted part of the comment code in the channel and people reacted to it.)

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
    • View Profile
    • Clan Spum userpage
Re: FA admin account compromised (yet again)
« Reply #215 on: January 05, 2011, 10:29:47 pm »
For some reason fathomable only to Eris, I have been talking to Dragoneer. Sort of.

Quote
<Pi> "hey, $dude, my site is being actively compromised! we can't seem to shut the attackers out with our ineffective 'read-only-mode' and 'admin-only-mode' actions!"
<Pi> "well it sounds like you ought to pull the plug"
<Dragoneer> We did pull the plug the first time.
<Dragoneer> I would have done it the second time, but was advised against it by the people who "know what the fuck they're doing".
<Pi> then you need to get better people :I
<Pi> i can't imagine any situation in which a production site currently being compromised with a massive data leak in progress should remain online

Now, there's the possibility that my imagination isn't what it used to be, right?
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #216 on: January 05, 2011, 10:34:18 pm »
Quote
<Dragoneer> I would have done it the second time, but was advised against it by the people who "know what the fuck they're doing"

GROW SOME BALLS, SEAN.

It should be obvious by now no one on your "ops team" knows what the fuck they're doing.

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #217 on: January 06, 2011, 10:39:01 am »
Assuming someone actually told him that, I'd love to know what their rationale was. Assuming they had any.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

yak

  • Posts: 4
  • E-points: +0/-0
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #218 on: January 14, 2011, 12:45:47 am »
Quote
Assuming someone actually told him that, I'd love to know what their rationale was. Assuming they had any.

"They" had.
The notes leak took place before any visible modifications that made FA aware of the hack did. The site was initially shut down and re-opened only after an XSS hole in troubletickets was found, identified and fixed.
I didn't account for weak security in admins' personal emails, which allowed for the second hack to take place.
Running online communities is like building a life size replica of the Eiffel tower with snakes.

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
    • View Profile
Re: FA admin account compromised (yet again)
« Reply #219 on: January 14, 2011, 02:15:55 am »
Quote
I didn't account for weak security in admins' personal emails, which allowed for the second hack to take place.

Well there's your problem.