FurPaws (currently offline, announcement by its progenitor) is an FA competitor designed and implemented by Alkora, better known as Jheryn Lightfoot. Yes, this is the guy who originally wrote the first FA, and by consequence, most of its security holes. You'd hope he learned something from this, but you'd be wrong.
A couple of things to note before the money shot:
pi@bast-imret:~ 2026 π furpaws=`dnsip www.furpaws.net`; echo $furpaws `dnsname $furpaws`
66.41.28.232 c-66-41-28-232.hsd1.mn.comcast.net
Yes, he's hosting it off of his home cable line again.
While the site was up, it was fairly irritating to actually use; by no means am I a great web designer myself, but usability was just not really there. It looked flashy and web-2.0'y on the surface, but all of the controls kind of blended into one, and navigating between, say, the control panel and your user page was not a pleasant task.
BBcode quote tags just plain didn't work. I didn't get a chance to test comment nesting, but seeing as Alkora's original attempt to write a comment-threader came out like this horrifying abomination, I can't imagine that his new thing would work out well.
Now for the moment you've all been waiting for:
While my flailing on angle-brackets and quote-marks didn't reveal any obvious XSS holes, I have it on good authority that they were vulnerable to the same exploit that broke the original FA the first time (uploading files with specially-crafted names can allow you to execute arbitrary commands on the server (no shit.)). This is apparently why they're offline now. For anyone who understands this exploit, it's an easy fix. Hopefully they're offline for a more extensive audit, but more than likely they're just flailing around like the kind of people who'd host a site on a home cable connection.
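For reference, a sketch of what that kind of fix usually looks like, as an added example that is not FurPaws or FA code. It assumes the hole came from the client-supplied filename reaching a shell command or deciding the stored file's name and extension (the post does not say which); the allowlist, function names and sample filename are constructed for illustration.

```python
import os
import secrets
import subprocess
import sys
import tempfile

# Constructed allowlist; the post does not say which types the site accepted.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

def storage_name(client_filename: str) -> str:
    """Return a server-generated name; only an allowlisted extension survives."""
    # Normalise both separator styles, then drop any directory part.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    return secrets.token_hex(16) + ext

def save_upload(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Write the upload under its generated name and return the full path."""
    path = os.path.join(upload_dir, storage_name(client_filename))
    # O_EXCL refuses to overwrite an existing file; 0o640 leaves it non-executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def run_tool(argv_prefix: list, path: str) -> str:
    """Call an external tool with the path as one argv element, never via a shell."""
    result = subprocess.run(argv_prefix + [path], capture_output=True,
                            text=True, check=True, shell=False)
    return result.stdout

def demo() -> tuple:
    """Store a constructed hostile filename, then pass the stored path to a stand-in tool."""
    hostile = "cat.png; echo INJECTED > pwned; #.png"  # constructed sample
    with tempfile.TemporaryDirectory() as d:
        path = save_upload(d, hostile, b"not really an image")
        # Stand-in for a thumbnailer: prints the size of the file it was given.
        out = run_tool([sys.executable, "-c",
                        "import os,sys; print(os.path.getsize(sys.argv[1]))"], path)
        return os.path.basename(path), out.strip(), sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```

The original filename can still be kept as display metadata in the database, escaped on output; it just never touches the filesystem or a command line.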