
Thread: Bypass 275 limit on AO Addicts forum.

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    356

    Bypass 275 limit on AO Addicts forum.

    I believe I found a way to post to the AOAddicts forum without having the required 275 posts. Unfortunately I can't confirm this because I cannot view the AOAddicts forum. However, my name is listed as the last poster to a few AOAddict threads. If someone can confirm that my posts were added to the restricted thread, I will be glad to share how to fix this bug with JP.

    --------------------------

    Note: Bug has now been fixed. Here is an explanation of how I was able to post in the AO Addicts area:

    Terr was on the right track when he mentioned manipulating the form input. What I did was I copied the HTML form for the Quick Reply, and saved it into an HTML file on my computer. Had to make some small modifications to the form such as removing the onsubmit command in the form tag, and making the action value point to the whole URL instead of just the php file. The thread ID you are replying to is coded in a hidden input type named "threadid". I changed the thread ID to the AO Addicts thread ID I wanted to post to. Then I just typed in what message I wanted, and clicked submit. It would post the message to the restricted forum. I still couldn't view the message because there was a post check before you can view AO Addicts messages, but I could still see my user name listed as the last person to post to that thread.

    Reasons why this would work would be that there was no post number check when submitting a reply to an AO Addicts forum, or there is no referer check to make sure the HTML form was being submitted from AO. I think in this case JP had the code there, but it wasn't working right for some reason. I'll leave that for him to go into details with, because I really don't know for sure what the code was on his end.

    But for the guys who do web development, take note that you should always have a referer check on your forms to make sure they are only being submitted from your site. Otherwise someone may simply be able to copy the HTML code, save it locally, and edit the hidden input types to their heart's content.

    Thanks to RCGreen for confirming that my posts did get added to the AO Addicts Forum. It was nice to see JP get right on this within minutes of me reporting the bug. Unlike some other companies that would wait weeks to fix it. ::: cough ::: microsoft ::: cough :::

    So JP, how about you give me access to the AO Addicts forum since I found and reported this bug? Hey, I had to ask.
    An Ounce of Prevention is Worth a Pound of Cure...
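
The reply-handler flaw explained in post #1, modeled as an added example (not part of the original post and not the forum's own PHP code): the handler that trusts the hidden "threadid" field sits beside one that resolves the thread server-side and checks the poster's count against the target forum. All names, thread IDs and status codes here are hypothetical; the check ignores the Referer header because it is supplied by the client.

```python
from dataclasses import dataclass

ADDICTS_MIN_POSTS = 275  # threshold named in the thread title


@dataclass
class User:
    name: str
    post_count: int


# Constructed sample data: forum keys and thread ids are hypothetical.
FORUM_MIN_POSTS = {"general": 0, "addicts": ADDICTS_MIN_POSTS}
THREAD_FORUM = {101: "general", 202: "addicts"}  # threadid -> forum key
POSTS = []  # (threadid, user name, message) tuples that were accepted


def reply_unchecked(user, form):
    """'Before' behaviour: stores the reply under whatever threadid the form carries."""
    tid = int(form["threadid"])
    POSTS.append((tid, user.name, form["message"]))
    return 200


def reply_checked(user, form, headers=None):
    """Hardened handler: authorize against the forum that owns the submitted thread.

    `headers` is accepted but never consulted; the decision rests only on
    server-side state (thread -> forum mapping and the user's stored post count).
    """
    try:
        tid = int(form.get("threadid", ""))
    except (TypeError, ValueError):
        return 400  # hidden field missing or not a number
    forum = THREAD_FORUM.get(tid)
    if forum is None:
        return 404  # thread does not exist
    if user.post_count < FORUM_MIN_POSTS[forum]:
        return 403  # below the forum's posting threshold
    POSTS.append((tid, user.name, form["message"]))
    return 200
```
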
     

  2. #2
    AO Curmudgeon rcgreen
    Join Date
    Nov 2001
    Posts
    2,716
    Now that's what I call hacking.
    I came in to the world with nothing. I still have most of it.

  3. #3
    AO Curmudgeon rcgreen
    Join Date
    Nov 2001
    Posts
    2,716
    Yes, I'm an AOaddict and your posts are there.
    That's cool.
    I came in to the world with nothing. I still have most of it.

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    nice... thanks.
    An Ounce of Prevention is Worth a Pound of Cure...
     

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    120
    So, how did you do it?
    Are you going to tell?
    "To follow the path:
    look to the master,
    follow the master,
    walk with the master,
    see through the master,
    become the master."
    -Unknown

  6. #6
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings All:

    Well, I think that I have this fixed. Seems as though some dumb ass forgot to include a file in newthread.php and newreply.php.

    jared_c, if you were doing what it looks like you were, can you confirm that I now have the problem fixed?

  7. #7
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    I'm only going to tell JP until the bug is fixed. Reason why is because it seems like some more serious things on the site may be vulnerable to the tactic I used. Deleting PMs and entire Forums may be possible. I am not sure because I didn't want to go try that, but I'm going to keep it confidential until the bug is fixed just in case. After that though, I'll gladly share how it was done.
    An Ounce of Prevention is Worth a Pound of Cure...
     

  8. #8
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    It seems like it isn't fixed yet JP... I just posted to the Remark thread in the AO Addicts section. Would you like me to PM you exactly how I am doing this? It is an easy fix....
    An Ounce of Prevention is Worth a Pound of Cure...
     

  9. #9
    Fastest Thing Alive s0nIc
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    haha wow.. i like ur avatar jared.. lolz

  10. #10
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Thanks s0nic... I'm working with JP right now to fix the bug.
    An Ounce of Prevention is Worth a Pound of Cure...
     
