Thursday, 21 January 2021

sensibleendowment.com Open Redirect vulnerability OBB-187912 | Open Bug Bounty

quote [ Security Researcher RamaDhan found a Open Redirect vulnerability affecting sensibleendowment.com website and its users. ]

So was this every fixed?!

Or that why Reddit stopped mirroring 4 years ago?
[SFW] [Big Brother] [+2]
[by R1Xhard@12:04amGMT]

Comments

lilmookieesquire said @ 12:51am GMT on 21st Jan [Score:1 Funsightful]
God damn it Steele I have millions of dollars in BitPog keys stores in this site.
donnie said[1] @ 1:22am GMT on 21st Jan
Damn the BitPogs - what about my trade secrets and geopolitical kompromat?!
R1Xhard said[1] @ 9:34am GMT on 21st Jan
Awh pretty pogs, I'll trade you some tarzo's.
steele said @ 2:18am GMT on 21st Jan [Score:1 Good]
Oh, and i stopped the reddit mirror because we were getting too many nazis from there.
lilmookieesquire said @ 4:28am GMT on 22nd Jan
Probably after my BitPogs. Those bastards.
steele said @ 2:16am GMT on 21st Jan
Lol, i "fixed" it. Which is to say everyonce in a while i'll catch someone overexploiting it and i hijack their redirects towards whatever site i'm in the mood to send bot traffic to.
avid said @ 6:23am GMT on 21st Jan
So, settle a bet for me:

When I posted this, did the PHP/perl in the backend have to process all previous posts?
R1Xhard said @ 9:38am GMT on 21st Jan [Score:1 Underrated]
One would hope not, but with faster r processesing power "poor" code can be equated for.
steele said @ 11:40am GMT on 21st Jan
Long answer, there's a couple of checks it does. I can't remember if it checks the comment itself for duplicates, but it does check a randomized hash associated with your comment box for a duplicate to ensure that you didn't double smash the post button. But the short answer is yes.
avid said @ 1:54am GMT on 22nd Jan
So that's why it takes 15 seconds to post this reply?

If you want to prevent double-smash, just set a cookie "last-smash-time" and check it client side.
steele said @ 12:52pm GMT on 22nd Jan
One of the reasons.

Thanks, I'll look into it.
apomorph said @ 11:37am GMT on 22nd Jan
I mean, any chance this is related to our logins showing up in the Cit0day list?
steele said @ 12:52pm GMT on 22nd Jan
Nope. SE doesn't store your password in plaintext, nor has it ever been breached, as far as I'm aware.
donnie said @ 9:44pm GMT on 22nd Jan [Score:-1 Boring]
filtered comment under your threshold
ooo[......7 said @ 10:34pm GMT on 22nd Jan [Score:-1]
filtered comment under your threshold
donnie said @ 11:22pm GMT on 22nd Jan [Score:-1]
filtered comment under your threshold

Post a comment
[note: if you are replying to a specific comment, then click the reply link on that comment instead]

You must be logged in to comment on posts.



Posts of Import
Karma
SE v2 Closed BETA
First Post
Subscriptions and Things

Karma Rankings
ScoobySnacks
HoZay
Paracetamol
lilmookieesquire
Ankylosaur