This is a read-only archive of the old Scratch 1.x Forums.

#26 2010-06-07 17:19:36

RHY3756547
Scratcher
Registered: 2009-08-15
Posts: 1000+

Re: Beta test my upload service

Next you should be able to give stuff unique names, and search through stuff google style!  big_smile


#27 2010-06-07 17:32:59

coolstuff
Community Moderator
Registered: 2008-03-06
Posts: 1000+

Re: Beta test my upload service

Wow, that's really good! Great job!

Btw- I have a mac and it works great - except I can't upload stuff.


#28 2010-06-07 18:09:41

fullmoon
Retired Community Moderator
Registered: 2007-06-04
Posts: 1000+

Re: Beta test my upload service

coolstuff wrote:

Wow, that's really good! Great job!

Btw- I have a mac and it works great - except I can't upload stuff.

Just as I feared...I guess I really do need to switch hosts then. Does anyone have any suggestions for reliable hosting services?


http://i302.photobucket.com/albums/nn100/fullmoon32/wow.jpg


#29 2010-06-07 18:11:05

coolstuff
Community Moderator
Registered: 2008-03-06
Posts: 1000+

Re: Beta test my upload service

fullmoon wrote:

coolstuff wrote:

Wow, that's really good! Great job!

Btw- I have a mac and it works great - except I can't upload stuff.

Just as I feared...I guess I really do need to switch hosts then. Does anyone have any suggestions for reliable hosting services?

000webhost seems to work well - very flexible, no ads, and quite reliable, IMHO. I'd recommend them.


#30 2010-06-07 18:22:10

RHY3756547
Scratcher
Registered: 2009-08-15
Posts: 1000+

Re: Beta test my upload service

byethost is quite good.


#31 2010-06-07 18:43:00

fullmoon
Retired Community Moderator
Registered: 2007-06-04
Posts: 1000+

Re: Beta test my upload service

RHY3756547 wrote:

byethost is quite good.

My friend uses ByetHost, but I'm really looking for a place that uses cPanel.
@everyone I'm finally home, and I'm checking out your glitch reports now. Thanks for the feedback!

Last edited by fullmoon (2010-06-07 18:43:12)



#32 2010-06-07 18:44:20

fullmoon
Retired Community Moderator
Registered: 2007-06-04
Posts: 1000+

Re: Beta test my upload service

Okay, I've confirmed the strange Firefox flash glitch...



#33 2010-06-07 18:45:36

coolstuff
Community Moderator
Registered: 2008-03-06
Posts: 1000+

Re: Beta test my upload service

fullmoon wrote:

RHY3756547 wrote:

byethost is quite good.

My friend uses ByetHost, but I'm really looking for a place that uses cPanel.
@everyone I'm finally home, and I'm checking out your glitch reports now. Thanks for the feedback!

000webhost uses cPanel. It's quite flexible, too, with quite a bit of support for pretty much every web programming language available - all for free!

Also, it may not be the host that's not allowing me to upload. I just click the "Upload" link and nothing happens, so it may be a problem with your scripting  smile


#34 2010-06-07 18:59:45

adriangl
Scratcher
Registered: 2007-07-02
Posts: 1000+

Re: Beta test my upload service

Wow, really great? May I ask how you made it?


Scratchin' since 2007


#35 2010-06-07 19:00:52

fullmoon
Retired Community Moderator
Registered: 2007-06-04
Posts: 1000+

Re: Beta test my upload service

...and the HTML uploader glitch!  smile

what-the wrote:

fullmoon wrote:

Oh, are you using the HTML (non Flash) uploader? I haven't tried that in a while.

I am using firefox and I see nothing when I use the Flash uploader and I have flash.

Thanks so much for pointing that out! It's fixed now.

Last edited by fullmoon (2010-06-07 19:09:56)



#36 2010-06-07 19:05:14

fullmoon
Retired Community Moderator
Registered: 2007-06-04
Posts: 1000+

Re: Beta test my upload service

coolstuff wrote:

fullmoon wrote:

RHY3756547 wrote:

byethost is quite good.

My friend uses ByetHost, but I'm really looking for a place that uses cPanel.
@everyone I'm finally home, and I'm checking out your glitch reports now. Thanks for the feedback!

000webhost uses cPanel. It's quite flexible, too, with quite a bit of support for pretty much every web programming language available - all for free!

Also, it may not be the host that's not allowing me to upload. I just click the "Upload" link and nothing happens, so it may be a problem with your scripting  smile

Oh, so you can load the page? I've tried on various macs and they all seem to be reluctant to open anything from this domain at all. Well, the good news is then that it's just a problem with getting my flash file to load properly. It, er, worked great in Chrome. May I ask what browser you're using?



#37 2010-06-07 19:09:33

coolstuff
Community Moderator
Registered: 2008-03-06
Posts: 1000+

Re: Beta test my upload service

fullmoon wrote:

coolstuff wrote:

fullmoon wrote:


My friend uses ByetHost, but I'm really looking for a place that uses cPanel.
@everyone I'm finally home, and I'm checking out your glitch reports now. Thanks for the feedback!

000webhost uses cPanel. It's quite flexible, too, with quite a bit of support for pretty much every web programming language available - all for free!

Also, it may not be the host that's not allowing me to upload. I just click the "Upload" link and nothing happens, so it may be a problem with your scripting  smile

Oh, so you can load the page? I've tried on various macs and they all seem to be reluctant to open anything from this domain at all. Well, the good news is then that it's just a problem with getting my flash file to load properly. It, er, worked great in Chrome. May I ask what browser you're using?

Apple Safari 4.0.5 on Mac OS X v10.6.3


#38 2010-06-07 19:12:00

fullmoon
Retired Community Moderator
Registered: 2007-06-04
Posts: 1000+

Re: Beta test my upload service

coolstuff wrote:

Apple Safari 4.0.5 on Mac OS X v10.6.3

Hmmm...brand spanking new operating system and browser  neutral  . I'm using the SWFObject library in my JavaScript code, which is supposed to be the "standard" but apparently doesn't work too well sometimes. I'll have to look into that.

Fixed another glitch you guys keyed me into. Thanks so much!

Last edited by fullmoon (2010-06-07 19:20:51)



#39 2010-06-07 19:36:45

fullmoon
Retired Community Moderator
Registered: 2007-06-04
Posts: 1000+

Re: Beta test my upload service

Just pathetic in IE...it tells me there's an error on a line of code that does not exist.
http://www.scratch.mit.edu/ext/youtube/?v=vTTzwJsHpU8

I think Internet Explorer 7 should be banned.



#40 2010-06-07 19:41:09

coolstuff
Community Moderator
Registered: 2008-03-06
Posts: 1000+

Re: Beta test my upload service

fullmoon wrote:

Just pathetic in IE...it tells me there's an error on a line of code that does not exist.
http://www.scratch.mit.edu/ext/youtube/?v=vTTzwJsHpU8

I think Internet Explorer 7 should be banned.

I absolutely despise Internet Explorer. It ignores all standards, yet it is the most popular browser on the 'net, making programming for the internet a real pain.


#41 2010-06-07 20:49:59

fg123
Scratcher
Registered: 2008-11-13
Posts: 1000+

Re: Beta test my upload service

fullmoon wrote:

Everyone who is having trouble uploading: what is your browser and OS? I have only extensively tested it on Chrome on Vista, and occasionally I can't even access the page from  my school's macs.

Safari on windows.


Hai.


#42 2010-06-07 23:18:49

fullmoon
Retired Community Moderator
Registered: 2007-06-04
Posts: 1000+

Re: Beta test my upload service

I think I'm going to move this service to its own domain at some point in the future. Unfortunately I'll have to do some creative domain hacking (not as evil as it sounds  wink  ) to get a cheap domain that's not already registered by some Indian corporation. My options for short, Stuff-based domains are pretty limited. I'm thinking:

s.torage.net

or

st.uffit.net

or

s.tuff.it

For some reason (s).tuff.net redirects to Suicide.org  neutral

Last edited by fullmoon (2010-06-07 23:21:46)



#43 2010-06-08 07:35:43

coolstuff
Community Moderator
Registered: 2008-03-06
Posts: 1000+

Re: Beta test my upload service

fullmoon wrote:

I think I'm going to move this service to its own domain at some point in the future. Unfortunately I'll have to do some creative domain hacking (not as evil as it sounds  wink  ) to get a cheap domain that's not already registered by some Indian corporation. My options for short, Stuff-based domains are pretty limited. I'm thinking:

s.torage.net

or

st.uffit.net

or

s.tuff.it

For some reason (s).tuff.net redirects to Suicide.org  neutral

big_smile  You can already get some really cheap domains for as little as $10 a year; that's what I do. It's cheap and easy!


#44 2010-06-08 12:22:11

dav09
Scratcher
Registered: 2009-03-25
Posts: 1000+

Re: Beta test my upload service

I know blacknight.com is very cheap. How did you make this?

Last edited by dav09 (2010-06-08 12:29:47)


#45 2010-06-08 19:33:52

archmage
Scratcher
Registered: 2007-05-18
Posts: 1000+

Re: Beta test my upload service

You need to secure your site from code injections better. Using the firefox tool "tamper data" I was able to use the code injection user:’ or 1=1– to log into a user that doesn't exist. To do this go to the login page, then turn on tamper data, type in anything then press enter, then when the tamper window pops up put the password as blank and the user as user:’ or 1=1– .

You wanted some bug reports so there you go.


Hi, I am Archmage coder extraordinaire. I do Scratch,pascal,java,php,html, AS2 and AS3. Leave me a message if you want coding advice. Also check out my personal website, lots of good stuff about web development, Flash, and Scratch (v1 and v2) !


#46 2010-06-08 19:46:56

fullmoon
Retired Community Moderator
Registered: 2007-06-04
Posts: 1000+

Re: Beta test my upload service

archmage wrote:

You need to secure your site from code injections better. Using the firefox tool "tamper data" I was able to use the code injection user:’ or 1=1– to log into a user that doesn't exist. To do this go to the login page, then turn on tamper data, type in anything then press enter, then when the tamper window pops up put the password as blank and the user as user:’ or 1=1– .

You wanted some bug reports so there you go.

Always a critic  wink

This isn't really a security hole. There's really no advantage to be gained by injecting a username because that user will either not be validated, or will have access to...nothing. In fact, I seriously doubt that this injection really did anything, since I never refer to "user" in my code.



#47 2010-06-08 19:50:43

fullmoon
Retired Community Moderator
Registered: 2007-06-04
Posts: 1000+

Re: Beta test my upload service

archmage wrote:

You need to secure your site from code injections better. Using the firefox tool "tamper data" I was able to use the code injection user:’ or 1=1– to log into a user that doesn't exist. To do this go to the login page, then turn on tamper data, type in anything then press enter, then when the tamper window pops up put the password as blank and the user as user:’ or 1=1– .

You wanted some bug reports so there you go.

Although I'd be interested to know where you made the injection. I've tried various "drop tables" style SQL injections without any success so I don't really know what page you're talking about.



#48 2010-06-08 19:59:22

fg123
Scratcher
Registered: 2008-11-13
Posts: 1000+

Re: Beta test my upload service

fullmoon wrote:

RHY3756547 wrote:

byethost is quite good.

My friend uses ByetHost, but I'm really looking for a place that uses cPanel.
@everyone I'm finally home, and I'm checking out your glitch reports now. Thanks for the feedback!

000webhost, or freehostingcloud.  smile


Hai.


#49 2010-06-08 20:12:39

archmage
Scratcher
Registered: 2007-05-18
Posts: 1000+

Re: Beta test my upload service

fullmoon wrote:

archmage wrote:

You need to secure your site from code injections better. Using the firefox tool "tamper data" I was able to use the code injection user:’ or 1=1– to log into a user that doesn't exist. To do this go to the login page, then turn on tamper data, type in anything then press enter, then when the tamper window pops up put the password as blank and the user as user:’ or 1=1– .

You wanted some bug reports so there you go.

Always a critic  wink

This isn't really a security hole. There's really no advantage to be gained by injecting a username because that user will either not be validated, or will have access to...nothing. In fact, I seriously doubt that this injection really did anything, since I never refer to "user" in my code.

It's a code injection; it's not supposed to be there even if it seems harmless. I couldn't access anything, but there is a possibility that some better programmers would be able to do some damage. I know you put some security on it (I tried to display your tables, no dice), but hackers can be sneaky. The blank user had access to its settings and could upload things.

The "user" part of the injection isn't important; it's the or 1=1 part that does something. I don't think the word user in that injection does anything.

The injection was made on the login page; lemme break it down for you:

1. Have Firefox and Tamper Data installed
2. Go to login page and enter anything in the text field
3. Press the start tamper button on Tamper Data
4. Enter your fake pass
5. When the Tamper Data page pops up replace your fake pass with a blank and replace user with user:’ or 1=1–
6. Ok and submit the changes
7. You are logged in

I think you should remove non-alphanumeric characters wherever possible for things like usernames. That should make that injection impossible.

Last edited by archmage (2010-06-08 20:15:52)


Hi, I am Archmage coder extraordinaire. I do Scratch,pascal,java,php,html, AS2 and AS3. Leave me a message if you want coding advice. Also check out my personal website, lots of good stuff about web development, Flash, and Scratch (v1 and v2) !
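
Added example, not part of the thread and not the upload service's code: a login check built by string concatenation, the username filter suggested above, and a parameterized query, run against the same inputs. The table layout, the account, the function names and the ASCII form of the reported string are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed ASCII form of the tautology string reported in the thread.
PAYLOAD = "x' or 1=1--"

def make_db():
    """In-memory table with one constructed account (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    # Plaintext password only to keep the demo short; store a salted hash.
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def _first_name(cursor):
    row = cursor.fetchone()
    return row[0] if row else None

def login_vulnerable(db, name, password):
    # Input is pasted into the SQL text, so a quote in it ends the string
    # literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return _first_name(db.execute(sql))

def login_filtered(db, name, password):
    # The thread's suggestion: allow only alphanumeric usernames.
    # The password field still reaches the concatenated query unchanged.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", name):
        return None
    return login_vulnerable(db, name, password)

def login_parameterized(db, name, password):
    # Placeholders send the values separately from the SQL text, so they
    # are only ever compared as data, whatever characters they contain.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return _first_name(db.execute(sql, (name, password)))

if __name__ == "__main__":
    db = make_db()
    for fn in (login_vulnerable, login_filtered, login_parameterized):
        print(fn.__name__,
              "| payload as username:", fn(db, PAYLOAD, ""),
              "| payload as password:", fn(db, "alice", PAYLOAD))
```

The username filter stops the string in one field only; the parameterized query rejects it in both while still accepting the correct password.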


#50 2010-06-08 20:32:10

Greenboi
Scratcher
Registered: 2010-01-30
Posts: 1000+

Re: Beta test my upload service

Nice site I gotta say.  big_smile
