you can vote your own entries
BotB Academy Bug Reports and Feature Requests
failure_supreme (Level 12 Mixist)
post #61629 :: 2015.12.20 5:34am
noodlebuckets liēkd this
puke, check my votes in the db. You can vote on your own entries.

Not that it matters a lot since you can make new accounts anyway...

puke7 (Level 29 Hostist)
post #61647 :: 2015.12.20 12:04pm
Savestate liēkd this
Added extra checks; deleted your votes for current majors.

failure_supreme (Level 12 Mixist)
post #61653 :: 2015.12.20 12:48pm
pedipanol, puke7 and Savestate hæitd this
noodlebuckets liēkd this
rude. I just voted 1 on one of my tracks. :(

Savestate (Level 30 Chipist)
post #61655 :: 2015.12.20 1:13pm
pedipanol and puke7 liēkd this
Xaser hæitd this
what'd you expect when you bend over backwards to vote on yer own entry d;
asking to see if the check is in place works just as well as trying it yourself, except then puke wouldn't need to go into the db and florp around with the entries.

puke7 (Level 29 Hostist)
post #61657 :: 2015.12.20 1:28pm :: edit 2015.12.20 1:31pm
Savestate liēkd this
I am sorry that I am rude. First off, let me thank you for sharing a very sensitive exploit here publicly rather than in a private message on IRC where we have spoken before. Secondly, (replete with passive aggressive sarcasm) let me thank you once again for your very detailed description of not only how you achieved said exploit, but also which track(s) you specifically voted on. Thirdly, (can I thank you a 3rd time?) thank you for openly campaigning to have everyone create voter accounts so they can cheat. How many accounts do you have again? failure_supreme, failure_vigorous and failure_moderate? Is this why you have 3 accounts? I, again, apologize that the database is set up to be efficient and I'm not quick at SQL statements. It was easiest to remove all your votes from current majors. It was 3 whole records.
https://www.youtube.com/watch?v=3D5tkAUNFa4

failure_supreme (Level 12 Mixist)
post #61660 :: 2015.12.20 2:09pm
Savestate hæitd this
noodlebuckets liēkd this
w o w, i was just kidding about the rudeness. hahaha no need to be so aggressive!
This isn't a sensitive exploit at all! :D

The reason I didn't tell you how to remove the votes and why I posted it publicly is because of how easy it is to fix retroactively and in the future! It's just a missing check in php, and in sql you just need to remove all votes where voter id and author id are the same! :3

Since it's so basic both in php and sql, I thought that telling you the code to fix it would be patronizing; I assumed you just forgot the check.

And the new account thing is just the opposite: since we're pretty relaxed (well, apparently not :p) here at botb with multiple accounts (I even told you a couple of times on irc about them in case you needed to remove voting from them) and we just rely on not being dicks, this is not a real problem! :3

By the way, I have 3 accounts (and I'm going to make more) because I like submitting a lot of stuff to majors (and sometimes even ohbs!) :)

puke7 (Level 29 Hostist)
post #61663 :: 2015.12.20 2:30pm :: edit 2015.12.20 2:38pm
Savestate liēkd this
It is true. This is not a sensitive exploit in that you can't corrupt or delete site data with it. Showing off how to manipulate the outcomes of battles must not be because you say so! :D

"how easy it is to fix retroactively and in the future!" I am glad you know more on this subject than I!!

It would be my guess that you created a POST request with the data needed to vote on your own track since the site itself doesn't present this form to users.

Votes are tied to user accounts, not botbr accounts. Things are set up so that users may manage multiple botbr accounts in the future. That level of abstraction is why I deleted all whopping whole count of 3 whole votes to the count of 3. Although, why would anyone want to manage multiple botbrs from a single login if they can simply create free emails and accounts and vote on themselves?

AND "rude. I just voted 1 on one of my tracks. :( " <-- how am I supposed to know this is a joke?
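The thread describes two pieces of the fix: a server-side check that a vote does not land on the voter's own entry (the site's form never offers that option, but the server must still refuse it), and a one-off SQL cleanup of existing self-votes. The example below is added here and is not BotB's own code; the schema, table and column names are assumptions modelled on puke7's description that votes belong to a login "user" which may own several botbr profiles, so the check has to compare the voting user with the owner of the entry's botbr rather than two botbr ids.

```python
import sqlite3

# Constructed schema (assumed, not BotB's real one): a user login owns botbrs,
# an entry belongs to a botbr, a vote is cast by a user on an entry.
SCHEMA = """
CREATE TABLE users   (id INTEGER PRIMARY KEY);
CREATE TABLE botbrs  (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id));
CREATE TABLE entries (id INTEGER PRIMARY KEY, botbr_id INTEGER NOT NULL REFERENCES botbrs(id));
CREATE TABLE votes   (user_id INTEGER NOT NULL, entry_id INTEGER NOT NULL,
                      score INTEGER NOT NULL, PRIMARY KEY (user_id, entry_id));
"""
# Votes whose voting user owns the botbr that submitted the entry.
SELF_VOTES = """SELECT v.user_id, v.entry_id, v.score
                  FROM votes v
                  JOIN entries e ON e.id = v.entry_id
                  JOIN botbrs  b ON b.id = e.botbr_id
                 WHERE b.user_id = v.user_id"""

class SelfVoteError(ValueError):
    """Raised when a login tries to vote on an entry it submitted (via any of its botbrs)."""

def cast_vote(db, user_id, entry_id, score):
    """Server-side check: never trust that the client form withheld the option."""
    row = db.execute("SELECT b.user_id FROM entries e JOIN botbrs b ON b.id = e.botbr_id "
                     "WHERE e.id = ?", (entry_id,)).fetchone()
    if row is None:
        raise LookupError("no such entry")
    if row[0] == user_id:
        raise SelfVoteError("voting on your own entry is not allowed")
    db.execute("INSERT OR REPLACE INTO votes VALUES (?, ?, ?)", (user_id, entry_id, score))
    db.commit()

def find_self_votes(db):
    """Audit query for rows recorded before the check existed."""
    return db.execute(SELF_VOTES).fetchall()

def purge_self_votes(db):
    """Retroactive cleanup; returns the number of rows removed."""
    cur = db.execute("DELETE FROM votes WHERE rowid IN (SELECT v.rowid " + SELF_VOTES[len("SELECT v.user_id, v.entry_id, v.score"):] + ")")
    db.commit()
    return cur.rowcount

def demo():
    """Constructed sample data: user 1 owns botbrs 10 and 11 (an alt), user 2 owns botbr 20."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + """
        INSERT INTO users   VALUES (1), (2);
        INSERT INTO botbrs  VALUES (10, 1), (11, 1), (20, 2);
        INSERT INTO entries VALUES (100, 10), (101, 11), (200, 20);
        -- legacy votes: two self-votes by user 1 (one through the alt botbr), two legitimate ones
        INSERT INTO votes   VALUES (1, 100, 1), (1, 101, 5), (2, 100, 4), (1, 200, 3);""")
    return db
```

Because the audit joins through the botbr owner, a vote cast from one login on an entry submitted by that login's other botbr is caught too, which is the case the per-botbr comparison in the thread would miss.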

Xaser (Level 26 Mixist)
post #61669 :: 2015.12.20 3:56pm
Sinc-X, Savestate and puke7 liēkd this
Software dev perspective: While this could've been reported better (more details, less public), the responses are leaning too closely to the "don't report bugs" side of the spectrum for comfort. I'm seeing no malicious intent on failure_supreme's part (and the alt accounts thing doesn't seem relevant? or did I miss a discussion somewhere?), and we really ought not be discouraging folks from finding/reporting bugs. That just builds a culture in which exploits happen often and nobody reports them for fear of punishment.

Related: asking puke "Hey, does bug 'x' exist?" isn't a viable alternative to trying a thing because then he not only has to test it himself (or just assume it works without testing, which is how bugs proliferate in the first place), but also because it wastes his time in the case where things are A-OK (no bug).

The flipside: Adding extra bug details (e.g. "I made a manual POST request and it let me do 'y'") or theories (e.g. "I would guess the problem is 'z'") is exceptionally useful to dev-folk and not at all insulting... well, unless there's an actual insult in there ("oh my GOD i cannot BELIEVE this is broken, how do you let this happen you nincomflarp"). Vagueness isn't helpful.

Related idea: It might be worth adding some sort of note somewhere to report any security/exploit-related things to puke privately, or else build a private-submit system where only admins can read the messages, but that'd require coding effort.

Thought-dump: concludes.

puke7 (Level 29 Hostist)
post #61671 :: 2015.12.20 4:15pm
pedipanol, Xaser and Savestate liēkd this
I apologize for being both flippant and immature.
It's my last full day at home (leaving for Michigan tomorrow) before the kickstarter begins. I am under stress and doing my best. Yes, Xaser, if someone reports a bug I prefer having all pertinent information. Sometimes I get only a screen cap of something broken and no url of where the problem is. How was I supposed to know that post was a joke? It felt very patronizing.