(2016-01-05, 05:39 AM)martec Wrote: [ -> ] (2016-01-04, 08:26 PM)BasedLumi Wrote: [ -> ] (2016-01-03, 08:58 PM)martec Wrote: [ -> ] (2016-01-03, 08:41 PM)Predatorz Wrote: [ -> ]There is only so much I can explain to you, if we could chat on some random chatting service like skype or using xmpp protocol I would love to explain to you what I mean.
If you have a forum revolvant arround the shoutbox like mine You want all members to be able to join shoutbox.
Also people are using exploits and it is impossible to find out about who is doing it.. I have about 140 members online at anytime and It is hard to keep track, If you can implement an anti flood that isnot exploitable I would love to help you doing it.
Please consider chatting live with me somewhere else as there is only so much I can do on mybb forums and it becomes spam after a while.
what you want?
this shoutbox already using this http://stackoverflow.com/a/668327 to avoid abuse.
default value is below
rate = 5.0; // unit: messages
per = 8.0; // unit: seconds
so you can change to manually to
rate = 2.0; // unit: messages
per = 8.0; // unit: seconds
so will accept only 2 messages every 8 secounds. If has more will discart.
or
rate = 1.0; // unit: messages
per = 5.0; // unit: seconds
1 message every 5 secounds.
There is a javascript exploit that can be used to bypass this method. Invite me to a forum with your Shoutbox and I can demonstrate
if flood time feature is important for you, so use rin shoutbox.
i not has time for now to improvement this or change this part of code.
and probably exploit that you saying it something this?
![[Image: Ip9gcxB.png]](https://camo.mybb.com/89982a809a86d4c84dcac6b97160318868cae6cf/687474703a2f2f692e696d6775722e636f6d2f497039676378422e706e67)
if so not has any exploit.
And you tried change value in server files?
Bacause this feature not has any relation with flood time setting of ACP.
Okay, since you have no idea what im talking about I will send you a pm along with the exploit and what it does in a gif
(Also Rin shoutbox does not have a PM feature)
So it seems i cannot send you pms. I really do not want to post it on public forums.. if you send me a method of contact i would be happy to show you
@BasedLumi, @martec.
Well said Lumi.
I have been trying to explain to martec about this issue but he does not understand and I do not think he mildly cares about this issue even though he wields one of the best shoutboxes in MyBB if improved.
Martec keeps making his shoutbox more and more client sided, you could have made the "Edited By" message server sided for more security but what ever...
miunashout-server.js
function updateMessage(data, user) {
data.newmsg = trunc(escape(data.newmsg));
data.editby = ' <span style="font-size: 8px;font-style: italic;">Edited by ' + user.nick + '</span>';
db.updmsg(data);
io.emit('updmsg', data);
}
Martec, you have to make a server sided anti-flood... And as I said before this can be done by saving IP logs of users and then saving logs and using time to check this...
Here is a little code below on how to do this as you seem clueless of what we are even talking about.
miunashout-server.js
socket.on('message', function(data) {
data["created"] = Date.now();
data["ip"] = socket.client.conn.remoteAddress;;
var found = false;
var shouldSend = false;
for (var i = 0; i < ips.length; i++) {
var entry = ips[i];
if (entry !== null && entry.ip == data.ip) {
found = true;
if ((data.created - entry.date) > 2800) {
shouldSend = true;
entry.date = data.created;
break;
}
console.log('Blocking message. Threshold exceeded for ip ' + entry.ip);
}
}
if (!found) {
console.log(data.ip + ' not found. Adding to list.');
ips.push({
ip: data.ip,
date: data.created
});
shouldSend = true;
}
Anyways Martec, I do not think you care but if you made a couple of security changes I am sure all the users using this shoutbox would love it.
(2016-01-06, 09:09 AM)Predatorz Wrote: [ -> ]@BasedLumi, @martec.
Well said Lumi.
I have been trying to explain to martec about this issue but he does not understand and I do not think he mildly cares about this issue even though he wields one of the best shoutboxes in MyBB if improved.
Martec keeps making his shoutbox more and more client sided, you could have made the "Edited By" message server sided for more security but what ever...
miunashout-server.js
function updateMessage(data, user) {
data.newmsg = trunc(escape(data.newmsg));
data.editby = ' <span style="font-size: 8px;font-style: italic;">Edited by ' + user.nick + '</span>';
db.updmsg(data);
io.emit('updmsg', data);
}
Martec, you have to make a server sided anti-flood... And as I said before this can be done by saving IP logs of users and then saving logs and using time to check this...
Here is a little code below on how to do this as you seem clueless of what we are even talking about.
miunashout-server.js
socket.on('message', function(data) {
data["created"] = Date.now();
data["ip"] = socket.client.conn.remoteAddress;;
var found = false;
var shouldSend = false;
for (var i = 0; i < ips.length; i++) {
var entry = ips[i];
if (entry !== null && entry.ip == data.ip) {
found = true;
if ((data.created - entry.date) > 2800) {
shouldSend = true;
entry.date = data.created;
break;
}
console.log('Blocking message. Threshold exceeded for ip ' + entry.ip);
}
}
if (!found) {
console.log(data.ip + ' not found. Adding to list.');
ips.push({
ip: data.ip,
date: data.created
});
shouldSend = true;
}
Anyways Martec, I do not think you care but if you made a couple of security changes I am sure all the users using this shoutbox would love it.
for me BasedLumi and Predatorz it's same user...
i will realase 7.2 but i refuse use IP...
i finishing 7.2
https://github.com/martec/miuna-shoutbox...-7.2-alpha
and edited by that you saying not make any sense... not has any secure issue in this.
(2016-01-05, 04:20 AM)Vanissery Wrote: [ -> ]So just a question.
Can your shoutbox be used on different themes at once?
I plan on letting users change themes and I'm wondering if I can
Yes it is possible. Just open your "index" template and copy the "{$miunashout}". Then open "index" from other theme and paste the "{$miunashout}".
Miuna ShoutBox works even on mobile theme.
v 7.2.0 released:
Quote:This version not work with Miuna Shoutbox Server 7.0 or below, you need upgrade Miuna Shoutbox Server to 7.2. You need delete application in openshift and create again with 7.2.
Quote:Installation of Miuna Shoutbox Server 7.2 is different of 5.4 or below. So you need read first post again before install Miuna Shoutbox Server 7.2
Improvement Release:
- Improved flood time feature.
- Added expiration time to token.
Upgrade from 7.0.0:
Upgrade Miuna Shoutbox Server to 7.2.
Unistall old version, upload new version and install.
Demo of new version:
https://martyan.xyz/test/
User: test
pass: test123
Ps1. If you not use flood time feature, so you can skip this version. Not will change anything for you.
Ps2. New version now only in Q4 of 2016 ~ Q1 of 2017.
Please not insist. More detail here
http://community.mybb.com/thread-166773-...pid1201342
And i will not estress with this more. If not like this, so use other options.
I even thought about launching version without the flood time feature. It would have been the simplest solution. Thus would not be able to claim about feature saying it does not work, since it does not exist. I do not gain anything from it, not a penny. I made this is for because of request of one of small forum that i have, i only sharing. So not like this so use other options (mybb has many). If you using this or not, not make any difference for me.
Well thanks Martec for your work into Miuna Shoutbox.
We love using your shoutbox because if taken into consideration my forum size would take a lot of resources from my servers to run a shoutbox to 100 - 200 users using other shoutboxes thus why we use yours.
No, there is no problem with the Edited By its ok.
Anyways great job I am proud to see you fix this issue!
Now if you need any "ideas" for your next version I would say adding a little System user with commands would be fun such as /help /about /joke e.t.c simple things but not necessary.
v 7.2.1 released:
Quote:This version not work with Miuna Shoutbox Server 7.0 or below, you need upgrade Miuna Shoutbox Server to 7.2. You need delete application in openshift and create again with 7.2.
Quote:Installation of Miuna Shoutbox Server 7.2 is different of 5.4 or below. So you need read first post again before install Miuna Shoutbox Server 7.2
Bug fix:
-Fix small bug: Fix issue that need wait flood time in first message.
Upgrade from 7.2.0:
Unistall old version, upload new version and install.
Demo of new version:
https://martyan.xyz/test/
User: test
pass: test123
(2016-01-06, 11:34 AM)IdolwSzutrab7 Wrote: [ -> ] (2016-01-05, 04:20 AM)Vanissery Wrote: [ -> ]So just a question.
Can your shoutbox be used on different themes at once?
I plan on letting users change themes and I'm wondering if I can
Yes it is possible. Just open your "index" template and copy the "{$miunashout}". Then open "index" from other theme and paste the "{$miunashout}".
Miuna ShoutBox works even on mobile theme.
Thanks bud
. Now I won't need to reinstall it every time I want to add a new theme
Every time i join my forums i get this on the right top of my screen. "Expired Token. Refresh the page to obtain new Token." And it wont let me type anything in the shoutout box. I did the steps correctly.
(2016-01-07, 03:36 PM)Jake2015 Wrote: [ -> ]Every time i join my forums i get this on the right top of my screen. "Expired Token. Refresh the page to obtain new Token." And it wont let me type anything in the shoutout box. I did the steps correctly.
probably time of your server is incorrect.
try increase time of token expiration time in configuration of plugin in acp. Or contact your host and say to fix time of server.