#4, 06-07-2017, 01:12 PM
aquapyrofan (Member; Join Date: Apr 2017; Posts: 48)

I'm pretty sure that, hypothetically speaking, while I couldn't pound someone else's pet, I could trick them into pounding their own. All I need is a PM (haven't checked images in PMs though) or shout (definitely would work there) and a little knowledge of how Mysidia is set up.
Step 1. Get a pet I don't care about, to pound for the URL
Step 2. Set an image URL to the URL for confirming pounding + a little Mysidia knowledge to get their active pet's ID at the end
Step 3. Post in the Shoutbox, so anyone who visits has their active pounded.

Targeted version:
Step 1. Same
Step 2. Check around for the target pet, use their ID at the end of the URL.
Step 3. Set the URL to an image, either in the shoutbox, your avatar, or, if possible, a PM.
Step 4. As the user would have to load it to even think about reporting it, they're not safe in PM, they'll get the target pet pounded. If it's an avatar or the shoutbox, everyone else who visits any page it appears on will get banned.

Or heck, do it on another site.

Not to mention the security holes caused by CKeditor happily allowing JavaScript.

Currently we're blocking the exploit on our site by disallowing anything as an avatar that isn't an image and has "pound" in the URL (because if it was just the former there's another exploit I found) using regular expressions, but there's got to be a better way.
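The post closes by asking for a better way than filtering avatar URLs with a regular expression. The usual fix lives on the server side of the pound action itself, not in what users are allowed to embed. The following is an added example, not code from the original post or from the Mysidia project; it sketches that fix in Python using hypothetical `Session`, `Request` and pets-table stand-ins (all constructed for this example). The action is refused on GET, which is the only method an image load or avatar fetch can produce; on POST it requires a token bound to the visitor's own session; and it checks that the requester owns the pet before doing anything. The names `csrf_token` and `handle_pound` are assumptions, not Mysidia APIs.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Hypothetical server-side session: the logged-in user plus a secret
    that never leaves the server and is used to derive CSRF tokens."""
    user: str
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Hypothetical request object: HTTP method, parameters and the session
    the browser's cookie resolved to."""
    method: str
    params: dict
    session: Session


def csrf_token(session: Session, action: str) -> str:
    """Token for one action, derived from this session's secret.
    The site embeds it in its own confirmation form; a third party who can
    only place a URL in a shout, avatar or PM cannot know it."""
    return hmac.new(session.csrf_secret.encode(), action.encode(),
                    hashlib.sha256).hexdigest()


def handle_pound(req: Request, pets: dict) -> tuple[int, str]:
    """Server-side handler for the pound action. `pets` maps pet id -> owner
    (a constructed stand-in for the site's pet table).
    Returns an (HTTP status, message) pair."""
    # 1. Image tags can only produce GET requests, so a state-changing
    #    action must not be reachable by GET at all.
    if req.method != "POST":
        return 405, "pound requires POST"

    # 2. The POST must carry the token issued to this session for this action.
    #    compare_digest avoids leaking the expected token through timing.
    supplied = req.params.get("csrf_token", "")
    expected = csrf_token(req.session, "pound")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"

    # 3. Authorisation: a valid token still only lets a user pound a pet
    #    they own, so a pet id belonging to someone else is refused.
    try:
        pet_id = int(req.params.get("pet_id", ""))
    except ValueError:
        return 400, "bad pet id"
    owner = pets.get(pet_id)
    if owner is None:
        return 404, "no such pet"
    if owner != req.session.user:
        return 403, "not your pet"

    del pets[pet_id]
    return 200, f"pet {pet_id} pounded"


if __name__ == "__main__":
    # Constructed sample data: two pets owned by two different users.
    table = {101: "alice", 102: "bob"}
    alice = Session("alice")
    # What an embedded image URL can do: a GET, with no token. Refused.
    print(handle_pound(Request("GET", {"pet_id": "101"}, alice), table))
    # The site's own confirmation form: POST with the session's token.
    form = {"pet_id": "101", "csrf_token": csrf_token(alice, "pound")}
    print(handle_pound(Request("POST", form, alice), table))
```

With this in place the avatar-URL regex becomes unnecessary: whatever URL a visitor's browser fetches, the server will not change pet state without a POST carrying that visitor's own token, and even then only for that visitor's own pets.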