2002/11/16 02:31:17 PST by Alex [0/0] |
Hehe, bug of the day! The Challenge string that the script should randomize for each page-load remains the same. Until this bug is fixed, the following DHTML code can be used to log in automatically:
<html>
<head>
<script language="javascript" type="text/javascript" src="http://www.fateofio.org/v4/authenticate.js"></script>
<script language="javascript" type="text/javascript">
function LogIn() {
    var Login = "Arnold";
    var Password = "Schwarzenegger";
    var Challenge = "4627a3b8d09dcbb95b88be483787fa40";
    var Response = hexMD5 (hexMD5 (Password) + Challenge);
    document.authForm.username.value = Login;
    document.authForm.response.value = Response;
    document.authForm.submit();
}
</script>
</head>
<body onLoad="LogIn();">
<form name="authForm" method="post" action="http://www.fateofio.org/v4/v4.jsp?login">
<input type="hidden" name="username" />
<input type="hidden" name="response" />
</form>
</body>
</html>
Just copy'n'paste the above code-mesh to a .html file, replace the Login / Password values as needed, save that file somewhere on your HD, and bookmark it as "Fate of Io".
Once Temporal fixes the static Challenge bug, a Java applet can be made for mining out the correct seed every time, while spoofing the referrer value. Even if the output content changes, a hex pattern in quotes is very easy to match.
This is, of course, just speculation about what could be done. No one would probably want to do that. The purpose of this post has been to propose changes / bug fixes to v4PM's authentication process.
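The server-side half of the fix the post asks for, as an added example that is not part of the original post or v4PM's own code: a fresh challenge per page load, bound to the session, usable once and short-lived, so a response computed for an earlier challenge is rejected. The function names, the session-id binding, the two-minute lifetime and the assumption that the server stores hexMD5(password) are all hypothetical; MD5 is kept only to match the response formula shown in the post.

```javascript
const nodeCrypto = require("node:crypto");

const CHALLENGE_TTL_MS = 2 * 60 * 1000;   // assumed lifetime of one challenge
const pending = new Map();                // sessionId -> { challenge, expiry }

// Same construction as hexMD5() in the post: lowercase hex MD5 of a string.
function md5hex(text) {
  return nodeCrypto.createHash("md5").update(text, "utf8").digest("hex");
}

// Called on every load of the login page. Overwrites any earlier challenge
// for the session, so only the most recently served value can be answered.
function issueChallenge(sessionId, now = Date.now()) {
  const challenge = nodeCrypto.randomBytes(16).toString("hex");
  pending.set(sessionId, { challenge, expiry: now + CHALLENGE_TTL_MS });
  return challenge;
}

// Called when the form (username + response) is posted.
// storedPasswordMd5 is the account's hexMD5(password) (assumed storage format).
function verifyLogin(sessionId, storedPasswordMd5, response, now = Date.now()) {
  const entry = pending.get(sessionId);
  pending.delete(sessionId);              // single use, even on failure
  if (!entry || now > entry.expiry) return false;

  const expected = Buffer.from(md5hex(storedPasswordMd5 + entry.challenge), "hex");
  const supplied = Buffer.from(String(response), "hex");
  // Constant-time comparison; length check first because timingSafeEqual
  // throws on buffers of different size.
  return supplied.length === expected.length &&
         nodeCrypto.timingSafeEqual(expected, supplied);
}

// Constructed walk-through: a response saved from one page load is replayed.
function replayDemo() {
  const stored = md5hex("constructed-password");
  const first = issueChallenge("sess-1", 0);
  const saved = md5hex(stored + first);   // what a bookmarked page would hold
  const fresh = verifyLogin("sess-1", stored, saved, 1000);
  issueChallenge("sess-1", 2000);         // next page load, new challenge
  const replayed = verifyLogin("sess-1", stored, saved, 3000);
  return { fresh, replayed };             // { fresh: true, replayed: false }
}
```
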