| When [img]? |
 |
| I think people are getting impatient with these disabled codes; myself included. |
| I can deal with the disabled bbcode, but other changes are breaking updating clients. For some reason the site will no longer let me refresh my list in ANY mobile client. I can still update if the list is current (apparently that works through the API), but if I try refreshing it fails to load the new list. This is apparently IP based, if I disconnect from Wifi and refresh on cellular I can now load my list. This either needs to be fixed, or MAL needs to develop an actual usable mobile site. Updating lists are next to impossible from a mobile browser. Apparently I update too much, so it triggered additional protections and now it's blocking me. I"m getting really close to finding an alternative, because I'm not about to stop reading manga but I need a reliable site to update my list on. |
| horaaay! gambatte ne, Xinil! |
Virtual_BS said: I got that also. I was wondering if that was something MAL put up or someone is trying to slip in by a different way. Something like this needs to be broadcasted big time. Given the recent infiltration, I'm now leery of anything that shows up without notice.I noticed the login page is now blocked by a CAPTCHA. This would be great if it wasn't also blocking MAL Updater from connecting to my list :( And as someone said, I just refreshed my screen and it disappeared. |
| What if the Hokey Pokey is what it is all about? |
| i havent seen the captcha yet.. but is all this new stuff the reason why i cannot connect to my list on the MAL app on my phone? |
 |
| Never get captcha..but do we even need them?? o,o BTW...I can't wait for img BBcode alive again....want to update my signature. And! My anti-virus sometime say it detect a virus from this site. Currently I'm using ABP to minimum the risk, still it say..."Virus has been detect from MAL"..What??? |
AoiMizuOct 30, 2013 10:21 AM
 |
| its working just now.. |
 |
Dark_Messiah said: same man wowits working just now.. |
 |
| Yay [img] finally works <3 |
 |
| Are you sure??? |
 nope... doesn't look like it works... |
rodacNov 2, 2013 3:56 PM
| they're just re-enabling [ color] and [ url ] tags,well that's better than nothing |
 |
| Anyway it really is taking them too long to figure a way to re-enable [img] back. After so much time they can't find a way to solve the weakness they had? Maybe there is no solution to this specific little weakness or maybe they found a way but it needs a lot of process to get it working? It would be nice if Xinil told us which of these scenarios is currently occurring. |
| Can you at least enable images on blogs? I need to update mine and can't because everything is broken. |
 |
Veronin said: Can you at least enable images on blogs? I need to update mine and can't because everything is broken. I honestly do not know why Blog inserts are disabled if the About Me isn't. Doesn't make much sense but yeah, I agree. |
Sub said: Veronin said: Can you at least enable images on blogs? I need to update mine and can't because everything is broken. I honestly do not know why Blog inserts are disabled if the About Me isn't. Doesn't make much sense but yeah, I agree. Blogs open to comments can have the [img] tag exploited by other users. That's why profile comment [img] is disabled as well. "About me" is only able to be changed by the users themselves. Though I initially had no major complaints because I had no desire to change my sig at the time...I recently did some reorganizing in my photobucket (without thinking ahead) and broke the link... PRZ TURN ON ;_; |
Ntad said: You should be able to upload another picture with the same name into the same photobucket folder and it should work. I used to do that when I did small changes to my sig which has multiple parts.Though I initially had no major complaints because I had no desire to change my sig at the time...I recently did some reorganizing in my photobucket (without thinking ahead) and broke the link... PRZ TURN ON ;_; |
     Short of the day: Monotonous Purgatory(MAL) ✰Public Domain Club | One Piece Club✰ |
IntroverTurtle said: Ntad said: You should be able to upload another picture with the same name into the same photobucket folder and it should work. I used to do that when I did small changes to my sig which has multiple parts.Though I initially had no major complaints because I had no desire to change my sig at the time...I recently did some reorganizing in my photobucket (without thinking ahead) and broke the link... PRZ TURN ON ;_; Nah, that was my first thought and I tried it, but the url changed even though it was the same picture in the same album. Anyway, I wiped the code from my signature, so now I have no choice but to wait. I wanted to update it anyway so I'll just work on designing something new in the meantime. |
NTADNov 3, 2013 9:50 AM
| The staff could at least update us on what's currently being done to fix this issue.. Or if they've even found a way to fix it. |
| Well...it's been 2 months now... |
| Last I heard... The problem is a PEBCAK issue. The "hacker" is using a password-protected folder on his web server to cause embedded images to pop-up login dialogs. These login dialogs look nothing like MAL's, yet some less than intelligent users are typing their MAL passwords into them, giving them straight to the "hacker". If he really wanted to, he could just put his code in the about me, make a few posts on the forum, and these PEBCAKs will give him passwords every time they open his profile page, so allowing BBCode on profiles and not elsewhere doesn't eliminate the risk entirely. Since Crave are cheap on resources, they won't give us servers powerful enough to allow for a reliable solution, so the staff are stuck with having to develop a workaround that can protect the users from their own stupidity. |
 |
| its been a month since the last update. it would be nice if they would let us know whats going on. =/ and if there even has been any progress in solving this issue. i think if nothing has progressed then they should just turn everything back on. sure that leaves those areas back open for hackers but how long do they plan on making the users wait? till they figure things out? its been two months already. and it kind of starting to seem like they wont be back for who knows how long at this rate |
|
| Is Xinil still the only coder working on this? Is Crave really that stingy/poor as to not hire more? |
| There was idea of whitelist image hosts, why it wasnt realised yet? I know other forum which had similar problem and they made whitelist for image hosts. |
 |
Keise-chan said: Are you sure??? Lol, my post was a gag. It should've been obvious that [img] still did not work from my signature. |
|
Xinil said: Before I mention anything, I want to apologize to everyone for the extended crippling of our bbcode. If you're not aware, [ img ], [ color ], [ url ], and [ yt ] tags have been disabled for some time. Today we're re-enabling [ color] and [ url ] tags. There are still issues we're trying to solve for [ img ], and if you're knowledgeable in the web space, please let us know any ideas you have on how to prevent [ img ] tags from loading malicious content from other sites. Our current best idea is a blacklist or whitelist of domains. We apologize for the inconvenience and hope to have this issue resolved in the near future. Any help we can get will surely enable us to get a fix out faster. Xinil - is there a way that you could enable some sort of token authentication with images. I know that it could impede performance, but then anything malicious could potentially be blocked. |
 |
| I actually tested and this so-called HTTP Auth Injection only comes up if the img src points to the same domain as page. If the url is external, the http auth dialog does not pop up. EDIT: according to the article this vulnerability only affects old versions of IE. The question now is, how old? If it's like IE5.5 then the whole MAL site probably wouldn't even render anyway :D The article: http://tghc.co/hotlinks/ |
amcsiNov 7, 2013 10:08 AM
  |
| I would donate. Although pls, rewrite the code for easier innovation. |
|
| You can count my donate in for that. |
| I would not donate. This site barely works as is, so I'm not sure it would be put to good use. If they made this site more dynamic and efficient, I may consider it. |
|
DarkMorpher said: I don't think people would donate for a forumVirtual_BS said: Last I heard... The problem is a PEBCAK issue. The "hacker" is using a password-protected folder on his web server to cause embedded images to pop-up login dialogs. These login dialogs look nothing like MAL's, yet some less than intelligent users are typing their MAL passwords into them, giving them straight to the "hacker". If he really wanted to, he could just put his code in the about me, make a few posts on the forum, and these PEBCAKs will give him passwords every time they open his profile page, so allowing BBCode on profiles and not elsewhere doesn't eliminate the risk entirely. Since Crave are cheap on resources, they won't give us servers powerful enough to allow for a reliable solution, so the staff are stuck with having to develop a workaround that can protect the users from their own stupidity. Why not raise fund by donation. With so many users, MAL is bound to raise more than enough money to cover new server+other costs each month easily. |
 |
| I would donate if they were to rewrite the entire site. I'm pretty sure the code is currently horrible, hence hardly any innovations are happening to the site. This is still the website with the best community I think, and of course the very useful anime list that I still use even though I'm not so active on the forums anymore. |
|
| Can't we really get back the whole bb code enabled for the Blogs ? I don't have any idea about the issues encountred by the staff but it'd be nice however ! Good luck :D |
lupadim said: DarkMorpher said: I don't think people would donate for a forumVirtual_BS said: Last I heard... The problem is a PEBCAK issue. The "hacker" is using a password-protected folder on his web server to cause embedded images to pop-up login dialogs. These login dialogs look nothing like MAL's, yet some less than intelligent users are typing their MAL passwords into them, giving them straight to the "hacker". If he really wanted to, he could just put his code in the about me, make a few posts on the forum, and these PEBCAKs will give him passwords every time they open his profile page, so allowing BBCode on profiles and not elsewhere doesn't eliminate the risk entirely. Since Crave are cheap on resources, they won't give us servers powerful enough to allow for a reliable solution, so the staff are stuck with having to develop a workaround that can protect the users from their own stupidity. Why not raise fund by donation. With so many users, MAL is bound to raise more than enough money to cover new server+other costs each month easily. Not everyone comes to MAL for your nonsense the forums... The site probably generates enough income for maintenance from the posted ads, even if you include the people using adblock. I'm sure that the real issue is the workload. And if it isn't enough (which I doubt), I wouldn't donate unless the ads were removed or reduced. Most websites that host advertisements do it as a trade-off so that the users can use the services the site provides free of charge. If donations are necessary to keep this ship tidy, then I wouldn't want to be plagued by adds all over my MAL anymore. And seeing as how the site is owned by Crave, the ads more than likely won't be going anywhere. So that pretty much sums it up for me. |
amcsi said: I would donate if they were to rewrite the entire site. I'm pretty sure the code is currently horrible, hence hardly any innovations are happening to the site. I spend a lot of time on MAL so if they ever decided to make donating an option, I would definitely help! |
funkotakuNov 10, 2013 8:27 PM
 |
| We're owned by a private company (CraveOnline - see footer) so we do not accept donations. Thanks for caring about MAL though, guys :) Please expect an update on [img] bbcode in the next 24-48 hours. |
Kineta said: Please expect an update on [img] bbcode in the next 24-48 hours. Looking forward to it! |
|
Undim said: Ho ho, that's cute. I might be able to arrange that.I hope it's written on an embedded image. |
| That's whats up |
Kineta said: Oh awesome :DWe're owned by a private company (CraveOnline - see footer) so we do not accept donations. Thanks for caring about MAL though, guys :) Please expect an update on [img] bbcode in the next 24-48 hours. |
 |
Kineta said: We're owned by a private company (CraveOnline - see footer) so we do not accept donations. Thanks for caring about MAL though, guys :) Please expect an update on [img] bbcode in the next 24-48 hours. Sounds awesome. |
Kineta said: We're owned by a private company (CraveOnline - see footer) so we do not accept donations. Thanks for caring about MAL though, guys :) Please expect an update on [img] bbcode in the next 24-48 hours. I don't see the cause-and-effect. |
|
More topics from this board
» MAL Wrap-Up 2025: Coming Soon! ( 1 2 3 4 5 )Kineta - Dec 16 |
222 |
by penrhos
»»
2 hours ago |
|
» MAL Secret Santa 2025 ( 1 2 3 4 5 ... Last Page )Kineta - Nov 17 |
269 |
by AngelAngel124
»»
Yesterday, 1:58 PM |
|
» [Update May 24] Interest Stacks: New feature for custom theme lists and challenges ( 1 2 3 4 5 )Kineta - Apr 6, 2022 |
210 |
by NS2D
»»
Yesterday, 12:23 PM |
|
» New Club Feature: 3D Clubroom (beta) ( 1 2 )Kineta - Feb 16, 2023 |
97 |
by Shishio-kun
»»
Dec 16, 6:38 PM |
|
» MAL Game "Fantasy Anime League" Opens for Fall 2025 ( 1 2 )Kineta - Sep 10 |
91 |
by AMindJoke
»»
Dec 16, 3:38 AM |