Ramarchy – a website anyone can edit - zq
http://edit.ramarchy.com

======
AnkhMorporkian
I would caution those with epilepsy to avoid the main page. It's being changed
fairly regularly to a very quickly flashing background of multiple colors and
flashing text.

------
tokenizerrr
You should probably do something to prevent CSRF. I just came up with this:

    <form id="lol" method="POST" action="http://edit.ramarchy.com/">
      <input type="hidden" name="route" value="/" />
      <input id="page" type="hidden" name="page" value="" />
    </form>
    <script>
    setTimeout(function() {
      document.getElementById('page').value = '<ht' + 'ml>' + document.documentElement.innerHTML + '</ht' + 'ml>';
      document.getElementById("lol").submit();
    }, 1000);
    </script>
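
The fix the thread is asking for, as an added example (not code from the site or from any commenter): a synchronizer token bound to the session plus an exact Origin check, which is what stops a hidden form on another site from submitting an edit with the victim's cookies. The session store, `SITE_ORIGIN` value and function names are all assumptions made for the example.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumed origin of the wiki (the thread names edit.ramarchy.com); any value
# works, since the check only compares the request's Origin against it.
SITE_ORIGIN = "http://edit.ramarchy.com"

# Constructed in-memory session store: session id -> CSRF token.
_sessions: Dict[str, str] = {}


def new_session() -> str:
    """Start a session and bind a fresh, unguessable token to it."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = secrets.token_urlsafe(32)
    return sid


def render_edit_form(sid: str) -> str:
    """Edit form as the server would send it, with the session's token embedded."""
    token = _sessions[sid]
    return (
        '<form method="POST" action="/">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}" />\n'
        '  <textarea name="page"></textarea>\n'
        '</form>'
    )


def _same_origin(value: str) -> bool:
    """Exact scheme+host match, so a lookalike host cannot pass a prefix test."""
    p = urlparse(value)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def accept_edit(sid: Optional[str], headers: Dict[str, str], form: Dict[str, str]) -> bool:
    """Decide whether a POST may change the page.

    A hidden form on another site can make the browser send the victim's
    cookies (hence a valid session id), but it cannot read the token out of
    the victim's copy of the edit form, and the browser sets Origin itself.
    """
    expected = _sessions.get(sid or "")
    if expected is None:
        return False
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not _same_origin(origin):
        return False
    supplied = form.get("csrf_token", "")
    # constant-time comparison so the token cannot be recovered via timing
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    sid = new_session()
    token = _sessions[sid]
    ok = accept_edit(sid, {"Origin": SITE_ORIGIN}, {"csrf_token": token, "page": "hi"})
    forged = accept_edit(sid, {"Origin": "http://attacker.invalid"}, {"page": "pwned"})
    print("legitimate edit accepted:", ok, "| cross-site POST accepted:", forged)
```

The Origin check alone is not enough in older browsers that omit the header, and the token alone is not enough if the page ever reflects user HTML (as this site does by design), since injected script on the same origin can read the token; both checks together plus not echoing raw HTML are the realistic minimum.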

------
jacquesm
At least put some basic protection in place. There was a time when you could
have launched this website without a problem, say 1995 or so. Today this is no
longer possible.

To the dumbass downvoting me: I just took a look with wget and the current
homepage will set you in a loop that starts up endless mailer windows until
your machine crashes. Good luck.

~~~
rot25
It looks like it intentionally didn't have any protections in place. The edit
page has the comment <!-- Feel free to take advantage of the lack of CSRF
protection -->

It also has <h1>What could possibly go wrong.</h1> go wrong in the default
editor source.

Was it irresponsible? Yes zq should have put a warning for sure. Still a cool
experiment. Twitch Plays Pokemon with bigger repercussions.

------
zuck9
Seems like someone who uses LastPass got XSRF'd: view-source:http://ramarchy.com/

~~~
sejit
The source has changed since your post. If I use LastPass and visited the
site, should I be worried? What did the script do?

~~~
tokenizerrr
The script grabbed document.documentElement.innerHTML and resubmitted it as
the new page contents. See my post above regarding CSRF.

------
feybay
This will be fun until 4chan/8chan find it.

~~~
zq
Ha yeah. It is an experiment; I'm wondering how long it will last before someone
drops an XSRF or something. Will probably have to take it down within the hour.
I'm thinking about only letting users' posts go through if their hash is lower
than the previous user's hash submission.

Hopefully it is legal.
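
The "hash must be lower than the previous one" rule zq floats, as an added example (not zq's code) written to show what it actually does: each accepted edit lowers the bar for the next one, so it is a proof-of-work ratchet whose cost grows roughly geometrically with every accepted edit, not a fixed rate limit, and it does nothing about CSRF, since any page that can submit the form can also run the nonce loop. The class, the nonce-in-a-comment encoding and the attempt limit are assumptions of the example.

```python
import hashlib
import math
from typing import Optional, Tuple


def content_hash(page: bytes) -> int:
    """SHA-256 of a submission as an integer, so two submissions compare numerically."""
    return int.from_bytes(hashlib.sha256(page).digest(), "big")


class HashRatchet:
    """Accept an edit only if its hash is strictly lower than the last accepted one."""

    def __init__(self) -> None:
        self.last: Optional[int] = None
        self.accepted = 0

    def would_accept(self, page: bytes) -> bool:
        return self.last is None or content_hash(page) < self.last

    def submit(self, page: bytes) -> bool:
        if not self.would_accept(page):
            return False
        self.last = content_hash(page)
        self.accepted += 1
        return True

    def expected_attempts(self) -> float:
        """Expected number of random submissions before the next one clears the bar."""
        if self.last is None:
            return 1.0
        if self.last == 0:
            return math.inf
        return (1 << 256) / self.last


def satisfy(ratchet: HashRatchet, page: bytes, limit: int = 1_000_000) -> Optional[Tuple[bytes, int]]:
    """Append an HTML-comment nonce until the page clears the bar, then submit it.

    Returns (accepted_page, attempts), or None if the limit is hit. This is the
    loop any client of the site would have to run under the rule, which is what
    makes it a proof of work rather than a moderation check.
    """
    for n in range(limit):
        candidate = page + b"\n<!-- nonce %d -->" % n
        if ratchet.submit(candidate):
            return candidate, n + 1
    return None


if __name__ == "__main__":
    r = HashRatchet()
    for i in range(6):
        result = satisfy(r, b"<h1>edit %d</h1>" % i)
        if result is None:
            print(f"edit {i}: gave up, bar is now ~{r.expected_attempts():.0f} attempts")
            break
        print(f"edit {i}: accepted after {result[1]} attempts, next bar ~{r.expected_attempts():.0f}")
```

Running the demo a few times shows the attempt counts climbing until the limit is hit: the threshold only ever decreases, so the site would eventually accept nothing at all, and whoever has the most CPU wins every edit in the meantime.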

~~~
jacquesm
I'm not worried about you getting in trouble, I'm worried about those that
visit your site.

Shut it down until you understand the basics of operating a site that 'anyone
can edit', fix the problems and then re-launch. This is simply asking for
misery, and not just yours.
