| >> | Anonymous 15apr2025(tu)20:12 No.103599 OP P1| /f/ is down Will it come back, or did Hiroshimoot fuck up things for good this time?
In case you didn't already hear it all over the web, the 4chons server has been hacked because the software was literally years old. |
|
| >> | Anonymous 15apr2025(tu)21:29 No.103600 A P2R1| I hope it comes back tbqh I have more flash to post. |
|
| >> | Anonymous 16apr2025(we)00:19 No.103601 B P3R2| More importantly, were will you been in the mean time? In addition to actually playing videogames now I am trying out ourchan. It is slow right now, but such is life. |
|
| >> | Anonymous 16apr2025(we)01:28 No.103603 C P4R3| 4chan was hacked https://tech.slashdot.org/story/25/04/16/0012230/ 4chan-has-been-down-since-monday-night-after-prett y-comprehensive-own Someone in the comments describes the method as such:
>4chan allows uploading PDF to certain boards (/gd/, /po/, /qst/, /sci/, /tg/)
>They neglected to verify that the uploaded file is actually a PDF file. As such, PostScript files, containing PostScript drawing commands, can be uploaded.
>Said PostScript file will be passed into Ghostscript to generate a thumbnail image.
>The version of Ghostscript that 4chan uses is from 2012, so it is trivial to exploit.
>From there, we exploit a mistaken suid binary to elevate to the global user.
I don't know whether this is true or not. |
|
| >> | Anonymous 16apr2025(we)01:34 No.103604 C P5A lot more comments here: https://news.ycombinator.com/item?id=43691334
>Apparently some boards allowed uploading PDF files, but the site never checked if the PDF file was an actual PDF file. Once a PDF file was uploaded it was passed to a version of Ghostscript from 2012 which would generate a thumbnail. So the attacker found an exploit where uploading a PDF with the right PostScript commands could give the attacker shell access. |
|
| >> | Anonymous 16apr2025(we)05:09 No.103605 D P6R4 |
| >> | Anonymous 16apr2025(we)10:01 No.103607 B P7R5>>103605
>you could also look at the thread from the actual hacker
kill yourself onions faggot |
|
| >> | Anonymous 16apr2025(we)12:29 No.103608 C P8R6>>103607
Going to the origin that everybody is quoting is usually the best idea to know what's going on. If you don't want to give a page view you can look at the thread via https://archive.ph/
Use Tor browser if you want to see the most recent version and not log your IP. Only 8 out of currently 8329 posts are from the hacker though. |
|
| >> | Anonymous 16apr2025(we)12:59 No.103609 OP P9R7>>103601
O/f/ficial bunker? If not here, where the fuck is everybody?? |
|
| >> | Anonymous 16apr2025(we)13:25 No.103610 E P10R8>>103609
I thought everyone would be here but I guess not. Also apparently /f/ really is built on completely different code from the rest of the site. It is badly hacked together too lmao. |
|
| >> | kaguya 16apr2025(we)16:37 No.103611 F P11R9 |
| >> | male poon 16apr2025(we)21:24 No.103612 G P12R10| This reminds me that I still want to know where the swfchan spider crawls, because it certainly doesn't crawl heyuri's /f/ (and probably not its warota uploader either), any oldies like 7chan or any small sites with swf boards like hikari3. I started archiving heyuri's /f/ (pages, files, replies and reply files) on a whim when its latest incarnation went up in case Ants is interested, but it's unnecessary because the thread/page limit (if there is any) hasn't been hit so far. I mostly just want all the files to be covered by swfchan. |
|
| >> | Anonymous 17apr2025(th)00:40 No.103614 E P13R11>>103611
Holy shit I forgot about heyuri, thanks anon! |
|
| >> | Anonymous 17apr2025(th)01:58 No.103616 D P14R12 |
| >> | Anonymous 17apr2025(th)03:01 No.103617 B P15R13>>103608
>>103616
>Going to the origin
>going to a site based entirely around soy boy memes
go on ahead, I wont stop you faggots |
|
| >> | Anonymous 17apr2025(th)15:27 No.103621 H P16R14>>103609
I went to heyuri first thing lol. Didn't even remember /disc/ existed on swchan |
|
| >> | Anonymous 18apr2025(fr)08:57 No.103627 I P17R15>>103601
I will been here waiting for the shitstorm to calm down |
|
| >> | !///SWFAnts #ADMIN# 18apr2025(fr)10:45 No.103629 SWF P18R16>>103612
In the beginning it crawled multiple imageboards, then only 4chan and 7chan for a couple of years. Today it only looks at /f/. Been like that for the past 10+ years, maybe 15 years by now. Also crawling swfchan's own imageboard of course.
Because there were basically never any comments on small imageboards I didn't archive the empty threads, just the flash file and its name. The reason 7chan's threads stopped being archived was because they allow several flashes per thread, meaning big multi-swf threads would get attached for a bunch of flashes here on wiki pages even though nobody were talking about that flash. It created many irrelevant search results as well with a ton of keywords from several file names yet no discussion.
After the spider stopped looking at 7chan I did manual gets of the swf files from time to time. For non-imageboard sites I made a spider that could be tailored to suit the needs of different sites, then I ran it manually every now and then to pick up new swfs or new flash names for the search engine. |
|
| >> | Anonymous 24apr2025(th)16:21 No.103687 K P19R17 |
| >> | Anonymous 24apr2025(th)18:17 No.103688 L P20R18 |
| >> | Anonymous 24apr2025(th)18:17 No.103689 L P21apparently they are removing /f/ from 4chan
A travesty if true |
|
| >> | Anonymous 25apr2025(fr)00:10 No.103694 M P22R19>>103687
that's not surprising given from the source leak it seems /f/ was just a pile of hackjobs held together with superglue
probably easier to just nix the whole thing than to try and bring it up to par with the rest of the reworked site
godspeed /f/ags it's been an honor shitposting with you all |
|
| >> | Anonymous 25apr2025(fr)06:26 No.103696 N P23R20| it sucks but i had some good times in flash. hopefully a new wave of creators revive the trend, for better or worse |
|
| >> | Anonymous 25apr2025(fr)11:42 No.103702 O P24R21All 4/f/ users are welcome to use wapchan in the meantime (it has inline flash support)
https://wapchan.org |
|
| >> | Anonymous 25apr2025(fr)17:46 No.103707 P P25R22 |
| >> | Anonymous 25apr2025(fr)17:54 No.103708 P P26>>103707
Ok, nvm, you cannot post there right now. |
|
| >> | RapeApe 25apr2025(fr)19:58 No.103709 G P27R23| That's because it's a read-only archive. has also said that /f/ is not coming back |
|
| >> | Anonymous 26apr2025(sa)00:48 No.103710 Q P28R24| Yeah /f/ is dead because they're paranoid about people using .swf to create another exploit like what happened with .pdf I was going to wait for when /f/ returned, but since that isn't happening, does anyone know the filename for the JP Spelunker flash that used a dance song (Middle of it had a guy just go 'Ahhhhhhhhh! Come on!'?
I thought it would be under Spelunker or the moonrunes, but can't find anything. |
|
| >> | Anonymous 26apr2025(sa)00:53 No.103711 R P29R25Rest in Peace.
>One slow but much beloved board, /f/ - Flash, will not be returning however, as there is no realistic way to prevent similar exploits using .swf files. |
|
| >> | Anonymous 26apr2025(sa)01:08 No.103712 E P30R26https://blog.4chan.org/
>One slow but much beloved board, /f/ - Flash, will not be returning however, as there is no realistic way to prevent similar exploits using .swf files.Welp. Where do we go now? Heyuri or stay here on swfchan? swfchan has always been our second home but heyuri has a more 4/f/ like appearance/structure. |
|
| >> | Anonymous 26apr2025(sa)02:27 No.103713 R P31R27| If you guys wanna try out living in exile on Heyuri or Kissu or where-ever else go for it, but I can't help but think that without the small minimal activity that comes with being on 4chan it'll just die. |
|
| >> | Anonymous 26apr2025(sa)05:15 No.103714 S P32R28| I fucking hope they reconsider. I'll write them emails until they do. /f/ is the only place where 4chan's specific flash culture can be preserved. It's the only place on 4chan where the old culture is still reasonably alive. I am honestly, greatly pissed at this decision. All they have to do is serve swfs and the execution is most definitely handled client side. If they're worried about that, they can just include the link to the ruffle extension in a standard embed player and not serve it themselves. Anybody who wants to run them can just install ruffle and run it. And just sandbox /f/ from the rest of the infrastructure. It isn't very active so even if you had separate credentials for it and ran it in a VM, I doubt that'll hinder administration. If /f/ then gets hacked, it'll only be /f/ and we can wait out till they slowly restore it. |
|
| >> | Anonymous 26apr2025(sa)05:29 No.103715 S P33| Flash doesn't run on the local plugin anymore, how is it insecure even for the client?? All they need to do is to restrict filesystem access server side if they're paranoid, given they don't allow multifile swfs anyway. If they can't write a 10 line bash script to do that, they should just close the whole fucking site. |
|
| >> | Anonymous 26apr2025(sa)06:39 No.103716 T P34R29>>103714
There's a decent backup board over on 8ch
people are trying to wrangle up a userboard there
i suggest everyone migrate over there
https://8chan.moe/f/ |
|
| >> | Anonymous 26apr2025(sa)07:28 No.103717 U P35R30| fucked up reason to kill /f/ |
|
| >> | Anonymous 26apr2025(sa)07:51 No.103719 S P36R31ANTS!!
Can you tell us what steps you take to ensure that swfchan is safe and secure?
I'm trying to rally up support to build a new, more secure /f/ that the 4chan admin team can use without worry at https://boards.4chan.org/g/thread/105082557Can you tell us if flash really is that insecure that you have to protect against it and what all mitigations you take if that's true? |
|
| >> | Anonymous 26apr2025(sa)09:26 No.103720 C P37R32>>103707
>>103708
>Performing site maintenance. Try again in a little while.
Makes me hopeful that the board is there even if we can't post yet. As long as I don't look it up for sure there's a chance all these whispers about /f/ not returning are false. |
|
| >> | Anonymous 26apr2025(sa)13:32 No.103740 B P38R33 |
| >> | Anonymous 26apr2025(sa)14:56 No.103745 OP P39R34>>103709
Lol what a fate. Having like 10 thread up for all eternity as archived, how utterly meaningless. Must be legendary to be a OP on that page! |
|
| >> | !///SWFAnts #ADMIN# 26apr2025(sa)17:04 No.103750 SWF P40R35>>103719
I shouldn't talk about swfchan's security too much, we don't even have https. I also run a lot of old code but I try to update the things that can be updated. Perhaps I should consider stopping screenshotting flashes just to be on the safe side but I'd rather not.
When the only thing you do with a swf file is scan it for information like width/height it shouldn't be much more dangerous than scanning a jpg. If the server doesn't even have the flash plugin it's like hosting a zip file.
Concerning the PDF that took down 4chan, I wonder if a virus scan from any such service would have flagged it? Maybe they can't scan every upload on their site due to the incoming volume but it could be done selectively on for example pdf and swf. Could be worth it for additional peace of mind. |
|
| >> | Anonymous 27apr2025(su)02:25 No.103771 V P41R36| Hey admin, speaking of security /fap/ is being spammed with cp links again. |
|
| >> | Anonymous 27apr2025(su)16:35 No.103786 OP P42Best to keep all discussion about exile consolidated in one thread
>>>103721>>103715
Flash doesn't run on the local plugin anymore, how is it insecure even for the client??
It does still, but that doesn't matter it was just the usual OMG SECURITY excuse used since the EOL of flash.
A nice sandbox and flash plugin in browser would be no security issue to the server. |
|
| >> | Anonymous 27apr2025(su)17:07 No.103788 H P43R37>>103750
I guess that does run counter to my aim to affirm security by parsing more, with stringent security requirements but only confirms the fact that is the biggest swf archive is standing despite the years with so little protection, swf is not the disease the 4admins are making it out to be.>>103740
The big guy himself. Mr. Bossman admin legend of swfchan. |
|
| >> | Anonymous 27apr2025(su)17:47 No.103789 W P44R38>>103788
Random computer security guy here, how much parsing you need to do on the server side just depends on what you are trying to stop.
If all you want is to extract the width and height like 4chan seems to care about then it barely takes any parsing and would be really simple and safe to do server side.
If you are doing what Ants is doing like screenshotting the flashes then you open a whole can of worms because you actually have to run the thing. And I bet Ants currently runs them in the Adobe Flash player and not Ruffle which means it's probably legitimatly a server side security risk for him. (Yeah, it's unlikely someone would put the effort into actually doing that, still, leaving a hole that lets people take over your servers hanging out on the big bad Internet isn't great. You can be fine for years and then someone you don't know randomly decides they hate you and now they have a way in.)>>103750
Honestly Ants if you're reading this I would still recommend you go look at the low hanging fruit, at some point you probably wrote something on this site that sticks a swf filename into a command to run.
Have you triple checked that you are sanitizing it correctly?
Do you strip ../ and such? Do you run the command in a shell or execute the target binary directly? If doing it with a shell did you strip inline execution characters like `` and $() ?
If the target binary takes arguments are you making sure that you don't let the swf filename contain things like -- or - to set flags?
The Flash thumbnailing is probably a vulnerability but it would take someone a lot more effort than some of the low hanging fruit like that, this coming from someone who wrote Flash exploits against Adobe Flash player.
Do you support any other things on this site besides .swfs? I thought I remembered reading something about people uploading .rars.
Are those handled by you manually putting them in the archive or are they automatically parsed and if so have you checked the same things as above on this part of the system? etc... As for the anti virus stuff I wouldn't bother, that stuff mostly just catches stuff being spammed everywhere. Not stuff made buy someone trying things one at a time against your site. You time is better spent cleaning up tech debit on the backend. Also https would be nice, but that's just for our privacy. (I would still love if you could setup https though, this is I think the only site that I visit occasionally that doesn't support https) |
|
| >> | !///SWFAnts #ADMIN# 28apr2025(mo)12:55 No.103804 SWF P45R39>>103789
Thank you for the tips. I've always made sure to sanitize all inputs but have added a couple of extra paranoia functions that I don't think are necessary. Wish I had time to comb through everything but there shouldn't be any filenames touching a command line at the very least. |
|
| >> | Anonymous 28apr2025(mo)21:13 No.103811 X P46R40| What will you be doing from here on ANTs? I've been a fan of flash shit since the early days of newgrounds and this site is the single largest library of swf content in existence. Does swfchan scrape other sites than 4chan? Has anyone tried reaching out to the 4chan devs with info on sanitizing swf uploads and potentially reviving /f/? How big would a potential offline version be in the event the site does go down? |
|
| >> | Anonymous 28apr2025(mo)23:10 No.103812 F P47R41>Has anyone tried reaching out to the 4chan devs with info on sanitizing swf uploads and potentially reviving /f/?
Many tried. I don't think 4chan devs are unaware of sanitizing, I think Hiro himself ordered this |
|
| >> | Anonymous 29apr2025(tu)00:18 No.103813 W P48R42>>103804
No problem, I don't want to see swfchan die and honestly I'd love if https was a thing on this site so if you're up for implementing https on everything here I'll throw $150 USD at your BTC wallet. |
|
| >> | Anonymous 29apr2025(tu)22:41 No.103824 Y P49R43>>103789
He can also move the screenshotting inside a virtual machine. Have a network share in a host-only network with an input and an output directories, with some client side program (almost typed "TSR") watching the input dir for SWF files and putting screenshots into output. No server-side execution of anything but cp required. Validating and scaling down the pics will need some but that is a much better known area and scaling down has to be done already anyway.You could even just grab the draw surface of the VM program instead of waiting for whatever is running inside of it to grab and write a picture but that would need altering this part of the scripting more. |
|
