
Deleting Kareha board posts

Name: Anonymous 2018-09-12 2:39

This is how post deletion passwords are generated in Kareha (anonymous board software used by some boards (but not this site)):

    function make_password()
    {
        var chars="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        var pass='';

        for(var i=0;i<8;i++)
        {
            var rnd=Math.floor(Math.random()*chars.length);
            pass+=chars.substring(rnd,rnd+1);
        }

        return(pass);
    }


Every post has a post deletion password. If you know it (or can guess/brute force it), you can delete the post.
I haven't looked over all of the source code, but I wouldn't be surprised if there isn't any form of rate limiting, considering how primitive and kind of broken the software is, as is the case for many alternative image and text boards, especially those run by people who merely install the board software instead of writing it themselves (and usually have poor coding and security knowledge).

Here's how to delete a post:
    function delete_post(thread,post,file)
    {
        if(confirm("Are you sure you want to delete reply "+post+"?"))
        {
            var fileonly=false;
            var script=document.forms[0].action;
            var password=document.forms[0].password.value;

            if(file) fileonly=confirm("Leave the reply text and delete the only file?");

            document.location=script
                +"?task=delete"
                +"&delete="+thread+","+post
                +"&password="+password
                +"&fileonly="+(fileonly?"1":"0");
        }
    }


The way to call the function is like this (as an example):
javascript:delete_post(1534535341,1) to delete an OP.
Or
javascript:delete_post(1534480288,79) to delete the 79th post in a thread. (the post number is a 32-bit unix time stamp)
I found a certain board that adds style="display:none;" to the deletion span element, but doesn't actually modify the board software in order to really remove it.


The function takes 3 arguments, and isn't overloaded, yet I see it being used with just 2 on a text board (because there is no image file associated with the post).
I'm sure you could automate this. Not that I'd advocate doing that, but I'm just saying.

I remember someone on /g/ made a script that would delete random imgur posts, before they changed how post deletion worked.

Name: Anonymous 2018-09-12 2:44

Here is the URL for deleting a post:
example.com/kareha.pl?task=delete&delete=THREADNUMBER,POSTNUMBER&password=PASSWORD&fileonly=0
Replace the words with the actual values.
Edited on 12/09/2018 02:46.

Name: Anonymous 2018-09-12 2:51

Use this to see your current password for the board:
javascript:alert(document.forms[0].password.value);
Or even
javascript:console.log(document.forms[0].password.value);
I wonder if there's some sort of XSS or something that would let you see someone else's password if you got them to click on a link you sent them? Or you can always do the brute force idea I mentioned, or also try a null password, in case it somehow got messed up (or if they disabled javascript, which would leave the post with no password at all, I think!)

Brute-forcing an individual post might take some time, but what could be faster is just sending deletion requests with blank passwords to every post you can scrape, since some users disable javascript, and I think that means there'd be no password associated with that post because the make_password() function is client-side javascript.

Don't misuse this knowledge though, or if you do, don't blame me. I am just interested in security, not doing mean things.
Edited on 12/09/2018 02:55.
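For board operators, the weaknesses raised in the posts above (a Math.random() password, a possibly empty password, unlimited guessing) can all be closed on the server. The following Node.js sketch is an added example, not Kareha code and not from any poster; every function name, the 16-character length and the 5-failures-per-15-minutes policy are assumptions.

```javascript
const crypto = require('node:crypto');

const CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Server-side replacement for make_password(): CSPRNG with unbiased indexing.
function makePassword(length = 16) {
  let pass = '';
  for (let i = 0; i < length; i++) pass += CHARS[crypto.randomInt(CHARS.length)];
  return pass;
}

// Store only a salted hash of the deletion password alongside the post.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

const MAX_FAILURES = 5;            // assumed policy
const WINDOW_MS = 15 * 60 * 1000;  // assumed policy
const failures = new Map();        // client key (e.g. IP) -> { count, first }

function throttled(client, now) {
  const f = failures.get(client);
  if (f && now - f.first > WINDOW_MS) { failures.delete(client); return false; }
  return !!f && f.count >= MAX_FAILURES;
}

function recordFailure(client, now) {
  const f = failures.get(client) || { count: 0, first: now };
  f.count++;
  failures.set(client, f);
}

// Decide whether a deletion request may proceed: 'ok', 'denied' or 'rate_limited'.
function checkDelete(post, supplied, client, now = Date.now()) {
  if (throttled(client, now)) return 'rate_limited';
  // A post stored without a password must never match an empty submission.
  if (!post.pw || typeof supplied !== 'string' || supplied.length === 0) {
    recordFailure(client, now);
    return 'denied';
  }
  const candidate = crypto.scryptSync(supplied, post.pw.salt, 32);
  if (!crypto.timingSafeEqual(candidate, post.pw.hash)) {
    recordFailure(client, now);
    return 'denied';
  }
  return 'ok';
}
```

A real deployment would also send the password in a POST body rather than the query string, so it stays out of server logs and browser history.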

Name: Anonymous 2018-09-12 6:51

read up on cloning RNGs and you'll be able to do it

Name: Anonymous 2018-09-12 13:30

Meh, HTML injection on Wakaba was a fun bug though.

Name: Anonymous 2018-09-12 15:06

bump

Name: Anonymous 2018-09-12 20:41

>>5
elaborate plz

Name: Anonymous 2018-09-12 21:10

You could encode arbitrary HTML as a series of Perl chr(). For example, I made one poast with an embedded VIPSTAR autoplay.

Name: Anonymous 2018-09-12 22:31

>>8
link?
you could also use this for evil purposes, like embedding a .swf that uses an EK to deliver ransomware, or using a script tag to include a remote monero mining script
