Revision history
Revision by gaylord (current version):
Edit 2: Just found a post from the guy who did it which says: “Contrary to popular belief, it was not SQL injection. The exploit is such: 4chan allows uploading PDF to certain boards (/gd/, /po/, /qst/, /sci/, /tg/). They neglected to verify that the uploaded file is actually a PDF file. As such, PostScript files, containing PostScript drawing commands, can be uploaded. Said PostScript file will be passed into Ghostscript to generate a thumbnail image. The version of Ghostscript that 4chan uses is from 2012, so it is trivial to exploit. From there, we exploit a mistaken suid binary to elevate to the global user.” He also reaffirms that he didn’t even bother looking at user data while he had access, so no passholder leaks.
Original version by gaylord:
Edit 2: Just found a post from the guy who did it which says: “Contrary to popular belief, it was not SQL injection. The exploit is such: 4chan allows uploading PDF to certain boards (/gd/, /po/, /qst/, /sci/, /tg/). They neglected to verify that the uploaded file is actually a PDF file. As such, PostScript files, containing PostScript drawing commands, can be uploaded. Said PostScript file will be passed into Ghostscript to generate a thumbnail image. The version of Ghostscript that 4chan uses is from 2012, so it is trivial to exploit. From there, we exploit a mistaken suid binary to elevate to the global user.” He also reaffirms that he didn’t even bother looking at user data while he had access, so no passholder leaks.
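The missing check described in the quoted post (the upload is never verified to be a PDF before it reaches Ghostscript), sketched as an added example that is not part of the comment or of any code from the site. The function names and sample byte strings are constructed for illustration. A header check is only a first gate, so the thumbnail command line also pins Ghostscript to `-dSAFER` and a single page.

```python
import re

# A PDF must start with its version header; PostScript starts with "%!".
PDF_HEADER = re.compile(rb"%PDF-[12]\.\d")
EPS_DOS_MAGIC = b"\xc5\xd0\xd3\xc6"  # binary header of EPS files with a preview


def classify_upload(data: bytes) -> str:
    """Classify by content only; the file name and declared MIME type are
    attacker-controlled and are deliberately ignored."""
    if data.startswith(b"%!") or data.startswith(EPS_DOS_MAGIC):
        return "postscript"
    # Require the header at offset 0 and an end-of-file marker near the end.
    if PDF_HEADER.match(data) and b"%%EOF" in data[-1024:]:
        return "pdf"
    return "unknown"


def accept_pdf_upload(filename: str, declared_mime: str, data: bytes) -> bool:
    """Gate for a PDF-only upload field: anything not recognised as PDF is refused."""
    return classify_upload(data) == "pdf"


def thumbnail_argv(src: str, dst: str) -> list:
    """Ghostscript arguments for a first-page thumbnail with file access
    restricted (-dSAFER). Returned as a list so no shell parses the paths."""
    return ["gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-dQUIET",
            "-sDEVICE=png16m", "-r72", "-dFirstPage=1", "-dLastPage=1",
            f"-sOutputFile={dst}", src]


# Constructed samples: a minimal PDF skeleton and a harmless PostScript drawing.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF\n"
SAMPLE_PS = b"%!PS-Adobe-3.0\nnewpath 0 0 moveto 100 100 lineto stroke showpage\n"

if __name__ == "__main__":
    for name, blob in (("flyer.pdf", SAMPLE_PDF), ("flyer.pdf", SAMPLE_PS)):
        verdict = classify_upload(blob)
        print(name, verdict, accept_pdf_upload(name, "application/pdf", blob))
```
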