aramshiva

WRITEUP.md

The following is a write up for after a series of several vulnerabilities found in the Hack Club Clubs Dashboard. These vulnerabilities were found on October 23rd 2025.

Background

I was looking through the Hack Clubs Club Dashboard code after reading a wonderful writeup of another vuln for Clubs by @NeonGamerBot-QK. I noticed that all the code was in a singular 16000+ line main.py file, so I looked through this and found several vulnerabilities.

Hack Club has a amazing security program lead by 3kh0. This allows teenagers to earn money for security vulnerabilities they find in Hack Club code. The vulnerabilities found were reported through the Hack Club Security program.

Vulnerabilities

reduz

During the past days, this great article by Sam Pruden has been making the rounds around the gamedev community. While the article provides an in-depth analysis, its a bit easy to miss the point and exert the wrong conclusions from it. As such, and in many cases, users unfamiliar with Godot internals have used it points such as following:

• Godot C# support is inefficient
• Godot API and binding system is designed around GDScript
• Godot is not production ready

In this brief article, I will shed a bit more light about how the Godot binding system works and some detail on the Godot

stevekrouse

declare global {
  const console: {
    log(...data: any[]): void;
    error(...data: any[]): void;
    debug(...data: any[]): void;
    info(...data: any[]): void;
    warn(...data: any[]): void;
    email(log: any, subject?: string | number): void;
  };

irazasyed

Using Gmail SMTP with Cloudflare Email Routing: Step-by-Step Guide

Learn how to send emails through Gmail SMTP with Cloudflare Email Routing in this comprehensive guide.

Step 1: Enable 2-Factor Authentication

To proceed with this method, ensure that you have enabled two-factor authentication for your Google account. If you haven't done so already, you can follow the link to set it up → Enable 2FA in your Google account.

Step 2: Create an App Password for Mail

robandpdx

Making a monorepo from multiple git repos using git subtree

You may have several git repos that you want to combine into a single git repo. Here is how you can accomplish this using git subtree...

1. Create a new empty git repo.

mkdir monorepo
cd monorepo
git init

eyecatchup

// Generates the SAPISIDHASH token Google uses in the Authorization header of some API requests
async function getSApiSidHash(SAPISID, origin) {
    function sha1(str) {
      return window.crypto.subtle.digest("SHA-1", new TextEncoder("utf-8").encode(str)).then(buf => {
        return Array.prototype.map.call(new Uint8Array(buf), x=>(('00'+x.toString(16)).slice(-2))).join('');
      });
    }
    
    const TIMESTAMP_MS = Date.now();
    const digest = await sha1(`${TIMESTAMP_MS} ${SAPISID} ${origin}`);

alexellis

From my blog post: The Internet is my computer

Equinix Metal is my computer

Run hosted VSCode on Equinix Metal's huge: AMD Epyc instances with 64GB RAM and 24 Cores, coupled with a bonded 2 x 10 Gbps uplink to the Internet.

• Provision your Ubuntu 20.04 LTS server using the dashboard and add your SSH key
• Once you have the public IP, log in over SSH

nurupo

How to close a channel on Freenode when migrating to Libera

Run /msg NickServ LISTCHANS to see what permissions you have in what channels.

For each channel you have +s, +R and either +o or +O or +t permissions in, run:

/msg ChanServ OP #channel
/msg ChanServ SET #channel TOPICLOCK OFF
/msg ChanServ TOPIC #channel We have moved to irc.libera.chat

shadowcat-mst

It appears that rasengan (Andrew Lee) of Private Internet Access believes that ownership of the company Freenode Ltd. gives him the right to unilaterally replace the current staff team.

We may have had our disagreements with staff, but freenode being run by a volunteer team, using servers provided by sponsors, is a key reason that we appreciate freenode.

As such, we do not believe that such a unilateral replacement by a corporate interest is appropriate.

If this attemped takeover by Andrew Lee continues, we will be advocating to move our communities elsewhere.

Context: Fuchs' leaked (not by him) draft resignation letter that caused Andrew Lee to come onto #freenode: https://fuchsnet.ch/privat/fn-resign-letter.txt

ajhalili2006

[
  "https://cdn.discordapp.com/emojis/777592308605386782.png?v=1",
  "https://cdn.discordapp.com/emojis/233832831652986880.png?v=1",
  "https://cdn.discordapp.com/emojis/792649412324622356.png?v=1",
  "https://cdn.discordapp.com/emojis/237080616917532672.png?v=1",
  "https://cdn.discordapp.com/emojis/560699081664626718.png?v=1",
  "https://cdn.discordapp.com/emojis/792649418641506306.png?v=1",
  "https://cdn.discordapp.com/emojis/668998774525394951.png?v=1",
  "https://cdn.discordapp.com/emojis/587127986478907392.png?v=1",
  "https://cdn.discordapp.com/emojis/777590482900353064.png?v=1",