4chan source code leaked (2010) (opens in new tab)

(pastebin.com)

126 pointsNotUncivil11y ago102 comments

102 comments

Not much to see here, folks. Someone took an old leak of the source code and commented out a few lines for a giggle. Only moot and the developers know what the site looks like now, but given the significant addition of functionality in the past few years, it's pretty much impossible that that would be the only difference in the source.

The original leak, from 2010 at least, possibly older: http://pastebin.com/4JVjS02b

4chan was hacked the other day, so the current source code could have been leaked, but if it was, this sure isn't it.

NotUncivilOP11y ago

Noted. I have added "(2010)" to the title.

A diff that compares the old leaked source to the "new" one: http://pastebin.com/KkeLzb6q.

brador11y ago

Wouldn't the ideal solution for 4Chan be an external data/processing server that dials in to the hosting server to dump out static files? That way the location of the external server remains, at least partially, a mystery, even after the main box is hacked?

pearjuice11y ago

Why? 4chan is not a high target. There is no reason to over engineer it. Mostly it will be prepubescent teenagers throwing a fit and bombarding the server with bandwidth.

The hack of earlier today was due to an obsession over a female 4chan moderator. That should say enough.

2 more replies

pessimizer11y ago

There's nothing static about 4Chan. My guess is that the performance issues would be terrifying.

treehau511y ago

I mean,

Yes I hate PHP more than the next guy,

Yes this code is terrible,

But you know what? I can read it, and follow along. And that's actually more to say than other "beautiful" code that was obfuscated behind 3 or 4 levels of unnecessary levels of abstraction or indirection.

wfn11y ago

  if ($sectrip != "") {
    $salt = "LOLLOLOLOLOLOLOLOLOLOLOLOLOLOLOL"; #this is ONLY used if the host doesn't have openssl
                                                #I don't know a better way to get random data

arb9911y ago

a few lines down:

  system("openssl rand 448 > '".SALTFILE."'",$err);
                if ($err === 0) {
                    chmod(SALTFILE,0400);
                    $salt = file_get_contents(SALTFILE);
                }

slipstream-11y ago

I saw that. "LOLLOLOLOLOLOLOLOLOLOLOLOLOLOLOL" was my reaction, too.

1 more reply

dewey11y ago

And yet, despite the horrible code, it's still powering an Alexa Top 500 page without any huge problems I've heard of.

forgottenpass11y ago

Why would bad code hold them back? The technical debt of quick and dirty code lets you get things out faster now at the cost of development time later on (and uptime if you're very slapdash).

I don't blame people for buying into the TDD and other perfectionist bandwagons, until very recently the zeal around the topics meant that you couldn't question the fervent push for very narrow and specific types of software quality. I mean, people were saying "tests are documentation" and I had to nod my head and smile just so I wouldn't get trounced by folks without the development experience to know why that wouldn't work, but had read a blog post saying it does.

billmalarky11y ago

4chan doesn't need good code. Of course it wouldn't hurt, but if the main point of good code is test-ability and organization for complicated projects... Well, 4chan just isn't a very complicated project. The simplicity is a design decision from what I've read moot say.

roryhughes11y ago

Crazy. I knew PHP was bad, but this is just terrible.

dewey11y ago

I know hating on PHP is en vogue but you could probably write the same ugly code with another language too.

2 more replies

roryhughes11y ago

Sorry to anyone who down voted me. I didn't mean PHP is a bad language. It has done amazing things for the web. I just didn't like the look of the many snippets of HTML in the code which is more common in PHP than in other languages in web development.

goshx11y ago

what if I told you PHP does not require you to write ugly code? You can do the same in any other language.

2 more replies

TheAceOfHearts11y ago

I think this just goes to show that you can have a lot of popularity even if your code is just sorta glued together.

Don't they get a few million users? I'd say it's definitely nothing to scoff at.

It makes me wonder how many big profile websites might look like this or worse.

wirelessest11y ago

Having worked at a couple, I think I wouldn't be too far off to say all of them.

I still remember a week into the first job fresh-from-college me marching into the VPs office to tell him the source code was terrible and they were only still running due to luck. It was not well received (or right)

philtar11y ago

I almost did the same thing. But then calmed down and said maybe I have no idea what I'm talking about. I was right. I had no idea what I was talking about.

camus211y ago

Users dont care what your code looks like,Early Facebook code was no better and look where they are now... it's about the product. Wordpress is a piece of shit from an engineering perspective yet it's the first blog engine in the world. Because its features are not that bad.

Things are different today though,people tend to use native apps, users want realtime features,hard to do that in pure PHP and scale.You often need 3rd party techs,mostly java based...

Grue311y ago

>I think this just goes to show that you can have a lot of popularity even if your code is just sorta glued together.

As if OpenSSL didn't prove this already.

marban11y ago

imgur might be a candidate.

roryhughes11y ago

I doubt it. At their scale (a million uploads daily, three billion monthly pageviews), crappy code is unlikely.

goshx11y ago

Ask HN: Would you rather have a beautiful source code with 1000 pageviews/month or an ugly source code with millions of pageviews/month?

NotUncivilOP11y ago

>millions of pageviews/month

That is technically correct but does not covey the scale at which 4chan operates. According to http://www.4chan.org/advertise,

    Page impressions per month: 575,000,000;
    Unique visitors per month: 25,000,000;
    Posts per day: 1,000,000; 
    Alexa Traffic Rank: 836 (Global) & 371 (US)
    Quantcast Rank: 305 (US)
    Google PageRank: 6

Makes me wonder if WebM will increase or reduce 4chan's total traffic (when measured in bytes, not clicks).

Igglyboo11y ago

I can't imagine WebM impacting 4chan anytime soon, it will probably reduce 4chan's load when(if) WebM takes off but I highly doubt more than a small fraction will choose WebM over a .gif in the immediate future.

Robadob11y ago

WebM has caused longer animated content to be posted that wouldn't have been so possible as gifs (the limit is at 2 minutes iirc), so there will still be people posting large files.

raverbashing11y ago

Ability to pay my bills

If the beautiful code with 1000 pageviews/month does that, good

If the ugly code does that, good as well. It may be harder to maintain (depending on the circumstances, some "beautiful" code is dreadful as well) which means less money in the bank

Code is usually beautiful until it meets reality with all the exceptions, corner cases, input sanitation, etc

egeozcan11y ago

If my business relies on it, option 1, because ugly code tends to be less maintainable and a business should not depend on magic numbers and "LOLOLO...".

If it is for personal satisfaction, option 2. I guess I don't need to explain this one.

pearjuice11y ago

This is not leaked recently but spread today which caused people to believe it was looted during the 4chan hack earlier today. The 4chan administration has been awkwardly silenced about the compromised 4chan website, but this isn't one of the reasons.

http://9ch.in/overscript/ http://9ch.in/overscript/files/yotsuba.txt

mr_vile11y ago

yes, I actually added that leaked code to overscript in 2012, previously there was another leak in 2010.

Villodre11y ago

It seems that it's too terrible to be the true code. "if($_COOKIE['4chan_auser']",

"extract($_POST); extract($_GET); extract($_COOKIE);"

phpnode11y ago

this makes it even more likely that it's the real code. Let's face it, no one is expecting a shining example of software design and architectural brilliance here

linuxydave11y ago

The original 4chan code was in Japanese and moot used Babelfish to try figure out what did what. From what I remember, the original Futaba code is just as bad (http://www.2chan.net/script/). It's no secret that 4chan is cobbled together with glue and string, moot has said this several times before.

3 more replies

lucb1e11y ago

Well I would not expect this big pile of shit, either.

MichaelGG11y ago

What's wrong with the if cookie check? Don't the following conditionals for the mode make sure they still cannot post, which is the point? And the rest of the code is still run so any other security checks are still performed.

extract is one of those moronic things though that only exists to create security holes and other bugs.

szatkus11y ago

http://pl1.php.net/extract

OMG, it's horrible :D

1 more reply

Villodre11y ago

Thanks everyone for your insightful comments: now I've learned that the leaked code is actually from a past leak when 4chan was in a more primitive state, but you're right that it is truly ingenious even then.

spoiler11y ago

> It seems that it's too terrible to be the true code.

1. It's written in PHP. Finding a good PHP developer is nigh impossible (there are exceptions, like always). 2. I expected worse, to be honest.

fest11y ago

In my experience great PHP developers tend to find a way out from developing anything in PHP.

1 more reply

ledneb11y ago

No serious, modern PHP developer writes code like this. If it were a code sample for any respectable PHP job, it would be a massive "do not hire" flag.

5 more replies

ialexpw11y ago

Huh, it isn't hard to find a good PHP developer at all.. (easy to find someone who can code better than that example)

blueskin_11y ago

>Finding a good PHP developer is nigh impossible

Yep. Worked as a sysadmin in a company who had a product in PHP before. That was not fun. The bug count grew with each release in my time there.

joshcrowder11y ago

Ha - I noticed that as well, wowza!

Vaskivo11y ago

I thought the *chan code was open.

Or is this some critical bit? (I noticed it handles cookies, but I'm too unexperienced with web, php or web-security to explore this wall of code)

rossy11y ago

4chan's code (Yotsuba) has always been a closed source fork of Futaba, though there are several open source Futaba clones, like Kusaba X.

kaivi11y ago

I wonder what is the site's infrastructure_cost/ad_revenue ratio, because I have long had a feeling that it could be greatly improved. Moot has always been skeptical about innovating the board, even the iOS layout is still incomprehensible since the CSS shim has been added.

Imageboard is dead easy in it's essence, so why not rebuild it from scratch, instead of feeding new bells and whistles to the existing spaghetti monster?

Fuxy11y ago

Well at least it's neatly organized into functions :P

lispm11y ago

My eyes, the goggles do nothing!!!

kevin81811y ago

How can code be "leaked"? Wouldn't this imply someone was able to terminal into one of their servers?

n1c11y ago

Any number of things could happen; maybe someone got access to a code repository, or a stray flash drive, or the web server was mis-configured and served the file as plain text (happened to fb once) etc.

Anderkent11y ago

Or they found a file read vulnerability, or a server was misconfigured for a period and allowed files to be read, or a multitude of other options.

mahkoh11y ago

4chan (or just moot's account) was hacked yesterday.

NewsReader4211y ago

if(isset($_COOKIE['4chan_auser'])&&isset($_COOKIE['4chan_apass'])){ $user = mysql_real_escape_string($_COOKIE['4chan_auser']); $pass = mysql_real_escape_string($_COOKIE['4chan_apass']); }

HAHAHAHAAHAHAHAHAA

Steal a cookie, gain access.. WTF

kawsper11y ago

Aren't you able to hijack sessions on most webpages if you stole session cookies?

odonnellryan11y ago

The real problem is: "extract($_POST); extract($_GET); extract($_COOKIE);"

For more information on extract: http://www.php.net/extract

1 more reply

mandalar1211y ago

Does it mean that the password is stored in the cookie or I am missing something ?

spoiler11y ago

It's probably a hashed version. It would be horrendous if it was actually stored in plain text.

Kiro11y ago

How do you "steal" a cookie?

aidos11y ago

The best bet is generally an xss attack. Though there are other ways, you could sniff one on a wireless network if no encryption is in use.

exDM6911y ago

Get on the same WiFi as your target, open up Wireshark and grab their HTTP communications.

To make this easier, there was/is a tool called Firesheep that can be used to hijack session cookies. The popularity of Firesheep caused many sites to enable HTTPS by default (e.g. Facebook did so).

1 more reply

freshyill11y ago

<font>? <table>?

Man, 4chan is worse than I thought.

TD-Linux11y ago

The HTML was totally redone a couple of years ago. Check out the source on a page now.

mkoryak11y ago

whats wrong with <table> ?

freshyill11y ago

<table> is for tables of information, not for layout.

But seeing as how I was downvoted, the important thing to remember is that any hint of levity strictly forbidden on Hacker News.

1 more reply

pan6911y ago

F* me. No wonder PHP has a bad rap..

onion2k11y ago

I think the fact that you can drive a multi million user website that was once valued at $1.2b (by a VC admittedly) on 2600 lines of pretty bad PHP code when most of the users are exactly the sort of people who'd try to hack it is actually a testament to how good PHP is.

Redeveloping the site in Go, Dart, Python or Node, or whatever language you like best, wouldn't increase 4Chan's value in any discernible way.

At the end of the day, it works.

userbinator11y ago

I wouldn't say it's "pretty bad PHP code" if it did what it needed to, and as you say, it was rather resistant to attack.

aaronem11y ago

Please, please tell me you're joking about 4chan having been valued at $1.2 billion dollars by anyone.

1 more reply

j / k navigate · click thread line to collapse

102 comments

ANTSANTS11y ago

The original leak, from 2010 at least, possibly older: http://pastebin.com/4JVjS02b

4chan was hacked the other day, so the current source code could have been leaked, but if it was, this sure isn't it.

NotUncivilOP11y ago

Noted. I have added "(2010)" to the title.

A diff that compares the old leaked source to the "new" one: http://pastebin.com/KkeLzb6q.

brador11y ago

pearjuice11y ago

Why? 4chan is not a high target. There is no reason to over engineer it. Mostly it will be prepubescent teenagers throwing a fit and bombarding the server with bandwidth.

The hack of earlier today was due to an obsession over a female 4chan moderator. That should say enough.

2 more replies

pessimizer11y ago

There's nothing static about 4Chan. My guess is that the performance issues would be terrifying.

treehau511y ago

I mean,

Yes I hate PHP more than the next guy,

Yes this code is terrible,

wfn11y ago

  if ($sectrip != "") {
    $salt = "LOLLOLOLOLOLOLOLOLOLOLOLOLOLOLOL"; #this is ONLY used if the host doesn't have openssl
                                                #I don't know a better way to get random data

arb9911y ago

a few lines down:

  system("openssl rand 448 > '".SALTFILE."'",$err);
                if ($err === 0) {
                    chmod(SALTFILE,0400);
                    $salt = file_get_contents(SALTFILE);
                }

slipstream-11y ago

I saw that. "LOLLOLOLOLOLOLOLOLOLOLOLOLOLOLOL" was my reaction, too.

1 more reply

dewey11y ago

And yet, despite the horrible code, it's still powering an Alexa Top 500 page without any huge problems I've heard of.

forgottenpass11y ago

Why would bad code hold them back? The technical debt of quick and dirty code lets you get things out faster now at the cost of development time later on (and uptime if you're very slapdash).

billmalarky11y ago

roryhughes11y ago

Crazy. I knew PHP was bad, but this is just terrible.

dewey11y ago

I know hating on PHP is en vogue but you could probably write the same ugly code with another language too.

2 more replies

roryhughes11y ago

goshx11y ago

what if I told you PHP does not require you to write ugly code? You can do the same in any other language.

2 more replies

TheAceOfHearts11y ago

I think this just goes to show that you can have a lot of popularity even if your code is just sorta glued together.

Don't they get a few million users? I'd say it's definitely nothing to scoff at.

It makes me wonder how many big profile websites might look like this or worse.

wirelessest11y ago

Having worked at a couple, I think I wouldn't be too far off to say all of them.

philtar11y ago

I almost did the same thing. But then calmed down and said maybe I have no idea what I'm talking about. I was right. I had no idea what I was talking about.

camus211y ago

Things are different today though,people tend to use native apps, users want realtime features,hard to do that in pure PHP and scale.You often need 3rd party techs,mostly java based...

Grue311y ago

>I think this just goes to show that you can have a lot of popularity even if your code is just sorta glued together.

As if OpenSSL didn't prove this already.

marban11y ago

imgur might be a candidate.

roryhughes11y ago

I doubt it. At their scale (a million uploads daily, three billion monthly pageviews), crappy code is unlikely.

goshx11y ago

Ask HN: Would you rather have a beautiful source code with 1000 pageviews/month or an ugly source code with millions of pageviews/month?

NotUncivilOP11y ago

>millions of pageviews/month

That is technically correct but does not covey the scale at which 4chan operates. According to http://www.4chan.org/advertise,

    Page impressions per month: 575,000,000;
    Unique visitors per month: 25,000,000;
    Posts per day: 1,000,000; 
    Alexa Traffic Rank: 836 (Global) & 371 (US)
    Quantcast Rank: 305 (US)
    Google PageRank: 6

Makes me wonder if WebM will increase or reduce 4chan's total traffic (when measured in bytes, not clicks).

Igglyboo11y ago

Robadob11y ago

WebM has caused longer animated content to be posted that wouldn't have been so possible as gifs (the limit is at 2 minutes iirc), so there will still be people posting large files.

raverbashing11y ago

Ability to pay my bills

If the beautiful code with 1000 pageviews/month does that, good

If the ugly code does that, good as well. It may be harder to maintain (depending on the circumstances, some "beautiful" code is dreadful as well) which means less money in the bank

Code is usually beautiful until it meets reality with all the exceptions, corner cases, input sanitation, etc

egeozcan11y ago

If my business relies on it, option 1, because ugly code tends to be less maintainable and a business should not depend on magic numbers and "LOLOLO...".

If it is for personal satisfaction, option 2. I guess I don't need to explain this one.

pearjuice11y ago

http://9ch.in/overscript/ http://9ch.in/overscript/files/yotsuba.txt

mr_vile11y ago

yes, I actually added that leaked code to overscript in 2012, previously there was another leak in 2010.

Villodre11y ago

It seems that it's too terrible to be the true code. "if($_COOKIE['4chan_auser']",

"extract($_POST); extract($_GET); extract($_COOKIE);"

phpnode11y ago

this makes it even more likely that it's the real code. Let's face it, no one is expecting a shining example of software design and architectural brilliance here

linuxydave11y ago

3 more replies

lucb1e11y ago

Well I would not expect this big pile of shit, either.

MichaelGG11y ago

extract is one of those moronic things though that only exists to create security holes and other bugs.

szatkus11y ago

http://pl1.php.net/extract

OMG, it's horrible :D

1 more reply

Villodre11y ago

spoiler11y ago

> It seems that it's too terrible to be the true code.

1. It's written in PHP. Finding a good PHP developer is nigh impossible (there are exceptions, like always). 2. I expected worse, to be honest.

fest11y ago

In my experience great PHP developers tend to find a way out from developing anything in PHP.

1 more reply

ledneb11y ago

No serious, modern PHP developer writes code like this. If it were a code sample for any respectable PHP job, it would be a massive "do not hire" flag.

5 more replies

ialexpw11y ago

Huh, it isn't hard to find a good PHP developer at all.. (easy to find someone who can code better than that example)

blueskin_11y ago

>Finding a good PHP developer is nigh impossible

Yep. Worked as a sysadmin in a company who had a product in PHP before. That was not fun. The bug count grew with each release in my time there.

joshcrowder11y ago

Ha - I noticed that as well, wowza!

Vaskivo11y ago

I thought the *chan code was open.

Or is this some critical bit? (I noticed it handles cookies, but I'm too unexperienced with web, php or web-security to explore this wall of code)

rossy11y ago

4chan's code (Yotsuba) has always been a closed source fork of Futaba, though there are several open source Futaba clones, like Kusaba X.

kaivi11y ago

Imageboard is dead easy in it's essence, so why not rebuild it from scratch, instead of feeding new bells and whistles to the existing spaghetti monster?

Fuxy11y ago

Well at least it's neatly organized into functions :P

lispm11y ago

My eyes, the goggles do nothing!!!

kevin81811y ago

How can code be "leaked"? Wouldn't this imply someone was able to terminal into one of their servers?

n1c11y ago

Anderkent11y ago

Or they found a file read vulnerability, or a server was misconfigured for a period and allowed files to be read, or a multitude of other options.

mahkoh11y ago

4chan (or just moot's account) was hacked yesterday.

NewsReader4211y ago

if(isset($_COOKIE['4chan_auser'])&&isset($_COOKIE['4chan_apass'])){ $user = mysql_real_escape_string($_COOKIE['4chan_auser']); $pass = mysql_real_escape_string($_COOKIE['4chan_apass']); }

HAHAHAHAAHAHAHAHAA

Steal a cookie, gain access.. WTF

kawsper11y ago

Aren't you able to hijack sessions on most webpages if you stole session cookies?

odonnellryan11y ago

The real problem is: "extract($_POST); extract($_GET); extract($_COOKIE);"

For more information on extract: http://www.php.net/extract

1 more reply

mandalar1211y ago

Does it mean that the password is stored in the cookie or I am missing something ?

spoiler11y ago

It's probably a hashed version. It would be horrendous if it was actually stored in plain text.

Kiro11y ago

How do you "steal" a cookie?

aidos11y ago

The best bet is generally an xss attack. Though there are other ways, you could sniff one on a wireless network if no encryption is in use.

exDM6911y ago

Get on the same WiFi as your target, open up Wireshark and grab their HTTP communications.

To make this easier, there was/is a tool called Firesheep that can be used to hijack session cookies. The popularity of Firesheep caused many sites to enable HTTPS by default (e.g. Facebook did so).

1 more reply

freshyill11y ago

<font>? <table>?

Man, 4chan is worse than I thought.

TD-Linux11y ago

The HTML was totally redone a couple of years ago. Check out the source on a page now.

mkoryak11y ago

whats wrong with <table> ?

freshyill11y ago

<table> is for tables of information, not for layout.

But seeing as how I was downvoted, the important thing to remember is that any hint of levity strictly forbidden on Hacker News.

1 more reply

pan6911y ago

F* me. No wonder PHP has a bad rap..

onion2k11y ago

Redeveloping the site in Go, Dart, Python or Node, or whatever language you like best, wouldn't increase 4Chan's value in any discernible way.

At the end of the day, it works.

userbinator11y ago

I wouldn't say it's "pretty bad PHP code" if it did what it needed to, and as you say, it was rather resistant to attack.

aaronem11y ago

Please, please tell me you're joking about 4chan having been valued at $1.2 billion dollars by anyone.

1 more reply

j / k navigate · click thread line to collapse