/lynxchan/ - LynxChan

The best engine you will ever shitpost with.

Keep threads on-topic.
Installation video tutorial
Vichan migration script

New Thread:

Max Message Length: 4096
Don't show location
Make sure I have a block bypass
Spoiler Max File Size: 1.00 MB
File Limit Per Post: 3
Remember to follow the rules .

2.2 breaking api changes Stephen Lynx Board owner 12/07/2018 (Fri) 22:26:24 Id: 1101c6 Pinned No. 647 [Reply]
Open file ( 10.65 KB 215x212 logo.png )
On 2.2 the json api features were merged into the form api and removed afterwards.
So not only the json input was removed, bu also the json output of the form api was remade. The refactoring is finished and penumbra has been adapted.

2.2 is scheduled to be released on march of 2019.
Edited last time by StephenLynx on 12/07/2018 (Fri) 22:27:58.

Cat Board owner 01/03/2016 (Sun) 12:07:51 Id: 9ca3a6 Locked Pinned Bumplocked No. 219 [Reply]
Open file ( 3.93 MB 640x480 1451822329331.webm )

A GUI proposition Николай Кучумов 02/13/2019 (Wed) 17:45:42 Id: f0f324 No. 722 [Reply]
Open file ( 84.97 KB 811x647 cccp.jpg )
I noticed you're developing a "fast" backend for an imageboard.
I'm a developer of a general-purpose GUI for an abstract imageboard.
Have a look at 4chan.org integration:
The project is hosted on GitHub:
If you're interested I could add support for `lynxchan` in that GUI.

Cat 02/14/2019 (Thu) 00:57:08 Id: 9f2261 No. 723
Sure, go for it.
You can consult the documentation for the api on the doc directory.
There was a change on 2.2 that completely changed the api, tho, so take that in consideration.

Cat 02/19/2019 (Tue) 16:31:01 Id: 5ff398 No. 732
Open file ( 26.25 KB 300x100 1548688131725.gif )
>>722 Lynchan maker is a rude egotistical faggot who is too stupid to use ssl on lynxhub.com which puts everyone at risk of malicious injections. ON TOP of that is the fact that node.je is extremely unsafe in general, as is the mongo db. It is a honeypot and full of major security issues. Go ahead and work with the lynxchan maker... good luck with that. You will find out that he is a total faggot moron.

LYNXCHAN IS UNSAFE Cat 02/17/2019 (Sun) 13:07:39 Id: 456c94 No. 724 [Reply]
Prevent XSS ! Context Based Encoding
Cross Site Scripting (XSS) is one of the most common but ignored types of attacks. Since Node.js is implemented with JavaScript, there is high-risk of developers introducing XSS vulnerabilities in the code. Output encoding is one of the best ways to prevent XSS attacks. Most view engines such as Jade provides built-in encoding mechanisms. But most important thing is that you should use appropriate encoding to based on the context. Following are some situations that you should use context specific encoding.

URL encode parameters which are appended as url parameters. URL encoding can be done using encodeURI() and encodeURIComponent()javascript built-in methods.
HTML encode parameters which are displayed in HTML. HTML encoding is provided by view engines such as jade as well as frontend frameworks like Angularjs. You also can explicitly do it from server side using htmlencode npm module.
CSS encode parameters which are used in element styles

sTEPHEN C LYNX Cat 02/17/2019 (Sun) 13:09:19 Id: 456c94 No. 725
LYNXCHAN IS UNSAFE Prevent CSRF (Cross Site Request Forgery) with Anti-Forgery Tokens
Cross Site Request Forgery (CSRF) allows an attacker to execute a certain function on the web application on behalf of yourself. To prevent these kinds of attacks, we can implement Anti-CSRF tokens so that the server can validate whether the request is coming from intended sender. Anti-CSRF tokens are one time tokens which are sent along with the user’s request and used by the server to validate the authenticity of the request. Please refer to my previous blog post about what Anti-CSRF tokens are.

Express.js framework is a web framework for Node.js which has in-built support for CSRF prevention. Following example shows how to initialize CSRF protection with Express.js and Node.js. When this protection is added, express.js creates a secure token which is sent to the server via both request body and cookies. These two tokens are validated by the server for forgery. If server fails to validate these two tokens, server returns a 403 Forbiddenresponse to the client.

This mechanism prevents an attacker sending requests to the server on behalf of yourself since attacker has no access to the cookie for the domain in your browser. Even if he collects one token, he cannot replay it again since the token is one time.

Cat Board owner 02/17/2019 (Sun) 14:04:36 Id: ddc83d No. 727
If you find a vulnerability related to that, just let me know.

Cat 02/17/2019 (Sun) 14:32:37 Id: a1d8b2 No. 728
Open file ( 49.99 KB 800x800 6.jpg )
>>727 Fuck off, faggot. You use an UN-SECURE node.js base, an UN-SECURE mongo db and then you pretend you do not know anything about the tons of vulnerabilities that are inherent to such shit code. To prove my point, lynxhub.com will get a little surprise soon. We are anonymous. Stephen Lynx is a faggot. We are legion. We do not forget. We do not forgive. Expect us.

Cat 02/17/2019 (Sun) 21:23:24 Id: 03898f No. 730
I found several vulns in lynxchan…. it looks like they were coded in on purpose. That poster is right

Cat 02/18/2019 (Mon) 18:22:27 Id: 931cf5 No. 731
>To prove my point, lynxhub.com will get a little surprise soon.
I'll be waiting.

ssl Cat 02/07/2019 (Thu) 07:48:51 Id: 7bebf6 No. 711 [Reply]
So I got a ssl cert from godaddy. I put the two .ssl files in the src/be directory. I enabled ssl via admin panel and it is set to "1" in the general json I get the following error when starting lynxchan and ssl does not work. Is there another step or something im missing?

>>>Failed to listen to HTTPS.
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Object.createSecureContext (_tls_common.js:113:17)
at Server (_tls_wrap.js:870:27)
at new Server (https.js:62:14)
at Object.createServer (https.js:85:10)
at startSSL (/root/LynxChan/src/be/workerBoot.js:91:35)
at startListening (/root/LynxChan/src/be/workerBoot.js:148:5)
at dbBooted (/root/LynxChan/src/be/workerBoot.js:213:7)
at preIndexSet (/root/LynxChan/src/be/db.js:826:5)
at initBoardIndexedCollections (/root/LynxChan/src/be/db.js:842:3)
at initGlobalIndexedCollections (/root/LynxChan/src/be/db.js:858:3)
Worker 2 booted at Thu, 07 Feb 2019 07:41:23 GMT
Failed to listen to HTTPS.
Message too long. Click here to view full text.
4 posts omitted.

Cat 02/09/2019 (Sat) 17:09:53 Id: ca05bc No. 717
No, is because using self-signed certs makes browsers go apeshit and I am not in the mood with dealing with corporations that provide certs.

Lynxchan is gay Cat 02/10/2019 (Sun) 03:00:30 Id: 1306d9 No. 718
Open file ( 37.69 KB 530x325 cc.jpg )
>>716 You ALWAYS have an excuse or rude comment for everything that you do wrong but are too stupid to fix. There is a reason that lynxchan did not amount to anything... mostly because you are a fucking idiot. Lynxchan is not secure, has a shitty front end that no one uses, and all the lynxchan boards have no
real website or users. MEWCH was the only good lynxchan board and that failed because of the horrible security flaws. Lynxchan is a joke made to fool stupid people who are not aware of security.

Mega Milk 02/10/2019 (Sun) 04:47:02 Id: a1b069 No. 719
Mewch didn't fail due to security flaws. It didn't fail whatsoever. Any rumor you hear about mewch is simply untrue.

Cat 02/10/2019 (Sun) 13:51:08 Id: 5a7f3f No. 720
ok dude

Cat 02/11/2019 (Mon) 19:58:38 Id: c27a94 No. 721
bad anime girl, bad

Cat 02/05/2019 (Tue) 02:53:16 Id: 165e20 No. 709 [Reply]
What theme should I install?

Cat 02/05/2019 (Tue) 21:33:01 Id: 7b02e9 No. 710
whatever you like.

Cat 01/24/2019 (Thu) 16:44:26 Id: 11834c No. 695 [Reply]
Open file ( 72.81 KB 600x752 5.gif )
I like this placeholder fe- it is fast, looks nice, and is awesome. It just needs youtube support. Is there any way possible to have a youtube video show in a post? Even if i had to hard code it...that would be fine. It would be nice to be able to show a youtube video in a post. Thanks.

Cat 01/24/2019 (Thu) 20:34:10 Id: 1b3439 No. 698
never mind, thanks

Cat 01/24/2019 (Thu) 20:35:13 Id: 1b3439 No. 699
oah shit wait disregard the never mind, I forgot this question was about the default front end

Cat 01/24/2019 (Thu) 22:33:49 Id: ea55e8 No. 700
Yeah, you could implement it, but the default FE has been discontinued.

Cat 02/02/2019 (Sat) 10:08:35 Id: 4bc26b No. 707

Cat 02/02/2019 (Sat) 10:09:03 Id: 4bc26b No. 708

I.C.U.P Cat 01/24/2019 (Thu) 16:18:17 Id: 2341d0 No. 693 [Reply]
Open file ( 60.18 KB 1280x720 lynx.jpg )
Lets talk about IP's. Okay so where the fuck on lynxchan do you see someone's ip? Even logged in as root, i never see my ip or any posters ip. I notice settings about ip, but never seen an ip.
2 posts omitted.

Cat 01/24/2019 (Thu) 22:34:19 Id: 2f1a7c No. 701
I will keep that in mind if more people feel like it would be better.

Cat 01/26/2019 (Sat) 23:11:54 Id: 433754 No. 703
>>697 Like there is some great advantage to making people click on the embed link to see what the video title is? People learn to NEVER click on links for no reason as it could be something malicious. It would be so nice to see what the video is about without having to click in the embed link. Any kind of thumbnail would be cool so people have some idea of what the video is.

Cat 01/26/2019 (Sat) 23:14:23 Id: 433754 No. 704
>>697 also why are you so quick to discontinue the placeholder FE? The default is great for smaller sites or sites with lots of text. You should keep it going and as an option for people instead of totally getting rid of it.

Cat 01/27/2019 (Sun) 01:54:20 Id: f24907 No. 705
Because practically no one uses it and the work required to maintain it started to become more significiant. 90% of people pick up penumbra, so I decided to focus on a project that has much more relevance. Also mind you, I wasn't quick to discontinue it. This fe has been going on for over 3 years now.

Cat 01/27/2019 (Sun) 01:54:52 Id: f24907 No. 706
It makes pages cleaner.

Cat 12/31/2018 (Mon) 17:19:28 Id: 4300f5 No. 653 [Reply]
Open file ( 200.19 KB 476x640 1342226218199.png )
>install lynxchan in a test environemnt
>works fine
>try it in production
>suddenly get 404 errors on api calls
>isolate it to the api js files returning 404s
>wonder for two whole days how you managed to fuck up the install
>turns out they're not in the git anymore

Cat 12/31/2018 (Mon) 23:58:42 Id: 1af045 No. 654
Yeah, versions are important lmao

Cat 01/01/2019 (Tue) 00:03:09 Id: 1af045 No. 655
Cat 01/24/2019 (Thu) 16:31:15 Id: 1f2323 No. 694

Delete only files
Delete media (Actually removes the saved files from the server, standard file deletion only removes the reference to the selected posts)

Captcha(Used only for reporting): No cookies?

[ 12345 ]