MSIE's Cookies Are Public 241
Peacefire webmaster Bennett Haselton is on a roll. After discovering yesterday's Hotmail hole, today he's published his discovery that MSIE's Javascript contains a bug that allows any hostile website to obtain your cookies.
Essentially the bug is that MSIE's Javascript is not very smart about determining which domain you're coming from. If the URL you're looking at has its "/" characters replaced by the hex representation "%2f", it can be fooled into thinking your path is actually a very long machine name. Because it interprets that path wrongly, a well-placed ".yahoo.com" in the URL can make Javascript think it should be using Yahoo's cookies - and Javascript can be told to deliver those cookies back to the hostile server.
Bennett and I believe the bug is confined to the Javascript code in MSIE, but we have not done extensive testing to determine this. For now, at least, we believe turning off Javascript will be sufficient to eliminate this security hole.
Or, you could migrate to another browser or operating system...
We have only tested this with IE 5, and Windows 95/98. Reports of success or failure with other versions would be welcome.
After Bennett explained to me how this works, I wrote a short CGI script to demonstrate what lurks in cookie files. Instead of silently stealing your private information and squirreling it away for later use, it echoes that information back to you (and then forgets it, of course). Updated: That script has been rewritten by and is now hosted at securityspace.com. For best results, first go log into amazon.com, type your zip code into hollywood.com, and visit playboy.com. Then go visit securityspace's general info page and click the "click here."
Newsbytes and CNET have picked up this story and have good writeups.
And then there's this... (Score:1)
IE 5.5 beta is affected (Score:1)
1 click shopping (Re:And the paranoids...) (Score:1)
Of course it's funny.. you could use that _stupid_ "1 click shopping" with someone else's ID.. It'll be easy, fast, _and_ funny..
(of course, I think it's funny because I use Netscape..)
--
IE4 too (Score:1)
Re:ok, differentiate for me (Score:2)
What really matters is, how long until a fix is out, and what other problems will the fix introduce?
--
Who wants to make someone loose all their karma? (Score:1)
havent tried this though
Re:Has Peacefire reported this to MS? (Score:2)
This has been around for awhile (Score:1)
Apparently not true (Score:2)
The poster says that the demonstration script uses document.write to display the contents of a cookie in the browser window. Nowhere is it explained how the information might be transmitted back to the server.
I haven't investigated the code myself, just passing along the comments of others.
Re:Oh no!! (Score:1)
Mail it to your hotmail account. It will be perfectly safe there.
---
Re:uh, I think yes (Score:2)
step 1: get person's cookie file
step 2: sign onto ecommerce service as person
step 3: change the person's default email adress with the service to a hotmail account (so they won't notice the "item hasbeen shipped" thing)
step 4: mail something, as a "gift", to a P.O. box. they will let you do this.
If you get lucky no one will notice. Scarily enough, this would work.
Re:The other problem (Score:2)
Open-source webserver Apache fixed [apache.org] its 404 not found page to escape the name of the URL, but most dynamic websites still haven't fixed all of their code.
Coincidentally, I had just been reporting a bunch [mozilla.org] of bugs about bugzilla [mozilla.org] (mozilla [mozilla.org]'s bug-tracking system) not being careful with untrusted data when these slashdot articles come up. I'm actually more worried about attacks against mozilla's CVS system than its against its bug-tracking system, but I haven't looked for bugs there yet.
--
DUH! (Score:1)
Good manuscript for a movie? (Score:1)
Microsofts style of inventing, copyrights, market domination, "care" for customers and all the other nice stories they give us would be a good manuscript for makin one of these bad Hollywood movies about internet, hackers and big bad companies and all the other "scary tings" things they are having in these movies. At least this movie will have som relevance, because it has really happened.
In 10 years everyone will be laughing at Microsfts infantile, stupid inventions and copyrights.
With so many bugs, security holes and stupid copyrights, Microsoft is making fools of themselves. How much can IT-managers take before they turn to someone else? If that happens ./ users can start doing something more useful than complaining about software they are not using (ARE YOU???), more than they have to. Maby it won't be that amusing though...
Re:Virtual hosting and other problems for Apache (Score:2)
This could indicate that Javascript (or ECMA-242 script as it's sometimes known) in general can cause a security leak. They better start testing this on Netscape Navigator 3.x and all Netscape Communicator versions NOW to see if Netscape is also vulnerable to this bug.
Re:uh, I think yes (Score:1)
You too can be a best selling author (Score:4)
1. Write book ( Something catchy and trendy ie. "Whats good for MS is good for America" ).
2. Build a website to promote your book.
3. Scan for BN and Amazon cookies from those who visit your site.
4. Build a LWP Perl script and batch order copies of your book to those fools who visit your site with cookies enabled.
5. Collect your royalties and move offshore.
Re:Uh Oh (Score:1)
However cookies are an integral part ("standard") of a browser. In fact did you know that the services at Hotmail, and Amazon (one click shop) wouldnt even work without the damn cookies?
I am sick of cookie bashers, however. Busting out all kinds of hysteria and privacy garbage. There is a bad side to every method. Including secure transactions. Why not just say it like it is for alot of crucial technologies on the net? why not state: "Did you know that every time you do a secure transaction you run a risk of a third party listening and taking your credit card number?" How about we just do a loud campaign that preaches to the world that there pocket book can be stolen if they use the web! Lets really shoot our foot boys!
If every one knew just how unsafe secure transactions are on the net, we would all be in alot of trouble, and possibly out of work in the long run.
Nothing is fail proof, or impossible to breach in our web medium... You should all know that by now.
Keep in mind As a developer sometimes there is only one way to go for a solution.. Technology will change and maybe get better but it wont ever stop the real "hardcore coder". Politics are at large and for now the powers that be are actually in our favor. So lets try and be "Nice" about what we do and say within our medium.
The Alienx
Call the repairman (Score:1)
Impossible (Score:1)
-Legion
This is Illegal. (Score:1)
:)
Re:WRONG! (Score:1)
This is not relevant to anything. If you built Slackware when it first appeared, and never installed any patches since then, then
1 - you have a 'default install of Slackware', and
2 - you've got more vulnerabilites than you've had hot dinners.
Failure to patch is not a failure of a given OS, it's a PEBCAK.
Go to www.microsoft.com, click on Subscribe from the blue bar near the top, and subscribe to the alerting services.
MS is far from perfect, but failure to automagically patch exploits that don't yet exist is not a valid line of attack against anyone
TomV
Re:And the paranoids rejoice!! (Score:1)
Re:UNIX _IS_ effected (Score:1)
I didn't know there was an IE 5 for Solaris - is it better than IE3 for Solaris was?
Re:A potential sploit (Score:1)
=P
Proxies protect? (Score:2)
When I tried the box and button on Securi ty space [securityspace.com], I get "www.slashdot.org's cookie is:".
I run IE 4.0 in NT and have Junkbuster set to allow cookies only to sites I trust.
I also have a company proxy to access the web.
__
ActiveCookie Technology (tm) ? (Score:1)
Just watch out, because in the distant future, you may bite down on a cookie and find a worm...
Paranoia (Score:1)
Sure, there could be some malicious code to steal cookies from me, but the chances are extremely small. First, the attacker would have to know what sites I have cookies from on my computer. Even if it did find those cookies, what is the worst it could do? Steal your hotmail account? (I'm sure they couldn't do THAT already). If you use cookies to keep track of really sensitive data, then its your own damn fault.
So, I'm not turning off javascript, and I'm sure MS will release some patch in a few days fixing this 'feature' of windows and ie.
-Mike Bell
No you don't :) (Score:2)
The "hidden" troll forum is currently up to about post #2100, and all of them are genuine posts rather than bot-generated. So you still come in second with about 800 posts :)
Re:And the paranoids rejoice!! (Score:1)
Really? (Score:1)
I am confused.
__
Configuration problem (Score:2)
http://somewhere.com/%2ftest.php3?q=8
replaces the %2f with a / on my apache server. That's all. I guess there is a problem with your apache configuration. Since you seem to be called Jonathan Clark and the URL apache returns for you contains
Re: (Score:2)
Re: (Score:2)
Re:Wish I could red the linked article (Score:2)
It's mostly to stop the idiots in sales from surfing for pr0n.
Comment removed (Score:4)
Just Wondering (Score:2)
... whether peacefire.org is going to get threatened by Microsoft under the DMCA for releasing these "trade secrets" ?
OK, here ends the simple "anti-MS" part of the post (fun though it was for me). Please, folks, let's just look at this as simply a data point and a public-service announcement. Yes, it's a hole in IE; it's a safe bet that every significant piece of software's got holes.
Let's see how fast MS is able to get a patch out; this one's big enough for them to really worry.
Hilarious! (Score:2)
OMG. I just can't help thinking 'This is the value of M$'s integration with the OS'
It makes the Internet all that much closer to you, as well as your machine:in both directions.
Well, maybe the above thought is incorrect.
Anyway, I'm thinking something blasphemous. M$ complains that splitting it up will hinder it's ability to 'innovate' and 'compete'. Isn't that the point? If M$ can't expect to release a decent Office or X-Box or IE without access to the OS group, how is Netscape, or Corel, or anyone else expected to 'innovate' and 'compete' if M$ cannot?
There are people complaining about how breaking up M$ is bad, but I'm wondering, if M$ restructures itself in such a way that the OS department can still freely communicate with the Apps department, but in a way that is public and open, doesn't *everyone* win?
-AS
Look Ma! Another Microsoft Innovation! (Score:2)
Could a breakup help (Score:2)
Maybe a breakup is a good thing. Its about time that Micorosoft re-discovers the meaning of the words, pride.. integrity.. fun.. innovation.. excellence. Instead of of their usuall fair which consists of market capitialization, share value, PR, equity.
Microsoft has alot of good people working for them, and I have had the pleasure of working with some of them. To bad the company's sense of responsibility, and integrity is off smoking a $3 sack of crack.
My humble opinion.....
-Nathan
cookies were NEVER secure (Score:3)
With a policy like that, it really doesn't matter if the entire world looks at your cookies.
Ah, but you missed a big point... (Score:2)
Now anytime a boss visits a hostile web site, he may be giving away the keys to the company's proprietary data. Even if personal web sharing is not allowed, a hostile employee and and outside confederate could easily stir up a lot of trouble.
Slashdot Cookie (Score:2)
Test your for your Slash Dot Cookie [slashdot.org]
Mine was choclate chip Mmmmm
meaning? (Score:2)
So anyone can read the document and create an implementation without Microsoft's permission now? They don't have to illegally copy the document or anything. I'm curious to know how the situation stands right now.
Re:M$ caught in the cookie jar? again?! (Score:2)
The MS License ALLOWS posting on /. (Score:2)
Doesn't posting on Slashdot count as this????
Re:No big deal.. (Score:2)
numb
No big deal.. (Score:5)
Re:ok, differentiate for me (Score:2)
Besides, bashing M$ is fun. Bashing the under-dog would be seen as cruel!
Re:uh, I think yes (Score:3)
Re:A potential sploit (Score:2)
Well, yeah, but all the stuff will go to the poor sap whose cookies you stole. Hey, you could order him lots of pr0nography and stuff--let 'im explain that to his significant other.
unDees
OT MS & Kerberos (Re:This is pathetic.) (Score:2)
So its no longer a trade secret. Its still a copyrighted document and is still protected as such.
Re:Configuration problem (Score:2)
As the other poster commented this isn't really a problem with apache, it's IE's fault. IE thinks the hostname from the URL includes the %2f %3f characters - and it's passing this to apache in the request header. What I thought was interesting is the fact that apache unescaped the string. This means that there might be security holes in CGI scripts that expect hostname strings to be safe.
For example if the unescaped hostname looks like this:
somewhere.com;`mail s@s.com
and some CGI script does something like this:
nslookup $HOSTNAME
you've got a big problem!
Not if you use Opera web browser. (Score:2)
Rule of thumb: if you want security or privacy, do not use a Microsoft product.
--
You could have really abused this by... (Score:2)
===================
Subject: Can You Imagine...
Body:
...a Beowulf Cluster of these?
Thank you.
===================
You would have earned a place in the annals of Slashdot history.
Take care,
Steve
========
Stephen C. VanDahm
Re:Really? (Score:2)
It's totally configurable, you can design any filters you want - but I'm so happy with the default that I just leave it at that. (particularly I like the agent and referer masking.)
What drwiii is doing is... (Score:2)
Since search.pl echoes what you type in "Searching blahblahblah" without stripping the JavaScript, you'll get an alertbox when you view the page.
drwiii's page works like that. That page redirects to something like this URL:
(Actually, the "+" and perhaps the ";" would need to be changed to "%2B" and "%3B" in the URL.) EvilSite's CGI script receivesOriginally, drwiii's script used /.'s 404 page, which was optimized for people who accidentally made links like this [slashdot.org]. That loophole got closed after the server move.
--
New empires...began ebbing and flowing all over the place like Moon Pies on a hot sidewalk.
Re:You could have really abused this by... (Score:3)
That's OK. I now have the most active user-created sid in Slashdot history
numb
what do I think? (Score:2)
First of all, to the cookie issue: turn off Javascript, OR go into the security settings and disable cookies that are stored on your computer. OR wait a brief moment and Microsoft will have a patch out. OR use any number of 3rd party cookie filtering programs that are out there. Personally I think neither Netscape, nor IE provide sufficient cookie control and management capabilities.
Also, let's keep some perspective and remember that both IE and Netscape have had vulnerabilities uncovered. They both make mistakes, they both fix them. Let's move on.
As to the ILOVEYOU stuff - to the best of my knowledge, you had to click on the
I DO think Microsoft should not allow their script language to poke through your address book. Newbie computer users would be less likely to trust this type of trojan if it wasn't a friend of theirs in the From: field.
The rest of your rant about the trade secrets and UCITA is nothing more than mindless Slashdot karma whoring. *yawn*
Best regards,
SEAL
My worst nightmares may become reality! (Score:2)
ahhhhhhhhck.
The real security blunder here is sites storing sensitive information in cookies. Idiot moves by microsoft should be anticipated, and _no_ sensitive information should be stored in cookies.
makes you wonder how long microsoft has been collecting cookies from other web sites
g
Wish I could red the linked article (Score:5)
A bit offtopic...
While I don't run Windows or IE, I'm a security-conscious geek, and I'd like to warn my friends and co-workers about this expoit. But my employer of the moment, in order to protect us from evil content, has installed CyberPatrol. As you may know, the fine folks at Peacefire have been having a field day by pointing out the foolishness of censorship programs, and the makers of censorware have (at least in the case of CyberPatrol) responded by adding Peacefire to their blocklists.
So, all you companies with CyberPatrol installed - your censorship has just made it more difficult for your employees to be informed about a serious security hole.
Think of it as evolution in action.
WRONG! (Score:3)
Go read the article you posted the link to. All references to ILOVEYOU are *COMPARISONS*.
They quite clearly state: "Email viruses are now spreading WITHOUT THE USER OPENING ANY ATTACHMENT..... This is by far the fastest growing virus distribution problem and ripe for a hugely destructive event - at least as large as the ILOVEYOU virus." They make no claims about ILOVEYOU spreading in this manner. They simply use the havoc-level of ILOVEYOU as a baseline for destructiveness.
The virus they are referring to in this case is the Kak virus.
Eric
I am gonna... (Score:5)
That way they will be responsible for distributing their own trade secrets through their own security holes.
Then, they can sue themselves.
Re: (Score:2)
Proxomitron blocks with without killing JS (Score:4)
Re:Uh Oh (Score:2)
Also quoth the poster:
But you can choose methods that minimize the "bad side" and make it hard to exploit, rather than (as here) relatively easy.And yet more from the poster:
Does your personal code of ethics really say that you should keep quiet about known dangers because it might affect your earning potential? How ruthlessly pragmatic! Or... we can raise a ruckus over these sorts of too-simple exploits and, through the glare of publicity, perhaps encourage the people involved to design better products.Re:Uh Oh (Score:2)
Re:No big deal.. (Score:2)
Re:quick question (Score:2)
numb
Re:No big deal.. (Score:2)
Hey, /., there is no need at all to store my password in the cookie. A random number, stored in my user record, will work just as well, and (even better) /. can change it periodically -- thus, any replay attacks stop working after a day or so.
Please fix that. Now. Thank you.
MS Contradictions (Score:2)
Why is that interesting? Because, MS is arguing that consumers need MS to remain one company so the OS side and software side can work close together and provide us with more powerful software, and breaking them up would stiffle "innovations" in future products - resulting in less powerful and less user-friendly tools for consumers.
MS expects people to believe that, when they can't even effectively share algorithms, programming procedures, and code within the same software product?
MS = BS;
And the paranoids will survive (Score:3)
This hole depreciates the value of "Netscape" cookies which is a nice way to maintain session with a connectionless protocol.
Re:Hilarious! (Score:2)
If you really want to die of laughter, check out Time's latest piece [time.com], which includes a "viewpoint" by Mr. Gates, defending the very integration you speak of.
My personal favorite from Gates: "Updates to Windows and Office technologies that could, for example, protect against attacks such as the Love Bug virus would also be much harder for computer users to obtain."
43rd Law of Computing: Anything that can go wr
And the paranoids rejoice!! (Score:4)
Is it just me or do people find reasons to get all up and arms for nothing. For all of you how will respond that this is a big deal, remember your name/address AND phone number are all available in your local phone book. And if you are THAT paranoid about common public information, the DON'T POST YOUR REAL DATA!!!
I don't believe this... (Score:2)
This is pathetic. (Score:2)
If I were the Justice Department (or United Nations, or DoD, or CIA, or FBI, or ANYONE who gave a damn about security ) I would be seriously considering if Microsoft products have any place on my desk, in my office or in my life. The open cookie jar isn't so much what bothers me but this is the straw that brakes this camel's back.
Microsoft's attitude toward security and toward the end user in general is atrocious. I don't really care what you think, but it IS Microsoft's fault that the default install of Windows 98 using the default mail client simply by reading the ILOVEYOU message will be rendered useless. Now this???? I mean COME ON!
Oh and BTW... the whole Kerberos thing? Microsoft released the specs as a trade secret. TRADE SECRETS HAVE NO PROTECTION UNDER THE LAW ONCE THEY ARE LEAKED . That's why they are guarded so viciously.
Oh, and another thing which is completely offtopic: I think that the UCTIA, Section 307, Subsection 2(e) invalidates the GPL!!! It is a description of what kinds of software licenses are valid. It reads "(e) Neither party is entitled to receive copies of source code, schematics, master copy, design material, or other information used by the other party in creating, developing, or implementing the information."
This would seem to mean that no one needs return code as the GPL demands. What do you guys think???
The other problem (Score:4)
WARNING: Clicking this link will cause an article to be posted on Slashdot in your name [sourceforge.net]
Obviously such a link wouldn't need to warn you what is does, or post such an innocuous message. Maybe I could make it post you slashdot cookies to o
You can see the results in sid=numb [slashdot.org] and there is a link to the source in there too.
numb
Virtual hosting and other problems for Apache (Score:3)
when I specify a URL like this:
http://www.somewhere.com/test.php3?q=8
apache correctly reports:
"Host: www.somewhere.com"
but when I specify a URL like this:
http://www.somewhere.com%2ftest.php3%3fq=8
apache reports:
"Host: www.somewhere.com/jc/test.php3?q=8"
This means apache is confused on what host you are trying to reach and virtual hosting will resort to the default hostname. I confirmed this on my web server.
But... for some reason the cookie exploit doesn't work for me. I tried it on w2k and IE 5.
HOWTO Close up the scripting holes (Score:4)
HowTo turn-off scripting holes in outlook/IE.
------------------------------------------
In outlook/IE,
tools -> options -> Security -> Zone settings -> Custom level ->
under the scripting section disable
Active scripting,
Allow Paste operations, and
Scripting of Java applets.
Press ok till you are back in outlook/IE.
then you will not be at risk for a copy-cat ILOVEYOU virus or IE cookie monsters.
(Of course you all probably did this the first day you opened outlook, right.)
------------------------------------------
PS --
Here is very nice solution to the
(add
I'm not sure how to implement this in Exchange, though.
(from Rick Johnson off the saclug.org mailing list)
-- Andy
A potential sploit (Score:4)
yes (Score:5)
1. with my cookies, 1-click enabled.
2. close browser, remove amazon cookies.
3. open browser, amazon askes me to log in; no 1-click
4. close browser, put amazon cookies back
5. open browser, amazon recognizes me, 1-click enabled, no password required.
Another reason to turn off 1-click. If you don't, you might find a weird set of books on your doorstep, and one maxed-out credit card.
Re:How do you turn off Javascript in MSIE? (Score:2)
The power tools allow you to switch a site into the trusted zone just by clicking
Tools>Add to Trusted zone
and you can delete the site from your trusted list in the usual manner (Tools>InternetOptions...>security>trusted sites remove)
This makes it easier to allow cookies at Slashdot and not at Joe Website who hates all people and will screw them over any chance he gets.
Re:HOWTO Close up the scripting holes (Score:3)
Sorry but this does not stop the ILUVYOU virus. What you suggest disables scripts in HTML formatted email and that does stop viruses like Bubbleboy for example. It DOES NOT stop scripts sent as email attachments (ala ILUVYOU, Melissa etc) BIG DIFFERENCE. Many people seem to be having trouble understanding this. Scripts in HTML email are run by the IE script engine and are controlled by the settings in Internet Options. These are the kind of scripts that can run in the preview pane automatically. Email attachment scripts are run by the Windows Scripting Host and are run outside of Outlook (or any other emailer) and have to be run by the user. The way to fix this problem is to either remove the WSH or change the default association for VBS and JS script files.
Microsoft has known about this for months (Score:5)
However, they took their time to deal with it. I did not pressure them on it since I had more important things to worry about.
Huh?! - Ridiculous Response (Score:2)
If a security hole is found next week, in something that can't be disabled, will your suggestion be: "what's the big deal don't surf for a while. I'm sure Microsoft will have a patch out soon."
While the post you're responding to did ramble, I think that a person is justified in being tired of the poor designs force fed to most of the world by Redmond.
And the idea that we shouldn't get upset, because there will *probably* be a patch to fix the problem makes me sad. With that kind of thinking out there things aren't going to get better any time soon.
UNIX _IS_ effected (Score:5)
Hmm.. I only have IE for Solaris installed on this box for just such occasions.
--
Re:No big deal.. (Score:2)
Ah, I'm sure he's trustworthy, but I changed my PW anyway
I had already, by coicidence, taken the step of linking my cookies file to
Javascript is now off too.
Java is still enabled over here, though. Until somebody demonstrates to me why that's a security risk too...
--
Asking for Trouble (Score:2)
Is this Slashdot slowdown just a coincidence? I think not. Slashdot is now the victim of an official Microsoft Denial of Service Attack.
Slashdot has crossed the line and is hurting our American Company's Freedom to Innovate.
Also, this temporary Explorer snafu makes it quite clear that Microsoft doesn't steal everything from open source!
blessings,
Master Bait
Re:HOWTO Close up the scripting holes (Score:2)
mkfs
-John
Is this really a threat? (Score:2)
But this bothers me and sounds similar to the bug reported at CookieCentral [cookiecentral.com] a long time ago. I'm trying to digest how this is different and what danger (and likelihood of appearance) this represents "in the wild".
Answers here or to me by email would be appreciated.
Re:what do I think? (Score:2)
You have to set an option to keep Outlook from automatically running .vbs files I believe. I don't think, for security's sake, that should even be an option.
carlos
Has Peacefire reported this to MS? (Score:3)
Hopefully, they do know Microsoft's address for reporting security issues: secure@microsoft.com. That address is monitored 24 hours a day and the MS security folks will try to replicate the problem ASAP.
fun with Amazon's One-Click Shopping (tm) (Score:3)
Fun with Amazon's One-Click Shopping, or "you mean you didn't order five hundred copies of Joy of Preteen Sex?"
Doesn't Amazon's proprietary exclusive patented HANDS OFF IT'S OURS AND YOU CAN'T HAVE IT One-Click Shopping system use cookies to save buyers those arduous extra clicks? And doesn't this mean that someone using this exploit can then get your personal buyer's information? ("Your," not "my", at least until Amazon stops suing people right and left.)
Gee, I guess it's a good thing that Amazon has defended their patent so vigorously, or else customers of other companies would be equally at risk.
By the way, this is off-topic, but I figure readers would be amused. Who is to blame for the "ILOVEYOU" worm? Those funloving Filipino folks who wrote it? Microsoft, for making their scripting language so insecure and so easy to subvert? Why no. According to those geniuses [nytimes.com] in Congress, the $15-billion dollars in damages (I wonder why they didn't say "$15-trillion" or $15-quadrillion" as long as they were pulling numbers out of thin air) are due to the slackness and irresponsibility of McAfee, the anti-virus vendor. I've got to be kidding, right? Well, check it out [nytimes.com].
Yours WDK - WKiernan@concentric.net
Re:uh, I think yes (Score:2)
Re:Has Peacefire reported this to MS? (Score:2)
Sure, I got a quick response saying they were looking into it. Sure, they said they had developed a patch. But releasing it? Well... that didn't quite happen. It is true that I did not pressure them on it since I was busy with more important things, but I shouldn't have to.
Re:The other problem (Score:2)
All it did was post a comment. Theres a link to the source at sid=numb. It could have done worse though if I had added the javascript thing (provided you use Windows and IE.) As for clicking links no one is safe (unless they have redirection disabled.) I could e-mail a similar link and have it look completely benign, yet have it post something incredibly embarrassing.
BTW, to find out more about it click here. [kuro5hin.org]
or just go to http://www.kuro5hin.org/?op=displaystory&sid=2000
One other thing, I used a PHP script because Slashdot's software recognizes duplicate posts and I needed to make the content dynamic. However, for a targeted attack plain old HTML on a geocities web page would do the trick.
numb
numb
Re:No big deal.. (Score:4)
It's actually en exploit discussed on CERT [cert.org] where a malicious web site can embed some script in a link to a cgi script, which in turn pastes it into the resulting page unaltered and the victim's browser executes it.
In this case the script is a bit of javascript that outputs your slashdot cookie via search.pl. All javascript enabled browsers are affected by this.
It's just a result of sloppy coding.
oh give me a break (Score:2)
If a security hole is found that can't be worked around, then yes, wait for a patch. Same thing you would do with Netscape.
Both Netscape and Microsoft IE have had security problems but Slashdot holds Microsoft to a different standard.
Witness an OLD OLD bug:
http://www.ciac.org/ciac/bulletins/i -040.shtml [ciac.org]
Sounds familiar, doesn't it? What happened? It got fixed. And this certainly is not the only Netscape bug that has ever surfaced.
Security problems are going to be discovered. Humans make mistakes. The key is to respond to the problems swiftly, and try not to rush products out the door without proper testing. I think both MS and Netscape were guilty of the latter for a long time.
Best regards,
SEAL
Re:WRONG! (Score:2)
Good for you. May I politely point out that scripting host is enabled by default - how is a clueless user going to know to turn it off? Second, I did hear that if you have the preview window open the script will execute without any further help from the user. Ugly. Caveat: I don't normally run Windows, so I didn't check this.
--
Re:The other problem (Score:2)
Think how mad someone would be if all those 300+ posts (so far) had been copies of a certain "trade secret" that has been mentioned here lately.
--