Domain: soundmethod.net
Stories and comments across the archive that link to soundmethod.net.
Comments · 9
-
Hmm
I have been unable to get this to work as described in the article, or by the other attempts posted so far. The closest I have come is to create a Redirect or Rewrite rule that takes a request for a *.txt file and points it to a
.bat file (thereby fullfilling the "text" requirement"), which is then soft linked to your malicious executable. This still displays the file's name however. And the dialogue asks you to "run" this program. The extra step of the soft-link bypasses a warning about running the file; if the redirect went straight to the .exe, the browser will complain about security.
Either way, this is entirely server-side. The article states that simple HTML can pull it off. I am wondering if that is just a smoke screen.
- I have tried renaming an .exe file to .txt, that just spits binary data at you in Notepad.
- I tried a cgi (source is here).
Now, this time the dialogue displays the requested file (.cgi) instead of the executable filename (not a redirect). However, you are then prompted to "choose a program to run this..." which means that the requested file has to have an executable extension, or a known extension. Wav, mp3, mpg won't work as the format is obviously invalid.
3) I tried messing with the mime.types in Apache, various soft links and combos of all 3 methods. Basically I fail to see how standard HTML without any server-side config or scripting can fool the browser or get it to exec code unwillingly, as described in the article.
Maybe if I renamed the file to mayIhaveyouradvice.txt.pif or something, but the extension IS displayed to the user. Maybe the average user doesnt pay attention, but its kind of hard to miss.
Obviously they have ommitted something crucial because (my box - W2K, IE 5.5 SP2) this "bug" is not happening, and it's not happening for other people too. If this is so easy to implement in palin HTML and would affect "millions" then I think other /.ers would have hit on it by now. -
Hmm
I have been unable to get this to work as described in the article, or by the other attempts posted so far. The closest I have come is to create a Redirect or Rewrite rule that takes a request for a *.txt file and points it to a
.bat file (thereby fullfilling the "text" requirement"), which is then soft linked to your malicious executable. This still displays the file's name however. And the dialogue asks you to "run" this program. The extra step of the soft-link bypasses a warning about running the file; if the redirect went straight to the .exe, the browser will complain about security.
Either way, this is entirely server-side. The article states that simple HTML can pull it off. I am wondering if that is just a smoke screen.
- I have tried renaming an .exe file to .txt, that just spits binary data at you in Notepad.
- I tried a cgi (source is here).
Now, this time the dialogue displays the requested file (.cgi) instead of the executable filename (not a redirect). However, you are then prompted to "choose a program to run this..." which means that the requested file has to have an executable extension, or a known extension. Wav, mp3, mpg won't work as the format is obviously invalid.
3) I tried messing with the mime.types in Apache, various soft links and combos of all 3 methods. Basically I fail to see how standard HTML without any server-side config or scripting can fool the browser or get it to exec code unwillingly, as described in the article.
Maybe if I renamed the file to mayIhaveyouradvice.txt.pif or something, but the extension IS displayed to the user. Maybe the average user doesnt pay attention, but its kind of hard to miss.
Obviously they have ommitted something crucial because (my box - W2K, IE 5.5 SP2) this "bug" is not happening, and it's not happening for other people too. If this is so easy to implement in palin HTML and would affect "millions" then I think other /.ers would have hit on it by now. -
Hmm
I have been unable to get this to work as described in the article, or by the other attempts posted so far. The closest I have come is to create a Redirect or Rewrite rule that takes a request for a *.txt file and points it to a
.bat file (thereby fullfilling the "text" requirement"), which is then soft linked to your malicious executable. This still displays the file's name however. And the dialogue asks you to "run" this program. The extra step of the soft-link bypasses a warning about running the file; if the redirect went straight to the .exe, the browser will complain about security.
Either way, this is entirely server-side. The article states that simple HTML can pull it off. I am wondering if that is just a smoke screen.
- I have tried renaming an .exe file to .txt, that just spits binary data at you in Notepad.
- I tried a cgi (source is here).
Now, this time the dialogue displays the requested file (.cgi) instead of the executable filename (not a redirect). However, you are then prompted to "choose a program to run this..." which means that the requested file has to have an executable extension, or a known extension. Wav, mp3, mpg won't work as the format is obviously invalid.
3) I tried messing with the mime.types in Apache, various soft links and combos of all 3 methods. Basically I fail to see how standard HTML without any server-side config or scripting can fool the browser or get it to exec code unwillingly, as described in the article.
Maybe if I renamed the file to mayIhaveyouradvice.txt.pif or something, but the extension IS displayed to the user. Maybe the average user doesnt pay attention, but its kind of hard to miss.
Obviously they have ommitted something crucial because (my box - W2K, IE 5.5 SP2) this "bug" is not happening, and it's not happening for other people too. If this is so easy to implement in palin HTML and would affect "millions" then I think other /.ers would have hit on it by now. -
nope
At a penny per page, I would be broke by the end of the week, just hanging out on
/.
Plus, the "huge expansion in online content" the article speaks of would never happen. Are you going to pay a penny just to see my homebrew site?
Seriously, most people go to a few select sites that they have found to be worth their *time*. Most other sites are just oddities, has-beens or will-have-beens. All this would do is increase the revenue of webhosting companies, while independent site operators use their new "income" to cover the bandwidth charges they incurred last month.
weeeee..... -
mirror
pr0n!
mirror here. -
Re:more bandwidth
True. I would buy a hell of alot more music if it wasn't so damn expensive. As it is now, I rarely download music off the net, most is crap ( I like vinyl)
and of poor quality. I can understand the reluctance of the companies to fight for their survival in the game, but they really need to wake up and see that this truly is a revolution in information.
Co-exist not compete.
-
Re:A Microsoft Certified Systems Engineer ...
Hey, underpaidISPtech here.
I have only 3 years experience with computers, use Linux, FreeBSD, amd am pretty familiar with
all versions of Windows. I run a small website that implements a streaming audio service, and my server is the host for this company.
I have *no* A+, Network+, MCSE (though I'm studying the win2k course) CCNA, Novell, or any certs at all. I have the opportunity to take this course (I was told by the Program Head that I am overqualified), but money is tight (I make CDN$12/hr).
I am stuck doing lousy helldesk in this shit economy, work the graveyard shift at a stupid company, and cannot afford to pay the ~$15,000 CDN to get certs at the colleges here (www.ubc.ca, www.bcit.ca, www.cdic.ca). And to top it all off, no one will touch me without certs. Some courses are full-time and I would qualify for a student loan, but most are part-time and I would not qualify for a loan.
So what the hell is a guy supposed to do? I'm 26 yrs old, how the hell am I supposed to get a challenging, well-paid job when the most overrated and useless cert (MSCE) is the first thing that employers check for?
You seem to have been around for a while, what do you suggest? Bite the bullet and swim in debt? What cert would you recommend above all else?
-
Re:Dumbass new techies...sigh.
I don't know what to say. My typing skills are crap and my knowledge of programming and Unix are pretty slim ( compared to the esteemed patrons of /. :)I can use Linux and FreeBSD, run Apache, POP, SMTP, trouble shoot x86, know a smidgen of perl, good on a command line, and generally get a boner over computers.
I dont' have any formal education or A+/MSCE or whatever. I've been studying the W2K MSCE courses and find them to be low on real content.
However, I, a lowly helpdesk tech at an ISP making 12/hr, regularly solve and tackle issues that the "network/systems admin" at every damn small business in my city can't solve.
Talking to secretaries and assistants who are either the "IT" person responsible, or the "admin" is in Malaysia on vacation, only to find out that the problem (80% of the time) is on their end. Usually an NT server that needs rebooting or some routine LAN/Systems config that needs attending.
A sample:
It is fscking frustrating to explain to an "senior admin" that the DNS cache on our end is NOT resonsible for their mail delivery problems, mainly because there is no MX defined for his domain, and we don't even host it.
How about explaining to another "admin" that the reason their LAN is down is not because our link to them is down, but simple troubleshooting revealing that their store bought DSL router is misconfigured.
Or even this gem. Client berrates me on their mail problem, I KNOW they have a screwed exhange server on the premises, I call the admin, he doesn't even know if the xchange is config'd to route outgoing mail directly or relayed through us first! He is painting a house right now, but he'll get his assistant to go over to the client's office and "have a look". Sure enough, damn echange server is backed up. Oh, and the secretary who called in the first place felt that it was my responsibilty to improve her computer's boot up time. Seems the admins had outfitted the office with P133's and the girls around the office had a penchant for bloatware(AIM/ICQ etc)
I'm getting sick of all these lousy part-time admins/contractors and office staff who register domains using their personal hotmail accounts. Too many companies bet their tech investments on having a staffer double as the IT person. So, to anybody out there who can't find a decent tech/junior admin to bust his ass for the love of it, why don't you try scouring the desperate pondscum of lowly ISP and helpdesk techs before wasting your time on a freshly graduated MCSE who heard the pay was good. -
prior art?Well, I'm cool too. Been doing this for 4 months now.