I would love to refactor chunks of the systems I maintain, but when you're given a specific bug to fix and an hour to fix it in, it gets very hard to make more than superficial changes and do small amounts of tidying up.
Wait. One of us must be missing something.
For the purposes of the below, I'm excluding the JIFAR-alike vulnerability where a SWF looks like a valid JPEG; this is just regarding the renamed-SWF mentioned in the article:
To be sure, any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks, but SWF files do not require a .swf extension or special content-type headers to execute.
Say we have two sites, one that the user is logged into (facenovel.com), and the attacker's site (mal.com).
An attacker uploads a malicious SWF (containing a javascript call that steals the cookie or what have you), except uploads it as nasty.jpg to facenovel.com to get around simple file-extension filtering.
Accessing the file directly (facenovel.com/uploads/nasty.jpg) doesn't run it as a flash movie; it just gets interpreted as a stuffed JPEG.
As per the above, I instead have an HTML page hosted on mal.com that embeds facenovel.com/uploads/nasty.jpg and forces a content-type of "application-x-shockwave-flash". The javascript does not run; it does not have permission to access anything.
I can't think of a case where a simple rename presents a vulnerability (without the previously-mentioned JIFAR-like hackery). :S
Help please.
If it's any consolation, "ikatako" is a word that's just "squid" and "octopus" stuck together (ika / tako).
I... What.
This can't be a troll. Has anyone *seen* opensourceg.com? Not even /b/ has this much free time.
And yet they promote it as if it's still theirs?
http://fox8.tv/shows/futurama
I am very confused.
(... I am also very confused that my first attempt at commenting showed up attached to a different parent. Err.)
And yet they promote it as if it's still theirs?
http://fox8.tv/shows/futurama
I am very confused.
The powertoy one is pretty terrible, falls over, loses windows, etc.
I thoroughly recommend using VirtuaWin instead.
(I'm currently stuck with Windows at work, and it does most things GNOME virtual desktops can do.)
There's at least one (ie. the Australian Christian Lobby).
Mark Newtown and Stilgherrian are good sources of info if you want to see what's happened in the last 24 hours.
Whimsy.
Holy shit. How did you get my password?
Steve Gibson, is that you?
Mod +1, Depressingly Accurate.
Oh.
Holy shit.
(Thank you. :-) )
So, user uploads a file - say, a picture for a forum avatar. Your image validation misses that malicious_flash.jpg is really a SWF file, and now you're executing flash all over the place "in the context of your domain." Which I guess means any SWF file I manage to upload anywhere can eat the hosting webserver.
Also, from the article:
To be sure, any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks, but SWF files do not require a .swf extension or special content-type headers to execute.
This is what I don't get: I understand that if a JPG is also a SWF (as per GIFAR and other manglements), it'll fool the browser into loading the content as flash.
Simply chucking a SWF on a server, renaming it to foobar.jpg, and visiting it at http://example/foobar.jpg doesn't load it as flash. Unless I'm really missing something here, I don't see how you can get the JPG to run as flash without also mucking around with content-type headers.
Can someone enlighten me, please? :-)
(Please.)
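Both of the questions above (the "nasty.jpg" scenario and the "malicious_flash.jpg" avatar) turn on the same server-side check. The following is an added example, not code from this thread or from the article it discusses: an upload sniffer that classifies a file by its leading bytes rather than its name, refuses anything that begins with a SWF signature (FWS, CWS or ZWS, the uncompressed, zlib and LZMA variants), requires the declared extension to agree with the sniffed type, and, for the GIFAR-style polyglot the posters set aside, refuses an "image" whose tail carries a ZIP end-of-central-directory record. The function names are illustrative and the sample buffers are constructed inline; they are not real files.

```javascript
// Added example: content-based screening of "image" uploads so that a SWF
// renamed to .jpg is rejected by what it is, not by what it is called.
// Not the original page's code; function and sample names are illustrative.

const SIGNATURES = [
  { kind: 'jpeg', ext: ['jpg', 'jpeg'], magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { kind: 'png',  ext: ['png'], magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { kind: 'gif',  ext: ['gif'], magic: Buffer.from('GIF87a') },
  { kind: 'gif',  ext: ['gif'], magic: Buffer.from('GIF89a') },
  // SWF headers: uncompressed, zlib-compressed, LZMA-compressed. Never allowed.
  { kind: 'swf',  ext: [], magic: Buffer.from('FWS') },
  { kind: 'swf',  ext: [], magic: Buffer.from('CWS') },
  { kind: 'swf',  ext: [], magic: Buffer.from('ZWS') },
];

// ZIP end-of-central-directory signature, "PK\x05\x06".
const ZIP_EOCD = Buffer.from([0x50, 0x4b, 0x05, 0x06]);

// Classify by leading bytes only; returns 'unknown' for anything not listed.
function sniffKind(buf) {
  for (const s of SIGNATURES) {
    if (buf.length >= s.magic.length && buf.subarray(0, s.magic.length).equals(s.magic)) {
      return s.kind;
    }
  }
  return 'unknown';
}

// ZIP/JAR readers locate the central directory by scanning backwards from EOF,
// so a JAR appended to a valid GIF (the GIFAR trick) still loads. The EOCD
// record must sit within the last 22 + 65535 bytes, so only that tail is scanned.
function hasZipTrailer(buf) {
  const tail = buf.subarray(Math.max(0, buf.length - (22 + 0xffff)));
  return tail.indexOf(ZIP_EOCD) !== -1;
}

// Decide whether an upload may be stored under its declared name.
function checkUpload(filename, buf) {
  const ext = (filename.split('.').pop() || '').toLowerCase();
  const kind = sniffKind(buf);
  if (kind === 'swf') return { ok: false, reason: 'swf-content' };
  if (kind === 'unknown') return { ok: false, reason: 'unrecognised-content' };
  const extMatches = SIGNATURES.some(s => s.kind === kind && s.ext.includes(ext));
  if (!extMatches) return { ok: false, reason: 'extension-mismatch' };
  if (hasZipTrailer(buf)) return { ok: false, reason: 'zip-trailer' };
  return { ok: true, kind };
}

// Constructed sample inputs (not real files): a JPEG-looking blob, a
// zlib-compressed SWF renamed to .jpg, and a GIF with a ZIP trailer glued on.
const SAMPLES = {
  realJpeg: Buffer.concat([Buffer.from([0xff, 0xd8, 0xff, 0xe0]), Buffer.from('constructed jpeg body')]),
  renamedSwf: Buffer.concat([Buffer.from('CWS'), Buffer.from([0x0a]), Buffer.from('constructed swf body')]),
  gifar: Buffer.concat([Buffer.from('GIF89a'), Buffer.from('image data'), Buffer.from('PK\x05\x06'), Buffer.alloc(18)]),
};

console.log(checkUpload('avatar.jpg', SAMPLES.realJpeg));   // accepted as jpeg
console.log(checkUpload('nasty.jpg', SAMPLES.renamedSwf));  // rejected: swf-content
console.log(checkUpload('nasty.gif', SAMPLES.gifar));       // rejected: zip-trailer
```

A header check defeats the plain rename but not every polyglot, so it belongs alongside re-encoding the image server-side and serving user uploads from a separate origin with a Content-Disposition: attachment header, so that whatever does get through is never executed in the main site's context.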
From the site:
UPDATE 10/20/09 5:45pm Pacific Time: It appears the files were NOT VANDALIZED and will open in MS-SQL Server 2005. It also appears they did redact "code" to some degree. I'm still not clear on why there are thousands of lines of source code still left in there. I'm working on scoring a copy of SQL Server 2005 ASAP so I can look for myself. Check the discussion areas to follow along in realtime.
Interesting.
Don't force users to have javascript to fill forms. Yes, if it's enabled then use it to validate the form data and avoid page loads, but also let the form work without it; you need to validate the form on the server anyway.
You need to have something that works with the bare minimum, then if you want you can enhance it with Javascript.
THIS. THIS, DAMNIT.
The <a href="javascript:validateForm();">Submit</a> thing I see all over the place makes me want to punch people in the mouth. Bind to the form's "submit" event and add a layer of validation; don't just completely stonewall anyone that doesn't have javascript enabled / capability.
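As an added example, not code from the thread above, here is the shape the two comments are asking for: the form posts on its own with a plain submit button, and when JavaScript is available the same checks are bound to the form's "submit" event and only block a submission that is known to be bad. The field names and rules are illustrative assumptions; the point is that the client copy is a convenience and the server must run the same checks again.

```javascript
// Added example (not from the original thread): a form that works without
// JavaScript, with validation layered on the "submit" event when JS is present.
// Field names and rules are illustrative assumptions.

// Each rule returns true or a human-readable problem string.
const RULES = {
  username: v => /^[a-z0-9_]{3,32}$/i.test(v) || 'username: 3-32 letters, digits or _',
  email:    v => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) || 'email: not a valid address',
};

// Pure check over a {name: value} map; returns the list of problems (empty = valid).
// The same rules must run again on the server: the client copy is convenience only.
function validateFields(values) {
  const problems = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const result = rule(String(values[name] ?? '').trim());
    if (result !== true) problems.push(result);
  }
  return problems;
}

// Bind to the form's submit event instead of <a href="javascript:...">.
// With JS disabled the ordinary <button type="submit"> still posts the form,
// and with JS enabled a valid form is submitted normally by the browser.
function enhanceForm(form) {
  form.addEventListener('submit', (event) => {
    const values = Object.fromEntries(new FormData(form).entries());
    const problems = validateFields(values);
    if (problems.length === 0) return;   // let the browser submit as usual
    event.preventDefault();               // only block a submission we know is bad
    const box = form.querySelector('.errors');
    if (box) box.textContent = problems.join('; ');
  });
}

// Only touch the DOM when there is one (this also lets the pure part run under Node).
if (typeof document !== 'undefined') {
  const form = document.querySelector('form#signup');
  if (form) enhanceForm(form);
}
```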
Unfortunately they are usually extremely careless so my beautifully formatted resume becomes an unreadable mess in the process.
I've been hit by recruiters stuffing around with the formatting as well.
My current employer was sent an image of my resume via email, except with my details removed and the recruiter's logo slapped on it. Very classy.
(Fortunately my employer figuratively shrugged their shoulders and waved it away as One Of Those Things Recruiters Sometimes Do.)
Well, almost. They started the case with a film clip of the robbery scene from The Dark Knight.
I believe it forces asking for the root account for run level 1.
Dear GP: If that's the case, try sticking a "2" on the end of your boot params (ie. select the line, hit e, edit the line with the mention of /boot on it, and add a " 2" to the end, then hit b to boot).
Australia has recently passed laws that make it possible to outlaw groups of people; that is, if you're deemed by the police to be a member of said group, you're breaking the law. It was used against a bikie gang to begin with, but no-one has any idea how this may... seep into other things.
How long until this group gets outlawed for Encouraging Rampant Copyright Infringement or something ridiculous?
(We have no constitutionally-upheld Free Speech law/clause/amendment/anything here, which doesn't help matters.)
Yep. Here's what it looked like yesterday:
http://upload.wikimedia.org/wikipedia/commons/1/1c/E_Aust_dust_storm_-_MODIS_Terra_1km_-_23_Sept_2009.jpg
The coast of Queensland is that as-yet-untouched bit up the top-right there. :-)
Well, no, they bought Inktomi in 2002 and used *its* search technology instead.
And in the mean time, there's always http://vendetta-online.com/
[Citation Needed]
Funniest response this story. :D