PerlMonks  

Re: Filtering potentially dangerous URI schemas in <a href="...">

by @rocks (Scribe)
on Oct 21, 2002 at 03:38 UTC ( [id://206764] )


in reply to Filtering potentially dangerous URI schemas in <a href="...">

Hey IlyaM,

Nice to meet you. I am a new user to this site but I have also discovered these things and have been alarmed by them. Such as Petruchio's home node. It steals your password hash (or used to at least) and then feeds back a java pop-up saying pretty much, "I know what your password is now and I can crack the hash and mess with your mind." Also on some home nodes there are buttons that, if you click them, say obscene things in the CB under your name! This is very disturbing, that people would trick other people into clicking on buttons just to chuckle at them when Nodereaper brings his wrath upon the unlucky user that clicked the evil button.

-@rocks

Re: Re: Filtering potentially dangerous URI schemas in <a href="...">
by hackmare (Pilgrim) on Oct 21, 2002 at 10:14 UTC

    I strongly agree that allowing users to post javascript is a reckless oversight that should be remedied as soon as possible. Like all other websites, Perlmonks is subject to the same security issues that affect public sites. You cannot trust user input, and cannot afford to allow users to access programming APIs unless you clearly and prominently describe the risk to all users.

    That perlmonks allows JS in posts troubles me quite a bit. I am not comfortable being exposed to abuse by users of a web application, no matter how good the intent is which brought about the exposure.

    Exposing perlmonks to cross-site scripting hacking by allowing javascript is a real oversight and it is incomprehensible to me that non-trusted users are allowed to post JS at all.

    The sad fact of the matter is that JS is a permanent part of most web browsing experiences.

    I would be very much happier if all user-generated JS was reaped from all pages, and JS candy was simply banned.

    Don't we routinely lambaste Microsoft for doing similar unfortunate things with their products?

    Why is it ok for us to put out features because they are cool without considering the consequences on the general population?

    About petrucio's password hash hack... It is not so bad because it only shows the encrypted pwd and can only access cookies related to Perlmonks. With current JS security, I believe that unless you send email messages, you can only talk to the server the page came from. But nevertheless, JS can really mess up pages (through DOM manipulations for example)

    I propose that it would be better if scripting commands were reaped unless held within <code /> tags.

    hackmare.
    roasp.com
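The thread's title is about filtering dangerous URI schemes in href attributes, and the post above proposes reaping script from posts. The following is an added example, not code from the thread or from PerlMonks itself, in Python: an allowlist check on href values that first normalises the obfuscations a browser tolerates (HTML entities, leading control characters, tab and newline inside the scheme, mixed case) so that the scheme is judged as the browser will actually parse it. The allowlist, the function names and the sample hrefs are assumptions constructed for this example.

```python
import html
import re
from typing import Optional

# Schemes a post is allowed to link to. This allowlist is an assumption made
# for the example; it is not PerlMonks' actual policy.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# Browsers remove leading/trailing C0 controls and spaces from a URL and strip
# ASCII tab/newline anywhere inside it before parsing the scheme, so
# "\x01javascript:", " javascript:" and "java\tscript:" all execute script.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
# A scheme starts with a letter and runs up to the first colon (RFC 3986).
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalise_href(raw: str, already_decoded: bool = False) -> str:
    """Reduce an href to the form the browser will actually interpret.

    Pass already_decoded=True when the value came out of an HTML parser that
    has already expanded entities; decoding a second time would turn the
    harmless literal "&amp;#106;" into "j" and produce a false positive.
    """
    value = raw if already_decoded else html.unescape(raw)
    value = value.strip(_C0_AND_SPACE)
    return _TAB_NEWLINE.sub("", value)


def href_scheme(raw: str, already_decoded: bool = False) -> Optional[str]:
    """Lower-cased scheme of the href, or None for relative/scheme-relative URLs."""
    m = _SCHEME.match(normalise_href(raw, already_decoded))
    return m.group(1).lower() if m else None


def is_safe_href(raw: str, already_decoded: bool = False) -> bool:
    """Allowlist check: relative URLs and allowed schemes pass, everything else fails.

    An allowlist is deliberate: denying only "javascript:" misses vbscript:,
    data:, and whatever scheme a future browser decides to execute.
    """
    scheme = href_scheme(raw, already_decoded)
    return scheme is None or scheme in ALLOWED_SCHEMES


def sanitise_href(raw: str, already_decoded: bool = False) -> str:
    """Return the href escaped for a double-quoted attribute, or "#" if unsafe."""
    if not is_safe_href(raw, already_decoded):
        return "#"
    return html.escape(normalise_href(raw, already_decoded), quote=True)


# Constructed sample attribute values, as they would appear in raw post text.
SAMPLE_HREFS = [
    "http://perlmonks.org/?node_id=206764",
    "?node_id=206764",
    "JavaScript:alert(document.cookie)",
    "  \x01javascript:alert(1)",
    "java\tscript:alert(1)",
    "jav&#x0A;ascript:alert(1)",
    "&#106;avascript:alert(1)",
    "vbscript:MsgBox(1)",
    "data:text/html,<script>alert(1)</script>",
]

if __name__ == "__main__":
    for h in SAMPLE_HREFS:
        print(f"{h!r:50} scheme={href_scheme(h)!s:12} safe={is_safe_href(h)}")
```

Run the check on the attribute value exactly as it will be emitted into the page: if the post is parsed into a DOM first, use already_decoded=True, otherwise the entity decoding step must mirror what the browser will do to the raw attribute text.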

      About petrucio's password hash hack... It is not so bad because it only shows the encrypted pwd and can only access cookies related to Perlmonks. With current JS security, I believe that unless you send email messages, you can only talk to the server the page came from.
      If I can display your cookie to you, I can send it to me. If I can get your cookie, I can login as you.

      I'm not sure what is allowed nowadays in scripts on home nodes, and I didn't go check the script in question (I'm pretty sure Petruchio is *not* sending it anywhere anyways) but the above should be true unless someone actually took a lot of time parsing and allowing certain js commands and not others. :)


      You have moved into a dark place.
      It is pitch black. You are likely to be eaten by a grue.

        I think that you will find that while possible to break an encrypted cookie eventually, it is by no means a trivial task.

        If I can display your cookie to you, I can send it to me. If I can get your cookie, I can login as you.

        Most Javascript cookies are encrypted at the server using (most likely) an MD5 salt. The ones that are not usually end up serving as a lesson to others about security and web application architecture embarrassment.

        Here is my password per Petrucio's site...

        userpass=hackmare%257ChaY8je3nfzM7s%257C

        I invite you to log into my account and send me a message telling me you did it.


        Update by Dog and Pony: I can do better than that. I am very sorry for this intrusion, but what better way to prove my point? After all, you invited me into your account. And no, I will not tell you how I did it. Just suffice to say that encryption does not matter in this case. I'd really advise you to change your password fast. I could do it for you, but that wouldn't really help, now would it? :)



        Update by hackmare: Very well done, dog_and_pony. I am clearly wrong and misinformed.
        I would very much appreciate a primer on where my understanding of cookie security is wrong.
        Is it that the cookie is only appearing encrypted on my machine while it is not, or that you know the server salt, or that you used an improved cracklib (mind you the pwd string is not that good), or that you got a cleartext cookie?

        Please reply in another post rather than in mine. And no offense taken for your demonstration.


        While not impossible, it is much too difficult to do for the vast majority of hackers. If it was not the case, there would be no such thing as cookies or secure web apps. I seriously doubt anyone without a crypto background can do it.

        But this does not change the fact that exposing all of us to the risks of cross-site scripting is a Very Bad Thing for us and for PerlMonks's reputation if there is any problem.

        hackmare.
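The exchange above turns on one point: "If I can display your cookie to you, I can send it to me. If I can get your cookie, I can login as you," and Dog and Pony's demonstration that the hashing inside the cookie does not matter. The following is an added example, not code from the thread or from PerlMonks, written in Python to make that concrete. Design A models a cookie that carries user|hash, in the shape of the value pasted above: the server checks the pair, so a copied cookie is accepted with no cracking, and the only way to revoke it is to change the password. Design B keeps the credential on the server behind a random session id, which can be revoked at logout and can be marked HttpOnly so injected script cannot read it. The user name, password, salt and hash scheme are constructed for the demo and are not the real site's.

```python
import hashlib
import hmac
import secrets
import urllib.parse
from typing import Dict, Optional

# Constructed credential store. Salted SHA-256, the user name and the password
# are assumptions for this example only; the real site's scheme is not known.
SALT = "demo-salt"


def password_hash(password: str, salt: str = SALT) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


USERS: Dict[str, str] = {"hackmare": password_hash("correct horse battery")}


def check_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password_hash(password))


def change_password(username: str, new_password: str) -> None:
    USERS[username] = password_hash(new_password)


# --- Design A: the cookie carries the credential, "userpass=user|hash|" ---

def userpass_cookie(username: str, password: str) -> Optional[str]:
    """Login handler: on success, the browser is handed user|hash as its cookie."""
    if not check_password(username, password):
        return None
    return "userpass=" + urllib.parse.quote(f"{username}|{USERS[username]}|", safe="")


def userpass_check(cookie: str) -> Optional[str]:
    """Per-request check: whoever presents a matching user|hash pair is that user.

    The hash protects the password from being read, but the server never asks
    for the password, only for the hash, so a copy of the cookie is the credential.
    """
    if not cookie.startswith("userpass="):
        return None
    try:
        user, presented, _ = urllib.parse.unquote(cookie[len("userpass="):]).split("|", 2)
    except ValueError:
        return None
    if user in USERS and hmac.compare_digest(USERS[user], presented):
        return user
    return None


# --- Design B: random server-side session id, cookie unreadable by script ---

SESSIONS: Dict[str, str] = {}


def session_login(username: str, password: str) -> Optional[str]:
    if not check_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the password
    SESSIONS[sid] = username
    return sid


def session_set_cookie_header(sid: str) -> str:
    # HttpOnly keeps document.cookie from handing the id to injected script;
    # Secure and SameSite limit where the browser sends it at all.
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def session_check(cookie: str) -> Optional[str]:
    if not cookie.startswith("sid="):
        return None
    return SESSIONS.get(cookie[len("sid="):])


def session_logout(sid: str) -> None:
    SESSIONS.pop(sid, None)  # revocation without touching the password


def demo_replay_and_revocation() -> Dict[str, Optional[str]]:
    """Walk through the thread's scenario; report who the server believed was logged in."""
    original = USERS["hackmare"]
    victim_cookie = userpass_cookie("hackmare", "correct horse battery")
    # XSS step: page script can read document.cookie, so the attacker receives
    # the value verbatim. Nothing about the hash needs to be cracked.
    stolen = victim_cookie
    result: Dict[str, Optional[str]] = {"attacker_as": userpass_check(stolen)}
    change_password("hackmare", "something else")
    result["after_password_change"] = userpass_check(stolen)
    USERS["hackmare"] = original  # restore the demo store
    sid = session_login("hackmare", "correct horse battery")
    result["session_user"] = session_check("sid=" + sid)
    session_logout(sid)
    result["after_logout"] = session_check("sid=" + sid)
    return result


if __name__ == "__main__":
    for step, who in demo_replay_and_revocation().items():
        print(f"{step:22} -> {who}")
```

A stolen session id replays just as well as a stolen userpass cookie; the difference is that the session design gives the server something to revoke and gives the browser a flag that keeps the value out of document.cookie, whereas in Design A the cookie stays valid until the password itself changes, which is exactly the advice given above.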
