Code Project / The Lounge

Check 9 MSDN search redirects to Linux.org

23 Posts 10 Posters 0 Views 1 Watching
Blumen (#1)

http://channel9.msdn.com Click on search and it takes you to linux.org. Is this a problem with my PC?? :)

    “The thing for you is a burial permit. You have only to speak and I will see that you get it.”

leppie (#2)

      Blumen wrote:

      CLick on search and it takes you to linux.org Is this a problem with my PC??

      I think you have been infected by the GPL virus ;P

      xacc.ide - now with TabsToSpaces support
      IronScheme - 1.0 beta 1 - out now!
      ((lambda (x) `((lambda (x) ,x) ',x)) '`((lambda (x) ,x) ',x))

Blumen (#3)

        :-D But did you try to access that link?

        “The thing for you is a burial permit. You have only to speak and I will see that you get it.”

DaveAuld (#4)

          Yes, take me to linux.org also?????

          Dave Who am I?: http://www.bebo.com/daveauld/

Blumen (#5)

Dunno why :confused:

            “The thing for you is a burial permit. You have only to speak and I will see that you get it.”

ChrisHinde (#6)

I think it's a simple case of HTML injection in a forum post title... If you stop the page loading before it has time to redirect and look at the source, you find this on line 255 (or at least it was for me...):

<div class="title"> <h1><a id="ctl00_MainPlaceHolder_ResultsEntryList_ctl03_EntryTemplate_TitleLink" href="/forums/TechOff/449976-script-typetextjavascriptwindowlocation--httpwwwlinuxorgscript/"><script type="text/javascript">window.location = "http://www.linux.org";</script></a></h1> </div>

              Why do as everyone else, When Everybody else does it.

Blumen (#7)

So someone has done HTML injection on an MSDN website, ok :doh:

                “The thing for you is a burial permit. You have only to speak and I will see that you get it.”

ChrisHinde (#8)

Yeah, it seems that, for some reason, they allow HTML in titles. For me the reason for this is not really clear, as titles/subjects seldom need to (or should) contain HTML... It also seems that they've done some "CSS injection": http://i42.tinypic.com/348qfep.png

<a id="ctl00_MainPlaceHolder_ActiveForum_SidebarList_ctl02_EntryTemplate_TitleLink" href="/forums/Feedback/449993-style-typetextcssdivafter--content-echo-style/"><style type="text/css">div:after { content: "echo"; }</style></a> [...] Posted By: <a href="/Niners/Rowan/">Rowan</a> Today @ 5:04 AM <a href="/forums/Feedback/449993-style-typetextcssdivafter--content-echo-style/">0</a>

Both of these should be fairly simple to avoid...

                  Why do as everyone else, When Everybody else does it.

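An added example, not code from this thread or from Channel 9, that reproduces what the two page-source excerpts above show. Python stands in for the ASP.NET data-binding template; the vulnerable and encoded renderers are hypothetical reconstructions of the pattern, not the site's actual code. The slug scheme is an assumption inferred from the two URLs quoted above (lowercase, strip everything outside letters, digits and spaces, spaces to hyphens), and the two title strings are constructed from the injected titles quoted in the thread.

```python
import html
import re

# Titles constructed from the two injected posts quoted in this thread.
SCRIPT_TITLE = '<script type="text/javascript">window.location = "http://www.linux.org";</script>'
STYLE_TITLE = '<style type="text/css">div:after { content: "echo"; }</style>'


def slugify(title: str) -> str:
    """Slug scheme inferred from the two URLs in the thread (an assumption):
    lowercase, drop every character outside [a-z0-9 ], spaces become hyphens.
    It is computed from the raw title, so the URL keeps a fingerprint of any
    injected markup even after the displayed title has been cleaned up."""
    return re.sub(r"[^a-z0-9 ]", "", title.lower()).replace(" ", "-")


def render_title_link_vulnerable(post_id: int, forum: str, title: str) -> str:
    """Hypothetical reconstruction of the bug (not Channel 9's code): the title
    goes into the anchor text without HTML encoding, so a <script> or <style>
    element stored in the title becomes live markup on every listing page."""
    href = f"/forums/{forum}/{post_id}-{slugify(title)}/"
    return f'<h1><a href="{href}">{title}</a></h1>'


def render_title_link_safe(post_id: int, forum: str, title: str) -> str:
    """Same template with the title HTML-encoded at output time (what
    HttpUtility.HtmlEncode does in ASP.NET). The browser now shows the
    literal characters instead of parsing them as tags."""
    href = f"/forums/{forum}/{post_id}-{slugify(title)}/"
    return (f'<h1><a href="{html.escape(href, quote=True)}">'
            f'{html.escape(title, quote=True)}</a></h1>')


def contains_live_markup(rendered: str) -> bool:
    """True when a script or style element appears as a real tag (not as
    entity-encoded text) in a rendered fragment."""
    return re.search(r"<(script|style)\b", rendered, re.IGNORECASE) is not None


def injected_slugs(paths):
    """Triage heuristic for 'which other topics were hijacked?': because the slug
    is derived from the raw title, a topic URL whose slug starts with a tag name
    came from a title that began with '<'. Expect false positives (a legitimate
    title 'Style guide ...' also matches), so treat hits as a review list."""
    pattern = re.compile(r"^/forums/[^/]+/\d+-(script|style|iframe|img|object|embed)-")
    return [p for p in paths if pattern.match(p)]


if __name__ == "__main__":
    for title in (SCRIPT_TITLE, STYLE_TITLE):
        print("slug      :", slugify(title))
        print("vulnerable:", render_title_link_vulnerable(449976, "TechOff", title))
        print("safe      :", render_title_link_safe(449976, "TechOff", title))
        print()
```

The point the two renderers make is that the fix is output encoding at the template, independent of anything done to the input: with the title encoded, the same stored payload is displayed as text and the redirect never fires. The slug helper is the forensic side of the same observation: since the URL is built from the unencoded title, a log of request paths already tells you which topics carried markup, which is a quick way to check the later remark in this thread that the search link was not the only hijacked one.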
Todd Smith (#9)

http://channel9.msdn.com/Niners/Rowan/ :D

                    Todd Smith

Dario Solera (#10)

                      You guys are stuffed! Now I guess that someone will start yelling: "See?! SEE??!! Windows is insecure! IIS is crap!" :-D

                      If you truly believe you need to pick a mobile phone that "says something" about your personality, don't bother. You don't have a personality. A mental illness, maybe - but not a personality. - Charlie Brooker My Photos/CP Flickr Group - ScrewTurn Wiki

ChrisHinde (#11)

I'm not exactly an MS fanboy, and absolutely not a fan of IIS... I'm currently writing this on an Ubuntu machine (not exactly a fan of Ubuntu, but Linux in general). *hiding behind the table, waiting for flaming* But I don't think this is a problem with IIS/Windows Server, rather a problem with the ASP.NET application. The problem is "simply" that the web developers have neglected to deal with user input in a "correct" way (either due to ignorance/lack of knowledge or laziness). This has nothing to do with the platform(**)... (**) One could argue that ASP.NET developers are lazy in general, and so this is a problem that comes with ASP.NET... But that would be like throwing stones in a glasshouse. / Christopher H., web developer (PHP/MySQL, C#/ASP.NET), application programmer (C#/.NET/Mono etc.).

                        Why do as everyone else, When Everybody else does it.

                        modified on Saturday, December 27, 2008 12:42 PM

Rob Graham (#12)

                          I think it's a damn shame that there are children who see it as sport to deface others work, so that we have to defend against them in even the most trivial of applications. I hope it turns out to have been a honey-pot trap, and the script-kiddies get a well deserved visit from the FBI. They deserve nothing but our scorn.

Shog9 0 (#13)

                            Rob Graham wrote:

                            I think it's a damn shame that there are children who see it as sport to deface others work, so that we have to defend against them in even the most trivial of applications.

Channel 9 isn't a trivial application, any more than CodeProject is. Playful defacing is a whole lot better than subtle, account-stealing script injection, especially on a site using Passport / Live ID (imagine if the defacement consisted of simply changing the "login" link such that it redirects users to a fake Passport login page). As annoying as this Rowan kid's actions are, they serve a valuable purpose: I'll be thinking twice next time Channel9 asks for my credentials...

                            ----

                            You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.

ChrisHinde (#14)

Personally I'd rather "do it right" (and maybe be over-cautious in some cases) every time, than forget to do it when I really need it... I think that in most cases it's better to disallow "everything" (such as HTML in inputs) and then add exceptions. That makes for a better and more secure result (as I've guarded myself against things that I might have forgotten otherwise...). And as for the term "script kiddies" (who don't need to be children...), those "attacks" can be part of probing for larger problems. (I'm not trying to turn this into a programming thread...)

                              Why do as everyone else, When Everybody else does it.

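The "disallow everything, then add exceptions" rule from the post above, as an added Python example (not code from this thread, from Channel 9, or from any ASP.NET library; the allow-list policy, the tag and attribute sets, and the title pattern are assumptions chosen for illustration). Titles get a default-deny character check, since a title never needs markup; post bodies, where some formatting may be wanted, go through a parser-based allow-list that rebuilds the fragment, entity-encodes all text, and drops the <script> and <style> elements seen earlier in this thread together with their content.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list policy (assumed for this example): anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # the two elements abused in the thread

# Titles never need markup: accept plain text characters only (assumed pattern).
TITLE_RE = re.compile(r"^[A-Za-z0-9 .,:;!?'()\-]{1,120}$")


def validate_title(title: str) -> bool:
    """Default-deny check for a topic title: '<', '>', '"', '&', '{' and any
    other markup character fail, so a title can never carry HTML or CSS."""
    return TITLE_RE.match(title) is not None


class AllowlistSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allow-listed tags and attributes.
    Text is always entity-encoded; script/style content is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # > 0 while inside a dropped script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text
        safe_attrs = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, style=, and everything unlisted
            if name == "href" and urlsplit(value).scheme not in ALLOWED_SCHEMES:
                continue  # blocks javascript:, data:, and scheme-less tricks
            safe_attrs.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "a" and not safe_attrs:
            return  # a link with no acceptable href is just text
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # close anything still open inside this element
            closing = self.open_tags.pop()
            self.out.append(f"</{closing}>")
            if closing == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # balance tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    """Sanitize a post body: unknown tags vanish, their text survives encoded."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print(validate_title('<style type="text/css">div:after { content: "echo"; }</style>'))
    print(sanitize_html('<i>ok</i><script>evil()</script><p onclick="x()">text'))
```

The two functions implement the two halves of the post: everything is denied by default, and the exceptions (a handful of tags, one attribute, two URL schemes) are written down explicitly so a reviewer can see the whole policy in a few lines. For production code a maintained sanitizer library is preferable to a hand-written parser, but the shape of the rule is the same, and either way output encoding at the template is still needed in addition to input filtering.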
JimmyRopes (#15)

                                Rob Graham wrote:

                                They deserve nothing but our scorn.

                                They keep those of us who are web developers honest. This particular injection seems harmless enough to be considered beta testing and not larceny. Isn't it the M$ way to release software and let the user community debug it? X| I wonder how long it will take them to figure out that they have been hacked. I'm not telling. I don't work for them. ;P

                                Simply Elegant Designs JimmyRopes Designs
                                Think inside the box! ProActive Secure Systems
                                I'm on-line therefore I am. JimmyRopes

Rob Graham (#16)

                                  Fair enough.:rose:

Rob Graham (#17)

                                    In general I agree with what you said. My only reservation, however, is that I don't really think displaying the vulnerability to the rest of the world is the right way to get it fixed. An email via the contact link would have been more appropriate, and would not have loudly advertised the site's bug to those who would use it silently for a less noble purpose. Perhaps the hacker tried the email route first, but I somehow doubt it. As Shog9 pointed out, it is in all our interests to have the vulnerability repaired, before it becomes used as a phishing attack, or is exploited for direct theft of Passport/ Live ID credentials.

JimmyRopes (#18)

                                      Rob Graham wrote:

                                      I don't really think displaying the vulnerability to the rest of the world is the right way to get it fixed

Possibly not the best way but it might be out of frustration. I have heard of people contacting M$ and never hearing a reply. That is rude at the least and can lead to their not reporting defects in the future. They are, after all, going out of their way to inform M$ of something that should have been caught in system test by a professional tester who is getting compensation for their efforts. I don't know if this is what actually happened in this case, and from the way some of the other links have been hijacked I suspect it wasn't done this way. In the end it is not the hacker's responsibility to report the defect, it is the responsibility of the software manufacturer to thoroughly test their product before they release it. I have programmed many workarounds for defects that should have been caught in system test, and, no, I don't notify M$ because I don't have the time to make up proper test cases, without compensation, and deliver what I am responsible for to people who employ my services, and do compensate me for my efforts.

                                      Rob Graham wrote:

                                      An email via the contact link would have been more appropriate, and would not have loudly advertised the site's bug to those who would use it silently for a less noble purpose.

As I have mentioned above I know of people who did report defects only to be ignored by M$. This could possibly be on the advice of corporate attorneys who fear that admitting defects will set them up for legal remedies from people who paid for the software. I have been advised by corporate liars lawyers to that effect when working for a very large corporation.

                                      Rob Graham wrote:

                                      Perhaps the hacker tried the email route first

                                      That is not known but I doubt it. Nobody is saying that this hacker is noble.

                                      Rob Graham wrote:

                                      As Shog9 pointed out, it is in all our interests to have the vulnerability repaired, before it becomes used as a phishing attack, or is exploited for direct theft of Passport/ Live ID credentials.

                                      No argument there. I just don't have the time or inclination to pursue the issue. As I have mentioned before the search menu item isn't the only one that is hijacked and others are h

Rob Graham (#19)

                                        :rose: I think we are on pretty much the same page. Microsoft has the responsibility to set a better example than this.

JimmyRopes (#20)

                                          I am currently reading "Programming Microsoft ASP.NET 3.5" written by Dino Esposito and published by Microsoft Press in February of this year. Perhaps this book should be a holiday present and required reading for all ASP.NET developers there. BTW my current contract is developing a web site in Perl, JavaScript and ColdFusion for Apache servers so I consider the ASP.NET book recreational reading. :-D

                                          Simply Elegant Designs JimmyRopes Designs
                                          Think inside the box! ProActive Secure Systems
                                          I'm on-line therefore I am. JimmyRopes
