Kuro5hin.org: technology and culture, from the trenches

Slashdot cracked?

By krogoth in News
Thu Apr 20, 2000 at 01:36:23 AM EST
Tags: Security

Has Slashdot been cracked? I've looked at the 4 most recent stories:

#4: about 20-50 posts, then a title, with no name or any usual post stuff, says "now watch me kr45h j00r B0><or".

#3: 3 posts, then "Wonderful day!"

#2, #1: 1-4 posts, then "scrubbing my nuts".

It seems slashdot has been cracked...time to upgrade the security? Try a few of those articles from the last few weeks...... [editor's note, by rusty] It's behaving strangely, for sure. I get weird half-pages... Seems like this kind of thing is going around lately.

Update [2000-4-19 22:36:20 by rusty]: Ok, the problem was explained by nicktamm with great clarity and demonstrative persuasiveness ;-). Yes, it would seem that we too were vulnerable, although I'm still trying to figure out how, exactly... Anyway, see below for a clear explanation. And dammit, I *do* have filters for that sort of thing. And so does slash. Well, $pants_down = 1;


Slashdot cracked? | 25 comments (25 topical, editorial, 0 hidden)
And another thing... it's just cras... (none / 0) (#1)
by rusty on Wed Apr 19, 2000 at 08:14:16 PM EST

rusty voted 1 on this story.

And another thing... it's just crashed my netscape twice. Something's wrong...

____
Not the real rusty

What do you expect the site has bee... (1.00 / 1) (#9)
by Commienst on Wed Apr 19, 2000 at 08:15:49 PM EST

Commienst voted 1 on this story.

What do you expect? The site has been neglected by its maintainers recently.

Have you been noticing the double posts recently? They do not even read the site they maintain.

I don't think it's cracked, just br... (none / 0) (#3)
by evro on Wed Apr 19, 2000 at 08:22:22 PM EST

evro voted -1 on this story.

I don't think it's cracked, just broken.
---
"Asking me who to follow -- don't ask me, I don't know!"

leave the security reports to the s... (none / 0) (#7)
by CyberPuppet on Wed Apr 19, 2000 at 09:16:01 PM EST

CyberPuppet voted -1 on this story.

leave the security reports to the security sites
--
The Teenage Computer Network

Weren't we just talking about writi... (none / 0) (#8)
by bgp4 on Wed Apr 19, 2000 at 09:31:22 PM EST

bgp4 voted 1 on this story.

Weren't we just talking about writing secure code in the IMAP post ;-) http://www.shmoo.com/securecode/ should have some pointers to help

When writing a piece of software like /. where 1,000's of users will be using and abusing input functions every hour, you need to really lock things down, or you'll get a black eye in a hurry... I'm sure rusty's thought about all this with scoop.. :)
May all your salads be eaten out of black hats

I can see any of this. Perhaps it's... (none / 0) (#11)
by Decklin Foster on Wed Apr 19, 2000 at 09:47:09 PM EST

Decklin Foster voted -1 on this story.

I can't see any of this. Perhaps it's been fixed.

Somebody just figured out how to ge... (3.00 / 2) (#10)
by nicktamm on Wed Apr 19, 2000 at 09:49:10 PM EST

nicktamm voted -1 on this story.

Somebody just figured out how to get HTML tags into the titles of comments. On the article "Microsoft Pits Pocket PC Against Palm", somebody titled their comment "scrubbing my nuts <Script language=", and since the tag never ends, the rest of the page isn't displayed. This is just a bug in Slash, which has happened before, so I wouldn't really describe Slashdot as being cracked. What may become interesting about this post is whether or not Slashdot decides to delete the offending post...
Nick Tamm nick-k5@echorequest.net http://www.nicktamm.org

Indeed (none / 0) (#15)
by jetpack on Thu Apr 20, 2000 at 11:45:09 AM EST

Yes, this is hardly a new phenomenon, it's happened many times in the past. On the other hand, I don't know a whole lot about HTML, so maybe you can riddle me this: whenever this sort of nonsense happens, it foobars netscape, but lynx and w3m work just fine. Are the latter two smart enough to realize the tag never ends, decide it must therefore be broken, and then ignore it?

Or do they just not recognize the <script language=...> tag at all, and toss it out?
--
/* The beatings will continue until morale improves */
[ Parent ]

Re: Indeed (none / 0) (#19)
by rusty on Thu Apr 20, 2000 at 04:16:30 PM EST

It actually has nothing to do with the tag being "script language". That just happens to be the text people keep putting in there. The problem is that netscape is stupid, basically. When it sees an opening <, it assumes that we've started a tag, despite all evidence to the contrary, and interprets everything following as HTML. Closing carets (>) all by themselves don't cause any problems, oddly enough. So yes, it's because netscape is stupid and Evil, AFAICT.

____
Not the real rusty
[ Parent ]
Re: Somebody just figured out how to ge... (none / 0) (#17)
by soulhuntre on Thu Apr 20, 2000 at 02:10:33 PM EST

Of course, if this had happened to a closed source website then you would have
seen all the /.'ers talking about how stupid the authors were, and how if only
the source was open... blah blah blah.

Very funny :)

Ken


[ Parent ]
Were they cracked? ... (none / 0) (#5)
by gnuchris on Wed Apr 19, 2000 at 10:05:54 PM EST

gnuchris voted 0 on this story.

Were they cracked?
"He had alot to say, He had alot of nothing to say" -TOOL-

It's either a crack or an extremely... (none / 0) (#6)
by Pike on Wed Apr 19, 2000 at 10:31:23 PM EST

Pike voted 1 on this story.

It's either a crack or an extremely public coding blunder. I don't see the weird comments, just that when I click on a story it only shows the top logo bar and icons. Of course, Navigator's notoriously picky about tables and things, so maybe the cracker is just a poor HTML coder (Are you listening out there?? Fix your tablez, m15t3r!)

-JD

Public Coding Blunder (nt) (none / 0) (#12)
by rusty on Thu Apr 20, 2000 at 02:07:17 AM EST



____
Not the real rusty
[ Parent ]
Not sure if it deserves a main page... (none / 0) (#4)
by analog on Wed Apr 19, 2000 at 10:35:00 PM EST

analog voted 0 on this story.

Not sure if it deserves a main page spot, but for those of you interested, a quick 'view source' on a /. comments page should prove instructive.

Too funny. POST POST POST! :)... (none / 0) (#2)
by skim123 on Thu Apr 20, 2000 at 01:05:29 AM EST

skim123 voted 1 on this story.

Too funny. POST POST POST! :)

Money is in some respects like fire; it is a very excellent servant but a terrible master.
PT Barnum


HTMLEmbeddingintitle! (none / 0) (#13)
by hattig on Thu Apr 20, 2000 at 07:08:39 AM EST

<font color="#335588" face="Arial, Tahoma, Verdana" size="-1"> There is a problem with html tags and weblogs. I thought that they were all filtered out unless they conformed exactly to the allowed tags, but I have proved that the preview comments are not filtered in any way.<p align="right"> There will always be somewhere where they get through though. Nothing you can do about it in the end, either you just hope that users are nice and kind and don't look for abuses of the system, or you realise the truth of the thing and spend hours and hours writing Perl to catch it all in every circumstance. <table border="2" bgcolor="#ffff00"><tr><td align="center"> <p align=center>I am just testing some tags when posting this, I hope they don't work :-)</font> </td</tr></table>

Re: HTMLEmbeddingintitle! (none / 0) (#14)
by hattig on Thu Apr 20, 2000 at 07:10:18 AM EST

Hmmm, halfway there Rusty!<p align="right">

Just need to remove the offending tags!</p>


[ Parent ]
Re: HTMLEmbeddingintitle! (none / 0) (#18)
by rusty on Thu Apr 20, 2000 at 04:10:16 PM EST

I saw your font thing in mod comments. I can't believe those aren't being filtered correctly. Trust me, though, it's way harder than it seems like it would be to get this right!

I think what I'm going to do is use the perl HTML parser libs to actually chew through and rewrite all html tags for safety. Because there are still some tags that could house malicious code (<A HREF> for example, could be used to embed JS). Well, these are all inevitable results of more users and more testing. We can only get more secure. :-)

____
Not the real rusty
[ Parent ]

Re: HTMLEmbeddingintitle! (none / 0) (#23)
by Anonymous Hero on Thu Apr 20, 2000 at 10:25:01 PM EST

What stage in the process will you be filtering tags? Before they're submitted into the database or as they're pulled out for the page?

Everything2.net rather smartly did the latter. Initially they believed the PRE tag to be too much a risk but 6 months later they realised it damaged nodes/posts too much and chose to re-allow it.

[ Parent ]

Re: HTMLEmbeddingintitle! (none / 0) (#16)
by Anonymous Hero on Thu Apr 20, 2000 at 12:03:06 PM EST

I'm running into these same problems while coding up my discussion board. Right now, malicious users could put weird infinite loop javascript into their comments and that would be blindly displayed by the program.

It's interesting though, that these problems are coming from HTML tags in the -title- of comments. Right now, my code looks like:

$info = get_comment_from_db();
echo "Subject: {$info['subject']}<br>";                // subject goes out raw
echo "Message: " . newline2br( $info['message'] );    // only the message is checked

<small>Hey rusty, your previewing could probably use a little work too :^)= </small>

...which is a gross oversimplification, but it shows that I'm only checking the message itself for any kind of malicious code.

My plans are to allow *anything* to be stored in the database- plain text, table tags, whatever. However, I want to "neuter" any HTML tags as they are being displayed by my program.

Cute, and an interesting thing to be aware of. :^)=

--Robert

[ Parent ]

Re: HTMLEmbeddingintitle! (none / 0) (#20)
by ramses0 on Thu Apr 20, 2000 at 05:25:20 PM EST

(ps ... hopefully "plain old text" will get this to display properly)...

the original message above looked a little like this:

<pre>
...[code snippet]...
echo "Subject: $subject<br>";
</pre>

...the 'pre' worked in preview mode, it got munged/munched in the comment display, and my <small></small> tags worked while in the moderation queue (on the penguin mints story), but not on the post which I'm responding to.

I think I'd recommend a tactic similar to what I'm eventually gonna do for my discussion board...

allow -anything- to be stored in the database, and filter everything out upon display. So...

$comment;  // contains malicious characters/html
$comment = neuter_html( $comment );  // turn -all- < and > to &lt; and &gt;
$comment = allow_b_html( $comment ); // turn all &lt;b&gt; into <b>
$comment = allow_i_html( $comment ); // turn all &lt;i&gt; into <i>
// ...etc, allow tags as needed...
echo $comment;

encapsulate the whole damn thing so you can perform a "$comment = safe_html( $comment );" function call, and make a separate function "show_message" which takes an array of variables required to display a message, and prints it out after doing all the mojo on it.

I'm sure you're doing parts of this, but you need to have a single point of failure, so that if something fails in one place, after you fix it, it won't fail for the same reason anywhere else ever again.

The above recommended functions are just super-simple regex's, and I think this will effectively solve all HTML based attacks against comments.

Could somebody else who likes to think about security tell me where this could be going wrong?

(and plain text looks like it's arial in the preview box, wtf?)

--Robert

[ rate all comments , for great justice | sell.com ]
[ Parent ]
Re: HTMLEmbeddingintitle! (none / 0) (#21)
by ramses0 on Thu Apr 20, 2000 at 05:27:58 PM EST

ok, yet another dumb input bug :^)=

the turn all < and > into ???? and ??? is supposed to be saying
"ampersand"lt;, and "ampersand"gt;, but it got munged by something.

blaeahaghed!!! HTML and user input is a damned ugly programming problem!

--Robert

[ rate all comments , for great justice | sell.com ]
[ Parent ]
Re: HTMLEmbeddingintitle! (none / 0) (#22)
by rusty on Thu Apr 20, 2000 at 06:59:09 PM EST

HTML and user input is a damned ugly programming problem!

Yeah, it really really is. I think you might be on to something, with the "filter on output" scheme. Right now I do have a single-point scheme-- there's filter_subject() and filter_comment() methods that get called for all input filtering (except mod comments, which was just a dumb oversight that's fixed now). But the regexps that deal with all the problems of html are getting too damn hairy. I'm thinking about just plugging HTML::Parser in there and doing it that way.

____
Not the real rusty
[ Parent ]
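An added example, not code from Slash, Scoop or Robert's board (Python stands in for their Perl and PHP), that puts the thread's pieces together: nicktamm's unterminated "<Script language=" in a comment title, Robert's renderer that filters only the message, and ramses0's neuter-then-re-allow scheme behind a single safe_html() entry point of the kind rusty describes with filter_subject() and filter_comment(). It also shows the hole rusty points at: re-allowing <A HREF> is only safe if the URL scheme is checked, otherwise javascript: links come back to life. The sample comment, the function names, the allowed-tag list and the scheme list are the example's own assumptions.

```python
import html
import re

# Constructed sample comment, modelled on the thread: the subject carries an
# unterminated tag, the message carries two links and a script tag.
SAMPLE = {
    "subject": "scrubbing my nuts <Script language=",
    "message": (
        'Visit <a href="javascript:alert(1)">here</a> or '
        '<a href="http://www.nicktamm.org">here</a>. '
        "This is <b>bold</b>, <i>italic</i>, and a <script>alert(2)</script> tag."
    ),
}

SIMPLE_TAGS = ("b", "i", "p", "pre")                         # assumed allow-list
SAFE_SCHEMES = ("http://", "https://", "ftp://", "mailto:")  # assumed allow-list
LINK_RE = re.compile(r"&lt;a href=&quot;(.*?)&quot;&gt;(.*?)&lt;/a&gt;",
                     re.IGNORECASE | re.DOTALL)


def neuter_html(text):
    """Step 1: turn every < > & " ' into an entity so nothing is markup."""
    return html.escape(text, quote=True)


def allow_simple_tags(text):
    """Step 2: bring back a fixed set of attribute-free tags.  Only the exact
    forms &lt;b&gt; / &lt;/b&gt; match; &lt;b onmouseover=...&gt; stays text
    because the pattern leaves no room for attributes."""
    for tag in SIMPLE_TAGS:
        text = re.sub(rf"&lt;(/?){tag}&gt;", rf"<\1{tag}>", text, flags=re.IGNORECASE)
    return text


def allow_links(text):
    """Step 3: bring back <a href="...">...</a>, but only for URLs on an
    allow-listed scheme.  Matching the whole open/close pair avoids stray
    </a>, and rebuilding the tag from scratch drops any other attribute."""
    def rebuild(m):
        url = html.unescape(m.group(1)).strip()
        if not url.lower().startswith(SAFE_SCHEMES):
            return m.group(0)      # javascript:, data:, vbscript: ... stay as text
        return f'<a href="{html.escape(url, quote=True)}">{m.group(2)}</a>'
    return LINK_RE.sub(rebuild, text)


def safe_html(text):
    """The single entry point every user-supplied field must pass through."""
    return allow_links(allow_simple_tags(neuter_html(text)))


def render_unfiltered(info):
    """The 'before': the message is filtered, the subject is not."""
    return f"Subject: {info['subject']}<br>\nMessage: {safe_html(info['message'])}"


def render_filtered(info):
    """The 'after': subject and message take the same path."""
    return (f"Subject: {safe_html(info['subject'])}<br>\n"
            f"Message: {safe_html(info['message'])}")


if __name__ == "__main__":
    print(render_unfiltered(SAMPLE))
    print("---")
    print(render_filtered(SAMPLE))
```

The unfiltered rendering emits the raw "<Script language=" into the page, which is exactly what a browser of the day chewed on until it found a ">"; the filtered one emits "&lt;Script language=" and the title is just text. The javascript: link survives only as literal text, while the http:// link is rebuilt with nothing but its href. A whitelist of re-allowed forms is easy to reason about, but it is still regex work on entity-encoded text; rusty's plan of parsing with HTML::Parser and re-emitting known-good tags is the more robust shape of the same idea.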

Re: HTMLEmbeddingintitle! (none / 0) (#24)
by ramses0 on Fri Apr 21, 2000 at 02:41:15 AM EST

The only detriment which is coming to mind is that running several regex's on the same input stream could be pretty inefficient. Multiply this by 100 comments, and you could be crunched very quickly.

There is a certain elegance to "filtering on output", but it also seems to be less efficient. Elegance and efficiency are too often opposed in programming in my opinion. ;^)=

--Robert
[ rate all comments , for great justice | sell.com ]
[ Parent ]

Re: HTMLEmbeddingintitle! (none / 0) (#25)
by Marvin on Fri Apr 21, 2000 at 08:11:48 AM EST

Possible remedy: Once the filtered version of a comment is created, store it in the DB together with a version number of the filter applied. Next time someone wants to read that comment, the DB is checked for a filtered version, if the version of the filter applied is the most recent one, it is displayed, otherwise, a new filtered version is created and stored in the DB...

[ Parent ]
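Marvin's remedy as an added Python example (not Scoop code; a dict stands in for the comments table and the two filter generations are invented for the illustration): each row keeps the raw text, the last rendering and the version of the filter that produced it. render() re-filters only when the stored version is stale, and always from the raw text rather than from the old rendering, so shipping a new filter never double-escapes what the previous one produced.

```python
import html
import re

# Two filter generations, assumed for the example.  v1 escaped everything;
# v2 additionally re-allows bare <b> and <i>.  Deploying v2 must invalidate
# every rendering that v1 produced.
def filter_v1(raw):
    return html.escape(raw, quote=True)


def filter_v2(raw):
    escaped = html.escape(raw, quote=True)
    return re.sub(r"&lt;(/?)([bi])&gt;", r"<\1\2>", escaped, flags=re.IGNORECASE)


FILTERS = {1: filter_v1, 2: filter_v2}


class CommentStore:
    """Stand-in for the comments table: raw text, cached rendering, and the
    filter version that produced the rendering (0 = never filtered)."""

    def __init__(self, filters, current_version):
        self.filters = filters
        self.current_version = current_version   # bump when a new filter ships
        self.rows = {}
        self.filter_runs = 0                     # how often a filter really ran

    def insert(self, cid, raw):
        # Anything goes into the database; nothing is trusted on the way out.
        self.rows[cid] = {"raw": raw, "filtered": None, "filter_version": 0}

    def render(self, cid):
        row = self.rows[cid]
        if row["filter_version"] != self.current_version:
            # Stale or never filtered: run the *current* filter on the raw
            # text (never on the old rendering) and write the result back.
            row["filtered"] = self.filters[self.current_version](row["raw"])
            row["filter_version"] = self.current_version
            self.filter_runs += 1
        return row["filtered"]


def demo():
    """Walk one comment through a filter upgrade; returns both renderings
    and how many times a filter actually ran."""
    store = CommentStore(FILTERS, current_version=1)
    store.insert(1, "Hi <b>there</b> & <script>alert(1)</script>")  # constructed
    first = store.render(1)              # filtered once under v1
    store.render(1)                      # served from cache, no filter run
    store.current_version = 2            # new filter deployed
    second = store.render(1)             # re-filtered once under v2
    store.render(1)                      # cached again
    return first, second, store.filter_runs


if __name__ == "__main__":
    print(demo())
```

This answers ramses0's efficiency worry: the regexes run once per comment per filter generation instead of once per page view, and a filter fix reaches every old comment the next time it is read, without a bulk re-write of the table.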
