Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Kuro5hin cracked?

By nicktamm in News
Fri Apr 21, 2000 at 06:06:52 AM EST
Tags: Security (all tags)
Security

While explaining what seems to be happening on Slashdot (re: the pending story "Slashdot cracked?"), I accidently did the same thing to the comments of other voters. Sorry.

[editor's note, by rusty] If there's still interest in this, I can write up what actually happened, and why this input filtering thing is so much harder than it seems like it should be. In fact, the timing of it is kind of an amusing story in itself. Please indicate your interest, or lack thereof, in the comments. :-)


I didn't mean to, I just assumed that Scoop would strip the HTML in my comment out, but it turns out that it didn't, so now the page of comments and votes (at least the ones underneath mine) are all hidden by everyone's browsers.

What I had tried to say was that all that had happened to Slashdot was that somebdy had found a way around having the HTML tags in the titles of comments striped out, and had but in a <Script language= as the title. I included that and pointed out that the rest of the comments were still there, they are just hidden by everyone's browsers.

Now the same thing is on Kuro5hin, and I really didn't mean to do it, its just that this was the first story I tried moderating, and I didn't see a "Allowed HTML" message, so I assumed it would throw out all of the HTML.

So I guess the main reason for this is just to say I'm sorry for messing it up, and at least I didn't do it to the main message board by accident and also, the ability to change comments or at least preview them before moderating on a story would be nice.

Sorry
Nick Tamm
nicktamm@thuntek.net
http://fisheater.n3.net

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o Slashdot
o Scoop
o Kuro5hin
o Also by nicktamm


Display: Sort:
Kuro5hin cracked? | 33 comments (33 topical, editorial, 0 hidden)
I think you can preview comments. B... (none / 0) (#19)
by krogoth on Wed Apr 19, 2000 at 10:26:27 PM EST

krogoth voted 1 on this story.

I think you can preview comments. But since i can't reply to my story yet, i wanted to say this: the message "Now watch me kr45h j00r B0><0r.", and the consistency of the style, seemed to point to one person or organized group doing this, but it seems that slashdot wasn't cracked, just damaged intentionally multiple times. :). But this is still a security problem: if slashdot, and kuro5in, will let this happen, what's next?
--
"If you've never removed your pants and climbed into a tree to swear drunkenly at stuck-up rich kids, I highly recommend it."
:wq

hehehe.. I'm giggling my butt off..... (none / 0) (#24)
by bgp4 on Wed Apr 19, 2000 at 10:30:54 PM EST

bgp4 voted 1 on this story.

hehehe.. I'm giggling my butt off.. the UWLT exploit... Universal WebLog Terminator
May all your salads be eaten out of black hats

haw haw... (1.00 / 1) (#17)
by Pike on Wed Apr 19, 2000 at 10:32:52 PM EST

Pike voted 1 on this story.

haw haw

All seems okay now. Next time, mayb... (none / 0) (#11)
by analog on Wed Apr 19, 2000 at 10:41:07 PM EST

analog voted 0 on this story.

All seems okay now. Next time, maybe just alert people who care to 'view source'. ;)

Rusty.. I thought we had discussed ... (none / 0) (#4)
by Inoshiro on Wed Apr 19, 2000 at 11:35:01 PM EST

Inoshiro voted 1 on this story.

Rusty.. I thought we had discussed this ;-) Don't worry, I understand that you have to deal with the Slash code base, and that the filter routines are "broken by design"

--
[ イノシロ ]

Re: Rusty.. I thought we had discussed ... (none / 0) (#32)
by rusty on Fri Apr 21, 2000 at 01:20:09 PM EST

Don't worry, I understand that you have to deal with the Slash code base

If only I had the luxury of that excuse! But no, I don't have anything to do with the slash code base. You knew that. Basically, Rob and I just made the same mistake, is the problem. :-)

____
Not the real rusty
[ Parent ]

Appologies are good. So are explana... (none / 0) (#14)
by your_desired_username on Wed Apr 19, 2000 at 11:57:16 PM EST

your_desired_username voted 1 on this story.

Appologies are good. So are explanations.

Maybe this should be appended to th... (none / 0) (#27)
by ishbak on Thu Apr 20, 2000 at 02:01:28 AM EST

ishbak voted -1 on this story.

Maybe this should be appended to the original slashdot story. It does have something worthwhile to say but it is part of an earlier discussion. Not its own thread.

Well, it is hard to catch everythin... (5.00 / 1) (#3)
by hattig on Thu Apr 20, 2000 at 06:57:13 AM EST

hattig voted 0 on this story.

Well, it is hard to catch everything everywhere when writing Perl - you think you have everything caught but there is always a way round!

Most people never try to fiddle with html tags though, amazingly. Slashdot had html tag problems wide open for ages, and nobody noticed them until I (ho hum) embedded Freshmeat into a comment, as well as some other shenanigans.

Bet these tags don't work now though!

Oh, this should be appended to the bottom of the previous story!

... (none / 0) (#15)
by CodeWright on Thu Apr 20, 2000 at 07:15:16 AM EST

CodeWright voted 1 on this story.

Although the security issue that nicktamm raises is important, I'd like to note that this issue has raised another....

...namely, that it would be nice to have the "preview" capability for Voting the same as for Commenting. otherwise, the "line-editor" impaired amongst us *raises hand* can't be sure how stupid we'll look with our votes...



--
A: Because it destroys the flow of conversation.
Q: Why is top posting dumb? --clover_kicker

Re: ... (none / 0) (#30)
by Alorelith on Fri Apr 21, 2000 at 11:55:57 AM EST

I'm not so sure I agree. For example, one of the submissions. It was the one with IRC logs for that mafiaboy that somehow pointed to misleading evidence. Anyway, I had submitted a comment that was along the lines of "wow, that's pretty freaky. Someone's going to be in trouble," while everyone else said this story is stupid and shouldn't be posted and that it's not trustworthy, etc... I felt kind of stupid, but it's better that way. The idea is to think on your own, not read everyone elses comments then vote.



----
Convictions are more dangerous enemies of truth than lies. -- Nietzsche

[ Parent ]
Preview (none / 0) (#31)
by Eimi on Fri Apr 21, 2000 at 01:14:07 PM EST

That's a separate issue. The original issue was allowing a preview of what you've just typed, like the "Preview" button below the comment box I'm typing in now. I honestly can't see any reason *not* to include that. The issue of being able to see others comments before posting your own and your vote is one that's worthy of a lot more debate. I personally like the idea of two votes per person, one before and one after seeing other people's comments, but that's just me.

[ Parent ]
Re: Preview (none / 0) (#33)
by Alorelith on Fri Apr 21, 2000 at 03:57:41 PM EST

Ahh, ok I guess I misunderstood what you meant. I guess two votes per person is fine, and actually good; it allows for others to see how swayed by other's comments someone can be (not necessarily bad).

----
Convictions are more dangerous enemies of truth than lies. -- Nietzsche

[ Parent ]

Oh, it's a confessional now. Fantas... (none / 0) (#28)
by Gentry on Thu Apr 20, 2000 at 08:25:25 AM EST

Gentry voted -1 on this story.

Oh, it's a confessional now. Fantastic...

I think it would be good to post th... (none / 0) (#18)
by End on Thu Apr 20, 2000 at 09:09:39 AM EST

End voted 1 on this story.

I think it would be good to post this in order to increase rusty's motivation to fix the problem :)

-JD

-JD

Hmm both these so called CRACKS (is... (none / 0) (#13)
by gnuchris on Thu Apr 20, 2000 at 09:17:58 AM EST

gnuchris voted 1 on this story.

Hmm both these so called CRACKS (is that the right term in these cases), seem to bring up a problem in Perl Message Boards.. something GEEKY enough to make KURO5HIN for sure... time to discuss code
"He had alot to say, He had alot of nothing to say" -TOOL-

An explanation, not really a story.... (none / 0) (#21)
by dlc on Thu Apr 20, 2000 at 09:20:11 AM EST

dlc voted -1 on this story.

An explanation, not really a story.

(darren)

Enough with the [script language] b... (none / 0) (#16)
by inspire on Thu Apr 20, 2000 at 11:31:24 AM EST

inspire voted -1 on this story.

Enough with the [script language] bug already. It was a simple enough oversight, and takes about 5 minutes to fix. Its not as if it's a gigantic backdoor into e-commerce systems around the world (hint hint).
--
What is the helix?

we forgive you ,and it's fixed alre... (none / 0) (#2)
by ramses0 on Thu Apr 20, 2000 at 12:07:09 PM EST

ramses0 voted -1 on this story.

we forgive you ,and it's fixed already ;^)=
[ rate all comments , for great justice | sell.com ]

This info is hard to find in the ot... (none / 0) (#23)
by prevostjm on Thu Apr 20, 2000 at 01:05:01 PM EST

prevostjm voted 1 on this story.

This info is hard to find in the other thread, and it's good to know what happened.

Wow. ... (none / 0) (#26)
by Paradox on Thu Apr 20, 2000 at 01:44:15 PM EST

Paradox voted 1 on this story.

Wow. Gotta admire someone who honestly apologizes these days. It's a rare thing to find an honest person.
Dave "Paradox" Fayram

print print join q( ), split(q,q,,reverse qq;#qsti
qq)\;qlre;.q.pqevolqiqdog.);#1 reason to grin at Perl
print "\n";

Ruuuuuuuuuuuuuuuuuuuuuuuuuuuuuuusty... (none / 0) (#10)
by julian on Thu Apr 20, 2000 at 04:33:36 PM EST

julian voted 1 on this story.

Ruuuuuuuuuuuuuuuuuuuuuuuuuuuuuuusty!
-- Julian (x-virge)

Well, it's nice that you want to ap... (none / 0) (#9)
by raph on Thu Apr 20, 2000 at 04:50:27 PM EST

raph voted 0 on this story.

Well, it's nice that you want to apologize, but what I'd really like to see is a clear explanation of the issues. Is the problem here that /. and kuro5hin both have straightforward bugs in their escaping of < and > characters, or were the Slashdot attackers exploiting the (completely brain-damaged) feature of Netscape interpreting 0x8B and 0x9B as valid < and > characters, respectively, for the purpose of constructing tags, or perhaps something else entirely?

I've tried very, very hard to get this right in Advogato, and as far as I know the site is not vulnerable, but so far none of the information I've seen is specific enough to really answer my questions.

I was looking for the supposed expl... (none / 0) (#22)
by pvg on Thu Apr 20, 2000 at 05:45:06 PM EST

pvg voted 1 on this story.

I was looking for the supposed explanation of what happened to Slashdot in the comments and was confused as to why I couldn't find it. I think the exlanation is worthy of it's own followup article. The author should fix the spelling ('put' instead of 'but') and cut down on the apologizing :)

File this under Department of Redun... (none / 0) (#6)
by xah on Thu Apr 20, 2000 at 07:49:05 PM EST

xah voted -1 on this story.

File this under Department of Redundancy Department.

I'm a bit confused, because the sto... (none / 0) (#20)
by Notromda on Thu Apr 20, 2000 at 11:34:42 PM EST

Notromda voted 0 on this story.

I'm a bit confused, because the story looks fine to me. Did Rusty fix it or something?

> also, the ability to change comme... (none / 0) (#8)
by neonman on Thu Apr 20, 2000 at 11:45:49 PM EST

neonman voted 0 on this story.

> also, the ability to change comments or at least preview them before moderating on a story would be nice.

I have thought about this quite a bit myself. I'm not sure it is a good idea to let moderators see what other people are saying/voting before voting themselves. If they are allowed to see other votes, their decisions won’t entirely be their own. The mob mentality would start to control the moderation process.
_________________________
Aaron Grogan
aaron@stufflikethat.org
http://stufflikethat.org/

Re: > also, the ability to change comme... (none / 0) (#29)
by rongen on Fri Apr 21, 2000 at 09:05:46 AM EST

I think what people mean is they want the ability to preview a moderation comment in the same way that they preview a forum comment. This would allow proofreading, tag checking, etc... There is no reason why this would change the system from a user's point of view (they would still not be able to see other's comments until their own was posted).
read/write http://www.prosebush.com
[ Parent ]

Apologies are nice, but we discusse... (none / 0) (#1)
by lachoy on Thu Apr 20, 2000 at 11:49:33 PM EST

lachoy voted -1 on this story.

Apologies are nice, but we discussed this the other day.
M-x auto-bs-mode

I don't think it should be posted a... (none / 0) (#5)
by driph on Fri Apr 21, 2000 at 12:49:12 AM EST

Driph voted -1 on this story.

I don't think it should be posted as a story, but thanks for the note. One advantage of K5 is if something like that does happen and screws up the flow of the comment, it can be simply edited by the administration.

--
Vegas isn't a liberal stronghold. It's the place where the rich and powerful gamble away their company's pension fund and strangle call girls in their hotel rooms. - Psycho Dave

Not really much to talk about, is t... (none / 0) (#7)
by Alorelith on Fri Apr 21, 2000 at 01:09:33 AM EST

Alorelith voted 0 on this story.

Not really much to talk about, is there?

----
Convictions are more dangerous enemies of truth than lies. -- Nietzsche

I wonder if some code-validation sc... (none / 0) (#12)
by Ozymandias on Fri Apr 21, 2000 at 01:29:09 AM EST

Ozymandias voted 1 on this story.

I wonder if some code-validation script from W3C could be snaffled and embedded in the system; comments get checked before they are submitted. Oh, and the apology - s'alright. <G>
- Ozymandias

This kind of self reponsibility is ... (none / 0) (#25)
by h on Fri Apr 21, 2000 at 04:03:40 AM EST

h voted 1 on this story.

This kind of self reponsibility is what we need.

Kuro5hin cracked? | 33 comments (33 topical, 0 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest © 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!