Security Hole Lets Lycos Run Arbitrary JavaScript

JibbaJabba writes "Securiteam is reporting that a "security vulnerability has been confirmed in Lycos's Search Engine" which "allows malicious web site owners to cause JavaScript code (or any other HTML code) to get included in the search results displayed to the end user by Lycos". They also state that "other engines are suspected to be vulnerable as well". Anyone tried google yet? The original bugtraq report by Sentry Labs is available here." Proof once again that the jerks have more spare time then the people who actually do something worthwhile.

Praising security "investigators"

[by Anonymous Coward]

I don't think I'm buying into this "they are only showing you how bad your stupid code is." reasoning anymore. ALL code is flawed, so taking advantage of it is like pushing down someone you meet on the sidewalk and saying "I am only showing you how poor your center of gravity and sense of balance are!" No, that is not a reasonable line of thinking. If you want to make something better, show the makers what's wrong, and post publicly if it is not taken care of. all of the rest of this is some kind of ego-run-amuck b.s. about trying to _be_ "Neo" hacking "the man". and it is _very_ juvinile. I spend FAR too much of my time trying to make sure that my servers are pactched and my virus files are up to date and my users are not sending out company data to outside sources that don't need to know. It takes away from a sys. adim's time that _should_ be spent watching company information flow and user environments to look for ways to help it improve the company. NOT making sure that the 13 year old kid that just got out of school isn't making sure I know that IIS has a buffer overflow problem that gives him all of my customer's credit cards. Not ALL information was meant to be free. If you disagree please feel free to apply for wireless service from verizon or AT&T and learn all about how "helpfull" these "security advisors" really are.

Re:yes, Rob.

[Wakko Warner (324)]

The "juxtaposition" (or lack thereof) of "jerk" and "sysadmin" was meant to inspire humor.

- A.P.

--

yes, Rob.

[Wakko Warner (324)]

We should outlaw being a jerk.

Then I would feel much less nervous, as a sysadmin.

- A.P.

--

Re:This adds nothing to the original post

[Tim Macinta (1052)]

The first two things you mention are as harmless as the original poster said already, and additionally they're already possible to do now! By doing the same things people do to get their site to be in the first 10 hits.

I don't think there there is another means presently known to redirect the user directly from the list of results within a search engine before the user ever actually clicks on any of the results. Maybe you misunderstood what I wrote or I wasn't clear in what I meant - or maybe I'm misunderstanding you now. How can you go about redirecting users from the page within the search engine that shows the first few results without using this Javascript exploit?

How the things that I listed differ from the things listed by the original poster are that the original poster considered the most nefarious possibility of redirection to be an annoyance (in the same way that porn sites flood you with annoying popups [from what I've heard]) whereas I suggested that a much worse use of redirection would be to deceive the user. The key is that the user thinks he is still on Lycos when he is not and this opens up a whole can of worms. Perhaps you consider this "harmless" because you think people who don't look up at the URL location of each web page they visit are stupid, but when you click on the "Search" button of your favorite search engine how many times do you look up at the location to see that the results are indeed from where you expect?

The third possibility you mention is not likely at all to work as people don't have to login to use a search engine.

Lycos does have web based email, which quite a few people use, and I think they have some other services that require registration as well. I would wager (based on Bayes' theorom) that people using Lycos for searching are more likely to have Lycos webmail accounts than the average internet user.

Re:What Kinds of Malicious Code?

[Tim Macinta (1052)]

JavaScript is a relatively harmless language. While it could do something dramatic redirect the user to a porn site or display something obnoxious on the screen, I doubt that it would do anything like delete user's harddrives or give h@x0rs access to user's computers.

Redirection could be used for more than just annoying purposes. The thought can comes to my mind right away is that it could be used for deceptive purposes:

• Users could be automatically whisked away to one of the results without seeing any of the other results in the list. So as long as you can get your page in the top ten results for a particular keyword, you can force the user to choose your page.
• Users are (understandably) expecting a Lycos page, so if the Javascript were to redirect the user to a page that masqueraded as a search-results page the user would be likely to assume that the page was legitimate and not biased. As an example, the "Church" of Scientology could use this bug to redirect users to an apparent Lycos results page for a search on "scientology" and they could change all of the results to be pro-scientology. Worse yet, they could change the links to anti-scientology sites to copies of the original sites which have been changed to something along the lines of "We've changed our minds. We were wrong. Scientology is not evil. All hail L Ron."
• For users of other Lycos services, such as Lycos mail, the user could be redirected to an imposter Lycos page which would ask for a username and password. Users would be much less likely to be suspicious because they were expecting a Lycos page.

Re:This is an incredibly common problem

[Plutor (2994)]

Great job, you really addressed 90% of the issues with stupid CGI programmers. I have dealt with the same problem in CGI that I've "inherited", and it's a pain in the ass to see such a simple exploit go unpatched.

Unfortunately, the Lycos bug is exactly the opposite. Instead of them taking s, and failing to turn them into < and >, the problem is that Lycos is finding web pages with < and >, and turning them into , thus changing non-HTML into HTML. A much less common problem, and also one it seems like they have TRIED to create. Why parse the HTML symbol codes into the symbols they represent? It's a strange bug, and its obscurity is why it's taken so long to come to light.

One thing to note, though, is that this bug probably would have been found months, if not years, ago if Lycos was OSS.

Re:Why don't they make JS secure

[valmont (3573)]

See comment #85 below, but keep in mind that most people do have javascript enabled, that javascript is a good thing to have enabled as it can often save a lot of unnecessary client-server requests and greatly improve a site's usability.

The danger comes from sites that base their authentication schemes on persistent cookies after the user has signed-on once.

Such cookie basically tells the server "hey i'm the right guy now gimme my personalized page".

You can use javascript to sniff the cookie via document.cookie and send that value to a cgi script that'll store it.

heh fun.

google is safe. Some WebMail sites affected

[valmont (3573)]

Some prominent web-based email sites like hotmail had a similar security-hole in their "dictionary" feature, which would allow a malicious user to paste an apparently harmless link in an email, because the link would be within the hotmail domain.

Once the user would click on that link, it would take them to the spell-checker interface of hotmail, but the 'word' passed to that CGI is actually HTMLcode that gets "echo'ed" as part of the "result page", just like any dictionary interface would do. That HTML code could be a SCRIPT tag downloading a .js javascript file from the perpetrator's server (to keep it clean) which could very well sniff a user's document.cookie and change the location of some hidden image on the page or pop a window by making an HTTP request to some evil CGI and passing the value of that document.cookie string as a parameter and store it in some text file.

The victim's cookie string most likely contains information that tells the server "hey i'm authenticated" so all it takes is for the evil person to reproduce that cookie.

As I browse the web, I find such vulnerabilities on member-driven sites all the time, some times I warn the webmaster, some times I don't bother, but it can potentially be pretty nasty. I even got a t-shirt from some mildly popular online community fedexed to me once after I rode their asses likes a madman so they'd finally plug a really *really* bad similar hole.

I found one in some remote feature of yahoo a few weeks ago, but its very small and I doubt anyone else would find it.

The rule of thumb to always follow as you design your web application, is "what is that HTML i'm sending to the user made of?". "is there any content in there that is taken from any kind of user input?". "if yes, am I filtering out all angled brackets?". "if i am allowing for user-input HTML content, am i filtering all unnecessary tags and among the tags i'm allowing am i filtering all unnecessary attributes (onload,onmouseover,onclick)?"

Re:Moderation

[unitron (5733)]

It's not an exact science by any means, but flamebait is generally designed to irk people and draw a lot of angry replies, i.e., start a flamewar.

A troll, on the other hand, is sometimes disguised as a somewhat coherent expression of opinion but doesn't really represent the poster's opinion, it's just designed to get a lot of people worked up replying to it so that the original poster can laugh at them wasting their time and tell himself how clever he is for having done so.

What they have in common is the level of maturity (low) and the lack of positive contribution to the discussion.

And then there are the 12 year olds who keep trying to sneak in links to stuff other than that to which the link appears to lead, and all the other posts associated with those posts, which are just another immature attempt to annoy people and waste their time. Off-topic covers these just fine.

None of this necessarily has anything to do with how posts actually get moderated.

Re:So?

[ewhac (5844)]

Anyone who enables javascript is asking for trouble.

That's a bit disingenuous. JavasCrypt is enabled by default in all graphical browsers. 90% of people out there don't even know what it is, much less how to turn it off (turning it off in Netscape is fairly easy, but turning it off in IE is extremely non-obvious, even if you know you're looking to kill JavaScript).

Schwab

Re:yes, Rob.

[garcia (6573)]

yeah, and your users would be less pissed off too ;-)

Logical paradox.

[Lemmy Caution (8378)]

Ack.

Wait a sec. If girls only go out with jerks, and never with "nice guys," that would mean that sys admins would be getting all the girls. And I know that ain't so.

Re:javascript gripe

[Dr.Dubious DDQ (11968)]

you can't just disable javascript's ability to open new windows whilst leaving the rest of its abilities intact. grrrr.

That's it. End of story. If browsers let you do that, we'd all be happy.

What? I can't? Shoot, I'd better turn that off then! :-)

Konqueror has exactly this option - you can tell it to disallow opening new windows completely, to have it ask, or to allow javascript window.open() always. Handy little feature...

---

Two words....

[gatkinso (15975)]

"Search warrant."

Fly away, little BSA bird.

Re:Why don't they make JS secure

[cygnus (17101)]

I wouldn't call HTML a language

Hyper Text Markup Language

it's a stateless language, but a language nonetheless.

Re:What Kinds of Malicious Code?

[cygnus (17101)]

jeez, thank goodness you're on the good side, or at least it would seem..

Javascript once again

[Midnight Thunder (17205)]

This once again proof that running JavaScript on the client end is bad. I am one of those people who turn JavaScript off the most part, though there are one or two web-sites that I have to turn it on if I want to get beyond the first page. I would love it if Mozilla provided an option for only having JavaScript activated for certain sites.

I am a believer in the thin-client approach to web-pages and that is if you can't do it on the server and you can't use HTML for your web page then you are probably doing something wrong. This is my opinion and you don't have to share in it.

Jerks?

[rw2 (17419)]

Finding security holes is exactly why open source security works better than security through osbcurity for crying out loud! You should be thanking those guys instead of using your site as a soap box to bully them into thinking like a Taco.

And re-read Steven Levy's book Hackers while you're at it.

--
Poliglut [poliglut.com]

Re:So?

[macpeep (36699)]

How does *Microsoft* force you to enable cookies to view *Starbucks*?! Cookies were invented by Netscape anyway, you know, and there's absolutely nothing unsafe or strange about them despite all the FUD.

A cookie set by a server can only be read by that same server. The exact same effect can be done by URL rewriting (adding a token to each url.. as in.. /something.php3 becomes /something.php3?youAre=dude123 and every link adds that ?youAre=dude123 part to it. You can now be identified between link clicks. 99% of all cookies are simply used for session tracking. Only idiots programmers would actually store any DATA of relevance in them (like a credit card number, home address etc.)

[Off Topic] Re:What Kinds of Malicious Code?

[Lifewolf (41986)]

Everything on XP runs as Administrator.

What FUD is this?

Not all the facts were stated by the person to which you replied. Windows XP Home Edition does not feature different access levels. All users are Administrators. Windows XP Professional retains different access levels.

See: http://www.microsoft.com/windowsxp/guide/compariso n.asp [microsoft.com]

Re:This is an incredibly common problem

[jesser (77961)]

don't forget to change a quote (") into &quot;

And it might also be a good idea to turn & into &amp; while you're at it.

Btw, I don't think you need to do the &lt; and &gt; transformations for attributes, but it doesn't hurt.

Re:Lycos URL to hang IE5

[jesser (77961)]

This link is a fine example... difficult to get out of on Microsoft browsers.

Only on Microsoft browsers? I don't remember finding a browser where I could get out of that kind of loop.

See bug 59314 [mozilla.org], "Alerts should be content-modal, not window-modal", for fixing this in Mozilla.

How hard is it?

[Moonshadow (84117)]

Cmon, that's just sloppy.

<? $page_description = strip_tags($page_description);?>

Problem solved.

I love PHP :).

Re:How hard is it?

[Moonshadow (84117)]

You must be one of those masochistic people that likes to write web apps in assembler.

Sorry, I'll take productivity over intense pain anyday.

Re:This is an incredibly common problem

[kimihia (84738)]

You also forgot that you need to remove quotes as well.

When it helpfully fills in a text box, you have to escape the quotes. Take this example:

<input value="DATA">

Now we craft the malicious string ( " onfocus="alert('howdy'); ) and place it in the text box like so:

<input value="" onfocus="alert('howdy');">

See also my article on Accepting input and malicious script insertion [kimihia.org.nz].

Lots of sites are vulnerable. Lots of sites have lazy developers.

Re:yes, Rob.

[4of12 (97621)]

We should outlaw being a jerk.
Then I would feel much less nervous, as a sysadmin.

O, right, I am *so sure*.

Have you even thought about this for a minute?

Some of our ver best sysadmins are jerks!

Where would that leave us?

I'll tell you where: with clueless nice-guys running the computers, that's where!

Stoll's a jackass

[crucini (98210)]

and that quote illustrates why. If you live in a small town where nobody locks the doors, it's not reasonable to walk into someone's house uninvited. If you connect your computer to a global network and program it to accept TCP connections on certain ports, it is reasonable for people all over the world to connect to those ports.
I wonder if Stoll originated the nonsensical comparison between 'unauthorized access' of a corporate/governmental computer and breaking into someone's house. They're not the same at all, but this silly notion underpins a lot of bad thinking and bad law. Stoll was zealously protective of the 'computing resources' of a huge government lab at a time when 'real computers' were out of reach for ordinary people. He could be compared to a royal chef in the middle ages urinating on the excess food from the royal table lest a commoner eat it.
I don't agree that security problems have made the web 'experts only'. If you want to run your own web server and you're not an expert, run vanilla Apache and sshd and nothing else. Actual holes in Apache are pretty rare. Or am I missing your point?

Non-Existent Slashdot Article?

[zpengo (99887)]

This article [slashdot.org] was just posted, but then disappeared from the home page. Interesting.

What Kinds of Malicious Code?

[zpengo (99887)]

JavaScript is a relatively harmless language. While it could do something dramatic redirect the user to a porn site or display something obnoxious on the screen, I doubt that it would do anything like delete user's harddrives or give h@x0rs access to user's computers.

This isn't a serious security breech, just an annoying oversight by Lycos programmers which will probably be patched up in the next fifteen seconds.

Re:What Kinds of Malicious Code?

[slamb (119285)]

Lycos result contains Javascript. Javascript redirects you to some server. That server runs some ActiveX code.

Stop there. ActiveX code doesn't run without a confirmation dialog saying something to the effect of "This is untrusted/unsigned code; are you sure you want to run it?" The security implications are made quite clear to the user. Now if a Javascript program could automatically click "OK" on that dialog, then I'd be worried. (Knowing Microsoft, I wouldn't be too surprised to hear about that sort of security vulnerability.)

Does anyone else think it's sad that people are worried about Lycos's vulnerability of allowing other people's Javascript to get on their pages? It's a problem if any HTML/Javascript/whatever someone sends at you creates a problem. You shouldn't have to stay on trusted websites to be safe. Lycos's problem is minor. The real problem to be addressed is that people don't consider Javascript safe, probably with good reason.

I checked google

[Nastard (124180)]

The javascript hole doesn't work on google, but I found an even worse bug that allows you to pass along ASM [google.com] in a search string!

Re:Two things...

[jallen02 (124384)]

*sigh*

In the context of the browser VBScript executes with the same permissions as JavaScript... PERIOD!

You cant create a file system object using a VBScript in a browser. It takes more than most people think to damage a machine with just VB/JavaScript. You have to use "social" engieering more than anything and trick people more than you cna directly harm their systems.. think about it

Why don't you show me some VBScript runs from a web page that can do something malicious. Ill gladly run it on my machine and click NO if its an ActiveX object and simply laugh at anything else since it simply WONT work in the browser.

Outlook has totally different access privileges why do you think all of these worms are spread. Do you know the mayhem that would be caused if ever IE browser was exploitable via VBScript?

Stop and think before trashing something for an unfounded reason.

Jeremy

Re:Praising security "investigators"

[neoThoth (125081)]

I've seen a few posting in this same manner and I can see your point. One point that I think you are missing entirely is that whether or not these bugs are reported by these security advisors, they exist. And if they exist you can bet your last dollar someone is exploiting it somewhere. What these teams do is make it public so that someone has to fix the bug. Otherwise a group of very elite folks who figured it out in the first place are going to keep using it to intrude their way into someones servers.
People that claim to have found a bug are probobly the 10th or 11th person that found it. but at least they aren't of the mind to go find every server with that flaw and exploit the hell out of it.
the very fine line comes with the fact that once bugs are announced it's now a race called sysAdmins vs. script kiddies. This part I agree can suck for a lot of people. Keeping up with all of this is a tough job. Then again if you don't like the job go serve fries at McDonalds.
thothic
[ps. that whole Neo thing is not funny. (neoThoth.. shortened to neo) I had that handle way before that no talent ass monkey let the Matrix carry his career.

Re:What Kinds of Malicious Code?

[roman_mir (125474)]

I remember about two years ago one one of the CD/MP3 player web sites anounced a release of their new MP3/CD player. They asked their web guests to come up with a good name for the player. I came up with a name "Duet" which meant that the player could play both - audio and MP3 CDs. I wanted to win the first prize (which was anounced to be a portable MP3/CD player) So naturally I wanted as many people as possible to vote for me. However it appeared that no one could vote more than once a day (the site logged IP addresses) so I decided to get people to vote for me even without them knowing what they are doing. All I had to do was to open a new account on GeoCities and set up an HTML page with some javascript which would send a vote from the users computer to the MP3 player site. All I needed was a large number of people to go to my page. So I sent the link to my Geocities page to various news groups disguised as something else (the porn news groups were GOLD) I got thousands of hits per day. Unfortunately I did not win the MP3 player, it appeared that most competitors only got a few votes, I on the other hand received thousands. The contest organizers thought (not without merit) that I spoofed the IP address and though they liked the name, they decided to give it to the third person in the list (the second guy after me apparently was also doing something of the kind, he had just a bit fewer votes than I did) It did not matter anyway, since the contest organizers gave the winner a car MP3/CD player (which I did not care for) and not a portable one.

Re:Praising security "investigators"

[btellier (126120)]

So basically what you're saying is that you'd rather get hacked once a year than apply patches every few weeks?

People who do security research are smart enough to know that they're not the only smart ones out there. When they post an advisory they do it because they know that someone out there has already found the bug, exploited it, and kept it to themselves. Sure, your chances of getting hacked after it becomes public increase many fold *if you don't apply the patches*, but at least you have a chance of defending against a known enemy.

As far as the "let the makers know and then post publicly if action isn't taken" argument, let me give you an example: the recent Code Red worm was based on an IIS .ida extention overflow. If eEye had simply alerted MS about this issue and promised that they wouldn't post the information MS would've simply incorporated the fix into the next service pack, not wanting to raise any alarms about IIS security. In the meantime, someone else could've found the hole, written the worm and released it to the waiting internet. In that scenario no one would've been patched and the worm would've compromised ten times the servers that it did.

In the end, posting publicly gives sysadmins the opportunity to minimize the exposure to vulnerabilities. Don't forget: just because it isn't public doesn't mean it isn't there.

-brock

Uh-oh...

[Rimbo (139781)]

I think a lot of those of us who post to slashdot would be in trouble if jerks were outlawed.

I'd certainly flee to Canada if that happened.

But then Canada would be populated with jerks...

Perhaps we could all flee to Australia? Then Australia would have THREE social classes -- descendants of British "criminals," aborigines, AND jerks!

Bah, nevermind...

Re:So?

[marm (144733)]

That's a bit disingenuous. JavasCrypt is enabled by default in all graphical browsers.

Actually that's not quite true. Konqueror very deliberately keeps JavaScript, Java and Netscape plugins off by default. If you need them, then it's a cinch to enable them (very obvious in the Konqui settings dialog, or, if you have the extra plugins that are in the kdenonbeta package, it's even simpler, select a menu item or a toolbar button).

If you're concerned about turning JavaScript on globally, then you can enable/disable JavaScript (and Java) on a per-site basis.

Sigh... If only every graphical browser put security first...

Re:Jerks?

[Fishstick (150821)]

>Finding security holes is exactly why open source security works better than

>>Are you stating that open source software is 100% secure?

Didn't sound like it to me. Sounded more like a rationale for making exploits public... so lots of people can think about a way to fix the problem. Calling people jerks for demonstrating an exploit of a security vulnerability seems counter to the prevailing attitude among those who think hiding security problems is an exercise in futility.

>Moderators, can we please start marking messages that state "this wouldn't happen if it was open source" as "Troll".

Whoa... you might want to have that knee looked at. :-)

---
Hi! How are you?
I send you this .sig in order to have your advice

We love you anyway CT

[Zero__Kelvin (151819)]

"Proof once again that the jerks have more spare time then the people who actually do something worthwhile."

Don't be so hard on yourself there CmdrTaco! We read your drivelous comments just the same 8^}
And BTW - it's 'than' the people, not 'then' the people.

Re:This is an incredibly common problem

[_xeno_ (155264)]

How do you stop this happening? Simple - deactivate HTML tags from user input by replacing < with &lt; and > with &gt; - problem solved :)

And if you're putting the results in <INPUT TYPE="TEXT" VALUE="Something The Use Entered"> don't forget to change a quote (") into &quot;. Otherwise you can still get weird results, especially because you can insert new attributes (maybe do something even via onclick="something_nasty()" at that!)

--

Re:Why don't they make JS secure

[IronChef (164482)]

For the love of Jebus, with all the ways JavaScript can be abused, why don't the browsers come with a way to filter out the most obnoxious actions? I'd love to see checkboxes for the following.

Disallow new window creation
Disallow window moving and resizing
Disallow redirection
Disallow shortcut creation
[I nearly blew a gasket the first time I found that a site had placed porn and casino links in my Start menu.]
Disallow access to cookies

There are probably others, I'm no JavaScript whiz.

An ideal browser would let you toggle all that stuff, and then enable it for specific sites of your choosing.

I'll have to look at Web Washer again... maybe it lets you re-enable pops for the sites that need them.

Re:This is an incredibly common problem

[spongman (182339)]

here's a good one for all you IE5.5 users. search on lycos for:

<a href="friskit.com"> <img border=0 src="http://friskit.com/site/images/logo.gif"> </a> <script> document.body.style.filter= "progid:DXImageTransform.Microsoft.Blur (pixelradius=3)"; </script>

Re:Jerks?

[scott1853 (194884)]

Are you stating that open source software is 100% secure?

People find holes in proprietary systems all the time. Hell, I've gotten a couple hundred MS security bulletins over the last 2 years sitting in my inbox, none of which MS has discovered on their own. The holes in proprietary systems simply get more exposure because it's fuel for all the open source zealots and a large part of corporate america uses the closed systems.

Moderators, can we please start marking messages that state "this wouldn't happen if it was open source" as "Troll".

Just to be an idiot and delve deeper into this arguement, are you stating that if it was open source, you'd do a line-by-line audit of the code to make sure it was something you felt was secure and you want to run? Let's face it, everybody that advocates open source just assumes everybody else is testing it. How many people have done a complete code audit of any Linux app before they installed it. None. This could also be due to the fact that most Linux apps haven't made it to that 1.0 mark yet and maybe the users expect what they get. It's a good argument that "it's still in BETA" when somebody points out a security hole in something.

Re:What Kinds of Malicious Code?

[cmpgn (200265)]

Unfortunately, due to a recent vulnerability in Outlook, the ability to redirect a user to a webpage of your choice could be used for malicious purposes. The text below is an extract from Microsoft Security Bulletin MS01-038 [microsoft.com] (http://www.microsoft.com/technet/treeview/default .asp?url=/technet/security/bulletin/MS01-038.asp):

The Microsoft Outlook View Control is an ActiveX control that allows Outlook mail folders to be viewed via web pages. The control should only allow passive operations such as viewing mail or calendar data. In reality, though, it exposes a function that could allow the web page to manipulate Outlook data. This could enable an attacker to delete mail, change calendar information, or take virtually any other action through Outlook including running arbitrary code on the user's machine. Hostile web sites would pose the greatest threat with respect to this vulnerability. If a user could be enticed into visiting a web page controlled by an attacker, script or HTML on the page could invoke the control when the page was opened. The script or HTML could then use the control to take whatever action the attacker desired on the user's Outlook data.

Granted, the patch for this problem has long been available, but, as Code Red illustrates, that does little to reduce the overall vulnerability.

Re:Jerks?

[Deskpoet (215561)]

Yes, it was, but Taco's appelation of jerks--with the specification that they're not doing something worthwhile--is a bit specious, or perhaps more exactly, personally myopic.

I realize this is hairsplitting, but I'm sure the creators of such "malicious" acts have fully justified reasons for what they're doing, even if those reasons are only justifiable to themselves. They *ARE* doing something worthwhile, in this sense; their actions just aren't worthwhile to Taco.

Now, if one wishes to attack said individuals on a stictly moral basis, I think that is perfectly justified.

Re:Jerks?

[Chibi (232518)]

I believe the "jerks" reference is to the people writing the malicious JavaScript code, and not the people reporting it. :)

Re:What Kinds of Malicious Code?

[tim_maroney (239442)]

Yes, this does seem to be a rather minor problem. It doesn't do anything on the search engine page that the hacker couldn't do on his own page. It's arguable whether insertion of a popup window or an unbidden redirect is exactly a "security breach" at all. Although it's certainly annoying, none of the user's data is compromised.

This sort of thing could be used to break sites which use cookie security. It would be easy to use the JavaScript to return the session cookie to an intercept site by CGI communication with that site. However, since search engines don't usually have user accounts, this is unlikely to be important. Still, it should be tried on Yahoo! at least, and any other search engine sites that support login and use weak session security.

Tim

Re:Javascript once again

[tb3 (313150)]

That's one cool feature in Konqueror; it let's you turn of just the javascript window.opn function. So all of javascript works, but no pop-ups, pop-unders or whatever. It would be nice if the other browser manufacturers would let you turn off certain parts of javascript, but they're advertisers, too, so you know they won't.

Re:What Kinds of Malicious Code?

[Dr. Prakash Kothari (314326)]

Windows boxen don't have root access. But I guess it doesn't sound as leet to say "You can 4Dm1n157r470r a Windows box!"

This is an incredibly common problem

[skunkeh (410004)]

This one's been around for years, and is present on literally millions of sites. I read somewhere certain both AltaVista and Amazon have both suffered from this in the past. Here's how it works:

You have some kind of form input, with the next page displaying whatever the user typed into that form field (for a search engine this would be in the form of "You searched for..."). the golden rule of web development is NEVER TRUST input from your users. Most developers take great lengths to check anything that's going into a file or database, or erspecially code that will be executed on the command line.

However, if you're just going to display something to the user that typed it why bother checking the content? Surely only the user who typed the thing is going to see it again, and it's not like they're going to be able to affect any of your systems?

Therein lies the problem. If you allow a user to type anything into a form and then have it re-displayed, they can include HTML tags. And if they can include HTML tags, they can include <script> tags. And script tags can do weird stuff.

Still think it's not a problem thanks to the fact that only the user will see it? Think again - seeing as most applications like search engines use GET to pass parameters, you can fill in the form for the user by offering them a link to click:

http://yoursite.com/search?<b>Oooh+Bold+Text </b><script>alert('Ew ww nasty popup')</script>

All of a sudden you can cause your weird popup messages to appear on someone elses site.<p>

The biggest security problem is the fact that javascript can access cookies. Imagine sending someone to a website via a link containing javascript that reads their username/password cookie for that site then pops up a window feeding that username/password to a script page con your server (in the query string) - BANG, you've got their password.

How do you stop this happening? Simple - deactivate HTML tags from user input by replacing < with &lt; and > with &gt; - problem solved :)