Security Hole Lets Lycos Run Arbitrary JavaScript 141
JibbaJabba writes "Securiteam is reporting that a "security vulnerability has been confirmed in Lycos's Search Engine" which "allows malicious web site owners to cause JavaScript code (or any other HTML code) to get included in the search results displayed to the end user by Lycos". They also state that "other engines are suspected to be vulnerable as well". Anyone tried google yet? The original bugtraq report by Sentry Labs is available here." Proof once again that the jerks have more spare time then the people who actually do something worthwhile.
Re:What Kinds of Malicious Code? (Score:1)
Comment out results? (Score:1)
Re:yes, Rob. (Score:1)
Re:What Kinds of Malicious Code? (Score:1)
Praising security "investigators" (Score:3)
Re:yes, Rob. (Score:2)
- A.P.
--
yes, Rob. (Score:3)
Then I would feel much less nervous, as a sysadmin.
- A.P.
--
Re:This adds nothing to the original post (Score:2)
I don't think there there is another means presently known to redirect the user directly from the list of results within a search engine before the user ever actually clicks on any of the results. Maybe you misunderstood what I wrote or I wasn't clear in what I meant - or maybe I'm misunderstanding you now. How can you go about redirecting users from the page within the search engine that shows the first few results without using this Javascript exploit?
How the things that I listed differ from the things listed by the original poster are that the original poster considered the most nefarious possibility of redirection to be an annoyance (in the same way that porn sites flood you with annoying popups [from what I've heard]) whereas I suggested that a much worse use of redirection would be to deceive the user. The key is that the user thinks he is still on Lycos when he is not and this opens up a whole can of worms. Perhaps you consider this "harmless" because you think people who don't look up at the URL location of each web page they visit are stupid, but when you click on the "Search" button of your favorite search engine how many times do you look up at the location to see that the results are indeed from where you expect?
The third possibility you mention is not likely at all to work as people don't have to login to use a search engine.
Lycos does have web based email, which quite a few people use, and I think they have some other services that require registration as well. I would wager (based on Bayes' theorom) that people using Lycos for searching are more likely to have Lycos webmail accounts than the average internet user.
Re:What Kinds of Malicious Code? (Score:5)
Redirection could be used for more than just annoying purposes. The thought can comes to my mind right away is that it could be used for deceptive purposes:
Re:What Kinds of Malicious Code? (Score:1)
And more to the point, since JavaScript can read cookies, any active logins to the search engine site could be sent by the rouge JS to a third party.
--
Re:So? (Score:1)
When vendors ship operating systems that are inherently insecure, they're loudly blasted for doing such, and the administrators of those systems are often held responsible for "locking down" the default-insecure configuration. This is considered well, good, and normal by a great many folks, esp. here on /.
It may be that 90% of the people out there don't know what Javascript is, but I should hope that the percentage of /.ers that don't know anything about Javascript would be far, far, far less. I may be wrong (in fact, I probably am, considering that at least one person thought my original comment was a troll -- they're probably thinking "JAVASCRIPT RULZ DOODZ! U SUX!" when they read anything critical of Javscript or other client-side code), but I hope not.
You can't really blame the graphical browser vendors. Many sites require javascript to do trivial operations: to follow a link, to submit a form, etc. Many of the same end-users who don't know what Javascript is or that you CAN turn it off end up being those who shout for it loudest when it is disabled. It's scary when someone, in all apparent seriousness, claims that they use $BROWSER[A] because $BROWSER[B] allows Javascript to be disabled, and they don't think that's right.
A couple of times I've pushed further, and learned that "well, the web-developers wouldn't use it unless it was safe, so you're just full of it when you say that there are risks involved!" -- and I imagine that most of the folks who write Javascript do so because they need it to provide the behavior required by those same users.
So, yes, it's a bit much to expect any one newbie to know enough to disable Javascript. But that shouldn't apply here, right?
As I said, this isn't anything unexpected. Those who pay attention already disable Javscript and go around making sure the folks they care about know that Javascript can be disabled. So anyone that anyone on /. knows that has Javascript enabled either has (1) done so knowing the risks or (2) has really crappy friends/acquaintances.
Personally, I'd be happy to have a Javascript Guru devise a better resource-consumption script than what I currently have:
Re:This is an incredibly common problem (Score:1)
My middle paragraph should read:
Unfortunately, the Lycos bug is exactly the opposite. Instead of them taking < and >s, and failing to turn them into < and >, the problem is that Lycos is finding web pages with < and >, and turning them into < and >, thus changing non-HTML into HTML. A much less common problem, and also one it seems like they have TRIED to create. Why parse the HTML symbol codes into the symbols they represent? It's a strange bug, and its obscurity is why it's taken so long to come to light.
Re:Jerks, 80K? (Score:1)
Re:This is an incredibly common problem (Score:3)
Unfortunately, the Lycos bug is exactly the opposite. Instead of them taking s, and failing to turn them into < and >, the problem is that Lycos is finding web pages with < and >, and turning them into , thus changing non-HTML into HTML. A much less common problem, and also one it seems like they have TRIED to create. Why parse the HTML symbol codes into the symbols they represent? It's a strange bug, and its obscurity is why it's taken so long to come to light.
One thing to note, though, is that this bug probably would have been found months, if not years, ago if Lycos was OSS.
Re:Two things... (Score:1)
Re:Javascript once again (Score:1)
just think.
Re:Why don't they make JS secure (Score:2)
The danger comes from sites that base their authentication schemes on persistent cookies after the user has signed-on once.
Such cookie basically tells the server "hey i'm the right guy now gimme my personalized page".
You can use javascript to sniff the cookie via document.cookie and send that value to a cgi script that'll store it.
heh fun.
google is safe. Some WebMail sites affected (Score:4)
Once the user would click on that link, it would take them to the spell-checker interface of hotmail, but the 'word' passed to that CGI is actually HTMLcode that gets "echo'ed" as part of the "result page", just like any dictionary interface would do. That HTML code could be a SCRIPT tag downloading a .js javascript file from the perpetrator's server (to keep it clean) which could very well sniff a user's document.cookie and change the location of some hidden image on the page or pop a window by making an HTTP request to some evil CGI and passing the value of that document.cookie string as a parameter and store it in some text file.
The victim's cookie string most likely contains information that tells the server "hey i'm authenticated" so all it takes is for the evil person to reproduce that cookie.
As I browse the web, I find such vulnerabilities on member-driven sites all the time, some times I warn the webmaster, some times I don't bother, but it can potentially be pretty nasty. I even got a t-shirt from some mildly popular online community fedexed to me once after I rode their asses likes a madman so they'd finally plug a really *really* bad similar hole.
I found one in some remote feature of yahoo a few weeks ago, but its very small and I doubt anyone else would find it.
The rule of thumb to always follow as you design your web application, is "what is that HTML i'm sending to the user made of?". "is there any content in there that is taken from any kind of user input?". "if yes, am I filtering out all angled brackets?". "if i am allowing for user-input HTML content, am i filtering all unnecessary tags and among the tags i'm allowing am i filtering all unnecessary attributes (onload,onmouseover,onclick)?"
Re:Moderation (Score:2)
A troll, on the other hand, is sometimes disguised as a somewhat coherent expression of opinion but doesn't really represent the poster's opinion, it's just designed to get a lot of people worked up replying to it so that the original poster can laugh at them wasting their time and tell himself how clever he is for having done so.
What they have in common is the level of maturity (low) and the lack of positive contribution to the discussion.
And then there are the 12 year olds who keep trying to sneak in links to stuff other than that to which the link appears to lead, and all the other posts associated with those posts, which are just another immature attempt to annoy people and waste their time. Off-topic covers these just fine.
None of this necessarily has anything to do with how posts actually get moderated.
Re:So? (Score:4)
That's a bit disingenuous. JavasCrypt is enabled by default in all graphical browsers. 90% of people out there don't even know what it is, much less how to turn it off (turning it off in Netscape is fairly easy, but turning it off in IE is extremely non-obvious, even if you know you're looking to kill JavaScript).
Schwab
Re:yes, Rob. (Score:2)
Re:This adds nothing to the original post (Score:1)
à
This is a way to decide how to treat disease by knowing about the rate of the disease and how good your test is.
à
Diagnosis based on:
Prior Odds (or base rate of disease)
Characteristics of a diagnostic test (sensitivity and specificity)
à
Here is a scenario: You work in an area with a relatively high rate of Lyme disease. You have a test for Lyme disease and a patient you want to test. You could decide whether your patient has Lyme disease simply on how common Lyme disease is (prior odds). With the test as the diagnostic tool, you could only base your diagnosis on the outcome of the test and how good the test is. Using both pieces of information is a better approach.
à
Know Sensitivity and Specificity. (As defined in the basic experimentation lecture)
à
Bayes Theorom can also help you to update your decision-making when new info comes around.
Logical paradox. (Score:2)
Wait a sec. If girls only go out with jerks, and never with "nice guys," that would mean that sys admins would be getting all the girls. And I know that ain't so.
Re:What Kinds of Malicious Code? (Score:1)
Re:javascript gripe (Score:3)
That's it. End of story. If browsers let you do that, we'd all be happy.
What? I can't? Shoot, I'd better turn that off then! :-)
Konqueror has exactly this option - you can tell it to disallow opening new windows completely, to have it ask, or to allow javascript window.open() always. Handy little feature...
---
Two Better Words: (Score:1)
How about "wrong story" instead? How did this get moderated up, anyway?
Remember: it's a "Microsoft virus", not an "email virus",
Two words.... (Score:2)
"Search warrant."
Fly away, little BSA bird.
Re:Why don't they make JS secure (Score:2)
Hyper Text Markup Language
it's a stateless language, but a language nonetheless.
Re:What Kinds of Malicious Code? (Score:2)
Javascript once again (Score:3)
I am a believer in the thin-client approach to web-pages and that is if you can't do it on the server and you can't use HTML for your web page then you are probably doing something wrong. This is my opinion and you don't have to share in it.
Jerks? (Score:3)
And re-read Steven Levy's book Hackers while you're at it.
--
Poliglut [poliglut.com]
*sniff* I miss NS 3 (Score:1)
Plus, it's faster then NS4 rendering /. in nested mode!
Pope
What? Bear is driving car? How can that be?!
Taco can't spell? (Score:1)
Proof is a noun. Prove is a verb. Keep that in mind, will ya?
Re:So? (Score:1)
In IE, it's under Security, which is the obvious place to have it. Particularly if you don't know *what* Javascript is; all you have to do is set your security to high - you don't have to worry about the details.
Simon
Re:What Kinds of Malicious Code? (Score:1)
<IMG SRC="file:/c://con/con">
Re:So? (Score:2)
A cookie set by a server can only be read by that same server. The exact same effect can be done by URL rewriting (adding a token to each url.. as in..
Re:Jerks? (Score:1)
Personally, I surf with JavaScript disabled by default, which kills those pop-up windows (bonus!).
Re:Jerks? (Score:1)
http://www.google.com/search?num=100&lr=lang_en
[Off Topic] Re:What Kinds of Malicious Code? (Score:3)
Not all the facts were stated by the person to which you replied. Windows XP Home Edition does not feature different access levels. All users are Administrators. Windows XP Professional retains different access levels.
See: http://www.microsoft.com/windowsxp/guide/compariso n.asp [microsoft.com]
Re:javascript gripe (Score:1)
Konqueror has exactly this option - you can tell it to disallow opening new windows completely, to have it ask, or to allow javascript window.open() always. Handy little feature...
OmniWeb for OS X has it beat, with a setting to open the window only if it was requested by a user action. I can go to a site like the The Onion and have its left-hand bar popups like Horoscopes open just fine, but I have never, ever seen a popup ad.
javascript fun (Score:1)
Wow... simplest use would be popups on search (Score:1)
Imagine, you do a search, and while you're sitting there looking at the search results, you get popup ads being generated by the sites in your results list. Now imagine that the search hit a lot of porn sites. And they have exit traps.
Hopefully, the search engines get this remedied quickly. I imagine they'll just filter out javascript.
-Todd
---
Re:Javascript once again (Score:1)
So does Mozilla AFAIR. It just lacks a nice GUI and you need to edit your prefs.js.
Re:I want a button! (Score:1)
Automatic JavaScript on and off based on URL might be OK, but I want a button down in my tray where I can easily turn it on and off -- with, of course, indication of state.
Slashdot rumor [slashdot.org] has it that Microsoft toyed with this idea for a while and then dropped it when it internally became known as the "porn button". Vote for (or help us fix) one or both of these if you'd like to see the feature added to Mozilla:
bug 38521 [mozilla.org] Preferences Toolbar, for most commonly used prefs
bug 87538 [mozilla.org] [RFE] preferences buttons on status bar
Re:Why don't they make JS secure (Score:1)
Re:This is an incredibly common problem (Score:2)
And it might also be a good idea to turn & into & while you're at it.
Btw, I don't think you need to do the < and > transformations for attributes, but it doesn't hurt.
Re:Lycos URL to hang IE5 (Score:2)
Only on Microsoft browsers? I don't remember finding a browser where I could get out of that kind of loop.
See bug 59314 [mozilla.org], "Alerts should be content-modal, not window-modal", for fixing this in Mozilla.
How hard is it? (Score:2)
<? $page_description = strip_tags($page_description);?>
Problem solved.
I love PHP
Re:How hard is it? (Score:2)
Sorry, I'll take productivity over intense pain anyday.
Re:This is an incredibly common problem (Score:1)
Ya think? PHPLIB has been OSS for a long time and only recently programming problems of the above type were found in it.
OSS isn't the magic elixir. It's a step in the right direction.
Re:This is an incredibly common problem (Score:2)
You also forgot that you need to remove quotes as well.
When it helpfully fills in a text box, you have to escape the quotes. Take this example:
Now we craft the malicious string ( " onfocus="alert('howdy'); ) and place it in the text box like so:
See also my article on Accepting input and malicious script insertion [kimihia.org.nz].
Lots of sites are vulnerable. Lots of sites have lazy developers.
Re:Moderation (Score:1)
Re:I'm just shocked Taco posted a cross-platform h (Score:1)
--
Re:yes, Rob. (Score:2)
We should outlaw being a jerk.
Then I would feel much less nervous, as a sysadmin.
O, right, I am *so sure*.
Have you even thought about this for a minute?
Some of our ver best sysadmins are jerks!
Where would that leave us?
I'll tell you where: with clueless nice-guys running the computers, that's where!
Stoll's a jackass (Score:2)
I wonder if Stoll originated the nonsensical comparison between 'unauthorized access' of a corporate/governmental computer and breaking into someone's house. They're not the same at all, but this silly notion underpins a lot of bad thinking and bad law. Stoll was zealously protective of the 'computing resources' of a huge government lab at a time when 'real computers' were out of reach for ordinary people. He could be compared to a royal chef in the middle ages urinating on the excess food from the royal table lest a commoner eat it.
I don't agree that security problems have made the web 'experts only'. If you want to run your own web server and you're not an expert, run vanilla Apache and sshd and nothing else. Actual holes in Apache are pretty rare. Or am I missing your point?
Re:What Kinds of Malicious Code? (Score:1)
Rubbish.
1) Where was it getting the email address from? If the user typed it in it's their fault, and I fail to see where else it would get it from.
2) There's no such thing as a JS "applet". Applet refers to a client side embedded Java application, no relation to JS at all.
I was doing this back in 95! (Score:1)
Nowadays when I build forms I always set a max length. This keeps people from doing the things I did when I was 15
Non-Existent Slashdot Article? (Score:2)
What Kinds of Malicious Code? (Score:3)
This isn't a serious security breech, just an annoying oversight by Lycos programmers which will probably be patched up in the next fifteen seconds.
Re:What Kinds of Malicious Code? (Score:1)
Wait until they're all using WinXP. Everything on XP runs as Administrator. Be it Notepad, Word, IE, or (heaven help us) Outlook. Everything has full access to the system.
Maybe I'm just talking out my ass, but consider this: Lycos result contains Javascript. Javascript redirects you to some server. That server runs some ActiveX code. That code grabs your email password and login password and mails them encrypted with PGP/GPG to some mail box in some remote part of the world for later cracking.
Maybe I'm completely off my rocker - and tell me if I am - but giving people the ability to run arbitrary commands on someone elses PC isn't usually that good, especially when it's a hypertext link. People don't really think of links as programs, unless the link explicitely says "click here to run my javascript applet". And even then, the average user isn't going to understand the full implications of clicking on that link and giving a program 'root' access on their system.
kickin' science like no one else can,
my dick is twice as long as my attention span.
Re:What Kinds of Malicious Code? (Score:1)
The statement about WinXP running all things as Administrator came from a radio interview between GRC's Steve Gibson and TheRegister's Tom Greene. You can read a transcript [theregister.co.uk] (crap) or listen to the WMA [vpwsys.net] (could someone on a decent connection download Goldwave [goldwave.com] and reencode it as an mp3 or ogg?).
Another article [geek.com] supports my statement. In particular, the line that reads:
As it gets easier and easier to install and use, how many new Linux users even know the dangers of operating as root? Let alone Win2k/WinXP users.
So, we'll have all these boxes running out there in root mode while people are checking their mail and browsing the web. We've got enough problems as it is with Windows' limited (no raw sockets) TCP/IP stack.
Now, you could argue that anyone who wanted to run some random program could just as well install support for raw sockets for Win9x (winpcap, anyone?) and install a trojan that could make use of it and syn-flood some server with spoofed IPs. And you'd be absolutely correct..they could. However, have they? Not to my knowledge. However, with WinXP, they won't have to. WinXP (probably) includes a nice, powerful, BSD TCP/IP stack that can do all that raw sockets stuff without the user having to install it. Skript kiddies, rejoice! [datanerds.net]
kickin' science like no one else can,
my dick is twice as long as my attention span.
Re:What Kinds of Malicious Code? (Score:1)
At the same time, why don't you check and see how many people out there even run their computer with a default install of Windows and IE? Hopefully the results won't surprise you.
kickin' science like no one else can,
my dick is twice as long as my attention span.
Re:What Kinds of Malicious Code? (Score:2)
Lycos result contains Javascript. Javascript redirects you to some server. That server runs some ActiveX code.
Stop there. ActiveX code doesn't run without a confirmation dialog saying something to the effect of "This is untrusted/unsigned code; are you sure you want to run it?" The security implications are made quite clear to the user. Now if a Javascript program could automatically click "OK" on that dialog, then I'd be worried. (Knowing Microsoft, I wouldn't be too surprised to hear about that sort of security vulnerability.)
Does anyone else think it's sad that people are worried about Lycos's vulnerability of allowing other people's Javascript to get on their pages? It's a problem if any HTML/Javascript/whatever someone sends at you creates a problem. You shouldn't have to stay on trusted websites to be safe. Lycos's problem is minor. The real problem to be addressed is that people don't consider Javascript safe, probably with good reason.
This kind of malicious code! (Score:1)
I checked google (Score:5)
Re:What Kinds of Malicious Code? (Score:1)
Why even bother. You guys are just making claims that arent even true with no real basis for the claims. Why dont you test that and see how many machines with a default install of IE (Windows) that works on.. The results will suprise you
Jeremy
Re:No, no, no (Score:1)
Gotta love random
Jeremy
Re:Two things... (Score:1)
Dont confuse VBScript with an ActiveX control
THey are totally different.
And of course if you can get a VBScript to the windows script host its all over but the crying... doing that from a browser is something id like to see however
Jeremy
Re:Two things... (Score:2)
In the context of the browser VBScript executes with the same permissions as JavaScript... PERIOD!
You cant create a file system object using a VBScript in a browser. It takes more than most people think to damage a machine with just VB/JavaScript. You have to use "social" engieering more than anything and trick people more than you cna directly harm their systems.. think about it
Why don't you show me some VBScript runs from a web page that can do something malicious. Ill gladly run it on my machine and click NO if its an ActiveX object and simply laugh at anything else since it simply WONT work in the browser.
Outlook has totally different access privileges why do you think all of these worms are spread. Do you know the mayhem that would be caused if ever IE browser was exploitable via VBScript?
Stop and think before trashing something for an unfounded reason.
Jeremy
Re:Praising security "investigators" (Score:2)
People that claim to have found a bug are probobly the 10th or 11th person that found it. but at least they aren't of the mind to go find every server with that flaw and exploit the hell out of it.
the very fine line comes with the fact that once bugs are announced it's now a race called sysAdmins vs. script kiddies. This part I agree can suck for a lot of people. Keeping up with all of this is a tough job. Then again if you don't like the job go serve fries at McDonalds.
thothic
[ps. that whole Neo thing is not funny. (neoThoth.. shortened to neo) I had that handle way before that no talent ass monkey let the Matrix carry his career.
Re:What Kinds of Malicious Code? (Score:2)
Re:Praising security "investigators" (Score:2)
People who do security research are smart enough to know that they're not the only smart ones out there. When they post an advisory they do it because they know that someone out there has already found the bug, exploited it, and kept it to themselves. Sure, your chances of getting hacked after it becomes public increase many fold *if you don't apply the patches*, but at least you have a chance of defending against a known enemy.
As far as the "let the makers know and then post publicly if action isn't taken" argument, let me give you an example: the recent Code Red worm was based on an IIS .ida extention overflow. If eEye had simply alerted MS about this issue and promised that they wouldn't post the information MS would've simply incorporated the fix into the next service pack, not wanting to raise any alarms about IIS security. In the meantime, someone else could've found the hole, written the worm and released it to the waiting internet. In that scenario no one would've been patched and the worm would've compromised ten times the servers that it did.
In the end, posting publicly gives sysadmins the opportunity to minimize the exposure to vulnerabilities. Don't forget: just because it isn't public doesn't mean it isn't there.
-brock
Uh-oh... (Score:2)
I'd certainly flee to Canada if that happened.
But then Canada would be populated with jerks...
Perhaps we could all flee to Australia? Then Australia would have THREE social classes -- descendants of British "criminals," aborigines, AND jerks!
Bah, nevermind...
Re:So? (Score:2)
That's a bit disingenuous. JavasCrypt is enabled by default in all graphical browsers.
Actually that's not quite true. Konqueror very deliberately keeps JavaScript, Java and Netscape plugins off by default. If you need them, then it's a cinch to enable them (very obvious in the Konqui settings dialog, or, if you have the extra plugins that are in the kdenonbeta package, it's even simpler, select a menu item or a toolbar button).
If you're concerned about turning JavaScript on globally, then you can enable/disable JavaScript (and Java) on a per-site basis.
Sigh... If only every graphical browser put security first...
Re:I'm just shocked Taco posted a cross-platform h (Score:1)
--
Re:Jerks? (Score:2)
>>Are you stating that open source software is 100% secure?
Didn't sound like it to me. Sounded more like a rationale for making exploits public... so lots of people can think about a way to fix the problem. Calling people jerks for demonstrating an exploit of a security vulnerability seems counter to the prevailing attitude among those who think hiding security problems is an exercise in futility.
>Moderators, can we please start marking messages that state "this wouldn't happen if it was open source" as "Troll".
Whoa... you might want to have that knee looked at.
--- .sig in order to have your advice
Hi! How are you?
I send you this
We love you anyway CT (Score:5)
"Proof once again that the jerks have more spare time then the people who actually do something worthwhile."
Don't be so hard on yourself there CmdrTaco! We read your drivelous comments just the same 8^}
And BTW - it's 'than' the people, not 'then' the people.
Re:This is an incredibly common problem (Score:2)
And if you're putting the results in <INPUT TYPE="TEXT" VALUE="Something The Use Entered"> don't forget to change a quote (") into ". Otherwise you can still get weird results, especially because you can insert new attributes (maybe do something even via onclick="something_nasty()" at that!)
--
Re:Why don't they make JS secure (Score:2)
For the love of Jebus, with all the ways JavaScript can be abused, why don't the browsers come with a way to filter out the most obnoxious actions? I'd love to see checkboxes for the following.
Disallow new window creation
Disallow window moving and resizing
Disallow redirection
Disallow shortcut creation
[I nearly blew a gasket the first time I found that a site had placed porn and casino links in my Start menu.]
Disallow access to cookies
There are probably others, I'm no JavaScript whiz.
An ideal browser would let you toggle all that stuff, and then enable it for specific sites of your choosing.
I'll have to look at Web Washer again... maybe it lets you re-enable pops for the sites that need them.
What of VBSCRIPT? (Score:1)
Re:This is an incredibly common problem (Score:2)
<a href="friskit.com"> <img border=0 src="http://friskit.com/site/images/logo.gif"> </a> <script> document.body.style.filter= "progid:DXImageTransform.Microsoft.Blur (pixelradius=3)"; </script>
Re:Jerks? (Score:3)
People find holes in proprietary systems all the time. Hell, I've gotten a couple hundred MS security bulletins over the last 2 years sitting in my inbox, none of which MS has discovered on their own. The holes in proprietary systems simply get more exposure because it's fuel for all the open source zealots and a large part of corporate america uses the closed systems.
Moderators, can we please start marking messages that state "this wouldn't happen if it was open source" as "Troll".
Just to be an idiot and delve deeper into this arguement, are you stating that if it was open source, you'd do a line-by-line audit of the code to make sure it was something you felt was secure and you want to run? Let's face it, everybody that advocates open source just assumes everybody else is testing it. How many people have done a complete code audit of any Linux app before they installed it. None. This could also be due to the fact that most Linux apps haven't made it to that 1.0 mark yet and maybe the users expect what they get. It's a good argument that "it's still in BETA" when somebody points out a security hole in something.
Re:What Kinds of Malicious Code? (Score:2)
Unfortunately, due to a recent vulnerability in Outlook, the ability to redirect a user to a webpage of your choice could be used for malicious purposes. The text below is an extract from Microsoft Security Bulletin MS01-038 [microsoft.com] (http://www.microsoft.com/technet/treeview/default .asp?url=/technet/security/bulletin/MS01-038.asp):
Granted, the patch for this problem has long been available, but, as Code Red illustrates, that does little to reduce the overall vulnerability.
Re:Jerks? (Score:2)
I realize this is hairsplitting, but I'm sure the creators of such "malicious" acts have fully justified reasons for what they're doing, even if those reasons are only justifiable to themselves. They *ARE* doing something worthwhile, in this sense; their actions just aren't worthwhile to Taco.
Now, if one wishes to attack said individuals on a stictly moral basis, I think that is perfectly justified.
Re:Jerks? (Score:2)
I believe the "jerks" reference is to the people writing the malicious JavaScript code, and not the people reporting it. :)
Re:What Kinds of Malicious Code? (Score:2)
This sort of thing could be used to break sites which use cookie security. It would be easy to use the JavaScript to return the session cookie to an intercept site by CGI communication with that site. However, since search engines don't usually have user accounts, this is unlikely to be important. Still, it should be tried on Yahoo! at least, and any other search engine sites that support login and use weak session security.
Tim
Porn surfers love Office Furniture (Score:2)
Knowing this, I could index all of our pages with porn keywords and redirect users to our page selling Office Furniture!!!
I'll be sure I send out OfficeFurniture.vbs just in case Lycos fixes this hole before I get a chance at a promotion.
Great... (Score:2)
Two things... (Score:2)
Second, for everyone who's saying how harmless JavaScript is, you're somewhat right, but it doesn't matter. Why? Because the person releasing the vulnerability was just using JavaScript as an example. It could also be VBScript, just as easily...and THAT is NOT harmless by any stretch of the imagination. Imagine doing a search on Lycos, and getting smacked with a new variant of KAK.
Re:Two things... (Score:2)
Are you actually attempting to state that nobody can do harm if they can get a user to run arbitrary VBS on their machine? Where have you been for the past few years, man? VBS has been the language of choice for some of the most notorious worms and viruses in the past couple of years, and not all of them merely spread from user to user.
Re:Two things... (Score:2)
What handles HTML in the web browser? What handles HTML in email? And finally, what are default permissions in Internet Explorer with respect to ActiveX controls? There a numerous viruses out there, (I mentioned KAK before, so I'll stick with it) that are able to do various things from either a web page or from an email. It just happens that web pages are not a good way to spread a virus, so HTML email is the method of choice. But underlying both HTML mail and web browsing is the same code, the same processing. And yes, KAK relies upon an activeX control. But so what? It didn't matter...KAK spread like wildfire, and did an enormous amount of damage. In penetration testing, I make use of this functionality to test clients...I send an email with HTML scripting that fires back an email to me, with a copy of a particular file off of their computer attached. (Does that behavior sound familiar??)
You, sir, are clearly not a professional security engineer, admin, consultant, or whatever. If you were, you would stand alone in a crowd that regularly and passionately avoids HTML that comes from untrusted sources. It is for this reason that BUGTRAQ, every mailing list at SecurityFocus, NTBUGTRAQ, and numerous other mailing lists do not want their subscribers sending HTML mail of any form to the list; they have gone so far as to automatically strip off the HTML and leave the messages as plain text. Why do you think there are only a very few HTML tags permitted in Slashdot posts? I don't see the SCRIPT tag in there...do you?
As for your earlier statements concerning "trashing" something, I have no idea what you think I was trashing. Lycos has a vulnerability...so what? Welcome to the planet, guys...everyone's had a problem sooner or later. Just fix it, and we'll move on. And I certainly wasn't trashing scripting...complaining that someone putting HTML on your site without your control is bad is like saying that someone installing software on your computer without your control is bad. Actually, if it involves scripting, the two are the same.
Re:Jerks? (Score:2)
OK, the Internet isn't a small town any more, but one has to wonder where it all ends? As black and gray hats keep upping the ante, just running a simple web site requires more and more vigilance. IMHO, they have already succeeded in making the web an experts-only club.
That said, this security hole does not seem to have been exploited by anyone. It appears that it was stumbled upon. So I don't know what Jerks Taco is referring to here. Did I over-look something?
Re:Why don't they make JS secure (Score:2)
JS on the other side, hasn't an easy way to access sensitive data or create malicious code. As someone noted before, you can redirect the user to a porn site or something, but its rather dificult (I'm not a JS programmer, just done a couple of hacks with it) to access to sensitive information, such as the hard drive
Re:Javascript once again (Score:3)
Re:What Kinds of Malicious Code? (Score:2)
Re:What Kinds of Malicious Code? (Score:4)
no different from lots of other problems (Score:2)
The simple fact is that content you get from the Internet, be it Slashdot, Lycos, Microsoft, or anything else, may have been altered or may be malicious in itself. If you care about it, you have to deal with it by picking your web client to protect you; trying to insist that every web site is secure and trustworthy is a losing battle.
BTW, from the description of the bug, JavaScript is the least you have to worry about. ActiveX controls would seem like a much bigger problem. And web sites that server user-supplied JavaScript through SSL are also a much bigger worry (since the user-supplied JavaScript is implicitly signed with the site certificate); at least Lycos doesn't serve its content through SSL.
This is an incredibly common problem (Score:5)
You have some kind of form input, with the next page displaying whatever the user typed into that form field (for a search engine this would be in the form of "You searched for..."). the golden rule of web development is NEVER TRUST input from your users. Most developers take great lengths to check anything that's going into a file or database, or erspecially code that will be executed on the command line.
However, if you're just going to display something to the user that typed it why bother checking the content? Surely only the user who typed the thing is going to see it again, and it's not like they're going to be able to affect any of your systems?
Therein lies the problem. If you allow a user to type anything into a form and then have it re-displayed, they can include HTML tags. And if they can include HTML tags, they can include <script> tags. And script tags can do weird stuff.
Still think it's not a problem thanks to the fact that only the user will see it? Think again - seeing as most applications like search engines use GET to pass parameters, you can fill in the form for the user by offering them a link to click:
http://yoursite.com/search?<b>Oooh+Bold+Text </b><script>alert('Ew ww nasty popup')</script>
All of a sudden you can cause your weird popup messages to appear on someone elses site.<p>
The biggest security problem is the fact that javascript can access cookies. Imagine sending someone to a website via a link containing javascript that reads their username/password cookie for that site then pops up a window feeding that username/password to a script page con your server (in the query string) - BANG, you've got their password.
How do you stop this happening? Simple - deactivate HTML tags from user input by replacing < with < and > with > - problem solved
Re:What Kinds of Malicious Code? (Score:2)
Re:Jerks? (Score:2)
What nonsense. The web has become SO easy to use (and to create webpages for) through such a plethora of tools (frontpage, dreamweaver, just to name a bunch of idiotproof tools). Who are the 'they' you talk about? 'black / gray hats' ? How in the world do they make the web something for 'experts'?
Listen, most people who want to create their own webpage as beginners go to geocities or something like that. If you get a bit more advanced, you go to a somewhat more advanced hosting provider. You get your own domain even, perhaps. If you get even more advanced, you may have your own DSL line or T1 line. But by the time you get there, you are SUPPOSED to know about security and be vigilant about it.