Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bug

Security Hole Lets Lycos Run Arbitrary JavaScript 141

JibbaJabba writes "Securiteam is reporting that a "security vulnerability has been confirmed in Lycos's Search Engine" which "allows malicious web site owners to cause JavaScript code (or any other HTML code) to get included in the search results displayed to the end user by Lycos". They also state that "other engines are suspected to be vulnerable as well". Anyone tried google yet? The original bugtraq report by Sentry Labs is available here." Proof once again that the jerks have more spare time then the people who actually do something worthwhile.
This discussion has been archived. No new comments can be posted.

Security Hole Lets Lycos Run Arbitrary JavaScript

Comments Filter:
  • by Anonymous Coward
    Yeah, sure, Javascript is harmless. [comp-u-geek.net] Click here for proof you're wrong.
  • by Anonymous Coward
    Could someone use this to embed an HTML comment character in their description to prevent further search results from being displayed?
  • by Anonymous Coward
    If jerking is outlawed, only outlaws will have jerks!
  • by Anonymous Coward
    EMCAScript (formerly known as JavaScript) can in fact be used to propogate spam. It is widely deployed in freely downloadable browsers such as NetScape and Internet Explorer. It is turned on by default. Struggling eCommerce web sites use applets to gather valid email addresses. In one documented case a real estate agent presented a talk on how to use a JS applet to troll casual web site browsers for valid email addresses. The thought being that anyone who spends a fair amount of time browsing online real estate ads is probably looking for a house the return to the web site is valuable: pre-self-filtered valid email addresses. The next morning you wind up with mortgage spam, moving company spam, etc. It does not take much imagination to see where such marketing ploys will go if they fall into the wrong hands. Do you actually like spam? Do you want to see more of it clogging the 'net? Then be sure to surf without turning off JavaScript in your browser.
  • by Anonymous Coward on Monday July 30, 2001 @10:49AM (#2182469)
    I don't think I'm buying into this "they are only showing you how bad your stupid code is." reasoning anymore. ALL code is flawed, so taking advantage of it is like pushing down someone you meet on the sidewalk and saying "I am only showing you how poor your center of gravity and sense of balance are!" No, that is not a reasonable line of thinking. If you want to make something better, show the makers what's wrong, and post publicly if it is not taken care of. all of the rest of this is some kind of ego-run-amuck b.s. about trying to _be_ "Neo" hacking "the man". and it is _very_ juvinile. I spend FAR too much of my time trying to make sure that my servers are pactched and my virus files are up to date and my users are not sending out company data to outside sources that don't need to know. It takes away from a sys. adim's time that _should_ be spent watching company information flow and user environments to look for ways to help it improve the company. NOT making sure that the 13 year old kid that just got out of school isn't making sure I know that IIS has a buffer overflow problem that gives him all of my customer's credit cards. Not ALL information was meant to be free. If you disagree please feel free to apply for wireless service from verizon or AT&T and learn all about how "helpfull" these "security advisors" really are.
  • The "juxtaposition" (or lack thereof) of "jerk" and "sysadmin" was meant to inspire humor.

    - A.P.

    --

  • by Wakko Warner ( 324 ) on Monday July 30, 2001 @10:36AM (#2182471) Homepage Journal
    We should outlaw being a jerk.

    Then I would feel much less nervous, as a sysadmin.

    - A.P.

    --

  • The first two things you mention are as harmless as the original poster said already, and additionally they're already possible to do now! By doing the same things people do to get their site to be in the first 10 hits.

    I don't think there there is another means presently known to redirect the user directly from the list of results within a search engine before the user ever actually clicks on any of the results. Maybe you misunderstood what I wrote or I wasn't clear in what I meant - or maybe I'm misunderstanding you now. How can you go about redirecting users from the page within the search engine that shows the first few results without using this Javascript exploit?

    How the things that I listed differ from the things listed by the original poster are that the original poster considered the most nefarious possibility of redirection to be an annoyance (in the same way that porn sites flood you with annoying popups [from what I've heard]) whereas I suggested that a much worse use of redirection would be to deceive the user. The key is that the user thinks he is still on Lycos when he is not and this opens up a whole can of worms. Perhaps you consider this "harmless" because you think people who don't look up at the URL location of each web page they visit are stupid, but when you click on the "Search" button of your favorite search engine how many times do you look up at the location to see that the results are indeed from where you expect?

    The third possibility you mention is not likely at all to work as people don't have to login to use a search engine.

    Lycos does have web based email, which quite a few people use, and I think they have some other services that require registration as well. I would wager (based on Bayes' theorom) that people using Lycos for searching are more likely to have Lycos webmail accounts than the average internet user.

  • JavaScript is a relatively harmless language. While it could do something dramatic redirect the user to a porn site or display something obnoxious on the screen, I doubt that it would do anything like delete user's harddrives or give h@x0rs access to user's computers.

    Redirection could be used for more than just annoying purposes. The thought can comes to my mind right away is that it could be used for deceptive purposes:

    • Users could be automatically whisked away to one of the results without seeing any of the other results in the list. So as long as you can get your page in the top ten results for a particular keyword, you can force the user to choose your page.
    • Users are (understandably) expecting a Lycos page, so if the Javascript were to redirect the user to a page that masqueraded as a search-results page the user would be likely to assume that the page was legitimate and not biased. As an example, the "Church" of Scientology could use this bug to redirect users to an apparent Lycos results page for a search on "scientology" and they could change all of the results to be pro-scientology. Worse yet, they could change the links to anti-scientology sites to copies of the original sites which have been changed to something along the lines of "We've changed our minds. We were wrong. Scientology is not evil. All hail L Ron."
    • For users of other Lycos services, such as Lycos mail, the user could be redirected to an imposter Lycos page which would ask for a username and password. Users would be much less likely to be suspicious because they were expecting a Lycos page.
  • * For users of other Lycos services, such as Lycos mail, the user could be redirected to an imposter Lycos page which would ask for a username and password.

    And more to the point, since JavaScript can read cookies, any active logins to the search engine site could be sent by the rouge JS to a third party.

    --

  • by SJS ( 1851 )
    That's a bit disingenuous.
    Sorta. :)

    When vendors ship operating systems that are inherently insecure, they're loudly blasted for doing such, and the administrators of those systems are often held responsible for "locking down" the default-insecure configuration. This is considered well, good, and normal by a great many folks, esp. here on /.

    It may be that 90% of the people out there don't know what Javascript is, but I should hope that the percentage of /.ers that don't know anything about Javascript would be far, far, far less. I may be wrong (in fact, I probably am, considering that at least one person thought my original comment was a troll -- they're probably thinking "JAVASCRIPT RULZ DOODZ! U SUX!" when they read anything critical of Javscript or other client-side code), but I hope not.

    You can't really blame the graphical browser vendors. Many sites require javascript to do trivial operations: to follow a link, to submit a form, etc. Many of the same end-users who don't know what Javascript is or that you CAN turn it off end up being those who shout for it loudest when it is disabled. It's scary when someone, in all apparent seriousness, claims that they use $BROWSER[A] because $BROWSER[B] allows Javascript to be disabled, and they don't think that's right.

    A couple of times I've pushed further, and learned that "well, the web-developers wouldn't use it unless it was safe, so you're just full of it when you say that there are risks involved!" -- and I imagine that most of the folks who write Javascript do so because they need it to provide the behavior required by those same users.

    So, yes, it's a bit much to expect any one newbie to know enough to disable Javascript. But that shouldn't apply here, right?

    As I said, this isn't anything unexpected. Those who pay attention already disable Javscript and go around making sure the folks they care about know that Javascript can be disabled. So anyone that anyone on /. knows that has Javascript enabled either has (1) done so knowing the risks or (2) has really crappy friends/acquaintances.

    Personally, I'd be happy to have a Javascript Guru devise a better resource-consumption script than what I currently have:

    <script>s = "You asked for it"; while(1){ s = s + s; } </script>
  • Stupid Slashdot. I tell it i want "Plain Old Text", but it still thinks < and > surround tags, and that &lt; and &gt; are symbol codes. Sigh.

    My middle paragraph should read:
    Unfortunately, the Lycos bug is exactly the opposite. Instead of them taking < and >s, and failing to turn them into &lt; and &gt;, the problem is that Lycos is finding web pages with &lt; and &gt;, and turning them into < and >, thus changing non-HTML into HTML. A much less common problem, and also one it seems like they have TRIED to create. Why parse the HTML symbol codes into the symbols they represent? It's a strange bug, and its obscurity is why it's taken so long to come to light.
  • One could assume that you're not a grammar consultant.
  • by Plutor ( 2994 ) on Monday July 30, 2001 @12:44PM (#2182478) Homepage
    Great job, you really addressed 90% of the issues with stupid CGI programmers. I have dealt with the same problem in CGI that I've "inherited", and it's a pain in the ass to see such a simple exploit go unpatched.

    Unfortunately, the Lycos bug is exactly the opposite. Instead of them taking s, and failing to turn them into < and >, the problem is that Lycos is finding web pages with < and >, and turning them into , thus changing non-HTML into HTML. A much less common problem, and also one it seems like they have TRIED to create. Why parse the HTML symbol codes into the symbols they represent? It's a strange bug, and its obscurity is why it's taken so long to come to light.

    One thing to note, though, is that this bug probably would have been found months, if not years, ago if Lycos was OSS.
  • .... yup, i agree with you ... just make sure you don't "slip" on the wrong button when prompted ;] ....

  • user input validation is not the *only* thing you can do with javascript to minimize server-side processing and save precious CPU cycles. But i'd be revealing trade secrets if i told you what else.

    just think.

  • See comment #85 below, but keep in mind that most people do have javascript enabled, that javascript is a good thing to have enabled as it can often save a lot of unnecessary client-server requests and greatly improve a site's usability.

    The danger comes from sites that base their authentication schemes on persistent cookies after the user has signed-on once.

    Such cookie basically tells the server "hey i'm the right guy now gimme my personalized page".

    You can use javascript to sniff the cookie via document.cookie and send that value to a cgi script that'll store it.

    heh fun.

  • Some prominent web-based email sites like hotmail had a similar security-hole in their "dictionary" feature, which would allow a malicious user to paste an apparently harmless link in an email, because the link would be within the hotmail domain.

    Once the user would click on that link, it would take them to the spell-checker interface of hotmail, but the 'word' passed to that CGI is actually HTMLcode that gets "echo'ed" as part of the "result page", just like any dictionary interface would do. That HTML code could be a SCRIPT tag downloading a .js javascript file from the perpetrator's server (to keep it clean) which could very well sniff a user's document.cookie and change the location of some hidden image on the page or pop a window by making an HTTP request to some evil CGI and passing the value of that document.cookie string as a parameter and store it in some text file.

    The victim's cookie string most likely contains information that tells the server "hey i'm authenticated" so all it takes is for the evil person to reproduce that cookie.

    As I browse the web, I find such vulnerabilities on member-driven sites all the time, some times I warn the webmaster, some times I don't bother, but it can potentially be pretty nasty. I even got a t-shirt from some mildly popular online community fedexed to me once after I rode their asses likes a madman so they'd finally plug a really *really* bad similar hole.

    I found one in some remote feature of yahoo a few weeks ago, but its very small and I doubt anyone else would find it.

    The rule of thumb to always follow as you design your web application, is "what is that HTML i'm sending to the user made of?". "is there any content in there that is taken from any kind of user input?". "if yes, am I filtering out all angled brackets?". "if i am allowing for user-input HTML content, am i filtering all unnecessary tags and among the tags i'm allowing am i filtering all unnecessary attributes (onload,onmouseover,onclick)?"

  • It's not an exact science by any means, but flamebait is generally designed to irk people and draw a lot of angry replies, i.e., start a flamewar.

    A troll, on the other hand, is sometimes disguised as a somewhat coherent expression of opinion but doesn't really represent the poster's opinion, it's just designed to get a lot of people worked up replying to it so that the original poster can laugh at them wasting their time and tell himself how clever he is for having done so.

    What they have in common is the level of maturity (low) and the lack of positive contribution to the discussion.

    And then there are the 12 year olds who keep trying to sneak in links to stuff other than that to which the link appears to lead, and all the other posts associated with those posts, which are just another immature attempt to annoy people and waste their time. Off-topic covers these just fine.

    None of this necessarily has anything to do with how posts actually get moderated.

  • by ewhac ( 5844 ) on Monday July 30, 2001 @10:58AM (#2182484) Homepage Journal

    Anyone who enables javascript is asking for trouble.

    That's a bit disingenuous. JavasCrypt is enabled by default in all graphical browsers. 90% of people out there don't even know what it is, much less how to turn it off (turning it off in Netscape is fairly easy, but turning it off in IE is extremely non-obvious, even if you know you're looking to kill JavaScript).

    Schwab

  • yeah, and your users would be less pissed off too ;-)
  • 3. Bayes Theorom. A probabilistic method of medical reasoning.

    à
    This is a way to decide how to treat disease by knowing about the rate of the disease and how good your test is.

    à
    Diagnosis based on:


    Prior Odds (or base rate of disease)

    .....This can tell you something about the probability of 1 person having a disease because it gives you the probability of the population having the disease.


    Characteristics of a diagnostic test (sensitivity and specificity)

    .....This can tell you how accurate a positive or negative test outcome is. (the sensitivity can tell you how often the test will positive in a person with disease; the specificity can tell you how often the test will be negative in a person without disease.)

    à
    Here is a scenario: You work in an area with a relatively high rate of Lyme disease. You have a test for Lyme disease and a patient you want to test. You could decide whether your patient has Lyme disease simply on how common Lyme disease is (prior odds). With the test as the diagnostic tool, you could only base your diagnosis on the outcome of the test and how good the test is. Using both pieces of information is a better approach.

    à
    Know Sensitivity and Specificity. (As defined in the basic experimentation lecture)

    à
    Bayes Theorom can also help you to update your decision-making when new info comes around.


  • Ack.

    Wait a sec. If girls only go out with jerks, and never with "nice guys," that would mean that sys admins would be getting all the girls. And I know that ain't so.

  • I dunno, I'm not sure that a little 69 really ever caused anyone harm.
  • by Dr.Dubious DDQ ( 11968 ) on Monday July 30, 2001 @02:18PM (#2182489) Homepage
    you can't just disable javascript's ability to open new windows whilst leaving the rest of its abilities intact. grrrr.

    That's it. End of story. If browsers let you do that, we'd all be happy.

    What? I can't? Shoot, I'd better turn that off then! :-)

    Konqueror has exactly this option - you can tell it to disallow opening new windows completely, to have it ask, or to allow javascript window.open() always. Handy little feature...


    ---
  • How about "wrong story" instead? How did this get moderated up, anyway?

    Remember: it's a "Microsoft virus", not an "email virus",


  • "Search warrant."

    Fly away, little BSA bird.
  • I wouldn't call HTML a language



    Hyper Text Markup Language

    it's a stateless language, but a language nonetheless.

  • jeez, thank goodness you're on the good side, or at least it would seem..
  • by Midnight Thunder ( 17205 ) on Monday July 30, 2001 @10:37AM (#2182494) Homepage Journal
    This once again proof that running JavaScript on the client end is bad. I am one of those people who turn JavaScript off the most part, though there are one or two web-sites that I have to turn it on if I want to get beyond the first page. I would love it if Mozilla provided an option for only having JavaScript activated for certain sites.

    I am a believer in the thin-client approach to web-pages and that is if you can't do it on the server and you can't use HTML for your web page then you are probably doing something wrong. This is my opinion and you don't have to share in it.

  • by rw2 ( 17419 ) on Monday July 30, 2001 @10:28AM (#2182495) Homepage
    Finding security holes is exactly why open source security works better than security through osbcurity for crying out loud! You should be thanking those guys instead of using your site as a soap box to bully them into thinking like a Taco.

    And re-read Steven Levy's book Hackers while you're at it.

    --
    Poliglut [poliglut.com]

  • You could turn on/off images and javascript from the freaking' menus! None of this "bury it in the preferences dialog" bull.

    Plus, it's faster then NS4 rendering /. in nested mode!

    Pope

    What? Bear is driving car? How can that be?!

  • Proof once again that the jerks have more spare time then the people who actually do something worthwhile

    Proof is a noun. Prove is a verb. Keep that in mind, will ya?

  • That's a bit disingenuous. JavasCrypt is enabled by default in all graphical browsers. 90% of people out there don't even know what it is, much less how to turn it off (turning it off in Netscape is fairly easy, but turning it off in IE is extremely non-obvious, even if you know you're looking to kill JavaScript).

    In IE, it's under Security, which is the obvious place to have it. Particularly if you don't know *what* Javascript is; all you have to do is set your security to high - you don't have to worry about the details.

    Simon
  • That's correct. To really annoy Win9x users, just put an <IMG> tag in your websites with the SRC set to "file://c:/con/con" like this:
    <IMG SRC="file:/c://con/con">
  • How does *Microsoft* force you to enable cookies to view *Starbucks*?! Cookies were invented by Netscape anyway, you know, and there's absolutely nothing unsafe or strange about them despite all the FUD.

    A cookie set by a server can only be read by that same server. The exact same effect can be done by URL rewriting (adding a token to each url.. as in.. /something.php3 becomes /something.php3?youAre=dude123 and every link adds that ?youAre=dude123 part to it. You can now be identified between link clicks. 99% of all cookies are simply used for session tracking. Only idiots programmers would actually store any DATA of relevance in them (like a credit card number, home address etc.)
  • Running JavaScript on a web browser is like leaving the windows to your apartment open in the projects, not some small innocent country house. JavaScript has been exploited in the past, and will be in the future.

    Personally, I surf with JavaScript disabled by default, which kills those pop-up windows (bonus!).
  • Sandboxed. Heh.

    http://www.google.com/search?num=100&lr=lang_en& q= JavaScript+file+exploit
  • by Lifewolf ( 41986 ) on Monday July 30, 2001 @11:49AM (#2182503)
    Everything on XP runs as Administrator.
    What FUD is this?

    Not all the facts were stated by the person to which you replied. Windows XP Home Edition does not feature different access levels. All users are Administrators. Windows XP Professional retains different access levels.

    See: http://www.microsoft.com/windowsxp/guide/compariso n.asp [microsoft.com]

  • Konqueror has exactly this option - you can tell it to disallow opening new windows completely, to have it ask, or to allow javascript window.open() always. Handy little feature...

    OmniWeb for OS X has it beat, with a setting to open the window only if it was requested by a user action. I can go to a site like the The Onion and have its left-hand bar popups like Horoscopes open just fine, but I have never, ever seen a popup ad.

  • If you want to see javascript abuse in action, go to somethingawful.com and look for an awful link of the day. If there's a guestbook available, you'll see dancing goatse guys and everything. Er, wait, nevermind.

  • Imagine, you do a search, and while you're sitting there looking at the search results, you get popup ads being generated by the sites in your results list. Now imagine that the search hit a lot of porn sites. And they have exit traps.

    Hopefully, the search engines get this remedied quickly. I imagine they'll just filter out javascript.

    -Todd

    ---
  • That's one cool feature in Konqueror; it let's you turn of just the javascript window.opn function.

    So does Mozilla AFAIR. It just lacks a nice GUI and you need to edit your prefs.js.

  • Automatic JavaScript on and off based on URL might be OK, but I want a button down in my tray where I can easily turn it on and off -- with, of course, indication of state.

    Slashdot rumor [slashdot.org] has it that Microsoft toyed with this idea for a while and then dropped it when it internally became known as the "porn button". Vote for (or help us fix) one or both of these if you'd like to see the feature added to Mozilla:

    bug 38521 [mozilla.org] Preferences Toolbar, for most commonly used prefs
    bug 87538 [mozilla.org] [RFE] preferences buttons on status bar

  • Even if you did that, a web site that found a major security hole in your browser would be able to steal your Slashdot password...
  • don't forget to change a quote (") into &quot;

    And it might also be a good idea to turn & into &amp; while you're at it.

    Btw, I don't think you need to do the &lt; and &gt; transformations for attributes, but it doesn't hurt.
  • This link is a fine example... difficult to get out of on Microsoft browsers.

    Only on Microsoft browsers? I don't remember finding a browser where I could get out of that kind of loop.

    See bug 59314 [mozilla.org], "Alerts should be content-modal, not window-modal", for fixing this in Mozilla.
  • Cmon, that's just sloppy.

    <? $page_description = strip_tags($page_description);?>

    Problem solved.

    I love PHP :).
  • You must be one of those masochistic people that likes to write web apps in assembler.

    Sorry, I'll take productivity over intense pain anyday.
  • One thing to note, though, is that this bug probably would have been found months, if not years, ago if Lycos was OSS.

    Ya think? PHPLIB has been OSS for a long time and only recently programming problems of the above type were found in it.

    OSS isn't the magic elixir. It's a step in the right direction.

  • You also forgot that you need to remove quotes as well.

    When it helpfully fills in a text box, you have to escape the quotes. Take this example:

    <input value="DATA">

    Now we craft the malicious string ( " onfocus="alert('howdy'); ) and place it in the text box like so:

    <input value="" onfocus="alert('howdy');">

    See also my article on Accepting input and malicious script insertion [kimihia.org.nz].

    Lots of sites are vulnerable. Lots of sites have lazy developers.

  • I can't seem to find the relevant logical definendum and differentia in the Jargon File or elsewhere. What exactly is the difference between a flamebait and a troll?
  • as he nears 30, perhaps he'll even ditch the "cmdrtaco" moniker, a decidedly immature way to refer to oneself.
    Will you be emerging from behind the "Coward" moniker any time soon?


    --



  • We should outlaw being a jerk.
    Then I would feel much less nervous, as a sysadmin.

    O, right, I am *so sure*.

    Have you even thought about this for a minute?

    Some of our ver best sysadmins are jerks!

    Where would that leave us?

    I'll tell you where: with clueless nice-guys running the computers, that's where!

  • and that quote illustrates why. If you live in a small town where nobody locks the doors, it's not reasonable to walk into someone's house uninvited. If you connect your computer to a global network and program it to accept TCP connections on certain ports, it is reasonable for people all over the world to connect to those ports.
    I wonder if Stoll originated the nonsensical comparison between 'unauthorized access' of a corporate/governmental computer and breaking into someone's house. They're not the same at all, but this silly notion underpins a lot of bad thinking and bad law. Stoll was zealously protective of the 'computing resources' of a huge government lab at a time when 'real computers' were out of reach for ordinary people. He could be compared to a royal chef in the middle ages urinating on the excess food from the royal table lest a commoner eat it.
    I don't agree that security problems have made the web 'experts only'. If you want to run your own web server and you're not an expert, run vanilla Apache and sshd and nothing else. Actual holes in Apache are pretty rare. Or am I missing your point?

  • Rubbish.

    1) Where was it getting the email address from? If the user typed it in it's their fault, and I fail to see where else it would get it from.

    2) There's no such thing as a JS "applet". Applet refers to a client side embedded Java application, no relation to JS at all.
  • I used find out what chat rooms my sister was on. Most of them back then just reloaded the page with the newest responses toward the top. I would go and submit all kinds of stuff in to the text box. I had the most fun when I would submit older comments but edit what each person said.

    Nowadays when I build forms I always set a max length. This keeps people from doing the things I did when I was 15

  • This article [slashdot.org] was just posted, but then disappeared from the home page. Interesting.
  • by zpengo ( 99887 ) on Monday July 30, 2001 @10:28AM (#2182523) Homepage
    JavaScript is a relatively harmless language. While it could do something dramatic redirect the user to a porn site or display something obnoxious on the screen, I doubt that it would do anything like delete user's harddrives or give h@x0rs access to user's computers.

    This isn't a serious security breech, just an annoying oversight by Lycos programmers which will probably be patched up in the next fifteen seconds.

  • Windows boxen don't have root access.

    Wait until they're all using WinXP. Everything on XP runs as Administrator. Be it Notepad, Word, IE, or (heaven help us) Outlook. Everything has full access to the system.

    Maybe I'm just talking out my ass, but consider this: Lycos result contains Javascript. Javascript redirects you to some server. That server runs some ActiveX code. That code grabs your email password and login password and mails them encrypted with PGP/GPG to some mail box in some remote part of the world for later cracking.

    Maybe I'm completely off my rocker - and tell me if I am - but giving people the ability to run arbitrary commands on someone elses PC isn't usually that good, especially when it's a hypertext link. People don't really think of links as programs, unless the link explicitely says "click here to run my javascript applet". And even then, the average user isn't going to understand the full implications of clicking on that link and giving a program 'root' access on their system.


    kickin' science like no one else can,
    my dick is twice as long as my attention span.
  • Okay, I'm sorry, I spoke before researching a little.

    The statement about WinXP running all things as Administrator came from a radio interview between GRC's Steve Gibson and TheRegister's Tom Greene. You can read a transcript [theregister.co.uk] (crap) or listen to the WMA [vpwsys.net] (could someone on a decent connection download Goldwave [goldwave.com] and reencode it as an mp3 or ogg?).

    Another article [geek.com] supports my statement. In particular, the line that reads:
    Steve Gibson maintains that raw socket support should not be included in Windows XP because the consumer version of XP defaults at running you as administrator (a.k.a. root) mode.

    As it gets easier and easier to install and use, how many new Linux users even know the dangers of operating as root? Let alone Win2k/WinXP users.

    So, we'll have all these boxes running out there in root mode while people are checking their mail and browsing the web. We've got enough problems as it is with Windows' limited (no raw sockets) TCP/IP stack.
    Now, you could argue that anyone who wanted to run some random program could just as well install support for raw sockets for Win9x (winpcap, anyone?) and install a trojan that could make use of it and syn-flood some server with spoofed IPs. And you'd be absolutely correct..they could. However, have they? Not to my knowledge. However, with WinXP, they won't have to. WinXP (probably) includes a nice, powerful, BSD TCP/IP stack that can do all that raw sockets stuff without the user having to install it. Skript kiddies, rejoice! [datanerds.net]


    kickin' science like no one else can,
    my dick is twice as long as my attention span.
  • Why dont you test that and see how many machines with a default install of IE (Windows) that works on.. The results will suprise you.

    At the same time, why don't you check and see how many people out there even run their computer with a default install of Windows and IE? Hopefully the results won't surprise you.


    kickin' science like no one else can,
    my dick is twice as long as my attention span.
  • Lycos result contains Javascript. Javascript redirects you to some server. That server runs some ActiveX code.

    Stop there. ActiveX code doesn't run without a confirmation dialog saying something to the effect of "This is untrusted/unsigned code; are you sure you want to run it?" The security implications are made quite clear to the user. Now if a Javascript program could automatically click "OK" on that dialog, then I'd be worried. (Knowing Microsoft, I wouldn't be too surprised to hear about that sort of security vulnerability.)

    Does anyone else think it's sad that people are worried about Lycos's vulnerability of allowing other people's Javascript to get on their pages? It's a problem if any HTML/Javascript/whatever someone sends at you creates a problem. You shouldn't have to stay on trusted websites to be safe. Lycos's problem is minor. The real problem to be addressed is that people don't consider Javascript safe, probably with good reason.

  • I sent my friend to Yaromat's "Wanna be an apple? [yaromat.com]" when he was stoned and he damn near had a heart attack.
  • by Nastard ( 124180 ) on Monday July 30, 2001 @10:34AM (#2182529)
    The javascript hole doesn't work on google, but I found an even worse bug that allows you to pass along ASM [google.com] in a search string!
  • Good try. But wrong

    Why even bother. You guys are just making claims that arent even true with no real basis for the claims. Why dont you test that and see how many machines with a default install of IE (Windows) that works on.. The results will suprise you

    Jeremy

  • Sure cant. The most that can be done is the playing of sounds on a end users hardware. Beyond that nope..

    Gotta love random /think ;)

    Jeremy

  • In a browser, VBScript is harmless.

    Dont confuse VBScript with an ActiveX control

    THey are totally different.

    And of course if you can get a VBScript to the windows script host its all over but the crying... doing that from a browser is something id like to see however

    Jeremy

  • *sigh*

    In the context of the browser VBScript executes with the same permissions as JavaScript... PERIOD!

    You cant create a file system object using a VBScript in a browser. It takes more than most people think to damage a machine with just VB/JavaScript. You have to use "social" engieering more than anything and trick people more than you cna directly harm their systems.. think about it

    Why don't you show me some VBScript runs from a web page that can do something malicious. Ill gladly run it on my machine and click NO if its an ActiveX object and simply laugh at anything else since it simply WONT work in the browser.

    Outlook has totally different access privileges why do you think all of these worms are spread. Do you know the mayhem that would be caused if ever IE browser was exploitable via VBScript?

    Stop and think before trashing something for an unfounded reason.

    Jeremy

  • I've seen a few posting in this same manner and I can see your point. One point that I think you are missing entirely is that whether or not these bugs are reported by these security advisors, they exist. And if they exist you can bet your last dollar someone is exploiting it somewhere. What these teams do is make it public so that someone has to fix the bug. Otherwise a group of very elite folks who figured it out in the first place are going to keep using it to intrude their way into someones servers.
    People that claim to have found a bug are probobly the 10th or 11th person that found it. but at least they aren't of the mind to go find every server with that flaw and exploit the hell out of it.
    the very fine line comes with the fact that once bugs are announced it's now a race called sysAdmins vs. script kiddies. This part I agree can suck for a lot of people. Keeping up with all of this is a tough job. Then again if you don't like the job go serve fries at McDonalds.
    thothic
    [ps. that whole Neo thing is not funny. (neoThoth.. shortened to neo) I had that handle way before that no talent ass monkey let the Matrix carry his career.
  • I remember about two years ago one one of the CD/MP3 player web sites anounced a release of their new MP3/CD player. They asked their web guests to come up with a good name for the player. I came up with a name "Duet" which meant that the player could play both - audio and MP3 CDs. I wanted to win the first prize (which was anounced to be a portable MP3/CD player) So naturally I wanted as many people as possible to vote for me. However it appeared that no one could vote more than once a day (the site logged IP addresses) so I decided to get people to vote for me even without them knowing what they are doing. All I had to do was to open a new account on GeoCities and set up an HTML page with some javascript which would send a vote from the users computer to the MP3 player site. All I needed was a large number of people to go to my page. So I sent the link to my Geocities page to various news groups disguised as something else (the porn news groups were GOLD) I got thousands of hits per day. Unfortunately I did not win the MP3 player, it appeared that most competitors only got a few votes, I on the other hand received thousands. The contest organizers thought (not without merit) that I spoofed the IP address and though they liked the name, they decided to give it to the third person in the list (the second guy after me apparently was also doing something of the kind, he had just a bit fewer votes than I did) It did not matter anyway, since the contest organizers gave the winner a car MP3/CD player (which I did not care for) and not a portable one.
  • So basically what you're saying is that you'd rather get hacked once a year than apply patches every few weeks?

    People who do security research are smart enough to know that they're not the only smart ones out there. When they post an advisory they do it because they know that someone out there has already found the bug, exploited it, and kept it to themselves. Sure, your chances of getting hacked after it becomes public increase many fold *if you don't apply the patches*, but at least you have a chance of defending against a known enemy.

    As far as the "let the makers know and then post publicly if action isn't taken" argument, let me give you an example: the recent Code Red worm was based on an IIS .ida extention overflow. If eEye had simply alerted MS about this issue and promised that they wouldn't post the information MS would've simply incorporated the fix into the next service pack, not wanting to raise any alarms about IIS security. In the meantime, someone else could've found the hole, written the worm and released it to the waiting internet. In that scenario no one would've been patched and the worm would've compromised ten times the servers that it did.

    In the end, posting publicly gives sysadmins the opportunity to minimize the exposure to vulnerabilities. Don't forget: just because it isn't public doesn't mean it isn't there.

    -brock

  • I think a lot of those of us who post to slashdot would be in trouble if jerks were outlawed.

    I'd certainly flee to Canada if that happened.

    But then Canada would be populated with jerks...

    Perhaps we could all flee to Australia? Then Australia would have THREE social classes -- descendants of British "criminals," aborigines, AND jerks!

    Bah, nevermind...
  • by marm ( 144733 )

    That's a bit disingenuous. JavasCrypt is enabled by default in all graphical browsers.

    Actually that's not quite true. Konqueror very deliberately keeps JavaScript, Java and Netscape plugins off by default. If you need them, then it's a cinch to enable them (very obvious in the Konqui settings dialog, or, if you have the extra plugins that are in the kdenonbeta package, it's even simpler, select a menu item or a toolbar button).

    If you're concerned about turning JavaScript on globally, then you can enable/disable JavaScript (and Java) on a per-site basis.

    Sigh... If only every graphical browser put security first...

  • WHY META-MODERATE WHEN ALL IT DOES IS BURN KARMA?
    I bet you weasel out of jury duty too.

    --
  • >Finding security holes is exactly why open source security works better than

    >>Are you stating that open source software is 100% secure?

    Didn't sound like it to me. Sounded more like a rationale for making exploits public... so lots of people can think about a way to fix the problem. Calling people jerks for demonstrating an exploit of a security vulnerability seems counter to the prevailing attitude among those who think hiding security problems is an exercise in futility.

    >Moderators, can we please start marking messages that state "this wouldn't happen if it was open source" as "Troll".

    Whoa... you might want to have that knee looked at. :-)


    ---
    Hi! How are you?
    I send you this .sig in order to have your advice

  • by Zero__Kelvin ( 151819 ) on Monday July 30, 2001 @10:56AM (#2182541) Homepage

    "Proof once again that the jerks have more spare time then the people who actually do something worthwhile."

    Don't be so hard on yourself there CmdrTaco! We read your drivelous comments just the same 8^}
    And BTW - it's 'than' the people, not 'then' the people.
  • How do you stop this happening? Simple - deactivate HTML tags from user input by replacing < with &lt; and > with &gt; - problem solved :)

    And if you're putting the results in <INPUT TYPE="TEXT" VALUE="Something The Use Entered"> don't forget to change a quote (") into &quot;. Otherwise you can still get weird results, especially because you can insert new attributes (maybe do something even via onclick="something_nasty()" at that!)

    --


  • For the love of Jebus, with all the ways JavaScript can be abused, why don't the browsers come with a way to filter out the most obnoxious actions? I'd love to see checkboxes for the following.

    Disallow new window creation
    Disallow window moving and resizing
    Disallow redirection
    Disallow shortcut creation
    [I nearly blew a gasket the first time I found that a site had placed porn and casino links in my Start menu.]
    Disallow access to cookies

    There are probably others, I'm no JavaScript whiz.

    An ideal browser would let you toggle all that stuff, and then enable it for specific sites of your choosing.

    I'll have to look at Web Washer again... maybe it lets you re-enable pops for the sites that need them.
  • Does "other HTML code" include ? If it does... poor IE users.
  • here's a good one for all you IE5.5 users. search on lycos for:

    <a href="friskit.com"> <img border=0 src="http://friskit.com/site/images/logo.gif"> </a> <script> document.body.style.filter= "progid:DXImageTransform.Microsoft.Blur (pixelradius=3)"; </script>

  • by scott1853 ( 194884 ) on Monday July 30, 2001 @12:04PM (#2182549)
    Are you stating that open source software is 100% secure?

    People find holes in proprietary systems all the time. Hell, I've gotten a couple hundred MS security bulletins over the last 2 years sitting in my inbox, none of which MS has discovered on their own. The holes in proprietary systems simply get more exposure because it's fuel for all the open source zealots and a large part of corporate america uses the closed systems.

    Moderators, can we please start marking messages that state "this wouldn't happen if it was open source" as "Troll".

    Just to be an idiot and delve deeper into this arguement, are you stating that if it was open source, you'd do a line-by-line audit of the code to make sure it was something you felt was secure and you want to run? Let's face it, everybody that advocates open source just assumes everybody else is testing it. How many people have done a complete code audit of any Linux app before they installed it. None. This could also be due to the fact that most Linux apps haven't made it to that 1.0 mark yet and maybe the users expect what they get. It's a good argument that "it's still in BETA" when somebody points out a security hole in something.
  • Unfortunately, due to a recent vulnerability in Outlook, the ability to redirect a user to a webpage of your choice could be used for malicious purposes. The text below is an extract from Microsoft Security Bulletin MS01-038 [microsoft.com] (http://www.microsoft.com/technet/treeview/default .asp?url=/technet/security/bulletin/MS01-038.asp):

    The Microsoft Outlook View Control is an ActiveX control that allows Outlook mail folders to be viewed via web pages. The control should only allow passive operations such as viewing mail or calendar data. In reality, though, it exposes a function that could allow the web page to manipulate Outlook data. This could enable an attacker to delete mail, change calendar information, or take virtually any other action through Outlook including running arbitrary code on the user's machine. Hostile web sites would pose the greatest threat with respect to this vulnerability. If a user could be enticed into visiting a web page controlled by an attacker, script or HTML on the page could invoke the control when the page was opened. The script or HTML could then use the control to take whatever action the attacker desired on the user's Outlook data.

    Granted, the patch for this problem has long been available, but, as Code Red illustrates, that does little to reduce the overall vulnerability.

  • Yes, it was, but Taco's appelation of jerks--with the specification that they're not doing something worthwhile--is a bit specious, or perhaps more exactly, personally myopic.

    I realize this is hairsplitting, but I'm sure the creators of such "malicious" acts have fully justified reasons for what they're doing, even if those reasons are only justifiable to themselves. They *ARE* doing something worthwhile, in this sense; their actions just aren't worthwhile to Taco.

    Now, if one wishes to attack said individuals on a stictly moral basis, I think that is perfectly justified.

  • I believe the "jerks" reference is to the people writing the malicious JavaScript code, and not the people reporting it. :)

  • Yes, this does seem to be a rather minor problem. It doesn't do anything on the search engine page that the hacker couldn't do on his own page. It's arguable whether insertion of a popup window or an unbidden redirect is exactly a "security breach" at all. Although it's certainly annoying, none of the user's data is compromised.

    This sort of thing could be used to break sites which use cookie security. It would be easy to use the JavaScript to return the session cookie to an intercept site by CGI communication with that site. However, since search engines don't usually have user accounts, this is unlikely to be important. Still, it should be tried on Yahoo! at least, and any other search engine sites that support login and use weak session security.

    Tim

  • My boss just asked me if I could look into directing traffic to our website.

    Knowing this, I could index all of our pages with porn keywords and redirect users to our page selling Office Furniture!!!

    I'll be sure I send out OfficeFurniture.vbs just in case Lycos fixes this hole before I get a chance at a promotion.
  • Combine this with the payola that puts certain for-a-fee pr0n sites at the top of the list, and little Timmy doing a search for his latest book report on "naked singularity" is going to have 20 very confusing new windows pop up on his screen that make him have strange feelings faster than you can say "Tentpole".
  • First off, I wouldn't necessarily say that these guys are "jerks," especially not on the sliding scale of the security industry. If someone who would warn Lycos has enough time and talent to find this, so does someone who would exploit it. And I know first hand how quickly vendors move when they don't have the motivation that results from public disclosure.

    Second, for everyone who's saying how harmless JavaScript is, you're somewhat right, but it doesn't matter. Why? Because the person releasing the vulnerability was just using JavaScript as an example. It could also be VBScript, just as easily...and THAT is NOT harmless by any stretch of the imagination. Imagine doing a search on Lycos, and getting smacked with a new variant of KAK.

  • But the point here is not permissions. The permissions will be sufficient to cause whatever damage the user can cause, PROVIDED there are hooks into the proper system calls or objects. JavaScript is abstracted such that it cannot do many things that VBScript can do.

    Are you actually attempting to state that nobody can do harm if they can get a user to run arbitrary VBS on their machine? Where have you been for the past few years, man? VBS has been the language of choice for some of the most notorious worms and viruses in the past couple of years, and not all of them merely spread from user to user.

  • Pop quiz:

    What handles HTML in the web browser? What handles HTML in email? And finally, what are default permissions in Internet Explorer with respect to ActiveX controls? There a numerous viruses out there, (I mentioned KAK before, so I'll stick with it) that are able to do various things from either a web page or from an email. It just happens that web pages are not a good way to spread a virus, so HTML email is the method of choice. But underlying both HTML mail and web browsing is the same code, the same processing. And yes, KAK relies upon an activeX control. But so what? It didn't matter...KAK spread like wildfire, and did an enormous amount of damage. In penetration testing, I make use of this functionality to test clients...I send an email with HTML scripting that fires back an email to me, with a copy of a particular file off of their computer attached. (Does that behavior sound familiar??)

    You, sir, are clearly not a professional security engineer, admin, consultant, or whatever. If you were, you would stand alone in a crowd that regularly and passionately avoids HTML that comes from untrusted sources. It is for this reason that BUGTRAQ, every mailing list at SecurityFocus, NTBUGTRAQ, and numerous other mailing lists do not want their subscribers sending HTML mail of any form to the list; they have gone so far as to automatically strip off the HTML and leave the messages as plain text. Why do you think there are only a very few HTML tags permitted in Slashdot posts? I don't see the SCRIPT tag in there...do you?

    As for your earlier statements concerning "trashing" something, I have no idea what you think I was trashing. Lycos has a vulnerability...so what? Welcome to the planet, guys...everyone's had a problem sooner or later. Just fix it, and we'll move on. And I certainly wasn't trashing scripting...complaining that someone putting HTML on your site without your control is bad is like saying that someone installing software on your computer without your control is bad. Actually, if it involves scripting, the two are the same.

  • In The Cuckoo's Egg, Cliff Stoll asks (I paraphrase) "If you lived in a small town where nobody locked their doors, would you thank the first burglar?"

    OK, the Internet isn't a small town any more, but one has to wonder where it all ends? As black and gray hats keep upping the ante, just running a simple web site requires more and more vigilance. IMHO, they have already succeeded in making the web an experts-only club.

    That said, this security hole does not seem to have been exploited by anyone. It appears that it was stumbled upon. So I don't know what Jerks Taco is referring to here. Did I over-look something?


  • Because HTML is not a programming language. HTML does not allow things like loops, variables, test conditions, etc...It's just a way to represent the information - a format. I wouldn't call HTML a language

    JS on the other side, hasn't an easy way to access sensitive data or create malicious code. As someone noted before, you can redirect the user to a porn site or something, but its rather dificult (I'm not a JS programmer, just done a couple of hacks with it) to access to sensitive information, such as the hard drive

  • by tb3 ( 313150 ) on Monday July 30, 2001 @11:47AM (#2182579) Homepage
    That's one cool feature in Konqueror; it let's you turn of just the javascript window.opn function. So all of javascript works, but no pop-ups, pop-unders or whatever. It would be nice if the other browser manufacturers would let you turn off certain parts of javascript, but they're advertisers, too, so you know they won't.
  • I think he typed it wrong. If I recall correctly, typing "file://c:/con/con" would crash kernel32 on a Windows 9x box. Somebody running Windows try it and see if it works.
  • by Dr. Prakash Kothari ( 314326 ) on Monday July 30, 2001 @10:46AM (#2182581)
    Windows boxen don't have root access. But I guess it doesn't sound as leet to say "You can 4Dm1n157r470r a Windows box!"
  • If I misconfigure Apache or install an old version of IIS, is that a "security problem" for the rest of the Internet? Just like Lycos's bug, that lets people put arbitrary scripts into my content.

    The simple fact is that content you get from the Internet, be it Slashdot, Lycos, Microsoft, or anything else, may have been altered or may be malicious in itself. If you care about it, you have to deal with it by picking your web client to protect you; trying to insist that every web site is secure and trustworthy is a losing battle.

    BTW, from the description of the bug, JavaScript is the least you have to worry about. ActiveX controls would seem like a much bigger problem. And web sites that server user-supplied JavaScript through SSL are also a much bigger worry (since the user-supplied JavaScript is implicitly signed with the site certificate); at least Lycos doesn't serve its content through SSL.

  • by skunkeh ( 410004 ) on Monday July 30, 2001 @11:09AM (#2182584)
    This one's been around for years, and is present on literally millions of sites. I read somewhere certain both AltaVista and Amazon have both suffered from this in the past. Here's how it works:

    You have some kind of form input, with the next page displaying whatever the user typed into that form field (for a search engine this would be in the form of "You searched for..."). the golden rule of web development is NEVER TRUST input from your users. Most developers take great lengths to check anything that's going into a file or database, or erspecially code that will be executed on the command line.

    However, if you're just going to display something to the user that typed it why bother checking the content? Surely only the user who typed the thing is going to see it again, and it's not like they're going to be able to affect any of your systems?

    Therein lies the problem. If you allow a user to type anything into a form and then have it re-displayed, they can include HTML tags. And if they can include HTML tags, they can include <script> tags. And script tags can do weird stuff.

    Still think it's not a problem thanks to the fact that only the user will see it? Think again - seeing as most applications like search engines use GET to pass parameters, you can fill in the form for the user by offering them a link to click:

    http://yoursite.com/search?<b>Oooh+Bold+Text </b><script>alert('Ew ww nasty popup')</script>

    All of a sudden you can cause your weird popup messages to appear on someone elses site.<p>

    The biggest security problem is the fact that javascript can access cookies. Imagine sending someone to a website via a link containing javascript that reads their username/password cookie for that site then pops up a window feeding that username/password to a script page con your server (in the query string) - BANG, you've got their password.

    How do you stop this happening? Simple - deactivate HTML tags from user input by replacing < with &lt; and > with &gt; - problem solved :)
  • I believe it has been some security feature on slashdot once as well that a redirect can also redirect you to a PUT URL. Say you log in on your etrade.com account in the morning and you never log out... later you go search for something on Lycos, you *THINK* you found what you want, *click* and before you know it you've purchased some stock on etrade. Ofcourse this one is just an example.
    • Imagination is more important than knowledge.
  • IMHO, they have already succeeded in making the web an experts-only club.

    What nonsense. The web has become SO easy to use (and to create webpages for) through such a plethora of tools (frontpage, dreamweaver, just to name a bunch of idiotproof tools). Who are the 'they' you talk about? 'black / gray hats' ? How in the world do they make the web something for 'experts'?

    Listen, most people who want to create their own webpage as beginners go to geocities or something like that. If you get a bit more advanced, you go to a somewhat more advanced hosting provider. You get your own domain even, perhaps. If you get even more advanced, you may have your own DSL line or T1 line. But by the time you get there, you are SUPPOSED to know about security and be vigilant about it.

    • Imagination is more important than knowledge.

Behind every great computer sits a skinny little geek.

Working...