Caravel Forum : Caravel Boards : The Site : About deleted topic.
halyavin
Level: Delver
Rank Points: 52
Registered: 02-20-2006
IP: Logged
icon About deleted topic. (0)  
Those links look like an XSS vulnerability. They are extremely dangerous at this site because the password is saved in cookies as open text. I think it is not hard to add escaping and fix them. Otherwise all people at this forum have to carefully investigate each internal link :( .
03-06-2007 at 01:16 PM
Schik
Level: Legendary Smitemaster
Avatar
Rank Points: 5381
Registered: 02-04-2003
IP: Logged
icon Re: About deleted topic. (0)  
The attack actually originated from the same city you are in. Maybe you could look around your neighborhood, and see if you can find anyone who would try to expose vulnerabilities here in a very anti-social way.

If you find somebody like that, let me know.

____________________________
The greatness of a nation and its moral progress can be judged by the way it treats its animals.
--Mahatma Gandhi
03-06-2007 at 01:36 PM
silver
Level: Smitemaster
Rank Points: 915
Registered: 01-18-2005
IP: Logged
icon Re: About deleted topic. (0)  
aha. I always suspected that the ultimate forum enforcement around here involved "accidents". now I know.



____________________________
:yinyang
03-06-2007 at 02:38 PM
halyavin
Level: Delver
Rank Points: 52
Registered: 02-20-2006
IP: Logged
icon Re: About deleted topic. (-1)  
Schik wrote:
The attack actually originated from the same city you are in. Maybe you could look around your neighborhood, and see if you can find anyone who would try to expose vulnerabilities here in a very anti-social way.
Moscow is a big city, trust me :yes . And I don't think that is a very anti-social way to post bugs, at least for a newbie.
Schik wrote:
If you find somebody like that, let me know.

I wonder what would change if you know the one's name? I don't know your name, but I am not going to hit you because this forum contains such serious vulnerabilities. Or are you among the persons who could kill in order to avoid criticism ;) ?

Now anyone has to log out from caravelgames and erase the cookies in order to visit other sites (until you fix the bugs, of course). Because any site can contain JavaScript code which can force you to follow the bad request to the forum.
03-06-2007 at 04:54 PM
Maurog
Level: Smitemaster
Avatar
Rank Points: 1501
Registered: 09-16-2004
IP: Logged
icon Re: About deleted topic. (+1)  
Latest weather reports from Glass of Water - stormy.

____________________________
Slay the living! Raise the dead!
Paint the sky in crimson red!
03-06-2007 at 05:04 PM
Schik
Level: Legendary Smitemaster
Avatar
Rank Points: 5381
Registered: 02-04-2003
IP: Logged
icon Re: About deleted topic. (+1)  
halyavin wrote:
And I don't think that is a very anti-social way to post bugs, at least for a newbie.
Phishing for passwords isn't anti-social? Wow, that's an interesting take on things.
halyavin wrote:
I wonder what would change if you know the one's name? I don't know your name, but I am not going to hit you because this forum contains such serious vulnerabilities. Or are you among the persons who could kill in order to avoid criticism ;) ?
My name is Matt Schikore. Criticizing something is very different than attacking it. I have no problem with being criticized, but people who attack the forum will be banned. No questions. And phishing falls right in the middle of my definition of attacking.

____________________________
The greatness of a nation and its moral progress can be judged by the way it treats its animals.
--Mahatma Gandhi
03-06-2007 at 05:07 PM
Jason
Level: Smitemaster
Rank Points: 1076
Registered: 05-05-2006
IP: Logged
icon Re: About deleted topic. (+1)  
Hello. I am a person from some random company who has a website Jason went to. I had a secret cookie stealer buried somewhere in our JavaScript code, so now I can post as Jason! Muahaha! :bond

____________________________
Play my holds?
03-06-2007 at 05:12 PM
Elfstone
Level: Smitemaster
Avatar
Rank Points: 1285
Registered: 03-01-2006
IP: Logged
icon Re: About deleted topic. (0)  
Schik wrote:
Phishing for passwords isn't anti-social?

Phishing ? ? ? ? (isn't in my dictionary)

"About deleted topic." what/which deleted topic?

____________________________
Winner of: Novice Architect Excellence 2006.
FAPCA - Technical Design Excellence in Layout and Aesthetics

03-06-2007 at 06:21 PM
Stefan
Level: Smitemaster
Avatar
Rank Points: 2119
Registered: 05-25-2004
IP: Logged
icon Re: About deleted topic. (+1)  
Phishing is one of the many evils of the Internet.

I never got a chance to see the thread before it got deleted, though, so I don't know what it was all about.

____________________________
0.099³
03-06-2007 at 06:24 PM
eytanz
Level: Smitemaster
Avatar
Rank Points: 2708
Registered: 02-05-2003
IP: Logged
icon Re: About deleted topic. (0)  
Phishing is a kind of internet attack that involves a fake site or link which looks legitimate, but if you post information to it it will be stolen. (The word comes from "fishing", as it involves putting out bait and waiting to see who falls for it).

The deleted thread contained such an attack - a user claimed to have found a few buggy links, but they really led somewhere potentially bad. It was deleted for obvious reasons.

____________________________
I got my avatar back! Yay!

[Last edited by eytanz at 03-06-2007 06:26 PM]
03-06-2007 at 06:26 PM
Elfstone
Level: Smitemaster
Avatar
Rank Points: 1285
Registered: 03-01-2006
IP: Logged
icon Re: About deleted topic. (0)  
Eeeeek! :w00t

Very good article, thanks Stefan. Thanks also to eytanz.

I've learnt a new word and, amazing though it seems to me, I have already been "phished" ( :lol at my age!!!! ) if that's the right way of putting it. I had an email a while back purporting to be from my bank and I thought it was a bit odd and so I phoned them. It was fraudulent and I was told simply to delete and ignore. That was 'phishing'? only I didn't know it at the time. :)

____________________________
Winner of: Novice Architect Excellence 2006.
FAPCA - Technical Design Excellence in Layout and Aesthetics

03-06-2007 at 06:37 PM
Briareos
Level: Smitemaster
Avatar
Rank Points: 3516
Registered: 08-07-2005
IP: Logged
icon Re: About deleted topic. (0)  
Elfstone wrote:
I've learnt a new word and, amazing though it seems to me, I have already been "phished" ( :lol at my age!!!! ) if that's the right way of putting it. I had an email a while back purporting to be from my bank and I thought it was a bit odd and so I phoned them. It was fraudulent and I was told simply to delete and ignore. That was 'phishing'? only I didn't know it at the time. :)
Oh, those... yeah, I get those a lot also. Mostly for banks I don't have an account with. :)

That's why I always make sure to actually fill out their forms with random stuff and give them something to wade through...

np: Boards Of Canada - Telephasic Workshop (Music Has The Right To Children)

____________________________
"I'm not anti-anything, I'm anti-everything, it fits better." - Sole
R.I.P. Robert Feldhoff (1962-2009) :(
03-06-2007 at 06:51 PM
halyavin
Level: Delver
Rank Points: 52
Registered: 02-20-2006
IP: Logged
icon Re: About deleted topic. (-1)  
Schik wrote:
halyavin wrote:
And I don't think that is a very anti-social way to post bugs, at least for a newbie.
Phishing for passwords isn't anti-social? Wow, that's an interesting take on things.
There is a difference between phishing and XSS. The links were leading to caravelgames as far as I remember, and so there is no fake site here. On a secure forum you would not compromise your password by pressing any internal (i.e. leading to the forum) link. Also the author mentioned that there is a problem with links (this is an indirect warning, isn't it?). And the author seems to give you the precise place you need to fix (or not? I don't know JavaScript well).

Also I think that without an example you wouldn't start to fix the forum, as no one wanted to discuss a DROD solver until I showed it. I am not even sure that you are going to fix the forum after this clear evidence of the problem.

I have posted on the forum that storing the password in cookies is dangerous, but you haven't fixed the problem until now. You probably thought that in order to exploit this someone needs to capture traffic (which is hard to do) or find a hole in the forum. If there is no hole in the forum, there are no big problems in storing the password in the cookies. That's why it is not worth fixing the issue. But unfortunately the holes do exist and now they are suitable to compromise passwords. Your beautiful logic led to bad consequences.

Schik wrote:
halyavin wrote:
I wonder what would change if you know the one's name? I don't know your name, but I am not going to hit you because this forum contains such serious vulnerabilities. Or are you among the persons who could kill in order to avoid criticism ;) ?
My name is Matt Schikore. Criticizing something is very different than attacking it. I have no problem with being criticized, but people who attack the forum will be banned. No questions. And phishing falls right in the middle of my definition of attacking.
You still have not answered the first question ;) .
03-06-2007 at 07:28 PM
eytanz
Level: Smitemaster
Avatar
Rank Points: 2708
Registered: 02-05-2003
IP: Logged
icon Re: About deleted topic. (+1)  
The links in the deleted thread went offsite, not to Caravelgames, except the first one which was probably a decoy.

halyavin wrote:
Also I think that without an example you wouldn't start to fix the forum, as no one wanted to discuss a DROD solver until I showed it. I am not even sure that you are going to fix the forum after this clear evidence of the problem.

It's not the same thing at all. The DROD solver was not, is not, and has never been a real problem. It is an interesting issue, worth discussing as such, but you tried to present it as a major problem for the highscores and everyone's attitude was basically "Stop being a drama queen, and let us know if you want to have interesting discussion".

This is a real problem, and Schik will treat it as such. But that doesn't mean he has to be lectured at. He will decide what is best to do and deal with it.

____________________________
I got my avatar back! Yay!

[Last edited by eytanz at 03-06-2007 07:36 PM]
03-06-2007 at 07:33 PM
Schik
Level: Legendary Smitemaster
Avatar
Rank Points: 5381
Registered: 02-04-2003
IP: Logged
icon Re: About deleted topic. (+1)  
eytanz wrote:
The links in the deleted thread went offsite, not to Caravelgames, except the first one which was probably a decoy.
The links used flaws in the forum to inject javascript code to redirect the user to a private site, which would then grab the clicker's CaravelNet password, and redirect the clicker back to the forum.
halyavin wrote:
There is a difference between phishing and XSS. The links were leading to caravelgames as far as I remember, and so there is no fake site here.
Pardon my misuse of terminology. The poster used a commercial program to find flaws in the forum which he could then exploit.
halyavin wrote:
Also I think that without an example you wouldn't start to fix the forum, as no one wanted to discuss a DROD solver until I showed it. I am not even sure that you are going to fix the forum after this clear evidence of the problem.
You see, if the poster had some altruistic desire to make the forum more secure, he would have sent the vulnerabilities to someone who could fix them. He wouldn't have taken advantage of the vulnerabilities by using them to steal passwords. He did it this way to get attention.
halyavin wrote:
If there is no hole in the forum, there are no big problems in storing the password in the cookies. That's why it is not worth fixing the issue. But unfortunately the holes do exist and now they are suitable to compromise passwords. Your beautiful logic led to bad consequences.
I'm not saying, nor do I believe I've ever said, that the forum is flawless. I have very limited time to work on the forum - you do realize it's not a full-time paying position, right? I have a long list of things that are more interesting to me than chasing script kiddies. So yeah, I try to make things secure, but stuff slips by.
halyavin wrote:
I wonder what would change if you know the one's name?
You still have not answered the first question ;) .
I'm not sure what you even mean. I do know his name, and his address, and his phone number. And the school computer he used to find the exploits. I'm not sure what you expect to change.

____________________________
The greatness of a nation and its moral progress can be judged by the way it treats its animals.
--Mahatma Gandhi
03-06-2007 at 07:48 PM
silver
Level: Smitemaster
Rank Points: 915
Registered: 01-18-2005
IP: Logged
icon Re: About deleted topic. (+2)  
as a side note: for any site (thus including this one), the proper way to bug report an actual usable exploit is to send it privately to the administrator(s), not to post a message demonstrating the bug and coincidentally scamming passwords along the way. that's the only "social" way to do it, anything else is "anti-social". even for a n00b. because this is a global rule for the whole netspace, not one specific to this forum.


____________________________
:yinyang
03-06-2007 at 07:55 PM
Tahnan
Level: Smitemaster
Avatar
Rank Points: 2459
Registered: 11-14-2005
IP: Logged
icon Re: About deleted topic. (+1)  
Sorry, I think I'm still confused on one point. Why is halyavin still allowed to post here?
03-06-2007 at 10:10 PM
RoboBob3000
Level: Smitemaster
Avatar
Rank Points: 1978
Registered: 10-23-2003
IP: Logged
icon Re: About deleted topic. (0)  
Jason wrote:
Hello. I am a person from some random company who has a website Jason went to. I had a secret cookie stealer buried somewhere in our JavaScript code, so now I can post as Jason! Muahaha! :bond

Is Jason kidding here? I ask because he posted an odd link recently.

(And if we're in the business of being suspicious of links now, search for Jason's recent posts. The topic I'm questioning is titled "Weird, no rooms...")

____________________________
http://beepsandbloops.wordpress.com/
03-06-2007 at 10:21 PM
Albert
Level: Goblin
Rank Points: 29
Registered: 11-01-2006
IP: Logged
icon Re: About deleted topic. (0)  
That's not an odd link, it's a perfectly true observation.
03-06-2007 at 10:57 PM
KevG
Level: Smiter
Avatar
Rank Points: 333
Registered: 08-16-2004
IP: Logged
icon Re: About deleted topic. (0)  
And speaking of said deleted topic, there have been two replies to it since it was deleted; both viewable using the "Today's Active Posts" link on the main page. The most recent is by Jatopian. The main page shows him as the most recent poster to the "The Site" subforum despite the fact the thread itself doesn't appear there.

[Last edited by KevG at 03-07-2007 12:09 AM]
03-07-2007 at 12:09 AM
Jatopian
Level: Smitemaster
Rank Points: 1842
Registered: 07-31-2005
IP: Logged
icon Re: About deleted topic. (0)  
KevG wrote:
And speaking of said deleted topic, there have been two replies to it since it was deleted; both viewable using the "Today's Active Posts" link on the main page. The most recent is by Jatopian. The main page shows him as the most recent poster to the "The Site" subforum despite the fact the thread itself doesn't appear there.
What, this? I see no phishing there, nor indications of post editing.
And I have nothing to do with this ugly business and would prefer not to, please.

____________________________
DROD has some really great music.
Make your pressure plates 3.0 style!
DROD architecture idea generator

[Last edited by Jatopian at 03-07-2007 12:43 AM]
03-07-2007 at 12:43 AM
eytanz
Level: Smitemaster
Avatar
Rank Points: 2708
Registered: 02-05-2003
IP: Logged
icon Re: About deleted topic. (0)  
Tahnan wrote:
Sorry, I think I'm still confused on one point. Why is halyavin still allowed to post here?

Why wouldn't he? He has a bit of an attitude, but as far as I know, he did nothing wrong.

____________________________
I got my avatar back! Yay!
03-07-2007 at 01:31 AM
schep
Level: Smitemaster
Avatar
Rank Points: 864
Registered: 03-01-2005
IP: Logged
icon Re: About deleted topic. (+1)  
Tahnan wrote:
Sorry, I think I'm still confused on one point. Why is halyavin still allowed to post here?
Hey, now, there's no call for accusations. Just because the do-first-then-draw-attention nature of this morning's exploit post is somewhat similar to that one DROD solver poll, and because halyavin quickly and repeatedly posted sympathizing with the original poster, and because Schik says he's identified the owner of the account which posted it as somebody specific in Moscow...

Wait, I forget where I was going with that. Let me start over.

The consequences of the exploiter's post are between said exploiter and the forum admins. I'm sure the Exploiter, if he or she still has access to the forum, is now aware that any further harmful shenanigans will result in banned IPs or something like that. And maybe the Exploiter even learned something from all this.
03-07-2007 at 01:45 AM
Banjooie
Level: Smitemaster
Avatar
Rank Points: 1645
Registered: 12-12-2004
IP: Logged
icon Re: About deleted topic. (+1)  
Tahnan wrote:
Sorry, I think I'm still confused on one point. Why is halyavin still allowed to post here?

Because who will remind us about his DROD solver every third post if he's banned?

I mean, seriously!
03-07-2007 at 02:00 AM
halyavin
Level: Delver
Rank Points: 52
Registered: 02-20-2006
IP: Logged
icon Re: About deleted topic. (-2)  
I have just read in Wikipedia that there is also a cross-site request forgery attack. And I don't see a protection from it on this site (if I understand the way it works properly). It is probably harder to fix but it is as dangerous as an XSS attack. There is a simple way to protect yourself from this attack though: you need to log out before visiting any external link.

PS I respect most hackers and crackers. Without them there would be no thousands of films in my local network :) and most sites would be easily controlled by NSA and FBI :unsure .
03-07-2007 at 05:20 AM
NiroZ
Level: Smitemaster
Rank Points: 1302
Registered: 02-12-2006
IP: Logged
icon Re: About deleted topic. (+1)  
halyavin wrote:
I have just read in Wikipedia that there is also a cross-site request forgery attack. And I don't see a protection from it on this site (if I understand the way it works properly). It is probably harder to fix but it is as dangerous as an XSS attack. There is a simple way to protect yourself from this attack though: you need to log out before visiting any external link.
Perhaps this would be better if you discussed this privately with the admins? Perhaps you should specify exactly what needs to be done to prevent these issues, instead of just trying to scare us?

FYI, for a cross site scripting attack to work you need to have the ability to run scripts off the selected website (which has had google in for a few troubles). The only place where you can do that here, AFAIK, is by attaching files, which happen to have hot linking protection which would automatically prevent that sort of behaviour.

[Last edited by NiroZ at 03-07-2007 07:44 AM]
03-07-2007 at 05:41 AM
Maurog
Level: Smitemaster
Avatar
Rank Points: 1501
Registered: 09-16-2004
IP: Logged
icon Re: About deleted topic. (+1)  
halyavin wrote:
PS I respect most hackers and crackers...
Well, I'm fond of pirates, myself. But I don't go into the local grocery store and advise them to reinforce the walls, put some cannons in strategic places and hide the umm, wenches (the lady who runs the store is like 70 years old). Why would pirates raid a grocery store?

____________________________
Slay the living! Raise the dead!
Paint the sky in crimson red!
03-07-2007 at 06:25 AM
halyavin
Level: Delver
Rank Points: 52
Registered: 02-20-2006
IP: Logged
icon Re: About deleted topic. (0)  
Maurog wrote:
Why would pirates raid a grocery store?
The Internet is more hostile than real life. And criminals would more probably threaten you with beating your family members than burgling your grocery store :? .
03-07-2007 at 07:07 AM
Maurog
Level: Smitemaster
Avatar
Rank Points: 1501
Registered: 09-16-2004
IP: Logged
icon Re: About deleted topic. (0)  
Exactly!

____________________________
Slay the living! Raise the dead!
Paint the sky in crimson red!
03-07-2007 at 07:13 AM
halyavin
Level: Delver
Rank Points: 52
Registered: 02-20-2006
IP: Logged
icon Re: About deleted topic. (-1)  
NiroZ wrote:
Perhaps you should specify exactly what needs to be done to prevent these issues, instead of just trying to scare us?
This is written in the Wikipedia article - a site shouldn't rely only on cookies. Instead, the site should support session ids in hidden fields of the request. If a request doesn't have the correct session id (i.e. someone redirected you from their site), it should lead to the main forum page instead of executing the request with possibly dangerous side effects. This is how I understand this attack. Maybe I am wrong. I would be glad to see the wrong point in my reasoning then.
03-07-2007 at 07:22 AM
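
The check described in the post above, together with the output escaping raised in the first post, sketched as an added example (not part of the thread and not the forum's own code). The cookie name `sid`, the hidden field name `csrf`, the paths and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets

# Assumed names for this sketch: cookie "sid", hidden field "csrf", these paths.
SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to browsers
FORUM_INDEX = "/forum/index"           # where rejected requests are redirected


def new_session_id():
    """Opaque random value stored in the cookie in place of the password."""
    return secrets.token_urlsafe(32)


def csrf_token(session_id, action):
    """Token bound to one session and one action, derived with HMAC-SHA256."""
    msg = f"{action}\n{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_reply_form(session_id, topic_title):
    """Build the reply form: user-controlled text escaped, token in a hidden field."""
    token = csrf_token(session_id, "post_reply")
    return (
        '<form method="post" action="/forum/reply">\n'
        f"  <h3>Reply to: {html.escape(topic_title)}</h3>\n"
        f'  <input type="hidden" name="csrf" value="{html.escape(token)}">\n'
        '  <textarea name="body"></textarea>\n'
        "</form>"
    )


def handle_reply(cookies, form):
    """Return (status, result) for a state-changing request.

    The browser attaches the cookie to every request for the site, including
    one triggered from another site, so the cookie alone proves nothing.
    The hidden-field token is only present in forms this server rendered.
    """
    session_id = cookies.get("sid", "")
    supplied = form.get("csrf", "")
    expected = csrf_token(session_id, "post_reply")
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    ok = bool(session_id) and hmac.compare_digest(
        supplied.encode(), expected.encode()
    )
    if not ok:
        return 303, FORUM_INDEX        # no side effects, back to the main page
    return 200, "reply stored"


if __name__ == "__main__":
    sid = new_session_id()
    # Constructed sample inputs.
    print(render_reply_form(sid, '<script>alert(1)</script>'))
    good = {"csrf": csrf_token(sid, "post_reply"), "body": "hello"}
    forged = {"body": "posted from another site"}   # cookie sent, token missing
    print(handle_reply({"sid": sid}, good))
    print(handle_reply({"sid": sid}, forged))
```
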
Powered by: tForum tForumHacks Edition b0.98.8
Originally created by Toan Huynh (Copyright © 2000)
Enhanced by the tForumHacks team and the Caravel team.