Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] This is my %#$ rant

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] This is my %#$ rant


Chronological Thread 
  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] This is my %#$ rant
  • Date: Mon, 11 Sep 2017 10:50:07 -0600
  • Authentication-results: mx1.computerrehab.us; dmarc=none header.from=sourpuss.net
  • Dmarc-filter: OpenDMARC Filter v1.3.0 mx1.computerrehab.us 106AB2D7B9

Yes, I was actually interested in the <marquee> tag because I'm not sure I've ever seen it before.  The problem was nobody mentioned that this was exploitable.  All I thought of was standard HTML tags, and yeah they could make for some annoying displays, but the <script> tag did not occur to me.  If the original posting of the marquee tag was supposed to be a warning to me, it completely failed.  I really wish someone would have just sent me a PM pointing out what you folks apparently thought was obvious.  Never assume anything...

And yes, when I'm made aware that there is actually a security hole in such things, I'll patch it as quickly as I can.  Between what I saw there and something that Fusl pointed out to me, I forgot to sanitize the input.  Easily remedied, and the page should be a lot safer now.


On 09/11/2017 01:26 AM, Al Beano wrote:
Hi,

In case it's not already obvious, I'm one of the users who attacked the website. 

I'm sorry this incident caused you so much grief. I'll admit that I could have handled it better. That said, however, I'd like to provide my perspective on the situation. 

The first user to report the issue did it lightheartedly, by changing the "sponsored" text on his server listing to include a <marquee> tag. The only comment we heard from you on IRC was that it was "funny as hell", if I recall correctly. 

It was funny, but also very dangerous: the XSS vuln had been made public to a channel of over 100 users, and it allowed any T1/T2 op to phish for universal LDAP credentials or cause the page to provide fake IP addresses to end users. The ramifications could have been huge. 

I care hugely about OpenNIC, having recently donated a large proportion of my spare time since joining — it frustrated me to see one of the 'core' pieces of infrastructure left vulnerable to a potentially very destructive attack. What I read on IRC made it sound as if there were no short-term plans to fix this, so I did the only thing I could think of as a move towards getting it fixed: I exploited it a way which left no lasting damage but broke the it for the time being. 

During this time, I checked the data on the T2 servers page periodically, and as far as I am aware all the exploits were perhaps ass-holeish but not malicious. 

I think I speak for everyone involved when I say I am genuinely very grateful for the infrastructure you maintain; I'm still discovering new services that I wasn't even aware of. 

R.e. code hosting: I understand the frustration of code just disappearing. It seems like Github is around to stay, whether we like it or not, and some OpenNIC code (like the website) has already been published there. I think that could be a good option for permanent code hosting. 

OpenNIC also has a git service: gitlab.libre, maintained by aditaa. Git makes it pretty easy to push the same project to two remotes, and that was we would have the redundancy of two separate hosts. 

Thanks for taking the time to read my epic, and I hope to be contributing to more OpenNIC projects in the future. And no, I don't want to tamper with your quote style. :-)

albino

On 11 September 2017 05:52:31 BST, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
Last night I got an ear infection plus bad acid reflux and didn't
hardly 
sleep at all.  So you can imagine my state of mind when I got up this 
morning to find a discussion between T1 and T2 operators talking
vaguely 
about an exploit they found in the servers page, and the page itself 
broken and not providing usable info.  It took me quite awhile to dig 
through everything and determine exactly what was done and start
working 
towards repairing the intentional damage.

OK, it's a fair point that I didn't properly sanitize the input.
However 
we're talking about a page that has been online for the past two years 
without any problems, but for some reason you decided that immediate 
action must be taken right this very second.  And not a single one of 
you assholes had the courtesy to even send me a PM to say "hey we found

this problem in your page and these are the actions we took."  
Seriously, I know some of you newcomers are in your teens, but do you 
really have to ACT like it?  This is a community project, it exists 
because people in the past have worked *together* to solve problems.  
It's not a hacking contest to see who can blow up each other's 
contributions.

There have been a lot of complaints about my code in the past.  Yes I 
write in Bash and PHP, and yes my code isn't going to be the easiest to

read.  There's also the constant complaints that I don't post my code
on 
repo-of-the-week, which I've discussed several times on IRC but nobody 
seems to care.  Just how many 'official' source-hosting pages has 
opennic been through?  We've been in sourceforge, but we don't trust 
them now.  What was the one that did SVN?  And of course there's the 
numerous local repos that people have run over the years which up and 
disappear one day without warning.  I've submitted a fair chunk of my 
code at least twice. And poof, there's no evidence remaining that it 
ever existed.

I have limited time to work on opennic, but I've churned out an 
incredible amount of code for the project over the years.  There is
very 
little of opennic's infrastructure that I haven't had a hand in or 
written completely from scratch.  Everybody that comes through always 
has their own ideas on how things should be done, what changes need to 
be made, and yet almost none of those people have actually contributed 
anything.  Opennic owes its very existence to those few people such as 
myself who have dedicated months or years of programming time to
provide 
the services that everyone else uses on a daily basis.  There is a huge

amount of code in the background that I personally own and have to 
troubleshoot when things go wrong.  I spend what time I can either 
fixing the larger problems or trying to set up new code to provide 
features.  I have dedicated time nearly daily to making sure things run

smoothly or fixing whatever is broken, and the thanks I get is "hey
lets 
fuck up his shit and see how long it takes him to figure it out."  Real

mature.

If anyone wants a copy of my working code, I have always been happy to 
provide it.  It may take me some time to get it together, but I've 
always given it.  And I would love to have others help clean things up,

especially the registrar code behind reg.for.free. Unfortunately the 
only feedback I have ever gotten is "I don't like your standard use of 
single- and double-quotes... here's a rewrite to quote things MY way." 

I don't have time to keep learning a new repo system every year or two 
and I no longer have the patience to care, but if someone else wants to

do the deed I've already mentioned many times that I am happy to help 
work with them.

I've been thinking about this all day and I'm still pissed, and 
apparently still can't even coherently express my frustration, so let
me 
summarize... Grow the fuck up and learn how to actually work with other

people who are in different times zones.  People have pointed out bugs 
in my code before, and I almost always get them fixed within a day or 
two.  Yeah I make mistakes, I know this and I know enough to understand

the problem when they are pointed out, assuming you actually give me
the 
chance.


------------------------------------------------------------------------



--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing
discuss-unsubscribe AT lists.opennicproject.org

      


--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org




Archive powered by MHonArc 2.6.19.

Top of Page