Discuss mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

    Yes, I was actually interested in the <marquee> tag because
    I'm not sure I've ever seen it before.  The problem was nobody
    mentioned that this was exploitable.  All I thought of was standard
    HTML tags, and yeah they could make for some annoying displays, but
    the <script> tag did not occur to me.  If the original posting
    of the marquee tag was supposed to be a warning to me, it completely
    failed.  I really wish someone would have just sent me a PM pointing
    out what you folks apparently thought was obvious.  Never assume
    anything...
    
    And yes, when I'm made aware that there is actually a security hole
    in such things, I'll patch it as quickly as I can.  Between what I
    saw there and something that Fusl pointed out to me, I forgot to
    sanitize the input.  Easily remedied, and the page should be a lot
    safer now.

On 09/11/2017 01:26 AM, Al Beano wrote:

Hi,

In case it's not already obvious, I'm one of the users who attacked the website. 

I'm sorry this incident caused you so much grief. I'll admit that I could have handled it better. That said, however, I'd like to provide my perspective on the situation. 

The first user to report the issue did it lightheartedly, by changing the "sponsored" text on his server listing to include a <marquee> tag. The only comment we heard from you on IRC was that it was "funny as hell", if I recall correctly. 

It was funny, but also very dangerous: the XSS vuln had been made public to a channel of over 100 users, and it allowed any T1/T2 op to phish for universal LDAP credentials or cause the page to provide fake IP addresses to end users. The ramifications could have been huge. 

I care hugely about OpenNIC, having recently donated a large proportion of my spare time since joining — it frustrated me to see one of the 'core' pieces of infrastructure left vulnerable to a potentially very destructive attack. What I read on IRC made it sound as if there were no short-term plans to fix this, so I did the only thing I could think of as a move towards getting it fixed: I exploited it a way which left no lasting damage but broke the it for the time being. 

During this time, I checked the data on the T2 servers page periodically, and as far as I am aware all the exploits were perhaps ass-holeish but not malicious. 

I think I speak for everyone involved when I say I am genuinely very grateful for the infrastructure you maintain; I'm still discovering new services that I wasn't even aware of. 

R.e. code hosting: I understand the frustration of code just disappearing. It seems like Github is around to stay, whether we like it or not, and some OpenNIC code (like the website) has already been published there. I think that could be a good option for permanent code hosting. 

OpenNIC also has a git service: gitlab.libre, maintained by aditaa. Git makes it pretty easy to push the same project to two remotes, and that was we would have the redundancy of two separate hosts. 

Thanks for taking the time to read my epic, and I hope to be contributing to more OpenNIC projects in the future. And no, I don't want to tamper with your quote style. :-)

albino

On 11 September 2017 05:52:31 BST, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
> Last night I got an ear infection plus bad acid reflux and didn't
> hardly 
> sleep at all.  So you can imagine my state of mind when I got up this 
> morning to find a discussion between T1 and T2 operators talking
> vaguely 
> about an exploit they found in the servers page, and the page itself 
> broken and not providing usable info.  It took me quite awhile to dig 
> through everything and determine exactly what was done and start
> working 
> towards repairing the intentional damage.
>
> OK, it's a fair point that I didn't properly sanitize the input.
> However 
> we're talking about a page that has been online for the past two years 
> without any problems, but for some reason you decided that immediate 
> action must be taken right this very second.  And not a single one of 
> you assholes had the courtesy to even send me a PM to say "hey we found
>
> this problem in your page and these are the actions we took."  
> Seriously, I know some of you newcomers are in your teens, but do you 
> really have to ACT like it?  This is a community project, it exists 
> because people in the past have worked *together* to solve problems.  
> It's not a hacking contest to see who can blow up each other's 
> contributions.
>
> There have been a lot of complaints about my code in the past.  Yes I 
> write in Bash and PHP, and yes my code isn't going to be the easiest to
>
> read.  There's also the constant complaints that I don't post my code
> on 
> repo-of-the-week, which I've discussed several times on IRC but nobody 
> seems to care.  Just how many 'official' source-hosting pages has 
> opennic been through?  We've been in sourceforge, but we don't trust 
> them now.  What was the one that did SVN?  And of course there's the 
> numerous local repos that people have run over the years which up and 
> disappear one day without warning.  I've submitted a fair chunk of my 
> code at least twice. And poof, there's no evidence remaining that it 
> ever existed.
>
> I have limited time to work on opennic, but I've churned out an 
> incredible amount of code for the project over the years.  There is
> very 
> little of opennic's infrastructure that I haven't had a hand in or 
> written completely from scratch.  Everybody that comes through always 
> has their own ideas on how things should be done, what changes need to 
> be made, and yet almost none of those people have actually contributed 
> anything.  Opennic owes its very existence to those few people such as 
> myself who have dedicated months or years of programming time to
> provide 
> the services that everyone else uses on a daily basis.  There is a huge
>
> amount of code in the background that I personally own and have to 
> troubleshoot when things go wrong.  I spend what time I can either 
> fixing the larger problems or trying to set up new code to provide 
> features.  I have dedicated time nearly daily to making sure things run
>
> smoothly or fixing whatever is broken, and the thanks I get is "hey
> lets 
> fuck up his shit and see how long it takes him to figure it out."  Real
>
> mature.
>
> If anyone wants a copy of my working code, I have always been happy to 
> provide it.  It may take me some time to get it together, but I've 
> always given it.  And I would love to have others help clean things up,
>
> especially the registrar code behind reg.for.free. Unfortunately the 
> only feedback I have ever gotten is "I don't like your standard use of 
> single- and double-quotes... here's a rewrite to quote things MY way." 
>
> I don't have time to keep learning a new repo system every year or two 
> and I no longer have the patience to care, but if someone else wants to
>
> do the deed I've already mentioned many times that I am happy to help 
> work with them.
>
> I've been thinking about this all day and I'm still pissed, and 
> apparently still can't even coherently express my frustration, so let
> me 
> summarize... Grow the fuck up and learn how to actually work with other
>
> people who are in different times zones.  People have pointed out bugs 
> in my code before, and I almost always get them fixed within a day or 
> two.  Yeah I make mistakes, I know this and I know enough to understand
>
> the problem when they are pointed out, assuming you actually give me
> the 
> chance.
>
>
> ------------------------------------------------------------------------
>
>
>
> --------
> You are a member of the OpenNIC Discuss list. 
> You may unsubscribe by emailing
> discuss-unsubscribe AT lists.opennicproject.org
>       
      
      
      

--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org