discuss - Re: [opennic-discuss] This is my %#$ rant

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Al Beano <albino AT autistici.org>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] This is my %#$ rant
  • Date: Mon, 11 Sep 2017 17:56:13 +0100

There was an IRC line describing the site as "insecure as hell", or words to
that effect, accompanying the mention of the <marquee> tag.

I do get your point though. I'll be a bit more helpful next time.

Would it be possible to get a copy of the source code? I'd like to audit it
properly. Git would be ideal but a tarball is fine too.

albino

On 11 September 2017 17:50:07 BST, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
>Yes, I was actually interested in the <marquee> tag because I'm not sure
>I've ever seen it before. The problem was nobody mentioned that this
>was exploitable. All I thought of was standard HTML tags, and yeah they
>could make for some annoying displays, but the <script> tag did not
>occur to me. If the original posting of the marquee tag was supposed to
>be a warning to me, it completely failed. I really wish someone would
>have just sent me a PM pointing out what you folks apparently thought
>was obvious. Never assume anything...
>
>And yes, when I'm made aware that there is actually a security hole in
>such things, I'll patch it as quickly as I can. Between what I saw
>there and something that Fusl pointed out to me, I forgot to sanitize
>the input. Easily remedied, and the page should be a lot safer now.
>
>
>On 09/11/2017 01:26 AM, Al Beano wrote:
>> Hi,
>>
>> In case it's not already obvious, I'm one of the users who attacked
>> the website.
>>
>> I'm sorry this incident caused you so much grief. I'll admit that I
>> could have handled it better. That said, however, I'd like to provide
>> my perspective on the situation.
>>
>> The first user to report the issue did it lightheartedly, by changing
>> the "sponsored" text on his server listing to include a <marquee> tag.
>> The only comment we heard from you on IRC was that it was "funny as
>> hell", if I recall correctly.
>>
>> It was funny, but also very dangerous: the XSS vuln had been made
>> public to a channel of over 100 users, and it allowed any T1/T2 op to
>> phish for universal LDAP credentials or cause the page to provide fake
>> IP addresses to end users. The ramifications could have been huge.
>>
>> I care hugely about OpenNIC, having recently donated a large
>> proportion of my spare time since joining — it frustrated me to see one
>> of the 'core' pieces of infrastructure left vulnerable to a potentially
>> very destructive attack. What I read on IRC made it sound as if there
>> were no short-term plans to fix this, so I did the only thing I could
>> think of as a move towards getting it fixed: I exploited it in a way
>> which left no lasting damage but broke it for the time being.
>>
>> During this time, I checked the data on the T2 servers page
>> periodically, and as far as I am aware all the exploits were perhaps
>> ass-holeish but not malicious.
>>
>> I think I speak for everyone involved when I say I am genuinely very
>> grateful for the infrastructure you maintain; I'm still discovering new
>> services that I wasn't even aware of.
>>
>> R.e. code hosting: I understand the frustration of code just
>> disappearing. It seems like Github is around to stay, whether we like
>> it or not, and some OpenNIC code (like the website) has already been
>> published there. I think that could be a good option for permanent code
>> hosting.
>>
>> OpenNIC also has a git service: gitlab.libre, maintained by aditaa.
>> Git makes it pretty easy to push the same project to two remotes, and
>> that way we would have the redundancy of two separate hosts.
>>
>> Thanks for taking the time to read my epic, and I hope to be
>> contributing to more OpenNIC projects in the future. And no, I don't
>> want to tamper with your quote style. :-)
>>
>> albino
>>
>> On 11 September 2017 05:52:31 BST, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
>>> Last night I got an ear infection plus bad acid reflux and didn't
>>> hardly sleep at all. So you can imagine my state of mind when I got
>>> up this morning to find a discussion between T1 and T2 operators
>>> talking vaguely about an exploit they found in the servers page, and
>>> the page itself broken and not providing usable info. It took me
>>> quite a while to dig through everything and determine exactly what
>>> was done and start working towards repairing the intentional damage.
>>>
>>> OK, it's a fair point that I didn't properly sanitize the input.
>>> However we're talking about a page that has been online for the past
>>> two years without any problems, but for some reason you decided that
>>> immediate action must be taken right this very second. And not a
>>> single one of you assholes had the courtesy to even send me a PM to
>>> say "hey we found this problem in your page and these are the actions
>>> we took." Seriously, I know some of you newcomers are in your teens,
>>> but do you really have to ACT like it? This is a community project,
>>> it exists because people in the past have worked *together* to solve
>>> problems. It's not a hacking contest to see who can blow up each
>>> other's contributions.
>>>
>>> There have been a lot of complaints about my code in the past. Yes I
>>> write in Bash and PHP, and yes my code isn't going to be the easiest
>>> to read. There's also the constant complaints that I don't post my
>>> code on repo-of-the-week, which I've discussed several times on IRC
>>> but nobody seems to care. Just how many 'official' source-hosting
>>> pages has opennic been through? We've been in sourceforge, but we
>>> don't trust them now. What was the one that did SVN? And of course
>>> there's the numerous local repos that people have run over the years
>>> which up and disappear one day without warning. I've submitted a fair
>>> chunk of my code at least twice. And poof, there's no evidence
>>> remaining that it ever existed.
>>>
>>> I have limited time to work on opennic, but I've churned out an
>>> incredible amount of code for the project over the years. There is
>>> very little of opennic's infrastructure that I haven't had a hand in
>>> or written completely from scratch. Everybody that comes through
>>> always has their own ideas on how things should be done, what changes
>>> need to be made, and yet almost none of those people have actually
>>> contributed anything. Opennic owes its very existence to those few
>>> people such as myself who have dedicated months or years of
>>> programming time to provide the services that everyone else uses on a
>>> daily basis. There is a huge amount of code in the background that I
>>> personally own and have to troubleshoot when things go wrong. I spend
>>> what time I can either fixing the larger problems or trying to set up
>>> new code to provide features. I have dedicated time nearly daily to
>>> making sure things run smoothly or fixing whatever is broken, and the
>>> thanks I get is "hey let's fuck up his shit and see how long it takes
>>> him to figure it out." Real mature.
>>>
>>> If anyone wants a copy of my working code, I have always been happy
>>> to provide it. It may take me some time to get it together, but I've
>>> always given it. And I would love to have others help clean things
>>> up, especially the registrar code behind reg.for.free. Unfortunately
>>> the only feedback I have ever gotten is "I don't like your standard
>>> use of single- and double-quotes... here's a rewrite to quote things
>>> MY way." I don't have time to keep learning a new repo system every
>>> year or two and I no longer have the patience to care, but if someone
>>> else wants to do the deed I've already mentioned many times that I am
>>> happy to help work with them.
>>>
>>> I've been thinking about this all day and I'm still pissed, and
>>> apparently still can't even coherently express my frustration, so let
>>> me summarize... Grow the fuck up and learn how to actually work with
>>> other people who are in different time zones. People have pointed out
>>> bugs in my code before, and I almost always get them fixed within a
>>> day or two. Yeah I make mistakes, I know this and I know enough to
>>> understand the problem when they are pointed out, assuming you
>>> actually give me the chance.
>>>
>--------
>You are a member of the OpenNIC Discuss list.
>You may unsubscribe by emailing
>discuss-unsubscribe AT lists.opennicproject.org
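
Added example, not part of the thread and not OpenNIC's code: the thread describes operator-supplied "sponsored" text being rendered as markup on the servers page, so this PHP sketch shows that rendering beside an output-encoded version, plus a check for stored entries that already contain tags. The row fields, sample values and function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows; field names are assumptions, not the real schema.
$servers = [
    ['host' => 'ns1.example', 'sponsored' => 'Hosted by Example Co.'],
    ['host' => 'ns2.example', 'sponsored' => '<marquee>Example Co.</marquee>'],
    ['host' => 'ns3.example', 'sponsored' => '<script>/* constructed */</script>'],
];

// Before: operator-supplied text is concatenated into the page as markup,
// so any tag in the "sponsored" field is interpreted by the browser.
function render_row_raw(array $row): string
{
    return "<tr><td>{$row['host']}</td><td>{$row['sponsored']}</td></tr>\n";
}

// Encode at output time so <, >, &, " and ' become HTML entities.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every value that reaches the page goes through h().
function render_row_safe(array $row): string
{
    return '<tr><td>' . h($row['host']) . '</td><td>' . h($row['sponsored']) . "</td></tr>\n";
}

// Audit helper: list rows whose stored text already contains markup, so
// entries saved before the fix can be reviewed (a heuristic, not a filter).
function rows_with_markup(array $rows): array
{
    return array_values(array_filter(
        $rows,
        fn(array $r): bool => $r['sponsored'] !== strip_tags($r['sponsored'])
    ));
}

foreach ($servers as $row) {
    echo render_row_safe($row);   // tags arrive in the browser as visible text
}
foreach (rows_with_markup($servers) as $row) {
    error_log("review stored listing for {$row['host']}");
}
```

Encoding where the value is written into HTML keeps the stored text intact, so the audit helper can still show what was originally submitted.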



