discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] This is my %#$ rant
- Date: Mon, 11 Sep 2017 11:28:17 -0600
- Authentication-results: mx1.computerrehab.us; dmarc=none header.from=sourpuss.net
- Dmarc-filter: OpenDMARC Filter v1.3.0 mx1.computerrehab.us 449592D7C2
Yeah I'm actually working on that right now. There's a bunch of files in that folder, I need to figure out which parts are actually in use so nobody else has to figure it out.
On 09/11/2017 10:56 AM, Al Beano wrote:
There was an IRC line describing the site as "insecure as hell", or words to that effect, accompanying the mention of the <marquee> tag. I do get your point though. I'll be a bit more helpful next time.

Would it be possible to get a copy of the source code? I'd like to audit it properly. Git would be ideal but a tarball is fine too.

albino

On 11 September 2017 17:50:07 BST, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
Yes, I was actually interested in the <marquee> tag because I'm not sure I've ever seen it before. The problem was nobody mentioned that this was exploitable. All I thought of was standard HTML tags, and yeah they could make for some annoying displays, but the <script> tag did not occur to me. If the original posting of the marquee tag was supposed to be a warning to me, it completely failed. I really wish someone would have just sent me a PM pointing out what you folks apparently thought was obvious. Never assume anything...

And yes, when I'm made aware that there is actually a security hole in such things, I'll patch it as quickly as I can. Between what I saw there and something that Fusl pointed out to me, I forgot to sanitize the input. Easily remedied, and the page should be a lot safer now.

On 09/11/2017 01:26 AM, Al Beano wrote:

Hi,

In case it's not already obvious, I'm one of the users who attacked the website.

I'm sorry this incident caused you so much grief. I'll admit that I could have handled it better. That said, however, I'd like to provide my perspective on the situation.

The first user to report the issue did it lightheartedly, by changing the "sponsored" text on his server listing to include a <marquee> tag. The only comment we heard from you on IRC was that it was "funny as hell", if I recall correctly.

It was funny, but also very dangerous: the XSS vuln had been made public to a channel of over 100 users, and it allowed any T1/T2 op to phish for universal LDAP credentials or cause the page to provide fake IP addresses to end users. The ramifications could have been huge.

I care hugely about OpenNIC, having recently donated a large proportion of my spare time since joining — it frustrated me to see one of the 'core' pieces of infrastructure left vulnerable to a potentially very destructive attack.
What I read on IRC made it sound as if there were no short-term plans to fix this, so I did the only thing I could think of as a move towards getting it fixed: I exploited it in a way which left no lasting damage but broke it for the time being.

During this time, I checked the data on the T2 servers page periodically, and as far as I am aware all the exploits were perhaps ass-holeish but not malicious.

I think I speak for everyone involved when I say I am genuinely very grateful for the infrastructure you maintain; I'm still discovering new services that I wasn't even aware of.

R.e. code hosting: I understand the frustration of code just disappearing. It seems like Github is around to stay, whether we like it or not, and some OpenNIC code (like the website) has already been published there. I think that could be a good option for permanent code hosting.

OpenNIC also has a git service: gitlab.libre, maintained by aditaa. Git makes it pretty easy to push the same project to two remotes, and that way we would have the redundancy of two separate hosts.

Thanks for taking the time to read my epic, and I hope to be contributing to more OpenNIC projects in the future. And no, I don't want to tamper with your quote style. :-)

albino

On 11 September 2017 05:52:31 BST, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:

Last night I got an ear infection plus bad acid reflux and didn't hardly sleep at all. So you can imagine my state of mind when I got up this morning to find a discussion between T1 and T2 operators talking vaguely about an exploit they found in the servers page, and the page itself broken and not providing usable info. It took me quite awhile to dig through everything and determine exactly what was done and start working towards repairing the intentional damage.

OK, it's a fair point that I didn't properly sanitize the input.
However we're talking about a page that has been online for the past two years without any problems, but for some reason you decided that immediate action must be taken right this very second. And not a single one of you assholes had the courtesy to even send me a PM to say "hey we found this problem in your page and these are the actions we took." Seriously, I know some of you newcomers are in your teens, but do you really have to ACT like it? This is a community project, it exists because people in the past have worked *together* to solve problems. It's not a hacking contest to see who can blow up each other's contributions.

There have been a lot of complaints about my code in the past. Yes I write in Bash and PHP, and yes my code isn't going to be the easiest to read. There's also the constant complaints that I don't post my code on repo-of-the-week, which I've discussed several times on IRC but nobody seems to care. Just how many 'official' source-hosting pages has opennic been through? We've been in sourceforge, but we don't trust them now. What was the one that did SVN? And of course there's the numerous local repos that people have run over the years which up and disappear one day without warning. I've submitted a fair chunk of my code at least twice. And poof, there's no evidence remaining that it ever existed.

I have limited time to work on opennic, but I've churned out an incredible amount of code for the project over the years. There is very little of opennic's infrastructure that I haven't had a hand in or written completely from scratch. Everybody that comes through always has their own ideas on how things should be done, what changes need to be made, and yet almost none of those people have actually contributed anything. Opennic owes its very existence to those few people such as myself who have dedicated months or years of programming time to provide the services that everyone else uses on a daily basis.
There is a huge amount of code in the background that I personally own and have to troubleshoot when things go wrong. I spend what time I can either fixing the larger problems or trying to set up new code to provide features. I have dedicated time nearly daily to making sure things run smoothly or fixing whatever is broken, and the thanks I get is "hey let's fuck up his shit and see how long it takes him to figure it out." Real mature.

If anyone wants a copy of my working code, I have always been happy to provide it. It may take me some time to get it together, but I've always given it. And I would love to have others help clean things up, especially the registrar code behind reg.for.free. Unfortunately the only feedback I have ever gotten is "I don't like your standard use of single- and double-quotes... here's a rewrite to quote things MY way." I don't have time to keep learning a new repo system every year or two and I no longer have the patience to care, but if someone else wants to do the deed I've already mentioned many times that I am happy to help work with them.

I've been thinking about this all day and I'm still pissed, and apparently still can't even coherently express my frustration, so let me summarize... Grow the fuck up and learn how to actually work with other people who are in different time zones. People have pointed out bugs in my code before, and I almost always get them fixed within a day or two. Yeah I make mistakes, I know this and I know enough to understand the problem when they are pointed out, assuming you actually give me the chance.

--------
You are a member of the OpenNIC Discuss list. You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org