Print Story A Day in the Life
Working life
By ReallyEvilCanine (Wed Apr 11, 2007 at 05:16:10 AM EST) A Day in the Life, tora tora tora, CSS, The Wizard of Duhs, pie (all tags)
Hard Hat Area

Civilisation is truly in decline.

Because he boinked some fat blonde a few times there's a photographer who now has a kid and half a billion dollars or so, proof to the porn industry that you don't have to pull out for the money shot. Had he just shot his load all over her not-inconsequential ass, we might actually hear some real news, like, say, the subpoena duces tecum Congress sent the US Department of Justice for documents on the Attorneys General firings. Or not. Blind pilots? What's next, iPods for the deaf?

It's no better here. "Check out Feature XXX! Feast your eyes on Feature YYY!! Set your very own colour scheme!!!" And what about the big, gaping CSS security hole? "Pay no attention to that monkey in the corner. We're feature-rich! We're innovating!"

We're a bunch of fuckwits.

x-posted to da brog.



Hey $MegaCorp! Did you notice that it's easy to take the client URL and hijack a session with CSS? I can just append any old URL and the browser will be redirected! We need a solution!
Yeah, we need one, too. This one's been documented a dozen times. There are a few things to consider though:
  1. It can't be exploited if you're using HTTPS
  2. It can't be exploited if you're using cookies
  3. There's no reason not to use HTTPS in any sensitive environment
  4. Since the URL is coming from within the trusted system, there's not much threat
  5. What little threat exists is the same as any other sort of hack against your server
We don't want to use cookies because they might be dangerous. We're also not sure about setting up HTTPS so we don#t want to do that. And it must be a huge problem if the user can just go to the URL and then append the site he wants to go to and get there! This might allow users to get around our firewall! You need to come up with a solution.
Yeah, well I don't want to wear pants at home but when I'm cooking chicken-fried steak, I prefer the Levi's to hot spattering oil hitting Mr Happy. If you want your highly-sensitive information available on-line, you need more than just that firewall you really only installed to prevent your employees spending their working hours on GooTube and i-am-bored.com.

Setting up HTTPS on IIS is fucking point-and-click. If your "admin" is so incompetent that he can't set up SSL on fucking IIS, fire the fuckwit and hire a high school student. All it takes is a click, a right click, a click, a check that the port is 443, three more clicks, selecting a checkbox, then two more clicks. A drunk macaque could enable SSL within a day.

Official Root cause: 1-Defect.
True Root cause: 17-Fuckwit.

< The Wheels on the Car go . . . | BBC White season: 'Rivers of Blood' >
A Day in the Life | 6 comments (6 topical, 0 hidden) | Trackback
I spot the deliberate mistake in the poll by Herring (2.00 / 0) #1 Wed Apr 11, 2007 at 05:29:47 AM EST
I claim my five pounds. Only one of those is a standard port for HTTP.

WIPO: TCP Port 53. Without that, all else is useless.

christ, we're all old now - StackyMcRacky

heh by ucblockhead (2.00 / 0) #3 Wed Apr 11, 2007 at 07:18:35 AM EST
We had a bug the other day because a developer set the port to the zipcode (postal code for you furriners) which is "94***".
---
[ucblockhead is] useless and subhuman
[ Parent ]
TCP 53 by Merekat (2.00 / 0) #4 Wed Apr 11, 2007 at 07:55:56 AM EST
Do you have any idea how many people actually block that?

[ Parent ]
not everyone who should block udp 53 also? by LinDze (2.00 / 0) #5 Wed Apr 11, 2007 at 05:22:36 PM EST
To be fair I dont think any of our resolvers are using TCP 53. We dont want any customers trying to AXFR off our resolvers, and if the its a jumbo reply you can be sure its part of a DNS TXT DDOS 99.99% of the time.

-Lin Dze
Arbeit Macht Frei
[ Parent ]
heh by Merekat (4.00 / 1) #6 Wed Apr 11, 2007 at 11:29:43 PM EST
I operate in the type of network where that 0.01 percent is plausibly found and also primariy with authoritative rather than resolving DNS. Bit hard to provide secondary service when the primary has a silly firewall rule in the way, usually applied by someone who has no awareness of what is actually required on the network.

[ Parent ]
WIPO by Phage (2.00 / 0) #2 Wed Apr 11, 2007 at 05:42:03 AM EST
26000

A Day in the Life | 6 comments (6 topical, 0 hidden) | Trackback