MeTa post:
Hello Vancouver people, I'll be in Vancouver this...
Yes beer!!! (not a drunk)
posted to MetaTalk by mock
at 5:50 AM on February 11, 2007
I was recently at the nelson cafe and was pleased to note that they have cheap pitchers of beer and reasonable pub grub. it's within easy walking distance, so I vote we go there at 7pm on Monday.
posted to MetaTalk by mock
at 6:05 PM on February 11, 2007
Ok, Nelson Cafe it is.
posted to MetaTalk by mock
at 6:28 PM on February 11, 2007
Blargh. You all suck for pussying out up until this point. I'd like to point out that I'm the only one who took this night all the way to its finish. (still not a drunk)
posted to MetaTalk by mock
at 4:16 AM on February 13, 2007
MeTa post:
Please bring back the img tag....
Well I guess I should mail Matt again and tell him I made the img tag work ;)
Also the script tag, which is really bad
posted to MetaTalk by mock
at 1:23 PM on November 16, 2006
The filtering has gotten quite a bit better, it's just I'm not smoking right now, so I'm kinda a little OCD. This one took me an hour to puzzle out from when I first saw this thread, and required a little bit of cleverness as I can't use the word s r c anywhere.
posted to MetaTalk by mock
at 1:47 PM on November 16, 2006
XHTML is a good idea. Gotta watch the parser though, as sometimes it can have a looser or tighter definition than the browser's parser, which will get you trouble. Here's an example of something I used to beat an RSS aggregator that was checking for XML validity as well as attempting to scrub evil html.
As an aside, here is a neat little example of a sneaky way of getting javascript in well formed xhtml. I doubt you'll have a problem with it, but I haven't seen it... [more]
posted to MetaTalk by mock
at 2:11 PM on November 16, 2006
To make GET into POST is a bit more complex than that, but easily doable with flash/actionscript. You can also do a redirect to other, non-http protocols. So given an older browser (2004) you can use GET redirected to FTP on port 80, which is actually a POST request disguised as and overlaid on the FTP url.
The solution to CSRF is a whitelist of safe image sites. Ideally said whitelist would allow the user to add and remove sites as necessary. The whitelist could be... [more]
posted to MetaTalk by mock
at 2:36 PM on November 16, 2006
Mathewr:
Some of the stuff on flash here
The well known ftp bounce attack
Url encoding arbitrary commands with ftp
posted to MetaTalk by mock
at 4:18 PM on November 16, 2006
MeTa post:
A possible solution to end the "We demand...
Yes, they are.
There are two different security issues that I think are getting confused here. Issue #1 is that IE is fucking retarded and will execute javascript pretty much anywhere (img tag just being the most egregious of these). This is mostly IE's fault, and the solution for people who don't want bad things to happen to their account is to either browse with a sane browser or turn off javascript.
Issue #2 is CSRF. CSRF works even if... [more]
posted to MetaTalk by mock
at 1:02 AM on November 8, 2006
Yup, but at least you can turn it off with the noscript plugin.
posted to MetaTalk by mock
at 1:46 AM on November 8, 2006
There are a few ways around that as well, mostly involving either javascript or flash (actionscript is probably the worst thing for website security ever). For the most part it does solve the problem, but it's a real bitch to retrofit.
Also you shouldn't be using password fields, you should be using a randomly generated session key which allows you to retrieve from the database.
posted to MetaTalk by mock
at 4:19 AM on November 8, 2006
I'd just like to point out, that stavrosthewonderchicken does have the right idea. It is more secure than having img tags, and for those who desire security, it can be made just as secure (by disabling the javascript) as not having the img tags. I think that with the addition of an allowed image domains cookie it is about as secure as reasonably can be expected.
I should probably spend some time and hack the allowed image domain thing.
posted to MetaTalk by mock
at 4:27 AM on November 8, 2006
1) Yes IE really is that retarded, and no it isn't easy to filter out. Check the XSS cheat sheet and count the number of ways to evade filters that work with IE vs the number that work with FireFox. Now stop and think about how hard it would be to properly filter all of that. If you figure out a way, please post it, the rest of the world would be excited to know.
2) GET to POST is doable with actionscript. It is possibly also doable with another technique that isn't... [more]
posted to MetaTalk by mock
at 4:35 PM on November 8, 2006
MeTa post:
Vancouver (BC) meetup in the moderately near...
Mostly I kinda think Main is ass, I'm more of a downtown type. However The Whip is pretty good. The food is alright, and the beer is actually quite good.
As for meetup locations, I'd like something within drunken stagger distance, so I vote for the Railway club as well.
posted to MetaTalk by mock
at 2:33 AM on November 6, 2006
I would suggest you demand a time and place that works for you, and see how many people want to show up.
posted to MetaTalk by mock
at 7:01 PM on November 6, 2006
Well since I'll be in Tokyo on December 1st, I choose November 17th.
posted to MetaTalk by mock
at 2:22 AM on November 8, 2006
MeTa post:
Why, in the great image purge, did some folks lose...
I've got a solution for the CSRF thing that I'm working on. Hopefully I'll get some free time and post it to projects in a little bit.
posted to MetaTalk by mock
at 1:11 AM on November 7, 2006
No it wouldn't. 302 Redirects get around that.
posted to MetaTalk by mock
at 1:22 AM on November 7, 2006
Funny. Too bad javascript only works in src attribute on IE
posted to MetaTalk by mock
at 1:31 AM on November 7, 2006
That pretty much solves the problem, barring gaping holes in the image hosters. I was planning on building a firefox extension that enforced this on the user's side, and allowed for a 'meta' tag (something like [image src=http://blahblah]) which would allow images for those who wanted them (safely), but the site could still keep them off, thus protecting everyone else. It has the added benefit that those who want images can turn them on, and those who don't, don't have to.
posted to MetaTalk by mock
at 1:48 AM on November 7, 2006
I really can't let olli get away with having a cooler XSS vulnerability than I have. Hopefully this works in comment links, if not, it definitely works in profile links.
I like XSS, do you?
posted to MetaTalk by mock
at 4:56 AM on November 7, 2006
Yup, that works. Admins have been informed...
posted to MetaTalk by mock
at 4:58 AM on November 7, 2006
The answer to the question about how the rest of the internet is dealing with CSRF is that for the most part it isn't. This will probably cause some spectacular nastiness at some future date.
Now if I had my druthers I would have Matt implement the following:
Every user could turn on images for specific domains in their profile. By default images would be off. By default only sane domains (flickr, imageshack, etc) would be allowed. The user... [more]
posted to MetaTalk by mock
at 7:14 AM on November 7, 2006
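The per-user allowed-image-domain scheme sketched in the comment above, written out as an added example (not MetaFilter's code): a default list of "sane" domains, user additions and removals, and the URL checks a scrubber needs before trusting the host at all. The default domains, user lists and sample URLs are assumptions chosen for illustration.

```python
"""Constructed example of a per-user image-domain allowlist check.
Added here for illustration; not MetaFilter's code. Domain names
and URLs below are assumed values, not the real site's list."""
from urllib.parse import urlsplit

# Site-wide defaults ("sane domains" in the proposal); assumed values.
DEFAULT_ALLOWED = frozenset({"flickr.com", "imageshack.us"})


def host_allowed(host: str, allowed: frozenset) -> bool:
    """True if host equals an allowed domain or is a subdomain of one.
    Matching is done label by label so 'evilflickr.com' is not treated
    as a suffix match for 'flickr.com'."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))


def image_allowed(url: str, user_allowed=frozenset(),
                  user_blocked=frozenset()) -> bool:
    """Decide whether an <img src> may render for this user.

    Proposal rules: images are off unless the domain is allowed, and the
    user may add or remove domains. Extra checks before the host lookup:
    only http/https (no javascript:, data:, ftp:), no userinfo, since
    'http://flickr.com@evil.example/' has an allowed name before the '@'
    but fetches from evil.example, and the host must actually parse."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False                      # e.g. malformed IPv6 literal
    if parts.scheme not in ("http", "https"):
        return False                      # also rejects '//host/' forms
    if parts.username is not None or parts.password is not None:
        return False                      # userinfo trick described above
    if not parts.hostname:
        return False
    allowed = (DEFAULT_ALLOWED | frozenset(d.lower() for d in user_allowed))
    allowed -= frozenset(d.lower() for d in user_blocked)
    return host_allowed(parts.hostname, allowed)
```

This checks only the URL as written in the comment; as a later comment in the thread points out, an allowed host that answers with a 302 still fetches whatever it redirects to, so the list is only as safe as the hosts on it.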
I figure if said mouthbreather really wants to post an image, then he'll go to the trouble. Otherwise, no real loss, is it?
posted to MetaTalk by mock
at 7:26 AM on November 7, 2006
That said, there are a couple of other possible schemas for transposing anchors and img tags. The other possibility I thought of was to just put the word image as the first word in the anchor text. For example <a href="http://goatse.cx">image of gaping man ass</a>
posted to MetaTalk by mock
at 7:29 AM on November 7, 2006
not quite song lyrics, but you have to admit, using the <em> tag is pretty damn close.
posted to MetaTalk by mock
at 8:52 AM on November 7, 2006
Well, actually I'm quite enjoying figuring out new ways of sneaking images and javascript into my comments, but maybe that's just me. Plus the night's been rather productive. I've got a new XSS vector which isn't up on the XSS cheat sheet yet.
posted to MetaTalk by mock
at 9:22 AM on November 7, 2006
It's fairly trivial to convert an HTTP GET to a POST. You can either use actionscript, or depending on the browser version and its protocol handlers, use a 302 redirect to a different protocol and overlay the POST on top of that.
posted to MetaTalk by mock
at 9:33 AM on November 7, 2006
MeTa post:
Is MeFi protected against CSRF? I know the logout...
No. Having the webserver test the IMG link is obviously equivalent to having the webserver perform the GET request. Also, allowing images with specific file types will not work either, as I can just set a 302 redirect on the image name and use that to attack the server. I honestly can't think of any way that IMG tags can be safe. Even if they can't be made to do an evil GET request here, you can use them to take down people's mailservers, ssh servers, and dns. Plus given some assumption about... [more]
posted to MetaTalk by mock
at 1:34 PM on October 22, 2006
Well there is the issue of malicious links.
posted to MetaTalk by mock
at 6:25 PM on October 22, 2006
MeTa post:
So why don't we say Black Frog on Thursday the...
Hey it's sunny and blue sky now! I can leave my apartment again. Also, I will be at the BF.
posted to MetaTalk by mock
at 5:16 PM on October 16, 2006
hmmm, it seems there are no good pictures of me on the internet. This is me having way too much fun with the massaging chair in Yodabashi Akiba. If you just imagine me with a look of drunken stupor rather than orgasmic bliss you should be able to recognize me.
posted to MetaTalk by mock
at 9:40 PM on October 16, 2006
MeTa post:
Vancouver MeFites unite!
Me an' my lovely...
I'll be around, if it's somewhere's downtown.
posted to MetaTalk by mock
at 6:46 PM on October 4, 2006
Yeah, that's downtown, reasonably nice hotel too.
posted to MetaTalk by mock
at 7:43 PM on October 4, 2006
Yeah but those places are all in Surrey. By which I mean, across a bridge from downtown or east of main (although The Whip does have good beer - the black plague stout is a favourite).
Subeez is a decent standby, but needs a reservation for a group. Irish Heather is usually quite good, but once again needs a reservation as it can get crowded.
I'm a fan of The Mill as a nice place to take out of towners. It's close to the Hyatt and has a nice... [more]
posted to MetaTalk by mock
at 2:11 AM on October 6, 2006
If I recall my last Black Frog experience, it had an excellent view of an old lady screaming and flailing her arms while dancing naked. I would definitely repeat that experience - put me down as a vote for the Black Frog.
posted to MetaTalk by mock
at 12:13 PM on October 6, 2006
...or the Cecil, but then I'd be expected to pay for it.
posted to MetaTalk by mock
at 3:33 PM on October 6, 2006
MeTa post:
Why is metafilter so slow and crash-prone? I know...
No, he said a language that doesn't suck - not php.
posted to MetaTalk by mock
at 8:29 PM on October 4, 2006
PHP is the visual basic of our time. It allows semi-trained people to create useful applications which solve their business needs. None of this code is of the sort that you'd want to maintain even if you were being paid. It's great if your job is finding security vulnerabilities though.
It's not that it's impossible to create good code in PHP, clearly a great programmer can create great software despite the shortcomings of any tool. However the odds are against you... [more]
posted to MetaTalk by mock
at 6:30 PM on October 5, 2006