Posted By: CannotResolveSymbol | Dec 26th, 2008 @ 11:36 PM
page 1 of 3
Comments: 61 | Views: 1834
Bas
It finds lightbulbs.


Beautiful.
TommyCarlier
I want my scalps!
If you think that is beautiful, check out TechOff.
stevo_
Human after all
Doesn't really surprise me at all, it's such a fundamental flaw that just shouldn't be allowed to pass through to a live site of this magnitude.. I know you guys will have to take this really seriously considering some of the things this can allow..
ManipUni
Proving QQ for 5 years!
You don't sanitize your thread titles? Really?
littleguru
<3 Seattle
OMG! This is so embarrassing! :(
W3bbo
The Master of Baiters
Did you just get the text "echo" placed everywhere on every page?

It seems to have gone now.
Rowan
Look, no errors.
Yes, it seems that a post with no comments will show up in the "Active forum threads" box, which appears in places like the front page.

Wasn't there a very similar issue a while ago on Channel9 where whole messages went unfiltered?

I've been playing around a bit in the less-used forums for shits 'n giggles, staying away from the Coffeehouse so we can at least still communicate.
ManipUni
Proving QQ for 5 years!
Some made a thread with:
<style type="text/css">div:after { content: "echo"; }</style>

In the title which is appearing in the sidebar.
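
The thread-title injection quoted above, as an added example that is not part of the original thread or Channel 9's code: a sidebar renderer that pastes stored titles into markup, next to one that HTML-encodes them at output time, plus a regression check. The function names, URL path, CSS class and first sample thread are assumptions; the second title is the one quoted in the post.

```python
import html
from html.parser import HTMLParser

# Constructed sample data. The second title is the one quoted in the post above.
THREADS = [
    {"id": 101, "title": "Favourite keyboard shortcuts?"},
    {"id": 102, "title": '<style type="text/css">div:after { content: "echo"; }</style>'},
]

ITEM = '<li><a href="/forums/thread/{id}">{title}</a></li>'  # hypothetical template


def render_sidebar_unsafe(threads):
    """Stored title is pasted into the page as markup (the behaviour described)."""
    items = "".join(ITEM.format(id=t["id"], title=t["title"]) for t in threads)
    return '<ul class="active-threads">' + items + "</ul>"


def render_sidebar_safe(threads):
    """Title is HTML-encoded at output time, so any markup in it renders as text."""
    items = "".join(
        ITEM.format(id=int(t["id"]), title=html.escape(t["title"], quote=True))
        for t in threads
    )
    return '<ul class="active-threads">' + items + "</ul>"


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(fragment, emitted_by_template=("ul", "li", "a")):
    """Regression check: list start tags the template itself did not emit."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return [t for t in collector.tags if t not in emitted_by_template]


if __name__ == "__main__":
    print(unexpected_tags(render_sidebar_unsafe(THREADS)))  # ['style']
    print(unexpected_tags(render_sidebar_safe(THREADS)))    # []
```

Encoding at output time also covers titles that were stored before any input filter existed.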
mastermine
See.Hear.Frag
Looks like someone broke the coffeehouse

O Joy
Dr Herbie
Horses for courses
Well that was f*cking stupid: if you find a vulnerability like that you should at least email the team privately, rather than splattering it all across the site so that any f*cking retard can mess the whole place up.

Thanks a f*cking bundle.


Herbie
Charles
Welcome Change
Duncan has fixed this.
C
jh71283
Throw new System.Beverage.OutOfCoffeeException()
Maybe so, but what about the posts that are already there?

For instance some retard has inserted a blink tag
Charles
Welcome Change
Duncan's stopped the bleeding... There's more to do.
C
jh71283
Throw new System.Beverage.OutOfCoffeeException()
I think whoever has exploited this should be banned outright.

As Herbie says, it's fair enough to find a vulnerability and alert C9, but to exploit it is malicious.
Charles
Welcome Change
Agreed. Which threads are flashing (blinking)?
C
jh71283
Throw new System.Beverage.OutOfCoffeeException()
All of them

They only blink when you are actually reading them though, the post listings do not blink.

If they're not blinking for you, I'll try flushing my cache.
jh71283
Throw new System.Beverage.OutOfCoffeeException()
flushing had no effect.

And it is ALL of the text on the page, not just the post text, the headers etc are all blinking.
jh71283
Throw new System.Beverage.OutOfCoffeeException()
Stopped. Yay.
littleguru
<3 Seattle
i'm also for banning the guy(s) who messed this stuff up...
ManipUni
Proving QQ for 5 years!
Meh.

It was fairly harmless and caused no lasting damage. Just leave it now. The problem is fixed, the threads are gone, and everything is fine. If you are that upset about seeing the word "echo" all over the place then go ahead and start a lawsuit.
littleguru
<3 Seattle
Who said anything about lawsuits?

Defacing a website with something so easy is just childish; c'mon entering HTML in a textbox that doesn't do the filtering. On the other hand if it would have been something innovative and new - that would have been at least wicked... even the redirect to yet another linux website was plain boring. or the messagebox that said "all bases belong to us" - how boring was that... 

people who do childish stuff like that shouldn't get our respect! fame to real innovators, blame to stuff like this.