Posted By: CannotResolveSymbol | Dec 26th, 2008 @ 11:36 PM
page 3 of 3
Comments: 61 | Views: 1834
Rowan
Look, no errors.
Whatever you consider creative is entirely subjective, this "creativity" debate is irrelevant and pointless. Personally I think the C9 developers should be held accountable for this enormous security hole, this was just a ticking time bomb waiting to go off in a very bad way. Be thankful it didn't happen at a busy time.

And if I knew there were going to be judges I would've actually tried to impress someone.
I don't really believe that script kiddies garner much praise, regardless of how 1337 u think u are.

jh71283
Throw new System.Beverage.OutOfCoffeeException()
Be thankful it didn't happen at a busy time.

No, instead it happened at a time when the C9 staff were at home enjoying the holidays, just like they were entitled to, until some numpties decided it was appropriate to mess up the site.

Holding the C9 devs responsible is like driving my car into a tree, and then blaming BMW because it shouldn't let me do that.

What a load of crap.
blowdart
Peek-a-boo
Actually ...

XSS is a pretty well-known exploit, and there are a bunch of MS tools to stop it, from the AntiXSS library and Security Runtime Engine (which does it all for you, but you should still explicitly do it yourself as well) to code analysis tools like CAT.NET.

It is the fault of developers if they leave security holes. Your analogy is a bad one; leaving a security hole is like leaving your car unlocked with the keys in the ignition and then blaming BMW when your car gets stolen. Developers have to take responsibility for security because no-one else can.

(This is not picking on Adam et al., it's an objection to the attitude that the problem lies with people who exploit bugs)
stevo_
Human after all
Pretty sure this instance could be fixed by changing

<%= post.Title %>

to

<%= Server.HtmlEncode(post.Title) %>
ZippyV
Fired Up
Looks like we have another candidate for the ban list: http://channel9.msdn.com/Niners/kachchhu1987/
blowdart
Peek-a-boo
I'd recommend abandoning the built in encoders for the newer AntiXSS library - it has more encoding options, and more up to date algorithms as well as an engine which does automatic encoding in case you forget.
Bas
It finds lightbulbs.
Yes, it was I with the Linux.org redirect. (IT'S NOT .COM!) No one reads or posts in the techoff.

Just looking at the first page of Techoff posts tells me that each post gets read hundreds of times, with one post being read over 8000 times. The oldest post on that page was nine days ago, the newest one a little over an hour ago. I'd say you're wrong about that.

At whom did the Japanese pop up in the coffeehouse: I hope you get banned because that made the coffeehouse useless.


Then I assume you wish to be banned yourself, for making a frequently used forum like Techoff useless?

I don't think that a ban is a good idea because this "bug" has been here for over a week and it could've been much, much worse.


Then why did you call for a ban on the Japanese-popup guy?
ZippyV
Fired Up

Now I see why people keep posting img tags on the forum. When you switch pages the HTML does get interpreted.

I vote for de-ajaxifying the site.

Rowan
Look, no errors.
http://channel9.msdn.com/forums/Feedback/450248-HTML-in-subject-mostly-fixed-but-not-entirely/
Duncanma
Just Coding for Fun...
Blowdart is right... as much as I am very happy to see people defending us, this was our mistake. We were carefully running the body through anti-XSS routines and forgot the title. (Then we fixed the title in server-side rendering, but not in the JSON data we send down in the AJAX view... deployed Nathan's code fix for that this morning from a hotel room in Coeur d'Alene, Idaho.)

I would have preferred an email and less annoying ways to 'try out' this security hole, but in the defense of the people who posted html, css, and JS hacks... no one actually posted an exploit. No one did anything actually malicious and they could have, so let's cut them some slack.

We were already using the AntiXSS library, just not using it consistently... and I haven't tested out the HTTP handler style option that is also available, but I think we'll take a look at that soon. I'm going to also look into making a staging version of C9 public. The main purpose will be for our testing of major changes, but it would also be a place where you would be welcome to try out any hack you had in mind (extensive DoS wouldn't be appreciated, because even if we are not in any way 'hacked' by that, it would still cost bandwidth and availability of the staging site... not that I can stop folks from trying, but I thought I'd be clear about what we would consider 'ok testing').
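The gap Duncanma describes above (title encoded in server-side rendering, but rendered raw by the AJAX view from JSON) as an added JavaScript example; this is not Channel 9's code, and the payload, post shape and `htmlEncode` helper are constructed for illustration.

```javascript
// Added example (not Channel 9's code): the same post title rendered by a
// client-side AJAX path, first the way that reproduces the bug, then fixed.

// Minimal HTML encoder for text placed inside an element body. Constructed
// here; in a real app use the framework's encoder (e.g. AntiXSS server-side).
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed JSON payload as the AJAX view would receive it. The title is
// stored raw on the server, so whatever the poster typed comes down verbatim.
// (Server-side page rendering encoded this same title; the JSON path did not.)
const ajaxPayload = JSON.stringify({
  posts: [{ id: 1, title: 'Hello <b>world</b> & "friends"' }]
});

// Vulnerable rendering: the title is concatenated into markup unencoded, so
// any tags in it become live HTML once the fragment is put into the page.
function renderTitlesUnsafe(json) {
  const data = JSON.parse(json);
  return data.posts.map(p => `<li class="post">${p.title}</li>`).join("");
}

// Hardened rendering: encode at the point of output, for the context the data
// lands in (an HTML element body). The JSON stays unchanged; the fix is that
// every output path encodes, which is what the AJAX view had missed.
function renderTitlesSafe(json) {
  const data = JSON.parse(json);
  return data.posts
    .map(p => `<li class="post">${htmlEncode(p.title)}</li>`)
    .join("");
}

// Check used in a test: after removing the wrapper we generated ourselves,
// no raw '<' may remain in the fragment, i.e. nothing from the title is markup.
function leaksRawMarkup(html) {
  return html.replace(/<\/?li[^>]*>/g, "").includes("<");
}
```

Running `renderTitlesUnsafe(ajaxPayload)` shows the `<b>` tag surviving into the fragment, while `renderTitlesSafe(ajaxPayload)` turns it into `&lt;b&gt;` so the browser displays it as text.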