Less than 24 hours and I already created an XSS exploit for Intercourse



  • Continuing the discussion from Vote of No Confidence:

    @morbiuswilters said:

    Oh ye of little faith. Go back to that post and where it says "morbiuswilters said: So no impact..." and click my name.

    That didn't take long..

    Go here and click the quote box to expand it.

    BOOM! Headshot!



  • Oh, and to be fair, it only took me about an hour to find and exploit that hole.

    But don't worry, Master Programmer Jeff Atewood will surely have it fixed soon!



  • All hail Master Morbius!



  • Oh, and I'm not really stealing ur cookies. I could, and the POC did that, but I changed it because I don't really want ur cookies.

    But I could have ur cookies, if I wanted ur cookies.



  • @morbiuswilters said:

    Oh, and I'm not really stealing ur cookies. I could, and the POC did that, but I changed it because I don't really want ur cookies.

    But I could have ur cookies, if I wanted ur cookies.

    All I have right now are Oreos. One of these days I'll get around to baking some chocolate chip cookies. I have everything I need except butter, but lately I've kinda lost interest in doing any real cooking.



  • Did you report the bug or are you just going to blackhat?



  • What's supposed to happen?



  • Oh I figured it out. I was clicking in the wrong spot.

    Next up, Signature Guy is back? I can live with infinite scrolling and lying new post indicators if we all get Signature Guy.



  • @ben_lubar said:

    Did you report the bug or are you just going to blackhat?

    Neither, I'm just bitching about it.

    Edit: And stop defending crappy software, Ben. Jeeze, does your crush on Atewood know no ends?



  • @mott555 said:

    Next up, Signature Guy is back? I can live with infinite scrolling and lying new post indicators if we all get Signature Guy.

    I could do it now, but it would require the marks to click on something first.

    Given how easy it was to exploit, I'd say there are probably other holes you could use to get Signature Guy back.


  • Banned

    @morbiuswilters said:

    Master Programmer Jeff Atewood

    Unlikely, more like me or one of the others. We will get this plugged asap. Can you email me what you did at sam.saffron@gmail.com

    or alternatively @apapadimoulis or any of the other mods can you give me mod powers here.


  • ♿ (Parody)

    @sam said:

    or alternatively @apapadimoulis or any of the other mods can you give me mod powers here.

    Done! Thanks for the help.


  • Banned

    This XSS exploit is now fixed and the fix is deployed here.

    @morbiuswilters I know I somehow found myself on the top of your shit list, nonetheless I would very much appreciate it if you could email me privately if you find any more of these.

    My email address is sam.saffron@gmail.com



  • @sam said:

    @morbiuswilters I know I somehow found myself on the top of your shit list,

    Do I know you?

    Anyway, my shit list is like 700 million names long. I don't think you're cracking the top 5%.

    Whoops, didn't mean to hit Save..

    @sam said:

    nonetheless I would very much appreciate it if you could email me privately if you find any more of these.

    My email address is sam.saffron@gmail.com

    Sure thing. You probably should not do server-level redirects, even to count clicks. Just count the click by firing a pixel from the onclick handler on the link. Or if you must do redirects, do it in JavaScript. Doing server-level redirects is what made this go from a silly data-sanitizing bug into an XSS exploit.


  • Banned

    Are you saying there are 35 million people you hate more than me?



  • @sam said:

    Are you saying there are 35 million people you hate more than me?

    At least.

    Also, I accidentally saved before I meant to so there's more to my reply above.


  • Banned

    @morbiuswilters said:

    You probably should not do server-level redirects, even to count clicks.

    Totally agree with you there, especially for this use case. Not sure why we even care about click count for this particular case.

    It gets a bit trickier when you are trying to get the click count for an external link, especially in a cross-browser way; we have been fighting with that one for a while.



  • @sam said:

    It gets a bit trickier when you are trying to get the click count for an external link, especially in a cross-browser way; we have been fighting with that one for a while.

    I would still suggest you just open the links in a new window and use an onclick handler to fire off a pixel.

    If you absolutely must do a server-level redirect, check for the "X-Requested-With" header, and if the value is "XMLHttpRequest" refuse the redirect. Then you at least won't be serving redirects to AJAX requests, which I can't imagine you'd ever want to do.



  • @sam said:

    It gets a bit trickier when you are trying to get the click count for an external link, especially in a cross-browser way; we have been fighting with that one for a while.

    That's easy if you know the secret. But us web analytics guys don't tell open source-y guys because if we did you'd patch it because God knows sending an analytics pixel on page unload is EBIL!!! And as soon as some idiot with their fingers all over the Chromium codebase found out about it, you bet your ass it'd be sealed the next day.

    That said the technique ain't perfect on mobile, but for desktop browsers it's nearly 100%.


  • Banned

    This is great. If you can find any more exploits let us know. @morbiuswilters PM me with your mailing address if you want a letter bomb stickers.



  • @codinghorror said:

    This is great. If you can find any more exploits let us know. @morbiuswilters PM me with your mailing address if you want a letter bomb stickers.

    I must say, I did not expect this. @sam fixed the bug quickly and you coming in and commenting--and having such a good sense of humor about it all--has increased my respect for you guys.

    Given that you guys are being so responsive and that Alex is framing this as a "beta test" experience, I'm willing to give you all the benefit of the doubt.

    Truthfully, being the forum software for a site dedicated to viciously mocking all software is like being the caterer to an Irritable Bowel Syndrome convention--even if you do a good job, you are going to hear a lot of shit.


  • Banned

    I like this site, and this community! We want Discourse to be awesome for you.

    Alex and I are friends from way back, even though there was some... unfortunate redacted .. that happened in our prior business relationships. All good now though!



  • quick everyone, find the WTFs posted relating to this! FOR JUSTICE!



  • @codinghorror said:

    I like this site, and this community!

    You're a bad liar, Atwood.



  • @codinghorror said:

    I like (..) this community!

    Do you also have a particular liking for pits filled with feral dogs? That's the closest thing I've ever seen to this community.

    Oh and I agree with morbs: kudos that you're actively engaging and responding to complaints and problems (not necessarily agreeing or fixing them, but at least you're responding), especially because of the fierceness of those comments.



  • @codinghorror said:

    I like this site, and this community!

    Really? Because it seems like you have no exposure to it whatsoever, and your software development style is firmly in the camp we would label as "WTF".



  • @blakeyrat said:

    Really? Because it seems like you have no exposure to it whatsoever, and your software development style is firmly in the camp we would label as "WTF".

    Be fair, Blakey, they're at least trying. And being so hostile isn't really helping us here. It's one thing to sneer at software when the people involved are nowhere to be seen; another when they are right here, trying to get feedback. I think you're a smart enough guy to know that insulting people is not going to get them to do what you want, no matter how good your ideas are.

    I don't like everything, either, but this is the situation we're in. I was pleasantly surprised when they fixed the XSS bug within hours of me posting this thread. The only reason I didn't file a bug is because I figured I'd have to find their bug tracker and then it would languish there for three years, like every other FOSS bug I've filed, until being closed when they rewrote the entire thing in Scala.


  • Banned

    @blakeyrat said:

    your software development style is firmly in the camp we would label as "WTF".

    All software development is WTF.



  • @codinghorror said:

    All software development is WTF.

    There is nothing I can add to this.



  • @codinghorror said:

    All software development is WTF.

    Truer words have never been posted.



  • @dhromed said:

    There is nothing I can add to this.

    Yes there is. Watch:

    @codinghorror said:

    All software development is WTF. + 4

    See?



  • You're very easy to hate.



  • @dhromed said:

    You're very easy to hate.

    Me?


    Filed under: I can't tell who dhromed is replying to.



  • @morbiuswilters said:

    Me?


    Filed under: I can't tell who dhromed is replying to.

    I think he's referring to someone else.



  • @mikeTheLiar said:

    I think he's referring to someone else.

    I'm really confused now.. I thought even if you didn't quote someone then Discourse put a link at the upper-right of your post showing who you are replying to (like Ben's reply to me 18h ago about "blackhat").

    But then most of the replies in here don't contain that magic thingy which tells me who they are replying to..



  • @morbiuswilters said:

    I'm really confused now.. I thought even if you didn't quote someone then Discourse put a link at the upper-right of your post showing who you are replying to (like Ben's reply to me 18h ago about "blackhat").

    But then most of the replies in here don't contain that magic thingy which tells me who they are replying to..


    It doesn't show up if you're replying to the post directly above yours. Hence, good ol' dhromy hates Ben L. You might say that Ben is getting on his nervous system.


  • Discourse touched me in a no-no place

    @mikeTheLiar said:

    It doesn't show up if you're replying to the post directly above yours.

    Or you're replying to the thread in general (the dark blue + Reply button at the bottom of the thread.)

    If it's ambiguous as to which it is, then it's impossible to tell without asking the OP.



  • @mikeTheLiar said:

    It doesn't show up if you're replying to the post directly above yours.

    Nor, IIRC, if you are responding directly to the OP, nor a few other cases where not having it is confusing, but I don't remember specifically what they are.



  • @morbiuswilters said:

    Be fair, Blakey, they're at least trying.

    I don't see trying.

    I see condescension. I see some of those good ol' Linux trademarks ("you don't need that"). I see some weird paranoid thing where a bunch of people from the Discourse "community" (for lack of a better word) are coming here and suddenly they're dictators of the DailyWTF and we're part of the "Discourse family" or whatever the hell is going on there psychologically. I don't want to be involved in some religion or philosophy, I don't want to "change the world of reading forum posts", I just want a normal forum that works normally.

    In any case, there's roughly zero percent chance that Jeff Atwood or anybody else in the Discourse community is going to address any of the complaints we've brought up, regardless of how they're phrased. It's just yet another broken open source project which doesn't give a shit about its users.

    Look here's a giant bug right here: I'm obviously replying to Morbius but for some reason it says I'm replying to Atwood. Why? I didn't quote him. I don't have my cursor in his post. WTF? So many bugs:

    @morbiuswilters said:

    I think you're a smart enough guy to know that insulting people is not going to get them to do what you want, no matter how good your ideas are.

    Well derp. But since there's already zero chance of me getting anything I want, I might as well have some fun while complaining.



  • @morbiuswilters said:

    I thought even if you didn't quote someone then Discourse put a link at the upper-right of your post showing who you are replying to

    Oh, I must have clicked the wrong Reply button.



  • Why is there such a thing as "the wrong reply button"?



  • @dhromed said:

    Why is there such a thing as "the wrong reply button"?

    Because this system seems to be built around the idea that a discussion should be limited to a narrow topic rather than branching and looping like actual discussions do (which might be useful for some things, but then the buttons should be labeled differently).



  • @locallunatic said:

    Because this system seems to be built around the idea that a discussion should be limited to a narrow topic rather than branching and looping like actual discussions do (which might be useful for some things, but then the buttons should be labeled differently).

    Why did this post pop up and shove down the post I was in the middle of reading? Talk about a jarring experience...


  • Considered Harmful

    @locallunatic said:

    branching and looping like actual discussions

    I want to make a forum modeled after the Git branching model, just to give Blakey conniptions.



  • Yes this is the viewpoint I am mostly subscribing to. Stack flow discussions are different since they are in Q & A format. Here our discussions go on for years and years. If we lived to be 100 and some of us might be already 100, we will still be having same discussion started in 1914 about rifles issued in World War I.

    @locallunatic said:

    Because this system seems to be built around the idea that a discussion should be limited to a narrow topic rather than branching and looping like actual discussions do (which might be useful for some things, but then the buttons should be labeled differently).

    @dhromed said:

    Why is there such a thing as "the wrong reply button"?



  • @Nagesh said:

    we will still be having same discussion started in 1914 about rifles issued in World War I.

    There should be a law against the ridiculously high availability of guns to soldiers.


  • Banned

    This stuff is configurable; topics get mighty noisy if you remove the suppression of "in reply to" for direct replies.

    The only other exception is when replying to the 1st post. It got really confusing having reply-to-first-post and the reply button at the bottom of the page doing different things. So we removed that confusion.


  • Banned

    I went ahead and removed (disabled) the suppression of in-reply-to indicators for single replies directly under.

    For communities coming from other software, I think it can be useful to show this in all cases.



    By the way, in Stylish, I configured a rule for TDWTF where nested blockquotes would have 90% of the parent's font size. I didn't think it would be that good, but it is, and it's fantastic against quote hell: at some point the person quoted 5 levels deep is unreadable, but their text isn't relevant anyway: all you may want are the most recent two or three nested quotes.

    It's very low-tech and doesn't require futzing around with crazy quote features.

    Have a try. See what I mean.



  • @error said:

    I want to make a forum modeled after the Git branching model, just to give Blakey conniptions.

    Why would that give me conniptions?

